• ARTICLES
SEARCH

How-To Geek

Understanding User Account Control in Windows 7

User Account Control, otherwise known as UAC, was regularly cited as one of Vista’s problems and was even the subject of an Apple advertisement.  However, this feature has greatly increased the security of Vista computers, and today we’ll see how it’s been improved in Windows 7.

What is UAC?

UAC is a feature of Windows Vista and 7 designed to prevent unauthorized changes to your computer.  Recent versions of Linux and Mac OS X have similar prompts when changing settings or installing programs as well.  This is a crucial feature that makes your computer much more secure.

By default, even an administrator account in modern versions of Windows does not have full access to modify system settings and install programs.  Thus, if you try to install a program or change critical settings, you may see your desktop fade and show only a prompt window asking if you’re sure you want to do this.  This is a secure desktop, designed to prevent a program from automatically approving itself.

image

While this may simply seem like a nuisance, it actually protects your system from malicious programs.  For instance, if you inserted a flash drive that had a worm virus into your computer, it would attempt to automatically run and install on your computer without your knowledge.  UAC, however, would catch it, and ask you whether or not you wanted to install the program.  You could easily know that you did not want it since you did not initiate the install, and thus you would protect your computer and data.

What types of UAC prompts may I see?

The UAC prompt you see may vary depending on the program you are installing.  If you are installing or configuring a program that has been signed with a security certificate, the prompt may look something like this.  Notice that it shows the program’s name, publisher, and origin.

 image

If you click Show details, you can see where the file is stored and can view its security certificate.

 image

Unsigned applications may show a different UAC prompt.  It states that the publisher is unknown, and since it is unsigned there is no certificate to view.  Additionally, this prompt has a yellow banner which alerts that the program is from an unknown publisher.

image

If you’re using a standard account in Windows, then you will be required to enter the administrative password to accept a UAC prompt.

image

When will I see a UAC prompt?

Usually it is fairly easy to tell when you will see a UAC prompt.  First, installing or making changes to any application, or for that matter changing any file that is outside your User folder will require you to authenticate the changes.  Some older programs may actually require a UAC prompt each time they run; this will only occur if they change critical settings or store files in secure folders every time they run.  You may notice a shield icon on programs or installers that will launch a UAC prompt before running.

image

Windows Vista always created a UAC prompt whenever any Windows settings were changed.  In Windows 7, the default is to not prompt you when changes are made to Windows.  However, changing some critical settings, such as the UAC settings, will cause a prompt.  You can tell when an action will create a UAC prompt by the shield logo over the Ok button or beside its name.

image

Finally, you can choose to run any program in administrative mode.  This is helpful if, for instance, you need to change a setting via Command Prompt and need administrative privileges.  To launch a program in administrative mode, simply right-click on it’s icon and select “Run as Administrator.”  Doing this will always require accepting a UAC prompt.

image

How can I change UAC’s settings?

In Windows Vista, UAC had two settings: on and off.  Windows 7 offers more granular controls for UAC.  Simply type “UAC” into your start menu search, and select “Change User Account Control Settings” to change how UAC works on your computer.

image

This panel gives you direct controls on how UAC will work on your computer.  The default settings will notify you if programs try to make changes to your computer, but not if you change Windows settings.  As previously noted, changing certain Windows settings such as these UAC settings will still require approving a UAC prompt.

image

The top setting is the absolutely most secure, and is how UAC worked in Windows Vista.  It will notify you whenever any change is made to your computer, including changing any Windows settings.

image

The step down from the Windows 7 default settings is similar to the default settings in Windows 7, but will not dim the desktop when a UAC prompt comes up.  This may make your system less secure, as some malicious programs could automatically approve the UAC prompt when it is in this mode.

image

Or, if you wish to never see a UAC prompt, you can select the lowest setting.  This leaves your system settings similar to Windows XP, which never prompts when any changes are made or programs are installed.  We do not recommend this setting, but it is available if you want it.  If you do choose to turn off UAC, the changes will not take place until you have restarted your computer.

image

Conclusion

In our opinion, UAC is one of the best features in Windows Vista and 7 as it can keep your computer much more secure than it was in Windows XP and older versions.  UAC is also much less annoying in Windows 7, and you can adjust it to exactly the level of security you need.

Further reading:

Disable UAC in Windows Vista

Info about UAC from the Engineering Windows 7 Blog

Matthew digs up tasty bytes about Windows, Virtualization, and the cloud, and serves them up for all to enjoy!

  • Published 03/1/10

Comments (14)

  1. HugoHilter

    “….and you can adjust it to exactly the level of security you need.” I have adjust – to “off”. One minute, after i install Win 7.

    When there is no possibility, some programs (for example TuneUp Utilities) to get on a “White List” – the UAC is not acceptable for me. Without any questions. That is MY computer, i am the owner – not Microsoft. And i use all off my computers only by myself.

