Make User Account Control (UAC) Stop Blacking Out the Screen in Windows Vista
In Windows Vista, the screen goes dark when the User Account Control window comes up, which is extremely annoying. They call it the "Secure Desktop", but I think it's obnoxious.
Note that this will make your system less secure before proceeding.
Update: Windows Vista Home users should use the registry patch at the bottom of the article instead.
Windows Vista Business/Ultimate Users
To get to the configuration screen for this, type in security to the start menu search box. You should see the Local Security Policy as the top search item.
In the Local Security Policy window, browse down to Local Policies \ Security Options
Over in the right hand part of the window, scroll down near the bottom and find the item titled "User Account Control: Switch to the secure desktop when prompting for elevation" Double-click on the item, change it to disabled and then click OK.
Windows Vista Home Users
For Windows Home users, you will need to open up regedit via the start menu search box. Browse down to this registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Right-click in the right-hand pane and create a new 32-bit DWORD value called PromptOnSecureDesktop, setting the value to 0.
(Rant about security)
You can see by the large number of comments that this article is controversial. It's true, disabling security features will always make your system less secure, and you should strongly consider the consequences before you make any change like this.
Making the change discussed in this article will give somebody the ability to "hijack" the UAC dialog… Of course, that would mean they already got spyware or virusware on your computer. Seems to me that if they already got that far, to where they have an application running on your system… that they could pretty much do anything they wanted to anyway. All of the files that you care about would be owned by your local user account, so they could get into anything they want at that point.
You should also note that if you are not logged in as an "Administrative" user account, then this change will still result in the password dialog, which couldn't be quite as easily hacked. You aren't using the administrator account if you are worried about security are you?
I should finally mention that if you are really that worried about security, you can always switch to Ubuntu Linux. The "UAC" mode in linux is much simpler, especially in Ubuntu. You are only prompted for your password the first time you try to make a system change, and then it doesn't ask you again for a few minutes, as opposed to every single administrative function you click in Windows Vista. It's a pity they don't bundle linux with virtualization of Windows.
'They call it the “Secure Desktop”, but I think it’s obnoxious.'
It is called that way for a reason. While a window is on the secure desktop, applications cannot interfere with it. With the secure desktop turned off, they can (and for instance a piece of malware could send an event to the window, making it believe the "Continue" button was clicked by you when it really shouldn't have).
I have Outlook 2002 and went over the maximum data storage amount. This closed that .pst file and now I can not run scan.pst to fix or WORSE can not merge it into Outlook 2007 due to error. If anyone could help me unlock all my e-mail, repair the error and then merge it into my new outlook 2007 I'd be so grateful. Plus is there anyway to increase automatically the Outlook box size so this never happens again?
"Note: This does make your system slightly less secure, so be warned."
Be clear to your readers. What this does is make it so the UAC dialog can be interfered with (accepted without your knwoledge) by another application, including a malicious one that triggered UAC by needing Administrator-level rights.
This is not accurate. The blacked-out screen is called a secure desktop. Other applications or processes can't send anything to the UAC prompt when it's in secure desktop mode. If you disable secure desktop, you are vulnerable to anything that wants to send an "invoke continue button" to the UAC dialog.
You might consider revising your post.
They don't call it Secure Desktop for no reason. Using Secure Desktop prevents other applications from spoofing the UAC prompt window.
All you have done here is encourage users to get owned by shatter attacks. The same way that shatter attacks can easily own Linux or Apple su dialogs.
Updating your post with some warnings about your steps, as well as providing some information on what this all about, would be a good idea.
Please do NOT do this! This is not just disabling the cosmetic black screen. Windows allows one program to send messages to another. Secure desktop temporarily prevents these messages from going through. If you disable it, then virus and malware can send a "click" message to the secure prompt dialog, which basically means they can do the honor of clicking OK for you. In other words, this is as good as turning off your security altogether.
Won't this allow malicious programs to send a "continue" signal to the dialog box, thus defeating the purpose of UAC?
Thank you very much. Love it.
I agree, this makes the system less secure.
This article is about giving you the option to change the behavior if you so choose.
Get a Mac.
@Sara - look here http://support.microsoft.com/?kbid=296088
@tib - if people wanted a mac they would have bought one. go back to playing pong or whatever the latest game on the mac is.
Sure it makes it less secure. However, anyone who actually does this probably isnt a novice. Most likely power users will shut this off as it is freaking annoying and I have complete control over what comes into this machine and leaves it. So as the others say dont do this 'patch' unless you know what you are doing already!
