The Windows 7 UAC Slider, and What You Can Do on Windows Vista Today

As I am focusing more and more on Windows 7, I find that blogging now begins with web searching, to make sure that what I’m talking about is already publicly disclosed and, as such, I’m not putting my job at risk. :-)

I want to go into a bit of detail on UAC configuration, what’s changing in Windows 7, and what’s available today. Because, in my experience, there are a lot of people who don’t fully understand how to configure UAC as it exists in Windows Vista – probably because we haven’t spent enough time talking about it.

PC Magazine (oh, how I’m going to miss the dead tree edition of that magazine) was kind enough to already show you what I want to talk about in its article here:,2817,2335122,00.asp. So, let’s have a second look at the new UI for UAC in Windows 7, as it exists today (this is not a commitment that it will never change, that it’s a good idea, or that you won’t experience premature hair loss from viewing the picture – all the regular disclaimers for pre-release software apply):

UAC Settings

Now, my friend Crispin would prefer a different UI metaphor than a slider – he’d like to see a pair of pants – the further down you pull the slider, the further down your pants are while you’re computing. I actually think that’s a really good analogy. Let’s look at each of these settings, talk about what you can (and can’t) do on Windows Vista today, and then add some commentary on the consequences of making that choice.

Always Notify Me

This is UAC configured the way you get it on Windows Vista today. This one should be very familiar.

Notify me only when programs try to make changes to my computer

This one is genuinely new for Windows 7, and essentially will auto-approve elevation when performing some actions to modify system state. I won’t get into the mechanics of exactly what we’re doing, because it’s neither final nor am I currently authoritative on all of the details behind the logic here. My goal here is to explain what you could do today, anyway.

Notify me only when programs try to make changes to my computer (do not dim my desktop)

Well, half of this (as discussed above) is new stuff, but the other half (the half in parentheses) is available for you on Windows Vista: not dimming the desktop. That’s something you can configure today. In group policy, under Windows Settings \ Security Settings \ Local Policies \ Security Options, you’ll find an entry called User Account Control: Switch to the secure desktop when prompting for elevation. Change that policy to disabled, and you have that half of the configuration.

Why do we default to switching to the secure desktop? Defense in depth. Message queues don’t have security descriptors. Of course, User Interface Privilege Isolation should help keep less trusted messages from getting to the approval dialog (consent.exe runs with System IL), but it’s even better to get to a separate desktop since the boundary of a window message is the desktop.

You see, today Windows doesn’t have what some call “Authentic User Gestures” – the ability to differentiate between a real user clicking a mouse button which gets translated into a window message to click the button, and an application sending a window message to pretend that somebody clicked it. To the receiving application, they both look exactly the same. So we build up mechanisms like this. While elevation is not technically a security boundary, it should at least do a reasonably good job of looking after you.

When do I see people configuring this policy? Well, there were some drivers early on that had a really hard time with the transition to the secure desktop (I haven’t seen this in a while). And otherwise, I see people configure this temporarily to make it easier to grab a screenshot of the dialog box. (Of course, if you want to make it look more realistic, you should change the theme to the basic theme first, since the secure desktop doesn’t have glass.)

Never notify me

This is the off switch that you have in Windows Vista. This is bad for all the same reasons that it’s bad in Windows Vista.

So, what’s really new is the “windows settings” categorization. But wait, there’s more! This slider still doesn’t expose two settings which are very interesting to know about!

In the “Behavior of the elevation prompt for …” settings you have:

(For local administrators) Elevate without prompting

This is the setting for people who never, ever want to see a prompt, but don’t want to lose out on the value of UAC. You keep things like Internet Explorer in Protected Mode, AXIS for your standard users, UAC file and registry virtualization, and all kinds of other useful stuff – and, oh yeah, the fact that the overwhelming majority of software testing is done in the default configuration (enabled). If you’re hell-bent on disabling UAC, could I talk you into giving this setting a try?

(For standard users) Automatically deny elevation requests

This is the setting for people who disable UAC for their standard users because they don’t want them seeing a credential prompt, since their users won’t have credentials and, in the enterprise, that just means it’s going to cost more to run the helpdesk. You don’t have to disable UAC and lose all of its benefits, you just need to tweak this policy.
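The policies named in this post are stored as registry values, so a machine's effective UAC configuration can be checked without opening the policy editor. The read-only PowerShell below is an added example, not code from the original post; it assumes the standard backing values (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the helper names Get-UacPolicyValue and Get-UacSettingText are hypothetical.

```powershell
# Added example: read-only audit of the UAC policy values discussed in the post.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Names  = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
          'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop'

# Only the values the post talks about are given a meaning here.
$Meaning = @{
    EnableLUA                  = @{ 0 = 'UAC is off'; 1 = 'UAC is on' }
    ConsentPromptBehaviorAdmin = @{ 0 = 'administrators elevate without prompting' }
    ConsentPromptBehaviorUser  = @{ 0 = 'standard users: elevation requests automatically denied' }
    PromptOnSecureDesktop      = @{ 0 = 'prompt shown on the user desktop (no dimming)'
                                    1 = 'prompt shown on the secure desktop' }
}

# Hypothetical helper: returns $null when the value is not present.
function Get-UacPolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hypothetical helper: one line of text per policy value.
function Get-UacSettingText {
    param([string]$Name, $Value)
    if ($null -eq $Value) { return "$Name is not set (OS default applies)" }
    $known = $Meaning[$Name]
    if ($known.ContainsKey([int]$Value)) {
        return ('{0} = {1}: {2}' -f $Name, $Value, $known[[int]$Value])
    }
    return ('{0} = {1}: a prompting mode' -f $Name, $Value)
}

$v = @{}
foreach ($n in $Names) {
    $v[$n] = Get-UacPolicyValue -Name $n
    Get-UacSettingText -Name $n -Value $v[$n]
}

# "UAC off" and "UAC on but silent" are different states.
if ($v['EnableLUA'] -eq 0) {
    'Summary: UAC disabled. Protected Mode IE and file/registry virtualization are lost.'
} elseif ($v['ConsentPromptBehaviorAdmin'] -eq 0 -and $v['ConsentPromptBehaviorUser'] -eq 0) {
    'Summary: UAC enabled with no prompts for administrators or standard users.'
} else {
    'Summary: UAC enabled; at least one account type still gets a prompt.'
}
```

Run across a fleet, the summary line separates machines where UAC was switched off outright from those that only had prompting suppressed.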

Personally, I’d like to see an additional notch in the slider that uses these settings – leaving UAC on but getting rid of all notifications. Perhaps even hiding the “off” switch a bit, because in my travels, this is the setting that gives the best overall experience for people who hate prompts passionately. But alas, it’s not my decision to make.

By the way, here is the e7 post on UAC:

Comments (6)

  1. Eric says:

    Great information. Interesting note about the driver issues – in fact, the Intel drivers on my work desktop *still* have problems to this day – about 5% of the time my secondary monitor will shutoff when a UAC dialog comes up and refuse to come back.

    Fortunately I was able to leave UAC (mostly) on by manipulating the secure desktop setting.

    Any idea why secure desktop quickly turns off and on display (LCD panels, etc) when switching modes? Driver issue, or by design?

  2. cjacks says:

    Hi Eric,

    I can’t really say much without a kernel debugger and a whole lot of time. When you are going to the secure desktop and you have DWM enabled, you’re moving from rendering Direct3D9 surfaces to using just a 2D surface. Some drivers have been known not to do this switch … elegantly … including sending the monitor a signal to switch to an invalid mode.

    Are there no more current drivers available?

    Also, out of sheer curiosity (I honestly don’t know the answer) – does it still happen if you set the theme to Vista Basic so you don’t have to go from a DWM rendered desktop to a non-DWM rendered desktop? Since I don’t have drivers that have a problem, I can’t just play around with that here…



  3. Mark Sowul says:

    I had a similar issue with ATI FireGL drivers.  It would only do it with my second monitor, but it would take a good 5 seconds because the monitor would go to standby and back on.  It was just the cheapo one that came with my workstation so I ended up getting a newer nVidia card, and that was that.

    But!  Fast user switching still totally fubars anything on my second monitor.  This is with both video cards.  Doesn’t really happen on my home machine though (different dual monitors; different video card but still nVidia).  Sigh.

  4. says:

    Isn’t "Elevate without prompting" available today on Vista with TweakUAC?

  5. cjacks says:


    I don’t know TweakUAC specifically, but the capability is there in Windows Vista today via group policy. It wouldn’t be hard for somebody to configure that policy. That was the point of my post – that there are more options today on Windows Vista than just the on/off we have in the control panel.


  6. Eric says:

    > Some drivers have been known not to do this
    > switch … elegantly … including sending
    > the monitor a signal to switch to an invalid
    > mode.

    Ahhhh, that makes a lot of sense!

    > Are there no more current drivers available?

    Unfortunately, no – running the latest. I think the workstation is running Intel’s Q965 chipset – one of the first ones they made that supported Aero. I’ve also had a fun issue where installing some patches (and things like IE8) will shut off the drivers with a "drivers are not compatible with this version of Windows."

    If I turn Secure Desktop on and turn off DWM, my LCD panels stay active the entire time – a brief flash of black, but no video mode change.

    I can’t say it enough – I’m a huge fan of UAC. I used to have to fight and fight to make "standard user compatibility" a priority here and no-one took it seriously until Vista. It’s definitely working as intended! :-D