    By the way: the notifications in Mac OS X (i use an iMac with Snow Leopard too) are a little bit more discreetly…

  2. Ron

    Sorry, no sale. UAC is nothing more than a nagging little sister always ready to tell Dad you’re playing with the computer. The “security” feature of UAC is lost on me. It is the first thing I disable on a clean install.

    If Windows truly wants to protect the OS from negligent operation a more Unix-type system would be the ideal in which the user account does not have root/Administrator privileges unless a password is entered, and then ONLY when something critical will affect the registry.

    I’m not a Gates-hater nor do I think Microsoft is evil. But Windows is not the best OS out there even if Win 7 is step in the right direction. When it comes to security, Microsoft cares about one issue and one issue only: Making sure your copy of Windows is genuine and thus, making easy clean installs over OEM systems a damn nightmare. Microsoft checks my copy all the time. It’s ridiculous.

    I wish Microsoft would put as much effort in true security and vulnerability patching as they do making sure I’m not using a bootleg copy of Windows.

  3. Mark Thomas

    HugoHilter, you may want to think twice before you disable UAC. Just this week I saw a trojan with a rootkit payload slip past the installed antivirus software, and the only thing preventing it from spreading was UAC. In fact, Microsoft crippled UAC in Windows 7 so that malware can actually turn it of (?!?!?!) but the user is still notified immediately when this happens. That’s how we caught it and stopped it.

    Windows XP’s security settings were terrible. There is no reason to open that kind of security hole just to avoid a few minor dialog windows every now and then…unless you like cleaning viruses and reinstalling operating systems.

  4. StoneCut

    Anyone who disables UAC probably hasn’t understood the mechanism and how much it protects you and others in your network.

  5. HugoHilter

    @Mark Thomas:

    I´m not God – i don´t have the absolutely truth/knowledge. I have only an opinion – right or wrong – but it´s my opinion. I don´t say to another person: “You must disable your UAC!”

    A little bit risk is always…but i think the risk fore my nerves with UAC is bigger…

  6. calebstein

    First thing I do with a computer: disable UAC for administrators with the registry editor.

  7. whiplash55

    Seems stupid to turn off UAC, I seldom see it, and it can save you, as it did me the other day just by following an innocent result in a Google search about Cross Country’s skis. Not the type of subject that many would consider risky, but compromised web servers are everywhere.
    XP is a lousy operating system. It wasn’t secure when it launched and it isn’t now.

  8. John Mack

    Win XP would be perfect if it had UAC like Win 7. Fast, stable, compatible and ubiquitous.

  9. HydroKirby

    I’m a major fan of the UAC. When I first got Windows 7, the first thing I did was maximized UAC’s touchiness and made a Standard user which I use for 99.99% of my tasks. My one and only gripe is that UAC tends to make confusing problems when activated. Putting my admin account’s password into UAC makes a program run as though the admin *user* ran it. So Winamp may think it was run for the first time or something like that. That could be a pain if all my settings are in my standard account but I need to run as an admin (for example, FreeCommander needing to see certain folders).

    I discovered that I could alleviate this problem by going up to the program’s properties and giving it security clearance (the standard user running it typically only had rights to Read). This bypasses the need to call UAC and therefore the dual preferences problem.

    Also, the preferences are typically in the AppData folder, so you could synchronize the settings between accounts by throwing around the files from there if you wished.

  10. Monkey Coder

    Developing with UAC is just too bothersome, the restricted permissions don’t consider developers. Microsoft Visual Studio is a good example of one such caveat [http://msdn.microsoft.com/en-us/library/ms165100(VS.80).aspx]

    UAC is a hacked patch to cover the holes left by legacy design, and I truly wish they thought of a better solution back when they built the NT kernel, it’s pretty much beyond repair IMHO.

    For the average “power user” I suppose it will do.

  11. Brildoctor

    I turned UAC off and use spybots residant function

  12. Starshooter

    IF they(MS) provided a way for me to choose which applications I don’t want to be included in the UAC check (EVERY TIME I LOAD THE APP) if the application doesn’t have a known publisher or some other reason of my choosing, then I’d be happy..

  13. Wingnut

    Hi gang! I agree wholeheartedly with Starshooter. For example… MS Train SImulator. I’ve taken ownership, I’ve tried launching as admin, and I’ve tried praying. WHY does it keep bothering me with that stupid UAC prompt at sim-launch? Allow ME to pick which programs use it and which don’t… PLEASE! UAC is VERY annoying.

    MS, use your intrusive middle-of-the-night updating system to fix THAT if you would. Thank you. Well said, Starshooter.

  14. george

    NICE TREATISE ON UAG, BUT DOESN.T SOLVE THE PROBLEM.
    I WOULDN;T DISABLE UAC BASED ON PRIOR EXPERIENCE.
    TRIED EVERYTHING – RAN UNDER EVERY OS (COMPATABILITY),
    READ ONLY IS OFF.

    ANY IDEAS?.

Enter Your Email Here to Get Access for Free:

Go check your email!