I ended up returning Vista and had the computer shop reinstall Windows Vista. It just doesn't work right for me. Thank you for these articles, though!
I really hope Microsoft takes care of this on their own in a future service pack or update.
Slightly less secure?
By doing this, you may as well just switch UAC off!
I was looking for a way of doing just that. Thanks a bunch.
Adam:
Ah, but turning UAC of is not the same, as it prevents you from doing some things (try installing the latest acrobat reader without UAC).
The black screen is horrible, distracting and uncomfortable, MS should find a better way to do this. In the mean while the likes of me that don't get malware installed (usually) are just plain irritated by this screen, so,
GEEK: thank you.
You've GOT to be kidding. You want to make your computer less secure because you don't like the visual effects associated with it? And not only that, you're telling OTHER people to compromise their own security just for the visual effect.
When windows displays a security dialog, it places the dialog on a separate desktop so that programs can't take control of your computer away from you. When a new desktop shows up, the old desktop is greyed out to show you that it's inactive. THAT's why the screen goes dark.
What you're suggesting is putting security-related windows on the standard desktop, which means that any program running on your computer can assume administrative rights without your intervention.
Really, that's just plain stupid. You're just asking to get hacked.
@Tyler:
You call this screen blanking event a "visual effect?!" Surely you are joking. If the way you describe it is accurate, why don't they use the Aero interface to smoothly grey out the screen? THEN I might consider it a "visual effect." If they want to get _really_ slick, they should blur the current background and present the Secure Desktop on top of the blurred general desktop. I don't think that is what is happening though.
It seems to me more as though they are changing the mode of the graphics driver. Sometimes when I have the Secure Desktop switch, I get a notification bubble suggesting that the graphics driver has stopped working, but has recovered.
I actually am pretty annoyed by this whole Secure Desktop blank screen issue, and hope the MS team can find a more elegant solution soon.
What's annoying about the secure desktop is not that it blacks out the rest of the desktop, but that it temporarily disables aero. The flicker is annoying and takes an extra two seconds.
"The “UAC” mode in linux is much simpler, especially in Ubuntu. You are only prompted for your password the first time you try to make a system change, and then it doesn’t ask you again for a few minutes, as opposed to every single administrative function you click in Windows Vista."
This is incorrect. Vista does carry _root sessions. I've witnessed this many times were I was able to make an administrative action (which triggered UAC), then make subsequent actions 9which otherwise would trigger UAC) without re-triggering UAC.
George,
The UAC mode does not "save" in Vista. What is happening is that the application that you first ran in admin mode is launching the other applications, which will then run in admin mode as well, because they are being opened by that process.
If you were to go to a completely different screen, you would still be prompted.
I noticed that when you log in to Vista remotely (with RDP), the UAC prompts open in the secure desktop as normal, but WITHOUT taking a screenshot of your desktop.
Obviously this helps speed things up over the network connection, but it also effectively removes the “flashing black screen”, since the whole snapshot piece is removed from the equation.
So my question is… how do we turn of the “snapshot” “feature” and just make it use regular secure desktop (with no background)? This would keep security tight, but help to remove the infuriating flickering…
Any ideas anyone?
What Richiepoo said is spot on. If they did what he said below I would be so much happier
"why don’t they use the Aero interface to smoothly grey out the screen? THEN I might consider it a “visual effect.” If they want to get _really_ slick, they should blur the current background and present the Secure Desktop on top of the blurred general desktop."
Linux implementation is unsafe because it leave open the entire session during elevation
Linux implementation is unsafe because it leaves opened the entire session during elevation
What makes this useful is the fact that Secure Windows has a tendency to cause programs that use DirectX and other like assistants to error and shut down.
It's a great safety feature, but if every time someone tries to run a program, and then have to quit said program to simply open up a new one, then it's doing more harm than help for most.
And then if you're stuck in a situation where you wish to use 2 programs that require DX, then you're really in a pickle. One at a time only, I'm afraid. Or at least, if you don't tweak it yourself.
I want the UAC Secure Desktop prompt, but without the screen darkening! The prompt "Windows requires your permission to continue" is OK. I can live with that. But I can't stand the dark background. It is intolerable. Why?
When I dismiss the prompt quickly, what I have to endure is a violent flash from the screen as its brightness plunges briefly and then brightens up again. It messes with my eyes because the sudden brightness change it makes my pupils dilate and then shrink again. It is like a strobe light in reverse and it is horrible. It gives me a headache. Even if I close my eyes the brightness change is still bothersome. Please, there must be a way to keep the UAC prompt and its functionality but stop it from messing with the screen.
Phil,
I could not agree with you more… it's so irritating. There's also a delay of about 3-5 seconds on my machine for some reason while the screen flickers in and out.
This is the only way to keep the prompt but turn off the flashing… unless MS decides to fix this problem.
I think what I'm reading is that the blacking out of the screen isn't the issue, and even the UAC dialog being in Aero Basic isn't the issue, but the "flashing" or "3-5 second delay" or "flickering" is the issue.
I think the issue then is that you need a newer graphics card or newer drivers.
I don't have any of those issues on my laptop, it's pretty much instant.
Get a MAC!!!
Yes Kearns, this damn flickering is the issue. But what I don't understand is why this happen only in secure desktop or (in my case) windows logon. I have the Mobile Intel® 945GM Express Chipset with the lastest drivers (ver 15.4.3, date 6/6/07).
I just thought I would add my two penneth worth, I agree that if it is not able to be hacked, we wish, it is a good idea but I dislike the way that vista does the UAC, it is slow and annoying. It is a good security measure destroyed by a corporate idea that you need to have more security and lets make it obvious, I wonder how many MS engineers leave it on.
Why can't I run some of my programs bypassing the check using the user id I choose (sudo). If I don’t want security in some programs then that is my choice. Thanks for this hack it is less annoying than disabling the UAC and getting the security warning.
I'm not an expert and I don't really understand computers. All I can say is that the rubbish that Vista is doing will result in LESS security because it is SO annoying that the average person will probably not want it. Vista takes AGES to do anything and the black screen is ridiculous. If I want to delete a bloody shortcut on the start up menu it comes up. I have to turn off my firewall because it wont let me download music LEGALLY through itunes. The protected internet won't let me watch BBC Question Time online!! It is STUPID!! And (worst) if any web pages run slightly slow (which some do because of stupid vista) it closes them ALL - HOW DO I STOP THIS HAPPENING??? Serious question - everything on my comp is backed up (and most is on email) so who cares if my computer is hacked? How can it possibly be more hassle than dealing with well meaning security features?
If people want to change the way Vista works, they should be able too. This is what makes open source software so great if you want to remove,modify something you should be able too. Not go with what the author of the program thinks is what the user needs/wants. Nothing is 100% secure and never will be. Having a program prompt you 3-4 times is not my idea of secure, if i open up group policy, then open up another program which requires admin privs UAC should remember it, also Linux allows one to bypass the password prompt when using sudo, which many could say is a security issue why, if someone hacks my user account gets auto root access. It's the same with UAC it's the admin's issue to disable it or not.
The problem I had with this is that when it comes up OUT of the secure desktop mode it does not restore the graphics display driver settings correctly. Thus if you are in extended screen mode it forgets about the second screen. Or if you have a the screen rotated 90 degrees from the default (I have a convertible tablet) it forgets that. The blinking of the screen is annoying, but not worth turning off the security. The fact that it doesn't restore to the previous state is a bug, and should be fixed.
Oh dear oh dear….
All i hear is a bunch of cry babies..
"oohhh it makes your systems vulnerable to attacks!"
"Applications can force a 'continue' on the 'secure desktop'"
"Your wrong!..your wrong! It's not a visual effect!"
"makes your system vulnerable to attacks"
Of course it does…
So does not installing anti-virus software…so does not turning on your firewall…so does not using some malware protection software…
Whats the big deal about UAC then? If it's such a 'necessity' then why does it even give you the option of switching it off in control panel? The same reason it's optional to install and use anti-virus/malware/firewall software….OPTIONAL
Heres a scenario for you, you want to drive to the shop…how:
Put key in car door, unlock the car, switch on ignition…perform usual tasks to drive
Now heres the same scenarion with UAC
Put key in car door, answer the car back by saying i am the boss let me put the key in now, car hesitates asks you one more time while the lights go out, tell it your the boss again, car hesitates lights go on key goes in the door.
Unlock door, answer the car back by saying you are the boss open the god damn door, car hesitates asks you one more time while the lights go out, (damn those lights gotta change the bulb, i'll get one at the shop whenever the hell i get there), tell it one more time you are the boss, car hesitates lights go on door unlocks.
Switch on ignition…
you get the picture…it adds further steps to the simplest tasks.
"Applications can force a 'continue' on the 'secure desktop'"
That is also very true…but again, whats the problem? Any application that requires confirmation from the 'secure desktop' is obviously already on the machine, or wants on your machine…Any application that is already on my machine has been put there by windows or myself, i know this because i am an experienced windows user who takes a lot of care with my system. I am also at peace of mind that my anti-virus/malware/firewall software will pick up any unwanted .dll, or the like, registering on my computer.So any application that needs my confirmation for something will be one that i have installed for a reason…
Reply back with…yeah but anti-virus/malware software etc etc doesn't always work you might still get a virus that does something and because UAC is off your not protected…blah blah…No..i have never once had a virus that i did not put on my computer voluntarily, meaning i downloaded a bad zip etc and got infected…those were the days when i didn't bother with antivirus software…i do now and i have never had a virus on my machine since. They have always been stoppedbefore they were put on.
"Your wrong!..your wrong! It's not a visual effect!"
I dont care…it flashes the screen black then transparent black, then flashes black when it returns to normal…it almost feels like a gunshot going off…BOOOOM!! CONTINUE!! BOOOOM!! Thats enough a visual effect as it needs to be…
My last comments…
I just want to finally say that it really is a pain in the ass…People who have been using computers for years…(i would hope) know how to keep their computer neat and tidy…and secure. They know that when they go into 'Program Files' and Create a new folder…they really do just want to create a folder, no hassle…with UAC…everytime you create a folder it's an episode, Yes i do want to create the folder….'you sure?' god damn…yes…'okay theres your folder'…fine but whats the folder called? 'New Folder' well thats bullshit, i need to change the name…popup…'you sure? God damn! Thats the point when it should stop…but no…one more, just for fun.
So how many popups to create a folder you want? 4………what an ass
"You call this screen blanking event a "visual effect?!" Surely you are joking. If the way you describe it is accurate, why don't they use the Aero interface to smoothly grey out the screen? THEN I might consider it a "visual effect." If they want to get _really_ slick, they should blur the current background and present the Secure Desktop on top of the blurred general desktop. I don't think that is what is happening though.
It seems to me more as though they are changing the mode of the graphics driver. Sometimes when I have the Secure Desktop switch, I get a notification bubble suggesting that the graphics driver has stopped working, but has recovered.
I actually am pretty annoyed by this whole Secure Desktop blank screen issue, and hope the MS team can find a more elegant solution soon. "
Graphics driver errors popping up too?….and your not going to disable UAC??
man your way more patient that i am…UAC is clearly a bigger ass to you that it is to me.
Wow that was easy and sure stopped something that really bugged me.
Thank You "Muchly"
Cuggie
It has been said earlier on in the comments that the Gksu and Kdesu dialogs in Linux can be "smashed" by malicious programs. This is completely false. One, the gksu and kdesu dialogs require your password. Secondly, I know for a fact that gksu will warn you if another program seems to have control over the keyboard or mouse (on a slow enough computer, if you launch a program with gksu and then focus a terminal window at exactly the right moment, you can generate a false alarm).
See the manual page for gksu for more information on how to temporarily disable the keyboard and mouse locking warning.
my main problem is on vistas control panel it says your systems administrater has disabled the launching of the display control panel so I cant have a desktop Help. anne
No offense but, turning off the secure desktop prompt isn't turning off UAC. All the user permissions and virtualization still take place, so it's still hard to mess things up or, God forbid, get "h@cked".
Anyways it doesnt' matter how many "security" measures you put into place, how secure your computer is depends 100% on the end-user. The end users that really f*ck their computers up doing things that no one with common sense would do will still manage to mess a system up. MS is trying to babysit for regular users(which is really hard but you can't blame them for trying), but lets power users control their environment, such as turning off secure desktop prompting, amongst other things.
You want proof? I've run my home systems with just my basic firewall on my lynksys home router, no windows firewall, no antivirus on my main windows account(AVG Home run for some of my accounts) and I've used this comptuer for regular web browsing, gaming, email etc. It's runs amazing because it's not being killed by 100 processes that get installed everytime i download stuff. Don't go to p0rn warez sites, don't use peer to peer software and gambling sites. I never have had a problem, and I've had this setup for over 3 years.
Just scan what you don't trust, don't install what you don't know, clean up your startup(regiustry included) once in a while, spyware scan once in a while… companies make money on publishing fear and hack stories, which result is your computer run at half performance, but your no safer.
.
The easiest thing would have been to to be able to put a checkmark on the program the first time you run/install it to either giving it permission or NOT. It ticks me off that certain programs (because they are non-MSFT) have to get permission EVERY time you run it due to UAC
hehe, looks like 70% of the first posts were MS employees
They blank screen reminds me of the old Timex Sinclair.
I'm amazed that people consider this silly screen blanking to be a good thing.
I turn this off, and if I accidentally install a program that contains a virus, my avast antivirus goes off the deep end anyway.
I cannot believe the people on here who are apologizing for Microsoft for this one. I just got my first Vista computer yesterday and I am already at the breaking point… there are SIX (count 'em, SIX) confirmations required to create & rename a new folder in Program Files and copy a program into the new folder.
Dear Microsoft: If you make your security measures annoying and hard to live with, people will just turn them off. It's like an automatically locking door that keeps locking people out. Pretty soon somebody is going to stick a piece of wood in the door and prop it open… and there goes your security! If you want people to adopt a security measure, it can't be annoying!!
…and don't even get me STARTED on the Office 2007 UI… hfkaw;lgbnaws.xbnas.nasf… Why am I still dealing with Microsoft stupidity in 2008?!?!
Thank you for this page!
The thing about this is the simple fact that MS chose the black screen effect (an effect of my hardware to handle this malware protection) instead of just addressing the malware protection otherwise and quit being hard on my eyes and hardware. I like Vista but MS needs to learn from Sysinternals about how they could make the UAC worth using for their clients. The UAC is a very complex system to understand for the regular user, but completely user unfriendly. It is all or nothing and no choices for the user or administrator to set things specifically for their chosen applications. No one needs prompted 2 to 3 times from an icon they clicked on their desktop multiple times a day. Basic freshman or High School Psychology knows repetition is something humans hate, let alone repeating themselves. We built PC's to handle these repetitive tasks for us, not to feed them back to ourselves!
Thank you very, very much for posting this article, it helped a lot of people, including my brother. He sends his regards.
And in response to the people who wet themselves at the thought of disabling the UAC, well, it shouldn't be the only protection you've got on your computer in the first place. But, you know, God forbid you don't have ten confirmation requests every time you want to open a folder! Turn UAC back on this very instant~*~*~!
Even Bill turned off his UAC. Thanks for the tip. The pros/cons chit-chat was enlightening. Just let the reader decide based on what they can risk or not. For me, I just made my Vista less annoying
The problem with the UAC black screen is worse when watching videos or something within Windows media centre - it stops the playback during and for a few second after the UAC prompt - very annoying if you miss something important! Great article for people who use applications that trigger then UAC!
Thank you for this . Heres why I had to do it .
I use a Wacom tablet and also run ZoneAlarm .
Anything that prompted this from ZoneAlarm or whatever meant
my tablet would not work on my laptop. I would then have to go to
my mousepad on the laptop which I hate using and click continue.
The last time I had to deal with this was after running regedit and then not being
able to use my tablet to say OK to get to the registry. Now after adding the 0 for the
value and closing I quickly went back to check out going to regedit and voila , I could say
yes to it with the tablet . Thanks. what a headache that was becoming.
Interesting debate over this, but I'm with the 'power user' approach to this.
I too have had a home desktop for about 3 years now. I've never reformatted (i know I prolly should), never had a firewall on it, had it through Uni - so it's been on some dodgy networks and leeched connections in it's time. I do run Spybot and AdAware every couple of months or so and it always manages to find something (I'm thinking it's thanks to facebook personally) - but nothing really bad. I have NEVER had a virus play havok on any machine I've owned (had one or two thanks to bad downloads but AVG vaulted them before I knew the download had finished), and I've always operated under the same general system setup.
If you're the type of person that when your computer plays up grabs the phone and calls your child/colleague/parent/neighbour then please god leave this thing switched on! If on the other hand you can generally fix your machine whatever comes accross - be that with prior knowledge or an understanding of the power of google, then switch this off if you want to reduce your daily click count and save your mouse from dying earlier than it should.
Those who have the power and the confidence: Save a mouse, turn off UAC
Load SUPERAntiSpyware and check for updates then scan PC. I have used this software to correct other problems.
The problem with the UAC black screen can be turned off separately without turning UAC off.
Now it does not disturb my DVB Tuner (TV) - Big releif! The blackening out really bugged me.
It is done under "adminstrative tools" (Ultimate)
- "Local security policies"
- "security options"
- "User Account Control: Switch to the secure desktop when prompting for elevation" set 'disable'
(it is near the bottom)
This can be done in registry for Vista home
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Right-click in the right-hand pane and create a new 32-bit DWORD value called PromptOnSecureDesktop, setting the value to 0.
To those who complains that UAC appears when creating a folder in Program Files, I want to ask, WHAT ARE YOU DOING? UAC prompts when doing just that is common. Program Files is not where you put your files, that where your Documents is for. If you have your own executables, put them on the Application Data folder under your Users directory (the way utorrent correctly did). You have no reason to manually put files of any kind in Program Files. Misusing that folder and then blame UAC for doing its job is moronic and show how n00b you can be.