User Account Control

We promised that this blog would provide a view of Engineering Windows 7 and that means that we would cover the full range of topics—from performance to user interface, technical and non-technical topics, and of course easy topics and controversial topics. This post is about User Account Control. Our author is Ben Fathi, vice president for core OS development. UAC is a feature that crosses many aspects of the Windows architecture—security, accounts, user interface, design, and so on—so we had several other members of the team contribute to the post.

We continue to value the discussion that the posts seem to inspire—we are betting (not literally of course) that this post will bring out comments from even the most reserved of our readers.  Let’s keep the comments constructive and on-topic for this one.

FWIW, the server employs some throttles on comments that aim to reduce spam.  We don’t control this and have all the “unmoderated” options checked.  I can’t publish the spam protection rules since that sort of defeats the purpose (and I don’t know them).  However, I apologize if your comment doesn’t make it through.  --Steven

User Account Control (UAC) is, arguably, one of the most controversial features in Windows Vista. Why did Microsoft add all those popups to Windows? Does it actually improve security? Doesn’t everyone just click “continue”? Has anyone in Redmond heard the feedback from users and reviewers? Has anyone seen a TV commercial about this feature?

In the course of working on Windows 7 we have taken a hard look at UAC – examining customer feedback, volumes of data, the software ecosystem, and Windows itself. Let’s start by looking at why UAC came to be and our approach in Vista.

The Why of UAC

Technical details aside, UAC is really about informing you before any “system-level” change is made to your computer, thus enabling you to be in control of your system. An “unwanted change” can be malicious, such as a virus turning off the firewall or a rootkit stealthily taking over the machine. However an “unwanted change” can also be actions from people who have limited privileges, such as a child trying to bypass Parental Controls on the family computer or an employee installing prohibited software on a work computer. Windows NT has always supported multiple user account types – one of which is the “standard user,” which does not have the administrative privileges necessary to make changes like these. Enterprises can (and commonly do) supply most employees with a standard user account while providing a few IT pros administrative privileges. A standard user can’t make system level changes, even accidentally, by going to a malicious website or installing the wrong program. Controlling the changes most people can make to the computer reduces help desk calls and the overall Total Cost of Ownership (TCO) to the company. At home, a parent can create a standard user account for the children and use Parental Controls to protect them.

However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. This is partly due to the first user account defaulting to administrator, since an administrator on the machine is required, and partly due to the fact that people want and expect to be in control of their computer. Since most users have an Administrator account, this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes to the system. Software written this way would not work for standard users, such as the enterprise user and parental control cases mentioned above. Additionally, giving every application full access to the computer left the door open for damaging changes to the system, either intentionally (by malware) or unintentionally (by poorly written software.)

Figure 1. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008. 75% of machines have one account.

User Account Control was implemented in Vista to address two key issues: one, incompatibility of software across user types and two, the lack of user knowledge of system-level changes. We expanded the account types by adding the Protected Admin (PA), which became the default type for the first account on the system. When a PA user logs into the system, she is given two security tokens – one identical to the Standard User token that is sufficient for most basic privileges and a second with full Administrator privileges. Standard users receive only the basic token, but can bring in an Administrator token from another account if needed.

When the system detects that the user wants to perform an operation which requires administrative privileges, the display is switched to “secure desktop” mode, and the user is presented with a prompt asking for approval. The reason the display is transitioned to “secure desktop” is to avoid malicious software attacks that attempt to get you to click yes to the UAC prompt by mimicking the UAC interface (spoofing the UI.) They are not able to do this when the desktop is in its “secure” state. Protected Admin users are thus informed of any system changes, and only need to click yes to approve the action. A standard user sees a similar dialog, but one that enables her to enter Administrative credentials (via password, smart card PIN, fingerprint, etc) from another account to bring in the Administrator privileges needed to complete the action. In the case of a home system utilizing Parental Controls, the parent would enter his or her login name and password to install the software, thus enabling the parent to be in control of software added to the system or changes made to the system. In the enterprise case, the IT administrator can control the prompts through group policy such that the standard user just gets a message informing her that she cannot change system state.
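The behaviours described above (the filtered token of a Protected Admin, consent versus credential prompts, the secure desktop, and the policy that simply denies elevation to standard users) correspond to policy values an administrator can audit. The PowerShell function below is an added example, not code from the post; the registry value names are the standard Windows UAC policy values, which the post does not name, and `Get-UacPosture` is a hypothetical function name.

```powershell
# Added example (not from the original post): report how the UAC behaviours
# described above are configured on the local machine.

function Get-UacPosture {
    [CmdletBinding()]
    param(
        # Standard location of the UAC policy values (assumption: not named in the post).
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # Return the named value as an integer, or nothing ($null) when it is not set.
    $read = {
        param([string]$Name)
        $prop = $policy.PSObject.Properties[$Name]
        if ($prop) { [int]$prop.Value }
    }

    $enableLua     = & $read 'EnableLUA'                   # UAC / Admin Approval Mode on or off
    $adminPrompt   = & $read 'ConsentPromptBehaviorAdmin'  # prompt shown to Protected Admins
    $userPrompt    = & $read 'ConsentPromptBehaviorUser'   # prompt shown to standard users
    $secureDesktop = & $read 'PromptOnSecureDesktop'       # switch to the secure desktop

    $adminMeaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userMeaning = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    $describe = {
        param($Value, [hashtable]$Map)
        if ($null -ne $Value -and $Map.ContainsKey($Value)) { $Map[$Value] }
        else { 'not set or unrecognised' }
    }

    # With UAC on, a Protected Admin's normal processes hold the filtered token,
    # so this role check is False until the process has been elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled: administrator accounts run with the full token all the time.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'Administrators elevate silently: no approval step before system-level changes.'
    }
    if ($secureDesktop -eq 0) {
        $findings += 'Prompts appear on the normal desktop, losing the protection against UI spoofing.'
    }
    if ($null -ne $userPrompt -and $userPrompt -ne 0) {
        $findings += 'Standard users can elevate by entering administrator credentials at the prompt.'
    }

    [pscustomobject]@{
        User                 = $identity.Name
        ProcessIsElevated    = $elevated
        UacEnabled           = ($enableLua -eq 1)
        AdminPromptBehaviour = & $describe $adminPrompt $adminMeaning
        UserPromptBehaviour  = & $describe $userPrompt $userMeaning
        SecureDesktop        = ($secureDesktop -eq 1)
        Findings             = $findings
    }
}

Get-UacPosture | Format-List
```

Reading these values does not require elevation, so the function can be run from a standard user session or collected remotely as part of a configuration baseline.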

What we have learned so far

We are always trying to improve Windows, especially in the areas that affect our customers the most. This section will look at the data around the ecosystem, Windows, and end-users—recognizing that the data itself does not tell the story of annoyance or frustration that many reading this post might feel. 

UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. As mentioned in previous posts, there are ways for our customers to voluntarily and anonymously send us data on how they use our features (Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, blog posts, and in house usability testing). The data and feedback we collect help inform and prioritize the decisions we make about our feature designs. From this data, we’ve learned a lot about UAC’s impact.

Impact on the software ecosystem

UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.

In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their “sessions” - a session is everything that happens from logon to logoff or within 24 hours. Furthermore, there were 775,312 unique applications (note: this shows the volume of unique software that Windows supports!) producing prompts (note that installers and the application itself are not counted as the same program.) This seems large, and it is since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated their software, far fewer applications are requiring admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.

Figure 2. Number of unique applications and tasks creating UAC prompts, showing a significant decline.

This reduction means more programs work well for Standard Users without prompting every time they run or accidentally changing an administrative or system setting. In addition, we also expect that as people use their machines longer they are installing new software or configuring Windows settings less frequently, which results in fewer prompts, or conversely when a machine is new that is when there is unusually high activity with respect to administrative needs. Customer Experience Improvement Program data indicates that the number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1.

Figure 3. Percentage of sessions with prompts over time.

Impact on Windows

An immediate result of UAC was the increase in engineering quality of Windows. There are now far fewer Windows components with full access to the system. Additionally, all the components that still need to access the full system must ask the user for permission to do so. We know from our data that Windows itself accounts for about 40% of all UAC prompts. This is even more dramatic when you look at the most frequent prompts: Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1. Some targeted improvements in Vista SP1 reduced Windows prompts from frequently used components such as the copy engine, but clearly we have more we can (and will) do. The ecosystem also worked hard to reduce their prompts, thus the number of Windows components on the top 50 list increased. Windows has more of an opportunity to make deeper architectural changes in Windows 7, so you can expect fewer prompts from Windows components. Reducing prompts in the software ecosystem and in Windows is a win-win proposition. It enables people to feel confident they have a greater choice of software that does not make potentially destabilizing changes to the system, and it enables people to more readily identify critical prompts, thus providing a more confident sense of control.

One important area of feedback we’ve heard a lot about is the number of prompts encountered during a download from Internet Explorer. This is a specific example of a more common situation - where an application’s security dialogs overlap with User Account Control. Since XP Service Pack 2, IE has used a security dialog to warn users before running programs from the internet. In Vista, this often results in a double prompt – IE’s security dialog, followed immediately by a UAC dialog. This is an area that should be properly addressed.

Figure 4. Number of Microsoft prompters in the top 50 over time.

Impact on Customers

One extra click to do normal things like open the device manager, install software, or turn off your firewall is sometimes confusing and frustrating for our users. Here is a representative sample of the feedback we’ve received from the Windows Feedback Panel:

  • “I do not like to be continuously asked if I want to do what I just told the computer to do.”

  • “I feel like I am asked by Vista to approve every little thing that I do on my PC and I find it very aggravating.”

  • “The constant asking for input to make any changes is annoying. But it is good that it makes kids ask me for password for stuff they are trying to change.”

  • “Please work on simplifying the User Account control.....highly perplexing and bothersome at times”

We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done). However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.

Does this make the system more secure? If every user of Windows were an expert that understands the cause/effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don’t read the prompts, and thus gain no benefit from them (and are just annoyed). In Vista, some power users have chosen to disable UAC – a setting that is admittedly hard to find. We don’t recommend you do this, but we understand you find value in the ability to turn UAC off. For the rest of you who try to figure out what is going on by reading the UAC prompt, there is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it’s something you want to happen. However, we haven’t made things easy on you - the dialogs in Vista aren’t easy to decipher and are often not memorable. In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista. Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable.

Figure 5. Percentage of prompts over time per prompt type.

Figure 6. Percentage of UAC prompts allowed over time.

Looking ahead…

Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.

Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:

  • Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.

  • Enable our customers to be more confident that they are in control of their systems.

  • Make prompts informative such that people can make more confident choices.

  • Provide better and more obvious control over the mechanism.

The benefits UAC has provided to the ecosystem and Windows are clear; we need to continue that work. By successfully enabling standard users UAC has achieved its goal of giving IT administrators and parents greater control to lock down their systems for certain users. As shown in our data above, we’ve seen the number of external applications and Windows components that unnecessarily require Admin privileges dramatically drop. This also has the direct benefit of reducing the total amount of prompts users see, a common complaint we hear frequently. Moving forward we will look at the scenarios we think are most important for our users so we can ensure none of these scenarios include prompts that can be avoided. Additionally, we will look at “top prompters” and continue to engage with third-party software vendors and internal Microsoft teams to further reduce unnecessary prompts.

More importantly, as we evolve UAC for Windows 7 we will address the customer feedback and satisfaction issues with the prompts themselves. We’ve heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience. We believe this can be achieved by focusing on two key principles. 1) Broaden the control you have over the UAC notifications. We will continue to give you control over the changes made to your system, but in Windows 7, we will also provide options such that when you use the system as an administrator you can determine the range of notifications that you receive. 2) Provide additional and more relevant information in the user interface. We will improve the dialog UI so that you can better understand and make more informed choices. We’ve already run new design concepts based on this principle through our in-house usability testing and we’ve seen very positive results. 83% of participants could provide specific details about why they were seeing the dialog. Participants preferred the new concepts because they are “simple”, “highlight verified publishers,” “provide the file origin,” and “ask a meaningful question.” 

In summary, yes, we’ve heard the responses to the UAC feature – both positive and negative. We plan to continue to build on the benefits UAC provides as an agent for standard user, making systems more secure. In doing so, we will also address the overwhelming feedback that the user experience must improve.

Ben Fathi

Comments (188)
  1. resplendent says:

    No idea if this is possible, but it would be nice to get IE to still run in protected mode even with "overall" UAC off.  Since browsers tend to be the biggest malware entrance portals, a compromise of system protection vs intrusiveness would be nice.

  2. Cartman05 says:

    Yes, the User Account Control is a great idea and in theory it should ensure that there is no malicious software on a Windows computer. Please do not allow this tool to be weakened in any way, only strengthened so that one day, users won’t need any anti-spyware software or anything like that.

    To help the average user understand this feature, you could add a "What is this?" link and include UAC in a walk-around of all the features of Windows 7 that is displayed during installation or the first time that the PC is used.

    One problem that I’ve had with the UAC is that sometimes the prompt is delayed and the installation that I am running is stuck at 0% until the prompt is displayed.

  3. says:

    UAC prompts going down from 775,312 to 168,149 makes me feel goooood. Can you implement a feature where when Vista is manually installed (not unattended or automatic deployment), UAC is not enabled at all (no reboots required) for the first half hour/an hour during which the admin can setup his machine completely (including Control Panel settings, registry tweak and Group policies) and installs the most important of apps after which UAC is never again disabled unless the user disables it? For automatic deployment scenarios, it can be turned on by default. Same thing when a new user account is created. And if the admin finishes setting up his system earlier than that time, he can turn on UAC at any point after that.

    Oh, and one more thing, can we have RunAs back in the GUI (or integrate ShellRunas into the OS) and make it run with explorer.exe (Windows Explorer), iexplore.exe (IE), MSIs and batch files & scripts? And a "Run as" in the "Run" box?

  4. marcinw says:

    > Since most users have an Administrator
    > account, this has historically created an
    > environment where most applications, as well
    > as some Windows components, always assumed
    > they could make system-level changes to the
    > system. […] Additionally, giving every
    > application full access to the computer left
    > the door open for damaging changes to the
    > system, either intentionally (by malware) or
    > unintentionally (by poorly written software.)

    I’m really sorry, but once again. If applications can add files to system core and if Registry is shared, it also left the door open. What will you do in 7 for avoiding it?

    UAC could be very good, if:

    1. it will be used in really critical things only (like adding drivers)

    2. it will be possible to easily disable some alerts

  5. espeholt_jr says:

    I really think UAC is a good thing – though a little annoying. Actually the thing that annoys me most is the safe screen because it makes the screen flicker. So I disable it and enable password.

    But when you talk about quality software and poorly written applications, I really think MS should be the leader and remove all those small artifacts in Windows. Mostly graphical artifact things which make Windows look cheap (which it’s not ;)). Anyway, this blog is a cool thing 🙂

    Best regards

  6. marcinw says:

    > No idea if this is possible, but it would be
    > nice to get IE to still run in protected mode
    > even with "overall" UAC off.

    It would be possible to minimize problems if IE and other applications were separated from each other and from the main system "core" (with a separate Registry, files in separate directories, etc.)

    Microsoft will probably not do it, because:

    1. it will need some additional work

    2. some applications will need changes

    3. MS probably doesn’t WANT to make IE another "ordinary" application (this is a closed circle: people search for alternatives, because IE is very integrated with main system parts and each bug can cause many problems; Microsoft probably thinks that separating IE will make people search more easily for alternatives, and this thinking is wrong, because non-technical users will use the browser "from the box")

  7. anshu_10us says:

    Great that finally someone is talking about it. UAC has really been a pain sometimes. It’s a great idea about broadening the control because i definitely want to be notified if something unwanted is accessing stuff in my PC but definitely not when i try to open MSCONFIG to remove the startup programs.

    I second the thought of running IE in a protected mode. I am by no means an OS expert so am not sure if that’s totally possible with win NT kernel or not.

    finally here is my 2 cents – as much as i appreciate the existence of a virtual controller to control the ISVs but wouldn’t it be better if they are somehow brought under one umbrella to make sure all of them follow a standard. This sure is a Herculean task but assures a radical improvement of software quality and user experience.

  8. L33tMasta says:

    UAC is a great thing for users that want to keep tabs on everything that’s being installed. I, myself, have disabled UAC because of the prompts. I move a lot of files around a lot of sensitive folders and it just doesn’t make sense to keep it enabled when I know what I’m doing and the system thinks I don’t. It’s a great idea to get people started on the path of thinking about what goes on their PCs but for power users like myself it can really only be a hindrance.

  9. d_e says:

    The thing with all those warnings is that some webpages already explain that the user will have to acknowledge this and that to make a program run. Users are trained to acknowledge UAC (and other) security prompts. This situation can only be improved by showing fewer UAC prompts.

    And most UAC prompts aren’t target audience friendly. They contain way too much text and are (Microsoft-typical) too technical. Technical descriptions using non-technical words actually.

    There should be only questions like "Are you trying to install a new program?". Or "Are you attaching a new device to your computer?". With dangerous symbols. Users should be scared when they see the prompt – because they only see the prompt once a year and because it makes a lasting impression. It should give them bad dreams…

    Two things I couldn’t figure out in all those years:

    1. The need for the yellow security bar in IE – the one that blocks downloads…

    2. Why MS invented UAC instead of just improving the usability of standard user accounts. Because the security subsystem itself was/is perfectly fine…

  10. Puckdropper says:

    I disabled UAC for the first couple days after I got a new computer to make transitioning easier.  After I had most everything transitioned, I turned UAC back on and haven’t seen too many UAC dialogs.  The ones that I have seen have been useless, though, in that they don’t give me any useful information about what’s really going on.

    One drawback to the new security model is that I’ve got to open a privileged command prompt to execute a single command.  I’d love a way to elevate to admin rights for just the one command, as sudo does on *nix systems.

  11. Hairs says:

    While some have started muttering that this blog is nothing more than another marketing ploy, this post proves them wrong (or for the cynical, partly wrong).

    A clear, informative, and above all honest post about designing and building an integral part of the OS, targets, successes, flaws and missed opportunities all quantified and addressed. Well done, this makes me feel a lot more comfortable about the work that’s going into Win 7.

    Of course, I’m still not going to use it if you keep that horrible Vista Explorer. XP’s was 99% perfect, apart from its intransigent refusal to display folder sizes. (don’t tell me it causes too much overhead, because you’ve got pointless fancy sliders for changing between view types. If I can get it in a balloon tip, show it in Explorer)

  12. gkeramidas says:

    here’s my initial response before even reading the article. i’ll append to it if necessary.

    to me, if i click on something, whether it’s to change the time, go into device manager or computer management, i must want to do it.

    so, once you get uac to know:

    1. i clicked on something so i want access to it.

    2. something i didn’t click on is opening


    3. that i clicked on paint and some other app is trying to launch, i turn it off.

    (can’t believe uac is invoked when accessing the time ui, anyway)

    once it’s smart enough to know this, i’ll leave it on.

  13. Vistaline says:

    >>And a "Run as" in the "Run" box?

    Run As in the Start Menu (which functions as Run) would be awesome. CTRL+SHFT+Enter until then. Would be nice to keep my fingers on the alphabet keys though.

    >>…i definitely want to be notified if something unwanted is accessing stuff in my PC but definitely not when i try to open MSCONFIG to remove the startup programs.

    I believe MSConfig makes changes to startup that are system-wide. Not only that, but you can change boot options, services, etc. It’s not the kind of config panel you want every user to have access to.

    A better option for you would be to use the Startup folder, Windows Defender (I think…), or Task Scheduler. I prefer Task scheduler as I can put my startup programs on a 30 second to 60 second timer (more wouldn’t make sense).

  14. says:

    Personally I like the UAC. I’m not saying that there aren’t areas of improvement, but the fact that I’m very confident about the security of my vista computer I think speaks a lot to UAC. While it can be annoying, and may slow down the computer at times, it’s a great safety net.

    And the fact that because of UAC, Windows is changing the software ecosystem is an even better thing.

  15. asymtote says:

    I understand what you are trying to achieve with UAC and I do agree that it is a worthwhile goal. Also given where you are starting from the current implementation is a reasonable solution.

    Perhaps the biggest frustration for me (and I consider myself a knowledgeable Windows user) is the 1 to 2 second screen blank that occurs on my PC before the UAC prompt occurs. Although it sounds silly that long jarring pause has already put me in a bad mood that I don’t want to take the time to fully comprehend the information the dialog is telling me. I don’t know if the screen blank is a result of my hardware or device drivers or is caused by the OS itself but getting rid of this one artifact would improve my UAC experience by an order of magnitude. Some quick searching on the web would suggest other people feel the same way.


  16. Vistaline says:

    >>Of course, I’m still not going to use it if you keep that horrible Vista Explorer. XP’s was 99% perfect, apart from its intransigent refusal to display folder sizes.

    I’m sure if they made a post on the UI/Explorer we’d crash their servers with responses. 🙂 We have much to say. lol

    >>The ones that I have seen have been useless, though, in that they don’t give me any useful information about what’s really going on.

    I love UAC but, generally, the prompts do look rather vague and useless. Makes me interested to see what they’re doing with these new UAC dialogs for W7.

  17. FreakyT says:

    Personally, I’d like to see the transition to UAC prompts a bit more smooth.  I realize the importance of using secure desktop, but the way the screen flashes is really annoying.  Some kind of smooth fade would be a huge improvement!

    Also, I’d like to see the ability to "open files as administrator."  For example, if I want to edit a file in Program Files, I have to first run the editor with elevated privileges, then navigate to and open the file.  I’d much rather do that in one click.

    P.S. I’m one of the few Vista users I know who have left UAC enabled; I think it’s useful, if a bit annoying at times.

  18. jgoto says:

    I bought a computer with Windows Vista within the first few days of its release.  UAC was the first thing about Vista that I noticed when I started using it.  After fighting off Malware on Windows 98 and Windows Xp machines for so long, and so many futile hours of trying to sanitize the compromised machines of friends and families, I immediately appreciated what you guys were doing with UAC.  It is absolutely necessary and I’m glad to hear that you will bring an improved version of UAC to the next version of Windows.

  19. PRab says:

    One easy tweak that could eliminate many UAC prompts would be to make a "Programs" folder inside the "User" folder. Make it easy for installers to give an option to switch to this alternative "Programs" directory before the UAC popup is presented. Right now applications either let you choose a folder or default to the "Application Data" folder (See sync-toy).

    Overall UAC is a great idea, it just has some rough edges and needs more support by making user specific copies of system directories.

    One graph that I would like to see is the % of people with UAC turned off. From comments on forums it sounds like many people have it turned off, but in my experience I have found very few people with it off.

  20. Rayadoman says:

    One of the things I would like added is an "Approved List" for the UAC. There are a couple pieces of software, mainly updaters, that prompt a UAC message each time the program runs. I know what these programs are and I will always approve each time.

    If there was a list that users could add programs to that would allow the programs to either bypass the UAC or send an approved response to it automatically it will be great.  Putting programs on this list should not be easy but it should not be difficult either.  Maybe a right click, run as admin, then check mark in the admin login box would work.  Programs should not be allowed to place themselves or other programs onto this list.

  21. steak820 says:

    It took me a while to get around to using UAC but now that i know how to use it correctly i really dig it, well done! The only problem i have with it is with the secure desktop, when it’s activated it’s sort of a jarring experience, almost akin to a system crash. Would it be possible to maybe smooth the transition somewhat, my nerves are not what they were lol

  22. magicalclick says:

    Microsoft has a free software called Steady State. This is a kid safe environment. It doesn’t save any changes to the computer. I think MS should consider making it built-in.

    About UAC, it is fine. I am using it to know whether the installer is modifying an important sector or not. But sometimes it is quite annoying indeed.

  23. LordAntares says:

    One of the things I really think would reduce complaints would be if once you okayed a UAC prompt the user wouldn’t be prompted for another 30 seconds or minute. I know that for me at least the prompts tend to come in bursts, and if I only have to click once instead of the 5 or so times in a row, that would make me appreciate UAC much more.

  24. Don Reba says:

    I have been running separate accounts since Windows 2000. I know how my system works and keep it running like clockwork. I was happy without UAC and hoped it would not affect me. With every system I gave UAC a fair chance, but had to turn it off every time.

    The popups are annoying, but far worse is when UAC fails silently. For no apparent reason, actions fail to execute, files are not created where they are supposed to, applications crash.

    Example 1: change the source viewer in IE7 to VIM, then choose "View source", then nothing happens.

    Example 2: installation of a mission-critical software package fails with UAC on, even with administrator rights. The installer tries to copy its "ini" to the Windows folder.

    Example 3: game modification installer, properly designed to work with restricted rights, crashes with UAC on. File creation operations succeed, but the files are not created, at least not where they are expected.

    It does not stop there. Even when off, UAC is a major pain. Things that worked fine in XP break. RunAs no longer works. Cardspace fails.

    UAC is appalling.

  25. irdawood says:

    Windows Steady State is very very good, especially if you have kids in the home.

    Implementing a feature or at least a link to the download location in the Parental Controls would be very very helpful.

  26. WindowsFanboy says:

    I have always had user account control on, and I don’t mind it too much. The security makes up for the annoyance…most of the time. There are certain things which bring up WAY too many UAC prompts.

    For example: I want to manually delete a folder from C:/Program Files. First, I have to click "Yes" to confirm that I really wanted to delete it. Then I have to click "Continue" because I am modifying C:/Program Files. Clicking that brings up UAC, where I have to click "Continue" again.

    Sorry, but that is too many prompts. There should be a maximum of ONE prompt after I confirm the deletion. This prompt would tell you why it had appeared ("Modifying C:/Program Files could cause undesirable program errors. Click continue if you are sure you want to delete this folder.")

    …Just one example of excess annoyance. I agree with the previous posts that when users see too many prompts, they stop reading them and just click continue.

    Keep up the great work!

  27. VistaLover says:

    Of course, so many people complain about the secure desktop (jarring screen ‘crash’, etc.) and there is a group policy setting that can turn it off (google "turn off secure desktop") while still leaving uac on. This really tells you something about the people who sit around on forums criticizing MS all day, and what they know.  Anyway, I like UAC as it is, I only see a uac screen when I am doing system wide changes that I want software not to be able to do without my permission.  Compromising UAC would mean any software could do anything it wanted on my system, I can’t believe people even suggest that, they should go turn off uac and leave everyone else alone with that asinine nonsense.  One thing I would like to see is a no-read-up policy for low integrity level on most everything.  As it is now, malware can’t write to the system areas and auto-start with windows and so on, but it can still read user data and this is a security concern MS should address. MS should notify developers that this will go into effect in Windows 7 so that they have time to fix whatever code this affects and then set it up like that so that users don’t have valuable private data stolen by any malware that exploits IE. Thanks for the blog and good work, again.

  28. wolrah says:

    >> I don’t know if the screen blank is a result of my hardware or device drivers or is caused by the OS itself but by getting rid of this one artifact would improve my UAC experience by an order of magnitude.

    It is your hardware.  Is your monitor connected via VGA by chance?  When Windows resets the video mode, VGA monitors have to resync and that takes time.  DVI monitors don’t have this problem.

    Why it resets the video mode I still haven’t figured out, there has to be a way to have a secure desktop without the video driver needing to know.

    >> Example 1: change the source viewer in IE7 to VIM, then choose "View source", then nothing happens.

    Just an aside, you are enough of a power user to use VIM (heck, even know what VIM is) and you still use IE for anything where viewing source matters?  You are probably one in a million.  The rest of us left that piece of trash long ago and only use it for that one percent of the web that hasn’t figured out what standards mean.

    Directly on topic, I really think the UAC developers should put Windows away for a month and go use either OS X or Linux.  Experience sudo and how it works.  Return to Windows development, throw out UAC entirely, and as Apple would say, "start your photocopiers."

    Duplicate prompts aren’t a problem, the user is allowed to do anything that affects only them without a prompt, and the prompts that you do get have this nifty button titled "Details" which when clicked tells you what wants privs and why.  If you’re having prompts being automatically triggered by requests to change certain things, clearly the software knows what triggered it and can tell me so I don’t have to guess.

  29. JuanK_Solocodigo says:

    I believe these three points would be very useful to improve UAC:

    1- If I check an application to always run as an administrator… why do I need to approve it every time? Just one authorization would be great.

    2- Detect when a user makes changes and when another source makes the changes (virus, malware, other apps not directly opened by users etc.). UAC must be less strict when the action is made directly by an admin user.

    3- Create ‘UAC – permission groups’; maybe I need my kids or my workers to be able to change some ‘less dangerous’ configurations, but not others.

  30. Daniel Smith says:

    Isn’t this just like the boy who cried wolf story?

    Now that Vista has been out for a while and people have become used to the "excessive" UAC prompts isn’t it kinda too late to train people to pay attention to these prompts.  I can see if people jumped from XP to Windows 7 you could easily instill in users that if you see a UAC prompt pay close attention to it.  But for users going from Vista to 7 isn’t it already too late?  Windows 7 users coming from XP may respond correctly but Vista users would think "oh it’s just that unnecessary UAC prompt again" and hit continue and then allow the malware to run.

    If I could request certain areas for UAC not to be enabled it would be the Reliability and Performance Monitor cause what setting can you adjust there?  None that I know of.  When you adjust the date and time.  When you install updates from Windows Update.  On that subject why don’t we get UAC prompts when Windows automatically installs updates itself during a shutdown or restart?

    Slightly OT but I’d like to remove the dialog box that pops up when you move something to the recycle bin asking if I’m sure I want to do this.  I understand why you do this but I’d like the option to turn this off.

  31. says:

    – I would like to add the following games to Windows or Windows Ultimate Extras: Shogi, Go, Xiàngqí, sudoku and Pai Sho, which also include the features of the Microsoft Plus Pack for hearing, Microsoft Plus! Labyrinth, dancers for windows media player

    – Recommend that the new windows did not have the most win.ini and the registration and be changed to a more secure, better designed and do not let so many traces, which also did not install an administrator account by default but a limited and in linux

    – New effects in wpf and more customizable as Compiz-Fusion, the desktop is equal to KDE and GNOME, windows media center that supports full HD audio, video and images, support for Nintendo Wii and PlayStation

  32. sdwolf says:

    I also find that UAC has some performance issues.  Sometimes it can take as long as two seconds for a prompt to appear, and in the meantime my display is either solid black, or the machine appears frozen.  This is intermittent, but happens frequently enough to be a real annoyance.

    I also totally agree with d_e’s comments about the form UAC prompts should take.  In essence, "Program x needs your permission to continue," followed by one of the following:

    – "Are you attaching a new device to your computer?"

    – "Are you updating a driver or system component?"

    – "Are you installing or updating a program?"

    – "Are you making changes to your system settings or files?"

    A "Details" button would also be helpful, especially if it includes details like:

    – the full path and filename of the app that produced the prompt

    – the publisher of the app

    – what, exactly, the app is attempting to do.

    Lastly, and most importantly, I believe UAC should be taken a step further.  When a user approves an action, immediately create a Restore Point before allowing the app to proceed (perhaps display a progress bar while the restore point is made so the user doesn’t think the machine simply froze).  That way, if the user approves something they shouldn’t have, they can still recover.

  33. hollamon says:

    UAC was a good step in the right direction (particularly in forcing the 1st and 3rd party ecosystem to stop expecting users as admin), but needs a few improvements.  

    1.  UAC needs to provide enough information to make a valid choice!

    I realize you don’t want to add a bunch of technical information to the front of it.  But that technical information needs to be available somehow, otherwise you can’t make an informed decision.

    This means executable triggering it, file locations and names it’s trying to write.  Reg locations and values it’s trying to write.  And detailed information if adding to startup, or otherwise installing drivers or similar.

    This information just is not available now, and it needs to be.

    2.  Remember last-used username when UAC is running in credentials mode (ie, requiring a user-name and password to elevate).

    On a non-server, the vast, vast majority of the usage of elevation is going to be to the same alternate account (ie, an la-* local admin or a da-* domain admin account).  

    Why can’t it remember the last used username in my profile, to save me a bunch of typing every time I have to elevate?

    3.  RunAs needs to return!

    It’s insane that we lost a big piece of functionality in this space when UAC hit by losing RunAs.  And unless it was just sheer lack of manpower, I can’t imagine why you would take that away.  There is still a very common set of use-cases for RunAs, even with UAC turned on, PARTICULARLY in the corporate environment.

    I do understand that the switches will become more complicated, as you have to handle in-place elevation on the same account vs. elevating to a different account, etc.  But we need that back.

    4.  Tighter integration with RunAs/etc with the Shell.  

    For example, I would really like to be able to modify my hosts files by right clicking it, and holding down shift while I choose ‘Edit with Notepad++’ which launches it with elevation.

    Right now, you have to manually elevate/launch the editor, then find and open the text file.  Seems like an unnecessary pain.

    5. Opening a new explorer.exe shell as admin is fairly broken.

    For example, if I wade through the program files, accessories, and launch Windows Explorer as Admin, do I get it actually launched as Admin?  No!  It silently fails to do what I told it to do, and launches a new explorer window in the regular account.  

    If this worked, much like we have been doing for years on XP, we can launch an explorer window as Admin, and keep it open for days or weeks while we do stuff there we need admin for.  

    Overall, nearly every IT pro needs to run Vista with a permanently-running command prompt that has been ‘Run as Administrator’ opened.  

    Look for ways to eliminate needing to do that.

    And please oh please bring back runas, or make something new similar to sudo/su.  We need this so much on the command line.

  34. domenico says:

    personally,  UAC has never given nuisance

  35. hollamon says:

    One more thing I forgot while writing my post a minute ago.  

    UAC hangs for several minutes sometimes in the Secure Desktop.

    It only happens when my laptop is at home, so on the internet and a valid network, but cannot reach the corporate DCs.

    I’ll cause an elevation, type in my new credentials, and it will sit as long as 1-2 minutes before I regain control of my computer.

    Given that this is happening while the secure desktop is loaded, this basically makes my computer 100% non-usable and effectively gone during that time period.  

    Note that this is elevation with credentials, so I have to type in a different set of credentials to elevate.

    There should be a hard-timeout period of 5 seconds.  Or drop out of secure desktop instantly before doing the network query.

    This actually seemed to get dramatically worse with SP1, even though I read in the release notes that some work was done to improve that.

  36. PatriotB says:

    @marcinw — what you describe sounds a lot like the former NGSCB project (aka Palladium) — secure, segregated areas ("nexuses") running on a single machine.

    @asymtote & wolrah — One thing to watch for is driver updates which actually make the "blank screen" delay worse.  A while back, updated Nvidia drivers were offered via Windows Update and I installed them, and after that I started getting the same UAC delays.  Rolling back to the previous drivers solved the problem.

  37. PatriotB says:

    One thing that I think would be helpful would be a secure hardware-based approval mechanism of some sort, for example a new key on your keyboard that when held down, would suppress the UAC prompt when clicking on a button/program.

    It’s not as easy as it might seem, however.  First of all, you could have malware just waiting around in the background, trying to elevate repeatedly and it will eventually sneak through when the timing is right.

    Secondly, how long would the user need to hold down the key after performing the UI action?  If for some reason the app showing the UI has a delay before trying to create the elevated process, the user would need to keep the key down the entire time.

    In any event, it would be great if there was some way to authoritatively know whether an elevated process creation request was really intended/initiated by the user.

  38. RotoSequence says:

    I’d have more to say regarding UAC if I had a real amount of experience "using" it on a day to day basis (I turned it off in the Beta), and if I knew what the changes would constitute. So far as I can tell, you’re dealing with all the issues I actually care about; keeping my system secure, without bothering the daylights out of me in the process.

  39. says:

    I think the UAC is very great, but there are some problems. First, there is the problem of just viewing information. An example: if I want to view my drive information with the tool for that, I need to give it admin rights. I think you should just need to become an admin when you want to change something and not if you just want to view information.

    Second, double clicks… also an example: if I want to create a folder in, say, the Users folder (I know that is not normal but I use this for the example) I do -> right-click -> New -> Folder -> Continue -> Continue… why don’t we have just -> right-click -> New -> Folder -> Continue? Why don’t we just need to say OK 1 time and not 2 times?

    I saw some screenshots from 7 M3 and the new UAC settings; I think this is the right way, but look at problems like the 2 I described at the beginning of the post…

  40. danwdoo says:

    One that drives me bonkers is why I need elevation to do an ipconfig release or renew? Since Vista took away the very handy "repair" option (which renews the address very quickly) I find myself running into a roadblock here all the time. The vista repair option takes forever to run since I already know what the problem is.

    As an admin, I may go to someone’s machine and need to make a networking adjustment. I then open a command prompt and try to release and renew but of course get the elevation error. I then have to close the cmd window and hunt down the cmd icon (since it’s not my machine I’m usually doing this on so don’t have an admin shortcut already made) so I can right click and choose run as administrator.

    Often times I find it easier to just unplug the network cable and plug it back in which does the same thing with no UAC issues! There is a real breakdown somewhere when software behavior pushes users to a hardware workaround because the software is making a relatively benign task such a pain.

    I am encouraged to see that we will have more control in the next Windows over what generates these error messages.



  41. caleb.vear says:

    The reason that I have turned UAC off on my machine is because when I want to work with files outside of my profile directory UAC seems to block it all the time.  For example it won’t let me create a folder in the program files directory or add files there.  It will UAC prompt me, but then it still won’t do what I asked.  I have a couple of programs that don’t come with an installer that I normally stick under the program files dir and then just put a shortcut into the start menu.  If there was an easy way for me to run windows explorer in admin mode (with the UAC prompt at the start) I would probably turn UAC back on.

    I frequently do work on people’s computers and sometimes when their computer won’t boot they want to get some of their files off the disk.  I have an external enclosure for this sort of thing, but windows will tell me that I don’t have sufficient privileges to open their profile directory on the external drive.  It prompts me for elevated privileges, but no matter how many times I click the continue button it still won’t let me through.  As soon as I disable UAC I don’t have a problem anymore.

  42. caleb.vear says:

    This was meant to go on the bottom of the previous comment, but apparently the comments have a max length.

    The following paragraphs detail some thoughts I have had on things that could improve my experience with UAC and make it more practical for me to have it on all the time.

    Another feature that could be cool is if you could automatically raise a specific piece of software to admin privileges while it was running from the task manager.  For example sometimes I need admin privileges to work with some projects in Visual Studio, but I forgot to open it as admin so I have to close everything and then open it again.

    Also as has already been mentioned it would be nice if even when you’re running with UAC turned off you could set some programs (such as IE) to run with only basic user privileges.

    Maybe there could be a dialog that let you switch your account mode while it was running.  So I could click a button which would allow everything full privileges while I did something and then I could flick it back into UAC mode straight away so I know if something bad is trying to do something I don’t want it to.

  43. martinIsMe says:

    Thanks for the blog on the UAC. I had a pretty good understanding before, but it’s helpful to have detailed information.

    I like the idea behind UAC. Anything that helps stability is appreciated. I must say though, that I ended up turning it off because of the constant bombardment of popping up windows while trying to work. I found that it was very distracting and I stopped reading or caring what it was about or what it said. I would simply click to get it off the screen.

    Another annoyance was that my father would call me several times a day, would read what it said to me and ask for my advice on whether he should allow or not. Needless to say the next time I flew back into town, disabling the UAC was the first thing I did.

    So again, I like the idea behind it, but this is an incredibly annoying implementation that feels more like a band-aid over a large problem of how easy it is to get down into the core of windows and mess something up.

    I don’t know what the answer is, but I just felt like this was a huge step in the wrong direction in the user experience field.

  44. twentytwokhz says:

    "Run as" would be a very nice addition. Also please notice the way Linux distros prompt for administrator credentials when trying to run system level or maintenance programs.

    Run as combined with administrator credentials would be very useful in cases where you want to enable/disable some features for a standard user account. (shouldn’t appear in an admin account)

    Personally I hope UAC is gonna get better in Windows 7 and be less obtrusive and more of an adviser.

  45. mark_ms says:

    When installing a new app, I get a UAC prompt but I would like a way to control the amount of access that the app gets on my system. e.g. If I were to install a system-level utility, I can give it full access to the system. If I’m installing a text editor or a game, I want to be able to limit its access to its folder in Program Files and any special folders it wants to add in My Documents. I would also like UAC to tell me if an app tries to go beyond app-level access. At the moment, there is not enough granularity so the UAC prompt to install a text editor is the same as what a system-level utility would require. Essentially, I want UAC to have the same customisability as a good firewall.

    Also, since I try a lot of software that don’t even have their own installers, I put them in a separate folder. By not using Program Files, am I lessening my security? Wouldn’t these programs try to save settings to their own folders, so they would actually fail if they ran in Program Files?

    Can we have the app isolation of App-V become part of standard Windows?

  46. mludwig says:

    I like the principle of least privilege and I believe it makes software more secure and less destructive in case of failure. I support extending UAC and building it deeper into the architecture, while making it less annoying.

    I have the following proposals for UAC:

    – I envisage a layered approach for privileges a process can acquire. Not too many, but enough for people to be able to tailor the prompts for their level of security-awareness. For example, one layer could be session-restricted privileges, which doesn’t allow the process to make permanent system-level changes, that couldn’t be reverted by a simple reboot. Another layer could be per-user privileges, only affecting the current user.

    An application wants to write its own folder (ex. program update)? Give it access to its files only. The layering could also happen for application classes: trusted ones getting automatic elevation, while recently downloaded programs not.

    By no means do I think that this can be done without any architectural changes. However, building up a new security-minded architecture could prove beneficial in the long run.

    – make prompts meaningful (as read in the blog) = no "Unknown Publisher" or worse, empty prompts

  47. agwizard says:

    As a software professional I was heavily involved in getting our applications to work without the need for admin privileges under Vista. Four key changes that could be made in Windows 7 to reduce UAC dialogs and simplify the development of well-behaved software:

    1. Allow processes to have write access to the folder containing the initial executable file of the process, and to sub-folders of that folder. This will avoid the need for admin privileges for programs that keep data files in their installation folder (a common reason for needing admin privileges), without compromising security.

    2. Have a catalog of permitted automatic elevations by permitted signed apps when the user is an administrator.

    3. Before raising a UAC dialog, determine whether the request was initiated by a "known good" user action in a "known good" program – such as a user drag of a file in Windows Explorer – when the user is an administrator.

    4. Allow an already-running process to temporarily automatically elevate to admin privileges (with UAC verification), rather than requiring a separate process or out-of-proc COM object.

  48. lyesmith says:

    Does this mean that you keep the Vista kernel eventually? The same hybrid in name but anyway big, over-blown monster? I am probably wrong but UAC seems to me something that should be handled at core level.

    I really like this blog but what I miss is feedback from you. Details of Windows 7. I guess you want to make it a big surprise just don’t make it a big shock. This time you have to live up to the expectations. And not just on UI and User Interaction level, but also on core level.

    Maybe these are just my fears, but I really would not like to be disappointed as I did in Vista.

    Actually I would like if you implement a proper Administrator and User accounts. In Administrator account everything goes without prompting. In user account you should be asked for administrative credentials to change sensitive things.

    At first run the user should be asked to create an admin account and a user account as well. And then the user should be encouraged to use the user account most of the time. IMHO

  49. Aleria says:

    I always disable UAC because in its current state it’s useless.

    My current gripes are:

    1) WHY is a prompt appearing? If it’s going to appear, I want to know WHY an application is asking for admin privileges. Is there any use for it otherwise? I can potentially be allowing a malicious program to cause havoc. Come on! Even security software is better at this than UAC!

    2) Don’t ask me ALL the time. Implement a feature to "don’t ask me next time", like security software has. Next time an application asks and I already answered, Windows should be able to remember it!

    3) Security first – make a whitelist. Find safe programs and allow Windows to actually recommend if to allow or deny it, because frankly, half of the time we don’t know what a program is doing and don’t know if we should approve or not.

    4) The default permissions are probably wrong. The ability to extract and unpack files using compression utilities anywhere is a common need, but it requires admin privileges! This usually results in running the program as admin.

    Don’t get me wrong – the ability to monitor and approve changes to the system on-the-fly is a very good idea, and I already have security software that takes care of this simply because UAC is so useless. If UAC were to be as good as these software, then there would be no need to disable it and use 3rd party software!

  50. eliassorensen says:

    Why not make it optional to enable UAC when you make a new user account?

    "Do you want to enable User Account Control on this account? UAC can be useful for kid’s accounts bla bla bla.. Read more about UAC".

    Personally, I like the idea with UAC, but I don’t use it. I’ve been too tired of looking at those UAC overlays, which do not provide enough information about the program to use it as a user who doesn’t have much knowledge about computers and software.

    Give the user more information in the UAC popups, reduce the number of popups.

  51. Xini says:

    I’m afraid I’m no big fan of UAC. I do get the idea of it but it fails quite badly in achieving its goal.

    Firstly I am tempted to ask what the security of my computer has to do with Microsoft. If I want to have a really secure computer then surely I would buy security programs and not an OS. If it is to be integrated at the core level then it should be optional. MY computer is my computer… if I wish to run it like a school boy without a clue then the software should allow that. I don’t like being nannied.

    Secondly, why was the administrator account hidden in vista? I can understand ensuring that the user is most strongly warned about switching off security features but disabling it and forcing people to use command lines etc? A little extreme.

    Personally I found the best solution was to have an admin and normal user account but then you have to know pre-emptively that you’ll need full admin rights before you log in or sit there logging in and out. If I were to design a revamp for the UAC it would not be based upon single actions but rather a more literal interpretation of being able to elevate the user rights to admin rights. Basically the user logs in with a standard account. When asked or upon command they can raise the security level to that of an admin whilst in session. This elevation lasts for a user set period of time (possibly 30 seconds or so as default).

    Now this may produce some instances where someone elevates their privileges and then manages to get a virus because they went on a dodgy internet site within the 30 seconds but I’m afraid you can’t stop people pouring water into their computer and this should be treated the same. At some point the human being has to take responsibility otherwise you’ll just frustrate those who do know what they’re doing as happened with Vista’s UAC.

    Either that or at least unhide the administrators account. That way when I’m installing hardware or any large amounts of software I can switch account. I’ve had more than a couple of instances where something hasn’t installed properly unless it’s done as an administrator.

    Oh that reminds me… please also fix the backwards compatibility. Battlefield requiring administrator privileges to run without crashing was irritating.


  52. says:

    I am another person who has disabled UAC. Why? Well, to be perfectly honest I found it more annoying than helpful. Sure I appreciated the thought and objective, but the implementation was driving me up the wall.

    My preference would be to only have it appear when a change is made to core system files. I am regularly testing programs, accessing files created on my dual boot XP drive (which I rarely use these days) and running software which keeps giving me the popup.

    I will be paying close attention to this topic and the responses from MS.

  53. ralish says:

    I think that the ideas behind the implementation of UAC are fundamentally sound, although, there’s a way to go before the technology has really reached a state that casual computer users and professionals are fully accepting of it.

    However, one idea I really think you should consider would be something that various Unix operating systems have implemented; the ability to temporarily suppress requests for superuser access for a period of time. For example, this may be done on a Unix system when doing a bunch of system-level configuration changes through the GUI, that would otherwise result in numerous confirmation prompts.

    Something similar for UAC would definitely have its uses, as there are situations that will occur where several UAC prompts can be expected over a short period of time. For example, a fresh installation of Windows while installing numerous hardware drivers and software that requires specific kernel additions, such as virus scanners, firewalls, virtual CD/DVD drivers, and so on. The current solution of disabling UAC (reboot), do the task, enable UAC (reboot), does to me seem a little clumsy and far from ideal.

    Of course, how such a feature is implemented at the UI level could vary, there are many possibilities, but the core functionality that could be provided I suspect many power users would really value.

  54. thecolonel says:

    sounds to me like you guys are well aware how much we all hate the way UAC is currently implemented – it’s no exaggeration to say that everyone i know who actually uses Vista (very few people) have it turned off

    the theory and concept behind it is indeed noble, it’s the realisation that’s made it a complete dog.

    as a side note, i know it drives Microsoft mad that Vista gets such bad word-of-mouth reviews between peers. fixing UAC would eliminate half this problem

  55. soukyuu says:

    Good to see that introducing UAC actually made software developers change their software to be able to work w/o needing admin privileges, maybe this way, windows’ "limited" users will have a purpose too, never used them under XP cause everything needed admin privileges anyway.

    As for Vista, I’m one of the people who got annoyed by the UAC pop-ups and turned it off. I do understand that it’s useful for less experienced users, so please keep it and make the whole process more fluent; i actually hated the flickering screen more than the additional click to do something. Oh and keep the option to turn it off please.

  56. Tihiy says:

    There could be two solutions:

    – "Don’t require UAC prompt for this application"

    This can be hairy, since this base must be protected well.

    – "Don’t require UAC prompt for this session".

    That would be very nice, especially for admins.

    Current (???) M3 W7 builds "UAC aggressiveness" slider seems not very friendly, and described poorly.

  57. Laith says:

    I am glad to see that the number of software requiring admin access is being reduced – which helps security.

    I really cannot stand the UAC. I find it really annoying. I click to do an action and it asks me if I am sure I want to pursue this action. As a power user, I don’t want to be bugged by silly prompts every time I want to do something. I appreciate the purpose of the UAC and understand it is reducing security threats however to me – a power user that knows what he’s doing, I shouldn’t have to be bugged which is why I have disabled the UAC. I tried to get used to it but even after 9 months of trying, it simply did my head in.

    What annoys me even more is now that I have disabled it, every time I start up my laptop, I am introduced with a lovely popup from the notification area telling me to enable it again and it won’t stop – adding to the frustration.

  58. I have to agree with commenter Tihiy on this one.

    I only get peeved with UAC when I’m doing a lot of "work" on the pc. I wouldn’t mind being prompted once and have the option to allow for session.

  59. quillaja says:

    @Daniel Smith

    _"Slightly OT but I’d like to remove the dialog box that pops up when you move something to the recycle bin asking if I’m sure I want to do this.  I understand why you do this but I’d like the option to turn this off."_

    You can turn it off. (1) open the recycle bin. (2) click "organize / properties" from the menu bar. (3) uncheck "display delete confirmation box."

    Heck, you can have things delete immediately if you want. You’ve been able to set these options since long before vista. You just need to dig around.

  60. martinparry says:

    I don’t think you should attach too much importance to the data that so many admins approve the UAC prompt quickly, and don’t remember what the prompt actually said.  For me, it’s the timing of the prompt that makes all the difference.  Let me explain…

    UAC doesn’t annoy me most of the time because I learn to expect the prompt, when firing up mmc for example, so the click is somewhat automatic.  However, there have been (rare) occasions when the UAC prompt appears at an unexpected moment.  On those occasions, I definitely stop, read the prompt, and think about my decision.

    This might mean there’s a "window of opportunity" for malware to get my approval when I think I’m approving something else, but I still feel safer than when there was no UAC.

  61. CRMMario says:

    The idea of the UAC is right, but you need to work in options like "I Trust in this software" so the UAC doesn’t display the popup every time…. and please avoid duplicate popups, I receive in some circumstances three popups for one operation ???

  62. divinglog says:

    I’m using Windows Live OneCare and have chosen to manually allow software to access the internet. When a new software wants to access the internet, I’ll get 3 prompts on Vista. First OneCare asking to allow this, then UAC asking to allow OneCare to allow this, and then again OneCare asking the same question again. Please make your own software work better with UAC. This task should be only one click. If it’s UAC or OneCare asking doesn’t matter. But it should be only one click.

    I don’t know if this has been fixed in SP1 as I’ve not tried it again. When I tried to sort my start menu programs on Vista (without SP1) by moving, deleting and renaming the shortcuts, I’ve got for every single action and shortcut a UAC prompt. I simply gave up sorting my start menu (the nice Vista menu with search box helps a lot with an unsorted menu).

    Sometimes the UAC prompt starts minimized or in the background. I see only the flashing button in the taskbar and I have to click it to bring it into the foreground. An inexperienced user may miss this and never see the prompt and wonder why the action he wants to start doesn’t work.

    I want a feature that I can disable UAC prompts for a specific action (e.g. a checkbox in the UAC dialog "Never ask me for this action again"). So I can partially disable UAC for often used programs or actions. This could work similarly like a firewall. As soon as the program changes (filesize/hash/location), the UAC prompt will return.

  63. yogee says:

    I think I caught the basic Idea of UAC already in the first Vista beta. But as a so called ‘Poweruser’ I tend to turn the whole thing off, as soon as the installation is finished.

    so, instead of controlling ALL of my action, or rather respond to always the same action, it would be great if the UAC had some sort of Training Mode..

    You see that in Firewalls a lot, where the software ‘tries to get an idea’ of how people use the network, Ports etc…

    (or at least that you would have some kind of option, that UAC remembers the choice I’ve made…).

  64. elmarj says:

    I think it would be good to have some visual cue (like an alternatively colored title-bar or maybe a small icon), that makes clear that a program runs in elevated mode.

    On a side note: I’m wondering how people are using their client-systems when the UAC-prompt is such a huge cause of annoyance. Although I consider myself a power user, I don’t see many prompts as there’s no need to change system-settings (or install software) on a daily basis.

  65. simmans says:

    Only one thing to say, keep the system protected by default but give possibility to deactivate this security. User mustn’t be jailed with something he doesn’t want.

  66. jheinrichs79 says:

    One thing that I don’t know why more people don’t complain about is UAC and networking. Other than the "ipconfig /renew" not working without running cmd with Run as… UAC and networking is my next most frustrating issue. For example, you are trying to run an application install off the network. Now in order to correctly install the software you are asked to "Run with higher rights" that of a local admin account. In a domain that local admin account does not have access to the files needing to be installed so the whole installation fails. Now some of you smarty pants might say well you should have been using group policy using msi’s to deploy the software anyways! There are still a lot of vendors that do not provide an MSI and sometimes I have seen where if the program itself does automatic updates like Adobe reader group policy sometimes kicks back in and tries to re-install the application which then completely renders the program useless. What I propose is that Microsoft first and foremost make their OS have the ability to have a regular user have a UAC type prompt that asks them for permission of the administrator. So many programs break if the user isn’t an administrator. Although I hate to say it Linux and Mac OS do such a better job at this compared with Windows. If the UAC gave the option to check off a box and then be able to specify an admin like "administrator@domain.local" that would really help us out. UAC is great for home users… terrible for Domains…

  67. babylon2233 says:

    I’m waiting a post about WGA. I hope you are able to provide a good protection against privacy for Windows. I don’t why a big company like you unable to win against a small team of hackers. Or, maybe you deliberately giving chance to piracy in order to widespread Windows usage in third world countries which most of users unable or unwilling to buy a freaking expensive license of Windows. If what I’m saying is not right, I guess you know what you have to day. I’ll keep viewing this blog and hope you will make a good post to explain your view on piracy and your anti-piracy strategy. Hope you’ll have a good implementation too.


  68. The Phazer says:

    The problem with UAC is that it’s not just the UAC prompts. Turning UAC off stops file and registry virtualisation, knackering up user settings and configurations in many programs (especially if you only have UAC on intermittently). Likewise this works in reverse. With UAC turned on, why is the DRM registry files around htcaccess hidden (even with "view hidden files" turned on)? – users sadly need to get there quite a bit to delete those files as the DRM registry is so prone to corruption, and if they do they have no idea that they’re failing to do so unless they’re running with UAC turned off – this forces three reboots for a task that should only take one.

    WHY!!! It’s baffling. UAC being on or off should control UAC only. It shouldn’t randomly be changing file permissions and virtualisation at its whim.

  69. paaland says:

    I simply hate the UAC prompts. I’d prefer to get a plain old "Access denied" message. You already have the "Run as Administrator" option on right-click on all applications. I can even put that as a default if I wish. A bit better "sudo" support would be great.

    The problem is that if I run as a normal user with UAC turned off a lot of stuff just fails silently (especially registering ActiveX’s with regsvr32.exe during install of apps). The application seemingly was installed fine, but when I start it up it fails due to missing ActiveX components.

  70. AndrewWen says:

    Can’t Windows implement something similar to SUID bit on Unix/Linux system?

    As a developer, most of the time I am forced to create a do-nothing service simply for giving auto-elevation to my application. A Unix-like SUID feature will eliminate the need for creating services in such kind of scenario and reduce the number of services running on the system.

    On Windows, one can set the flag "Run As Administrator" on an executable file. But Windows would prompt for credential when starting such file. I *really* hate this.

  71. ltfields says:

    My thoughts on UAC:

    As an IT professional, I keep a good idea of what’s going on for my system at all times, so UAC was an extreme annoyance for me.  I’ll admit I took the time to find the settings and disable it.  I do appreciate Microsoft biting the bullet though and forcing the lazy application developers out there to actually think about what kind of access their programs really need.  The side benefit we noticed is that it’s been a lot easier to secure our Terminal Services farms now because a lot of the applications aren’t fussy about requiring local administrator group privileges (this used to be a huge pain).  Overall I like the direction Microsoft is taking, as they’ve let the developer community be too lazy for too long, but keep this blog going, as I think every time you guys can explain why you’re doing things with Windows Vista and Windows 7 in a particular way, you’ll help us understand, and you’ll get better buy-in from us in the IT pro community.

  72. jrronimo says:

    In general, I actually really like UAC. So much so that I enable the ‘Administrator’ account in Vista and set my personal account to be a ‘Standard User’. So not only do I get a UAC prompt, I have to type a different password in to allow that change. I like to think of it as similar to the security on a Mac or Ubuntu machine.

    As many others, I’m sure, I do have my gripe with UAC, though, and the Windows 7 team seems to know about them already:

    The Double Prompt. This one is the worst — I’m getting a dialogue box telling me that I’m going to get another dialogue box? Seriously? This should never happen — ANY UAC prompt should go STRAIGHT to the secure desktop. There a user can Continue or Cancel (or be required to enter a password) and that is that. I’m glad to hear that this is an area of change for Windows 7.

    Thanks for the informative post!

  73. manicmarc says:

    As someone who uses Macs and Linux, the prompts are nothing new to me, I don’t mind them at all.

    It’s kind of like asking people to wear seatbelts. It’s a pain, and slightly uncomfortable – but in the grand scheme of things it’s utterly justifiable.

    What does concern me is specific flaws are being found that can escalate code to Admin privileges (a recent GDI+ flaw springs to mind).

  74. Ravewulf says:

    I don’t mind the prompts for installing software at all, my main problem is when I’m prompted for Windows operations. For example, whenever I start up my computer the first thing I do is start up task manager and I like to view all of the processes. Without UAC selecting the check box once keeps it checked for all future sessions, while with UAC I am prompted every time I log on and check the check box. Other admin stuff like this should have an opt out of UAC prompts setting in protected admin accounts.

    My other annoyance is that when saving pictures from IE (Save picture as) the folder I saved to is not remembered throughout that instance of IE. For example if I open a bunch of tabs from my art inbox on deviantART I have to renavigate from the My Pictures folder each time I save from a different tab instead of remembering the subfolder that I save to.

  75. steven_sinofsky says:

    There have been a few questions about the percentage of customers that disable UAC.  Our data is showing that about 92% of people run with UAC enabled.

    The interesting point to consider is the data about how many popups happen early in the usage of a new PC–this might cause an enthusiast to disable UAC early on and then decide not to enable it or neglect to enable it after the initial flurry of elevation requests.  That is perhaps why this number, 8% disabled, might seem a tad bit higher than expected.


  76. marcinw says:

    when there is new process (like application or something) run in the system, there is created new unique directory in Program Files. Process will have access into it – there will be "virtual" Program Files, Windows, Documents and Settings created there. Process will have created own Registry file, system will have some central Registry too and processes will see it as part of own (part in read only and part in read write mode – for example info about drivers and extensions assignment). Uninstalling application will be connected with removing "virtual" directory from Program Files, removing process registry file and things put into central Registry by process.

    All processes will be working this way – Explorer, IE, etc. Some default apps will be able for more from box (like RegEdit) – info about this will be saved in Windows directory. It will be possible to give more privileges to each process too.

    UAC will be visible only when application will try to add driver or when network connection will be set. It will be possible to select "always allow for it" and after giving password avoid question again.

  77. RuslanUrban says:

    It seems to me that Windows core must be looked at first, before looking at the security issues, and UAC in particular.

    How does malware infect computers? Which Windows components are typically compromised by malware the most? By now, information collected by UAC must have allowed to collect information about the actions that users usually reject. That would be a good place to start the analysis.

    What can be done to reduce the number of UAC dialogs by changing such concepts as how the Registry is used, for example? Which legacy components can be dropped or replaced with virtual machine hosting processes? The idea is to encourage users to run legacy applications within Virtual Machines that simulate system boot-up from standby (instant VM).

    What can be done to find which Windows components are broken? It is very hard to find holes in the Registry – too much data that is often meaningless even to advanced users. What can be moved out of the registry? SysInternals tools are very useful, but sometimes it still takes hours to find the source of an infection.

    System Restore must be reviewed. Restoring system back to a restore point does not recover enough data. Very often, OS remains infected with malware. Therefore, System Restore is often useless.

    One more thing that can be implemented is to run OS session in the "transaction" mode. Then, when a Windows shutdown or a user log-off is initiated, file system changes can be committed. And, if the OS becomes infected, the changes can be discarded. However, advanced users should be able to review the changes before committing the save. This would eliminate the need for many UAC messages.

  78. RuslanUrban says:

    I agree that "Run As" option I think is a must. UAC messages can be displayed in the active window as a modal dialog if the actions are initiated by a process that has an active window. It would eliminate some user frustration. Sometimes, it is hard to determine which program caused a UAC pop-up, and whether the action was expected.

    User should be able to put applications into the list of trusted applications and permit or disable most common operations that can be blocked by UAC. User should be able to remember settings for such operations when UAC dialogs are displayed (add a checkbox or another button). And, developers should be able to incorporate UAC presets into the installation packages so the user would be able to accept recommended settings at once.

    I somewhat agree with users that recommend suspending UAC messages for an application or even all applications for the duration of the session. Security can be compromised, unless running session in "transaction" mode when the changes to the file system are not committed.

  79. marcinw says:

    > I’m waiting a post about WGA. I hope you
    > are able to provide a good protection against
    > privacy for Windows.

    well, it would be good to know, why does alternative method of checking genuine software (downloading application + copying code) connect to Microsoft server and exchange some data. Is it privacy ?

    > I don’t why a big company
    > like you unable to win against
    > a small team of hackers

    what man created, man can hack

  81. marcinw says:

    > It seems to me that Windows core
    > must be looked at first, before looking
    > at the security issues, and UAC in particular.

    YES, YES & YES. There must be changed some things on low level and we can speak about things on high level. Microsoft is already losing some market (because of vista). He can’t build new system on exactly the same solutions. Speaking about bells and whistles and "wow" will be not enough, there is required engineering knowledge and hard work.

    Separating components must be done. Not total, because we will lose some functionality. But much bigger than in Vista. When architecture will be correct, we will not need to use so often System Restore, UAC and other.

    Microsoft must hear customers, not only listen.

  82. Dan.F says:

    In my opinion, the whole idea of the prompts is flawed at its core, and the model of users is not a reflection of how a real system should be.

    An administrator should have the ability to perform administrative tasks, and it should be assumed that they know what they are doing = they don’t need the popups asking them if they are sure.

    A normal user should not have the ability to perform administrative tasks EVER, NEVER EVER!! Don’t ask them if they want to – if they are not an administrator, they aren’t allowed to do administrative things.

    If a regular user account sincerely needs to perform an administrator action, then you should have to authenticate as an admin/superuser … can you tell what I’m getting at – sudo – Unix/Linux/MacOSX – that’s how they work.

  83. spacejumper says:

    In my opinion for an IT Admin or a power-user the UAC is a real annoyance and productivity killer. As many have already said before me I know exactly why I want to do changes to the Registry or delete files or folders in Program Files or Windows.

    If UAC is a must for Windows 7 I would like to have the following choices (probably anyone who installs and configures Windows for a living will appreciate it):

    – have the choice during initial Windows setup process to Enable or permanently disable UAC

    – if I choose to Enable UAC please let me select if I want it enabled right away or after x minutes after the first log on

    – if I create a new user and I grant it Admin rights I want those rights to be indeed full Admin rights not a slimmed down version

    – allow for the UAC to be tweaked so it will show additional prompts only to the events I choose to monitor

    – make UAC manageable through GPOs at the domain level

    – as other users mentioned before create a distinction between actions made by an actual user and actions made by software

    Probably I can think a dozen more features I would like to see in the UAC but I know that if I would get half of what I listed already I could consider myself lucky.

    Finally, UAC was my main reason why I stayed away from Vista… even with UAC disabled there were times where I felt that my user with full admin privileges was not actually in full control over the system… we the IT people like to feel in control!


  84. spacejumper says:

    …and please return the "RunAs" as a choice…

  85. RonV says:

    @Daniel Smith

    <<Slightly OT but I’d like to remove the dialog box that pops up when you move something to the recycle bin asking if I’m sure I want to do this.  I understand why you do this but I’d like the option to turn this off.>>

    The delete confirmation can easily be disabled. Right click the Recycle Bin desktop icon, select properties. Remove the check mark from the ‘Display delete confirmation dialog’.

  86. Fredledingue says:

    I approve totally the UAC.

    I don’t understand why people are so upset about it.

    True that most of basic users don’t read the prompt and don’t know why it’s important.

    One day I made an experiment: I created a message box telling "Your hard disk will be completely erased. Do you want to continue?" and some people clicked "yes".

    One shortfall of UAC is that it doesn’t intercept certain attempts to modify the system.

    I have seen two softwares which tried to modify the system settings or registry and simply produced nothing or an error from these program without UAC popping up.

    What happens is that some programs don’t work because the system is protected but UAC fails to inform you or to let you accept the changes.

  87. gss4w says:

    I think that the implementation of the secure desktop for UAC prompts was a mistake.  It makes the UAC prompts seem much more annoying for several reasons.

    First, it makes the prompts less responsive.  Especially on older hardware, but even on newer hardware it can take over a second for the prompt to appear.  On my computer the UAC prompts are much quicker with the secure desktop disabled.

    Second, it prevents you from multitasking.  When an application generates a UAC prompt you can not work on anything else, you must respond to the prompt to continue using your computer.  If I receive a UAC prompt I’m not expecting I might want to use google to see if there is information about the prompt.  With the secure desktop enabled I would have to cancel the prompt and remember what it said in order to do this.  In general being forced to acknowledge a single dialog box and not being able to use any other program is annoying.

    I’m glad that it is possible to disable the secure desktop for UAC prompts, but I would recommend either making that the default, or making the option more obvious.

  88. Yert says:

    I have to say I love the amount of people voicing like for UAC, even if they have slightly tweaked it (such as one person disabling the Secure Desktop in favor of just using a password; not perfect, but still using UAC like people SHOULD).

    For those that don’t understand it, and furthermore, refuse to (and then turn it off forever)… I won’t preach how useful LUA is AGAIN but I will say you are in for a rude awakening. A VERY rude awakening. Expect bad things.

    I like how this article mentioned Standard User accounts being made usable by UAC (A MAJOR PRODUCTIVITY BOOST!!!), but it didn’t explain the pain that made that necessary. Even if it did, it might not have done justice. Anyone who has tried to Administrate an XP box with a Standard Account will understand this perfectly; RunAs is a joke for the majority of elevations.

    Speaking of RunAs… I agree with the majority of people who mention it in here. Bring it back; it can elevate to full Administrator (like the Administrator account has) for single tasks, making multiple prompting programs run much smoother. It may need to use a Secure Desktop much like UAC does, but the lack of it is painful.

    Someone made a comment on UAC data being used to blacklist methods used by malware. I have to say that a blacklist is a bad idea in security; whitelisting good programs is much better, and has no false positives to worry about. You wouldn’t use a firewall that only blocked where attacks have come from in the past, right? So why is security software like this? With UAC (a whitelist of sorts) I don’t need antivirus (a blacklist type security mechanism).

    And as for those who want protected mode of IE without UAC, there is a way to do it *right now*, but I’m not telling. Run UAC; you will be better off.

  89. says:


    "…and please return the "RunAs" as a choice…"

    why? you can do everything you can do with RunAs in the search field of the start menu…

  90. lyesmith says:

    Once again Administrators should have administrators/system rights. The OS should not question what an Administrator is doing. If the Admin intention is to infect a computer with 100s of viruses that’s fine. (It is actually the AV responsibility to prompt the admin in this case). The OS should make it more comfortable for the admin to change stuff. You should expect that the admin is well aware of that installing downloading softwares can be dangerous you do not have to prompt him. However when you prompt an administrator then you should provide detailed information about what’s going on.

    When the admin creates a user account he should be able to explicitly set the right for each user. During the UA creation process. That should include for example allowing/prohibiting installing softwares/viruses. However those softwares should only allowed to access stuff in the User security sandbox, and not in the Admin security sandbox.

    If the User wants to do something that requires admin rights then he should be prompted for Admin credentials.

  91. lyesmith says:

    I just mention that not including Group Policy Editor (also Terminal Server) into Vista Home products was a sickening thing to do. It actually made me consider to switch to Mac. This is just a cheap shot to make people to upgrade to Ultimate for a 100 bucks. Next time what you don’t include notepad?

    Having Terminal Server on the home computer is more important than on a business computer. They have servers anyway.

  92. lyesmith says:

    I can not see anything about MinWin or kernel changes, about hypervisor in Win 7 or core features in the PDC2008 agenda.

    Does this mean that Win7 will be a polished Vista?

  93. piratk says:

    Every time UAC pops up I feel like the system slows down. This is very annoying, a task that previously took less than a second, now can take more than 10 seconds. UAC dialogs often never say why admin rights are needed. I would like a way of sand-box the program, with temporary admin rights, to a sandboxed version of my system, and when the program terminates, I would be given the option of committing these changes to my system, or just saving them for this program to use the next time it is used. This way, badly written programs may run in admin-mode, and never know anything about it. Dangerous commits should be warned about, whilst commits not affecting anything important, would be just safe.

    Sandbox admin rights! 🙂

  94. Colmeister says:

    Surely one of the best (and simplest) things that could be done to improve security is to change the installer for Windows 7 to encourage/force the creation of a standard user account. Your own stats show that the majority of home computers have a single user set-up and this is configured as an admin user, this is a situation that you should try and address.

    I guess this would involve communication with other members of the ecosystem so that suppliers of new computers configure them in this way.

  95. stodge says:

    UAC is just another hack to poorly address flaws in Windows. UAC only exists because previous versions of Windows:

    – let applications write to any part of the registry

    – applications write to any part of the disk

    – weren’t designed with security in mind

    Windows needs a redesign from scratch. Take the current kernel and scratch the rest. Heck, take a version of BSD and build on that. It couldn’t be any worse than Vista.

  96. thecolonel says:

    i don’t understand what’s so difficult about just copying the MacOSX way of doing UAC? a lot of people here are hinting at it, so i’ll just go ahead and suggest it out loud

    great ideas should be shared, and when did you ever hear about anyone complaining about the way OSX handles the UAC side of things?

  97. ddahlstrom says:

    After reading all this, the two ideas that really struck home with me, such that I’d be perfectly happy with UAC are…

    1. Ability to add apps to an approved whitelist.

    2. The prompt needs to report what the system is about to do.

  98. mccabe says:

    I’m firmly in the disabled UAC category; it was my first step in coming to terms with Vista, and I’m glad to have it gone.

    UAC fails for two reasons:

    1. There’s no white list. I don’t want to be asked every time I open the same program. It needs an option to remember my choices, and only prompt if the program has changed.

    2. The feedback is non-informative. Unless I already know the application being installed, I can’t garner much from a UAC prompt. And of course, if I know what I’m installing, I also know I don’t need to be prompted about it…

  99. Magumi says:

    I like to be protected by UAC, but I wish it remembered my choice – I hate it when I have to click "allow" even if I launch the same application for 100th time. Add a simple check box "Remember me next time" and I’ll be happy as a mouse.

  100. manicmarc says:

    Those of you who don’t like secure desktop, if it wasn’t for this then any rogue application could modify the UAC prompt and make it green, with text to say it’s a trusted window component.

    What about a White List? How long would it be before hackers realized how to get their application into the White list? Not long.  Mac OS X has a good idea by remembering your action for the session. How it implements this I have no idea, something to do with the keychain.

    IIRC then the MAC OS windowing system means you can’t easily adapt another Window’s contents or listen to its messages.

  101. lyesmith says:

    "…  most machines (75%) have a single account with full admin privileges. … this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes to the system. "

    So because of "historical" reasons you just inherited this bad practice in every MS OS. Congratulations.

    Those users who do not understand why they should have an admin account and a user account as well will just click on YES for every popup you display. Do you think they will actually read what you display? Or understand?

    Why can’t you just break away from the bad inheritance of earlier Windows OS?

    Win7 needs proper UA management! Not more pop-ups.

  102. Eghost says:

    UAC, it’s a good thing, for the most part.  However Microsoft please take into account your power users. You should be able to disable it, you should be able to be a true administrator. And not have to right click to run as Administrator. Now you might ask why? Simply power users are not your atypical user, we want control, we want to be able to change things without the fanfare that comes with UAC or right clicking to run as an administrator.  Now why should Microsoft care about the small percentage of power users out there?  Easy, we are the ones people ask for advice, companies ask for our opinions. Vista is not power user friendly, it is locked down way too much, the security, and the UI.  I believe a large part of Vista’s problems stem from Microsoft alienating the power user, and like it or not, word of mouth is a large part of acceptance. I have been asked many times, "Do you like or use Vista?".  I have to reply no, and most people say, "If you’re not going to use it, I won’t either." Again, don’t forget your power users, or computer geeks, whatever you want to call us. Don’t put up "WALLS", allow users a choice. That is why Vista has failed, it no, "CHOICE" it is do it Microsoft’s way, not everyone wants it your way. Choice, is the only thing I can say, Windows 7 really needs to be choice, with UAC, with the UI. Don’t fail like you did with the betas of Vista, listen to users and give us CHOICE. I really want, "life without walls." Please let Windows 7 be that because Vista is, "Life With Walls"…..

  103. Eghost says:

    One more thing, if you want to see Microsoft’s "WALLS" just head over to the IE 8 blog. Dean still will not discuss the UI on IE 8. He and his team are ignoring it, and ignoring the power users. IE 8 is, "you will use it Microsoft’s way."  I use FF3, I would love to recommend and use IE 8, but Dean and his team need to realize, power users are your word of mouth, power users are your "go-to persons", Power Users are your life blood. Dean, give up control, allow users to customize. Stop putting up "walls" and allow users a choice….   Again it is all about "CHOICE", it is all about "Life without Walls"….

  104. spivonious says:

    I honestly haven’t seen a UAC prompt in a few months.  It sure got annoying when I was installing apps on the computer after installing Vista, and configuring system settings, and updating drivers.

    I think that if I set an application to always run as administrator, it should prompt me when I set that option, not every time I start the application.

    Also, UAC prompts for writing to any non-user folder are a little silly.  Limit the protection to %windir% and other users’ folders.

  105. Jalf says:

    "In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista.  Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable."

    Predictable? No, glaringly obvious. It’s the single first thing we were taught in our HCI class in the first year of computer science. Requiring the user to repeatedly press ‘ok’ only guarantees one thing: They’ll do it automatically, without even noticing or remembering that they did it.

    And this was the first thing I thought when I first saw a UAC prompt. God dammit, what were Microsoft thinking? This is worse than useless, you finally decided to tackle the problem of everyone using admin privileges, and you botch it by training everyone to grant admin privileges to anyone who asks, which isn’t much of an improvement over just having admin privileges on to begin with.

    As it turned out, it had a large effect on the ecosystem, which is nice, but in teaching the end user to behave sensibly, you might be worse off now than before Vista. At least when Vista came out, people noticed the UAC prompts. Now they don’t.

    One step in fixing this might be to provide some sensible context information. Tell me *which* action it is I’m approving. But that in itself is not enough. The UAC prompts must also be so rare that you *notice* when you finally get one.

    Anyway, I suspect that one major factor in the frustration with UAC is that it slows you down so much. First, the graphical component is generally useless, and it takes time (the screen goes blank, and then a moment later, the secure desktop shows up, allowing you to click. And then, another small wait before your regular desktop is back). (Of course, I understand that it’d be a problem if applications could mess with the UAC prompt, but the delay in the current implementation is enough to drive anyone mad.)

    And second, this retroactive prompt interrupts the user, injecting several new actions into what should have (and was expected to be) one or two simple mouse clicks (say, to open the control panel)

    One obvious solution, then, is to make it easy for the user to specify in advance that "this should run with admin privileges, and here is my login info", so it doesn’t have to pop up and prompt, similar to the sudo command in Linux. If I know that the task I’m about to perform requires admin privileges, I’d like to be able to proactively approve it. And definitely without the whole desktop-switching nonsense. I don’t mind typing in my password every time. That doesn’t take long to do. But the "secure desktop" fails because it completely interrupts my flow, and slows me down noticeably. (So no, I’m not asking for a whitelist, just an easier way to proactively approve individual tasks. And of course, if I don’t "pre-approve" the task I’m performing, I’ll still have to deal with a UAC prompt. I’d just like a more streamlined and less disruptive way to approve the task I’m doing before I get the big prompt.)

    I fully agree with the goal of UAC, but if I can’t perform individual tasks as admin without being slowed down, it becomes frustrating. Perhaps instead of a "secure desktop" clearing the entire screen just to show this prompt, a "secure dialog box" would suffice? I mean, sure, so Explorer needs UAC approval to copy these files, fine, but why shouldn’t I be able to continue surfing in Firefox in the background? The prompt must obviously prevent me from completing the action in Explorer, but it has no business locking down my other applications. (Both because it’s not very user-friendly, and because switching to a separate secure desktop seems, at least in the Vista incarnation, to be extremely slow).

    And if it isn’t possible to make such a "secure dialog", perhaps you should make it possible. There’s no technical reason why it couldn’t be done, and it would be a hell of a lot less frustrating than the full-screen UAC prompts.

  106. Nidonocu says:

    A UAC user and lover here, with it enabled I finally feel I don’t have to run with a Virus scanner installed. Crazy I know but I feel UAC finally gives -me- the choice of if a program is safe to run or not. I know, I’m the odd one out here.

    Information though is the big thing, people should be told why and the UI should be different for one case rather than another. Running setup for an application should be very different from performing a system change.

  107. ddahlstrom says:

    Not so odd.  I stopped using virus software when I went to Vista 64 almost a year ago.  I still use Windows Defender and a firewall, but no virus protection.  I just got really tired of the added bloat and tried it out "just to see".  No regrets so far.

  108. fsomalia says:

    I agree with Dan.F, wolrah and others. I do understand the question you’re trying to address with UAC, but disagree completely with UAC.

    Just copy any UNIX-like OS, like MacOS, Linux distros, etc.

    First of all: do not create the first user as Administrator! Use Runas/sudo. Do not ever, never promote privileges!

    Why not embrace a well-proven concept?

  109. dosulliv91 says:

    I ran as a non-admin user after I first installed Vista for 6 months or so and found it to be surprisingly painless to use my machine as I always have (Knowing the admin user password for UAC overrides was key of course).

    The eventual deal breaker for me was that application functionality was in some cases degraded. One example being windows update – when running as a non-administrator, I would never get automatically notified/prompted to download patches, regardless of the windows update settings. However, if I ran windows update manually and entered my credentials into the UAC prompt, I would then see the available patches. This ceased to be an issue when I granted my userid admin rights.

    Another example was the Windows problem and solution reporting tool. I would never be prompted to report an issue, nor made aware of an available solution, while the app was running in a non-admin environment. Again, this problem disappeared when I logged in as an admin user.

    Now it could be argued that these functions are something non-administrators should not be concerned about anyway. But for folks like me who are trying to use their computer in the most secure environment possible, I found it a bit disconcerting that applications behaved differently in a non-admin environment. Not to mention potentially dangerous, in the case of non-admin users who have their windows update set up to notify them of patches, as this means updates will never be applied to their machines!

  110. Hairs says:

    It’s not at all surprising to me that the linux/mac fanboys’ response to every problem that crops up is "Do it the Linux way!" – in truth their way is not the only way, and in many cases may not be the best way either.

    The last time I attempted to use Linux I found myself being asked (as an admin) to give access to…. change my mouse settings. I’d LOVE to see the logic behind that one.

    "My god the user wants to change the scroll speed on his mouse! Stop him! It just cannae taek it cap’n! Ah Dooooon’t hae the powah!"

    And some people find UAC an annoying implementation….

  111. marcinw says:

    Each system has got some advantages and disadvantages.

    People accepted XP, because it was good enough (easy enough, stable, etc.).

    Later Microsoft programmers/managers didn’t have an idea what to do next (yes, Vista work was restarted at some moment). Somebody decided that removing some control from the user is a good way (decreased functionality of defragmenter, more DRM, etc. etc.). People decided – we don’t want it.

    Microsoft decided – we will advertise it, we will discontinue XP….

    Now Microsoft needs to release a new system on time. I have a feeling that it will be another Vista. The same technology, more bells and whistles. Microsoft can do it. I hope that more and more people will criticize this system then. The reason is simple – removing some things which make the system insecure and difficult to manage (shared Registry for example) can have only good consequences. Speaking about and extending only such solutions as UAC (which only mark security in some things) will have only bad consequences.

    What can I add? Don’t add thousands of APIs, only change some architecture things (yes, it can make some system apps incompatible, but people will accept it when they see the profits, and will switch to the new system much faster). As a codebase you can use even Windows XP.

  112. KellenF says:

    There were a lot of comments saying they wanted "Run as Administrator", but I didn’t see any with the option I was looking for, "Run as limited account".  I’m sure a lot of us here fit into the category of poweruser that generally logs in as an admin account and is pretty smart about not running malicious applications/navigating to infected sites.  What I would like though, when I have an application I’m less sure of, or when browsing the internet, is to specify from the outset that I less than trust this application.

    As it is now I have to run a VPC to handle these kinds of issues, but it’s cumbersome and in some cases not possible (when not on my machine).

  113. lyesmith says:


    How often do you change the mouse settings? UAC is annoying. And it is NOT SAFE. Because regular users just click "yes" anyway. They do not even notice it any more. They DO NOT read the text any more. Are there any stats on how often the average user presses "no"? Especially how often they press "no" when they should do that? UAC actually would not make any change if it did not exist. Personally I would just remove it completely.

    If you have admin rights you will do what you want to do anyway.

    But an admin should never be prompted because he wants to install something or change a setting. You either have your rights or not.

  114. marcinw says:

    > There were a lot of comments saying they

    > wanted "Run as Administrator", but I didn’t

    > see any with the option I was looking for,

    > "Run as limited account".  I’m sure a lot of

    > us here fit into the category of poweruser

    > that generally logs in as an admin account and

    > is pretty smart about not running malicious

    >  applications/navigating to infected sites.  

    > What I would like though, when I have an

    > application I’m less sure of, or when browsing

    >the internet, is to specify from the outset

    > that I less than trust this application.

    My opinion: the system should be built in such a way that working all the time in an Admin account is uncomfortable (it must be connected with changing the architecture so that working in a limited account is more comfortable). In my opinion adding "run as limited user" will not help in this…

  115. grasfearn says:

    If Microsoft is now aware of 775,312 applications that display a UAC prompt to run successfully, why not colour code the background of the prompt (green, amber and red)? Surely Microsoft has a fair idea now of those applications that pose little risk (displaying a green prompt), some potential risk (displaying an amber prompt) or great risk (displaying a red prompt)?

  116. ababiec says:

    My biggest gripe with UAC is when I move/delete files & folders on an external USB drive where I originally added the files & folders using another computer (and another user account).

    If we can’t shut off UAC for external drives, then at least give me the option to enter "Admin" mode for the entire session while I am doing file mgmt. I can’t find a way to run Windows Explorer as an Administrator.

  117. manicmarc says:

    lyesmith you have it all wrong. IT IS the OS’s job to prompt the user. Antivirus software IS NOT needed. Just ask the average Mac / Linux user what AV software they use and they’ll laugh in your face. Their OS protects them, not some expensive piece of bloatware.

  118. iCeCloW says:

    What about Registry Virtualization and so on?

    I think this is related to UAC, as it was supposed to virtualize access to restricted areas of the registry for applications that were not UAC aware. However this never worked correctly in Vista. Although the virtualized registry was created, it never made an app work with that. I can’t imagine why not; if your access is virtualized the app should have worked correctly, if it was well implemented. In my experience I think it was incorrectly implemented. Is this going to be improved?

  119. mludwig says:

    As others mentioned already, it can be slow to appear and disappear sometimes. It adds a few seconds to performing a single admin task, which is annoying.

  120. vons says:

    What I don’t see in this post is the number of UAC prompts that the user encounters before finding what he needs.

    When I need to look up or change something in the network settings, it always takes me quite a while before finding what I’m looking for.

    This means selecting things in the control panel, getting a UAC prompt, navigating around, and only to discover that the setting I need is elsewhere.

    Before I find what I need I can get 4-5 UAC prompts while searching this way, simply because the information is difficult to find.

    Personally I would get a lot fewer UAC prompts if all the network configuration stuff was easy to find, and preferably presented in a single control panel app so that there would always be just one UAC prompt.

    So improving the way in which Windows presents information to the user can also reduce the number of UAC prompts.

    Concerning UAC itself, I mainly see it as a kind of improved RunAs in the sense that it automatically prompts me when something needs admin rights. Saves me from thinking of running stuff using RunAs/RunAsAdmin, and works for things that don’t propose a RunAs.

    Being able to look at the system configuration and having a button that allows elevation in order to make changes is also very nice.

    In practice this saves me from switching between a normal user and the admin account; logging off and on is annoying.

    Something I still miss is the option of running installers elevated or not. Currently, at least pre-vista setup programs always provoke an elevation prompt, there doesn’t seem to be a way to run such setup programs as normal user.

    Not all setup programs install stuff in program files and such, some only install a plug-in in a user-accessible folder.

    So such setups are now impossible unless the installer is updated by the developer.

    The only work-around is to temporarily give myself admin rights, which is a bit annoying as well.

    It would be nice if the UAC dialog proposed an option to run the program without elevation (which is exactly what happens when running such a setup as a normal user under XP).

  121. p_rynhart says:

    Regarding the post from ababiec:

    > If we can’t shut off UAC for external drives,

    > then at least give me the option to enter

    > "Admin" mode for the entire session while I am

    > doing file mgmt. I can’t find a way to run

    > Windows Explorer as an Administrator.

    Open a command prompt using "Run as Administrator" (i.e. right click on cmd.exe and then Run As Administrator).  In the resultant elevated command prompt, type "explorer /separate".  The resultant explorer window (and only this window) will have a full admin token – and, therefore, will not trigger any UAC prompts.

    If you require another elevated instance, you can "explorer /separate" again from the elevated cmd.exe prompt.  To differentiate between filtered and full instances of explorer.exe, I recommend the use of PrivBar.
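The filtered-versus-full token distinction mentioned in the comment above can also be read directly from each process token. The following is an added example, not part of the original comment and not PrivBar's code; the type name `UacTokenInfo` and the function `Get-ProcessElevationType` are hypothetical names chosen here, while the Win32 calls are the documented ones.

```powershell
# Added example: classify a process token as Default, Full (elevated) or Limited (filtered).
# UacTokenInfo and Get-ProcessElevationType are hypothetical names, not an existing module.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class UacTokenInfo
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;   // member of TOKEN_INFORMATION_CLASS

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int length, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns the TOKEN_ELEVATION_TYPE of the process: 1 Default, 2 Full, 3 Limited.
    public static int GetElevationType(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            IntPtr token;
            if (!OpenProcessToken(process, TOKEN_QUERY, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try
            {
                int type, size;
                if (!GetTokenInformation(token, TokenElevationType, out type, sizeof(int), out size))
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                return type;
            }
            finally { CloseHandle(token); }
        }
        finally { CloseHandle(process); }
    }
}
'@

function Get-ProcessElevationType {
    param([string]$Name = 'explorer')

    # Human-readable labels for the three TOKEN_ELEVATION_TYPE values.
    $labels = @{
        1 = 'Default (no linked token: standard user or UAC off)'
        2 = 'Full (elevated admin token)'
        3 = 'Limited (filtered admin token)'
    }

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $state = $labels[[UacTokenInfo]::GetElevationType($proc.Id)]
        } catch {
            # Opening the process or its token can be refused, e.g. for another user's process.
            $state = "Unknown ($($_.Exception.GetBaseException().Message))"
        }
        [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Elevation = $state }
    }
}

# List every explorer.exe instance with its token type.
Get-ProcessElevationType -Name explorer
```

An explorer window started from an elevated prompt as described should be reported as Full, while the normal shell of a UAC-filtered administrator is reported as Limited.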



  122. mariosalice says:

    UAC is a malicious program.

    I kill it on first sight ever since I got Vista.

    Then I kill security center alerts, to get rid of "UAC not working" messages.

    This way I went on with Vista and didn’t go back to XP.

    It is most important for me to be able to kill both alerts and virtualization of UAC.

    Otherwise I won’t follow with Seven.

    Build a user mode by default during installation.

    And make it work right.

  123. steven_sinofsky says:

    A few folks have suggested we create 2 accounts, one admin and one standard user.  This is definitely something worth considering of course.

    There are two things we keep having to consider:

    * A most common support call to OEMs and Microsoft is "lost password".  This would effectively double the chances of a lost password.  Also, by having the "Administrator" named account on the machine creates an obvious entry point for dictionary attacks.  

    * The out of box experience (that is the time from opening the box to getting on the internet) is a big design point–creating two user name/password combinations seems counter to that goal as well. Asking for two unique user names at the start seems awkward in terms of what most folks would believe to be required.

    Just something that we’re thinking about…


  124. lyesmith says:

    What’s the idea behind that "to change the User Account Control message behavior" I have to have Windows Vista Enterprise or Windows Vista Ultimate?

    Home versions do not need proper UAC?

    I still can not see the advantage of UAC as implemented now. MS educated the user to click "Yes" on every popup he sees.

    Exactly how does UAC make the system safer? Is there a significant user group who actually reads them?

  125. burgesjl says:

    Like someone else said on here, I’m getting more worried about this blog as time goes by. MS has hinted that they’ll release an alpha fairly soon, possibly in a few months, and a release within a year. We can’t still be discussing basic concepts such as these and meet that timeline. I think the feature set has already been decided, and we’re simply being softened up for what is already coming. And most of that is simply a warming over of concepts that already exist in Vista, such as UAC, which just don’t work and can’t ever work because they come at an issue from the wrong angle. I really am getting the feeling that MS believe Vista can simply be tweaked. We’ve seen discussions on the basic fundamental OS building blocks, that basically haven’t gone anywhere: they see no problem with what they have or are ‘locked into’ some concepts that are fundamentally flawed. I’m seeing the same here. There’s analysis galore, but it all makes the same fundamental mistake: it’s looking to fix or tweak something that shouldn’t be the starting point in the first place. MS need to go back and look at the iPod and Wii: they changed the game with their UIs and avoided the problems of existing UIs and interaction by simply doing it differently at the outset.

  126. nikkool says:

    Other than the frequency of the prompts, the two most annoying things about it are the

        -delay, which leaves installer at 0% for some time before UAC pops up.

        -the fact that it locks up the whole screen (although it does go into the background sometimes).

    A better way would be to instead pop-up a little message on the side above the system tray (similar to live messenger), and have it stay there, which would probably reduce all the funny graphics stuff that happens.

    And I agree that there really should be a safe list that frequent programs could be added to.

    In addition to this though, Windows really should have some of the common programs, like security suites, already recognized, much like firewalls in recent days have become smarter and instead of prompting users, they make smart decisions, which for the most are ‘smart’.

  127. irdawood says:

    Well to the above commentator, I too agree that Win7 must be under feature lockdown with Beta 1’s supposed release this December.

    Though, the posts on this blog are still useful as the team has time to ‘fine-tune’ existing components of the OS, which is exactly what they are trying to do.

    I’m sure MS and the windows team within the company know that a lot is riding on this release being successful and to eradicate the misconceptions people have of Vista as we can in no way have a repeat of that episode.

  128. Laith says:

    I have been following these comments and I agree with many.

    UAC does seem to slow down productivity because of the "lag" it causes before and after it asks for permission.

    Security center really needs to "forget" about UAC. It never seems to give up on it (create an option for this please!).

    It would be great for us interested in the engineering of W7 to understand how our comments/posts help improve/shape W7 when we are so close to beta 1 and I (as others) guess that now W7 is feature locked?

    I would also greatly appreciate it if staff replies in the comments area were shaded another colour so I can identify who is staff and who isn’t.

  129. Hairs says:

    How often do I change my mouse settings? Irrelevant! What’s relevant is that someone decided changing mouse settings was a potentially dangerous act that needed to be UAC’d. Utterly moronic thinking.

    Manic marc:

    Linux and Mac users are welcome to laugh in someone’s face if they suggest anti-virus, but the idea that they are inherently "secure" is not at all true, as was proved with the Month of Apple Bugs.

    A recent Apple critical security update was 300megs – for 3 apps. That’s as big as service pack 3, which contains every critical patch ever released for XP. BSD was recently exposed as having a critical security flaw that was in place since… the BSD project started, over 20 years ago.

    The only reason macs and linux don’t have AV is that malicious hackers haven’t started targeting them yet. If they start, you can expect to see a lot of people with their smug pants around their ankles very quickly indeed.

  130. says:

    You know those movies… where someone is being guarded by someone for some reason (Politicians wife/kid, witness in a murder trial, etc..), and they get frustrated by all the security, and find a way to escape by themselves?

    Invariably, the person gets themselves into trouble they can’t handle.

    That’s what most of the people complaining about UAC are like.  They whine and moan about how bad UAC is, but as soon as they ditch it, they get themselves in trouble.

  131. killeraardvark says:

    I would like to see a way to adjust the UAC to different threat levels like how IE has different levels of security.  UAC should have a Low, Medium, High and Custom.  This would cater to everyone if they made it easy to do so.

  132. says:

    Given all your research data, I wonder if you ever found a survey that provides you with an answer to: Given a ‘proceed’ or ‘do nothing’ choice, what would an ordinary person do? Factoring in also that there may be ‘warnings’ of mild or dire consequences to their actions.

    I for one would do nothing.  I don’t want anything happening.  Therefore I am unable to operate your software products, as ‘doing nothing’ turns the computer into a dead machine.

    So, make sure you have a ‘kill the little stinker’ built into Windows 7, as I like computing!  🙂

  133. Fredledingue says:

    Steven Sinofsky wrote "A few folks have suggested we create 2 accounts, one admin and one standard user.  This is definitely something worth considering of course. …etc"

    I’m against that too in regard to the typical home users.

    We can do everything through the UAC, we don’t need a second account. Maybe a switch to an "administrator mode" to temporarily lift restrictions could be appropriate in some cases, when needed.


    "A most common support call to OEMs and Microsoft is "lost password".

    For many home users a password is useless. It should be clearly optionable. You can leave the box blank, but people feel obliged to type in something, preferably difficult to remember. Replace the box by a button reading [password…], under "advanced options" and lost passwords will be a thing of the past.

    It’s also important that noobs know that you can always change the status and password and everything on the account later when necessary.

  134. gonzc900 says:

    I have no problem with UAC. I’m glad though you are making a UAC control center to control the prompts. If only you did this sooner.

    Looking forward to seeing this in person

  135. Asesh says:

    One thing that I really hate about UAC is it blocks everything on screen when displaying its dialog box, that’s the reason it’s very annoying. And the UAC dialog box should also display if the executable is signed or not and the digital signature is valid or not. Actually Windows 7 should do this before launching any applications besides the installed ones.

  136. Asesh says:

    There’s a feature in XP to run programs with least privilege even if you are logged in as Admin by right clicking that program then choosing ‘Run as…’ which would make the viruses and malwares useless even if they run. Why isn’t that feature available in Vista? By default Vista gives administrators standard privilege, that’s cool. But even if viruses run with standard privilege they still can delete or infect files on other drives besides that system drive and can make other changes that can still affect administrators. So Vista’s security is still lame. So putting that feature back into Windows 7 and running the programs via that feature would be great cause even running a malicious program would make no difference to the users

  137. Asesh says:

    Just to add again. By default applications that are not installed should launch with least privilege rights (XP-> right click a program and select ‘Run as…’ and click ok) which is a feature not available in Vista when you are logged in as Admin, which would definitely make the OS very secure. There should be options to run those programs with either Admin or Standard privileges.

  138. Asesh says:

    Microsoft should improve UAC in Vista too. Why only Windows 7? Am talking about UAC UI in Vista. Rather than blocking the whole screen by displaying the UAC dialog in Vista, why not replace it with a simple dialog box which will act as a child window that asked for permission to get admin rights by not blocking that whole screen which is damn annoying. That would make UAC much simpler. I know so many Vista users and they all hate that thing and so do I. So please don’t forget Vista users too. It would be great if we could see that in Vista SP2. Many won’t upgrade to Windows 7 until it’s SP1 release so will I. So make Vista users happy too.

  139. lyesmith says:

    Another problem with UAC and the "one UA" is that you deliberately make stuff hard to find or change stuff when the user has admin account. The OS should make these changes easy for an administrator.

    Just a bit of brain dumping…

    What if the admin user account (or the one you would like to have) has two modes?

    First is the "user" mode which is optimized for the average user and a protected "admin" mode which is optimized for admins. The admin mode even could be a different UI for admins, a separate Admin Virtual Desktop. On this desktop the user would find every tool to make the admin work easy.

    When the user goes to the Admin Desktop then he can work with admin security settings. When he goes back to User Desktop then user security kicks in.

    For example no software could install itself if the user desktop is active. If something needs to be done then the user gets a subtle notification and he can go to the admin desktop. But if the user has to do a lot of admin work then he could just go to admin desktop and change stuff without annoying UAC prompts.

    I the User Desktop should be viewable from Admin Desktop in a secure way

    The challenge here is to make sure that the user doesn’t stay in the Admin Desktop all the time. But I guess it is doable if the Admin Desktop is optimized for admin work and not for general work.

  140. aJanuary says:

    It seems to me that one of the biggest frustrations comes from having just clicked something to perform an action, and then a UAC prompt effectively (it seems to the user) asking them if they’re sure they want to perform said action. "Of course I want to do that, I just clicked it!". Ideally, it seems to me, it would be able to distinguish between actions the user invoked explicitly and implicit operations. Probably impossible to implement in a system wide scheme, but perhaps possible to do in the shell to reduce the number of dialogs Windows pops up.

    On a more achievable note, I think it could be improved with increased granularity. A portion of users who disable UAC disable it because they perform a small subset of tasks that routinely bring up a UAC prompt. If they could disable it just for those tasks but still benefit from the increased security in other areas it would be good.

  141. Prixsel says:

    Symantec released their UAC beta software with ability to search from internet and block unneeded reappearing popups so I hope you take a look what is already being built if you haven’t looked the news yet.

  142. gonzc900 says:

    I agree with Asesh why not make this feature as an update in Vista SP2.

  143. shaunco says:

    [disclosure: I am a developer at Symantec and was involved in the Norton UAC Tool.]

    The Norton UAC Tool was written to address what we see as a usability issue in Vista’s UAC prompting.  The Microsoft Vista team did a fantastic job of improving the security of Windows by implementing integrity levels, isolation, user interface privilege isolation, and file/registry virtualization (which led to protected mode IE) – but we were concerned with the trend of users disabling UAC altogether or blindly clicking allow (Chicken Little, "the sky is falling", syndrome). Both resulting in the fantastic new security in Vista becoming useless (by either being disabled or ignored).

    I am very pleased to see that the Windows 7 team is taking this problem seriously, paying very close attention to the CEIP data, and putting time and effort into improving the usability and readability of UAC prompts while also working to reduce the number of prompts generated by Windows.

    All around fantastic news!

  144. mariosalice says:

    The installation key could be the default admin password – default name "admin".

    Then we might be able to log in with either a new password (easier) or the installation key.

  145. nExoR says:

    UAC as an idea is not bad, but the core idea of ‘how to protect’ is a mistake from the very beginning of NT workstation (w2k wrks). The idea was (and regrettably still is and even more terrifying you write it is going to be) to give an administrator privileges to the first account created. you write how cool UAC is changing app ecosystem and less and less application need admin privileges – true, but imagine how would today IT look like, if XP would create non-administrator account for the first user. probably there wouldn’t be such apps at all.

    you had a chance with vista to change the situation – but instead you decided to create UAC. and the solution was so simple, with no need of architecture changes: simply add some ‘special admin session’ (some kind of GUI) to make system changes, some easy way to create ‘run as admin’ shortcut icons to commonly used tasks. this would force users (AND STUPID DEVELOPER COMPANIES!) to write app for standard users.

    some may say – it would be hard to educate ppl and how to use it and what is all about. i answer: look at this all mess about UAC – it’s not simple as well, but you decided to though. moreover – it’s the matter of well designed interface giving easy way to configure that (in some part automatically) and giving enough information.

    UAC would be nice supplement then. for now a moment – as you wrote above – the users don’t even know why they are abused by some question, and what they are asked for. as result most of users simply accepts clicking ‘allow’ – so what kind of security it is?

    …so keep making complex statistics, make UAC and then slowly define object by object what operation will not prompt – and in effect you will have gr8 functionality of UAC-with-no-UAC, malicious software and spyware will learn how to use those no-prompt actions, and the apps will still be written as in w9x epoch – as there is one user on the computer with admin privileges. imho this situation (admin-apps) is your (microsoft) fault, and as i can read – you put a lot of effort to keep it that way.

  146. Asesh says:

    Wouldn’t it be better if Windows 7 would show up a dialog box when a non installed program is opened which would display with what privilege the user would want to run that specific application e.g.,

    1: Least privilege (XP -> right click a program and select ‘Run As…’ and click ok)

    2: Standard privilege

    3: Admin privilege

    It would be great and our computer would be more secure.

  147. As a developer, UAC did force us to do a complete review of our code and we tidied up a few minor issues, but we were already able to run successfully without admin privileges.

    The one big irritant has been Office 2007.

    The ‘Not installed for current user’ problem has forced me and others to disable UAC.  There is probably another solution, but that seems to work reliably.

    In addition, on sandboxed machines, virtual machines etc that get a lot of configuration, switching it off saves time.

    A slightly OT issue which is incredibly annoying is getting hit by being a good citizen and Authenticode signing our .NET assemblies – then high-security customers that do not allow internet access have issues with the CLR checking the certificate revocation list.  

    For apps, this leads to a delay, but for services it’s worse, as the SCM decides it’s not started in a timely fashion and kills it.

    As with UAC, there should be some method of trusting certain apps explicitly, rather than just turning off the checking mechanism itself, which seems to be the fix in .NET 2.0 SP1.

    I note that some companies are now shipping unsigned assemblies to avoid this issue.  This is really not what you want from your ISVs, so try and reward good citizenship with elegant solutions.


  148. quux says:

    I’m a sysadmin and personally I very much like UAC – in fact I consider it the best reason to upgrade to Vista. I have had a habit of running nonadmin since NT4, and UAC makes this much MUCH easier. So to me, the benefits are obvious.

    But I encounter UAC hate on an almost daily basis from other users. You’ve heard all the epithets I’m sure, so I will not repeat them. But I have a difficult time expressing the value of UAC in ways that don’t cause instant contempt and/or glazed over "I’m not really listening" expressions on the faces of the UAC-haters. I can see where they are coming from (they’ve always been in full control of their systems; why are they now being demoted?), but they have a tough time seeing where I’m coming from. This gets me to thinking: how can MS soften the introduction to UAC, and better tell its story to the users who will be shocked and angered by it?

    First, I think it would be very worthwhile to hire a really good media team and have them film a few short introductory videos. People need to be taken by the hand and led through a story which brings home the problem and the solution. I have read everything I could find about UAC, and talked to as many people as I could. It seems to me that the stuff which really explains the issue would bore a nontechnical user. With many other things vying for their attention, this is where they just click some other link and move on – still not really understanding the issues UAC works to resolve, still feeling that it is an unnecessary imposition on their day. So they simply type ‘disable UAC’ into the search bar, find a recipe, and use it.

    Once you have a couple of movies, and perhaps a few text-and-graphic explanations for various audiences, link these from every UAC prompt. My thinking is that there should be a series of quick 2-5 minute hits, from basic to more advanced. A couple of episodes would address the question of ‘what can I trust?’. And so on. All should be given in a plainspoken manner that does not patronize or talk down to the customer (for some reason I keep thinking of the videos Amazon used to introduce their Kindle, though of course the problem is much different here).

    I don’t know where you will find the people who can explain UAC in ways that new-to-UAC and already-hate-UAC folks can connect with. Media consultants? Documentary directors? Independent film types who premiere at places like the Sundance Film Festival? I do think it’s important to look outside the standard tech writer crowd, though – they have already struck out.

    Thanks for providing this forum. Now I’ll go back and read the rest of the comments!

  149. lotharamious says:

    Personally I like the idea of UAC.  I have 2 outstanding issues with it, though.  The first is the fact that each prompt is a pop up window.  Why not have it dock to the task bar?  This way you always know where a prompt will appear.

    The second issue I have is a bit more complex.  During a typical session, I usually peer around at settings, without modification.  So when I want to take a look at Device Manager, for example, I first have to accept a UAC prompt.  But all I really wanted to do was LOOK at the settings, not necessarily change them.

    Would it be possible to integrate UAC in such a window so that you can easily see your settings?  And then when or if you would like to make a change, all you would have to do is type in the password in the window and POOF!! everything is modifiable.

    KDE has similar functionality and I believe it is far more useful and less intrusive than the current implementation of UAC.

    I appreciate this forum a lot.  It encourages excellent discussion about all of the functionality of Windows.  Keep up the good work Windows Team!  It sounds like Windows 7 will be an EXCELLENT and well-polished release.

  150. lyesmith says:

    I have to say I am quite anxious about Win 7. Hardly can wait to hear the reviews of the alpha.

    I do appreciate this blog, but reading it I can not see how Windows 7 will be a new version of Windows. For now it looks like 6.2 rather than 7.0.

    The kernel will be an enhanced version of the kernel of WS2008 which is the same as SP1 has (I think).  The UI will be an enhanced version of Vista’s.  (which is fine except Virtual desktops and other missing features will be a must have for me).

    To stay on topic I can not see the urges to change UAC into a more useful one. (I do stand with my opinion that the current form is useless b/c it educated the user to accept anything, also very annoying)

    off Steve Jobs just bragged about their success and that big part of it was the Vista, I could not agree more Windows needs a revolution not patching up the old legacy. Just look at how outdated the way windows connect with other devices. Just try to connect wirelessly an out of box WMobile 6 device with an out of box Vista and then use it in XXI century way, remoting, controlling, browsing etc. Ridiculous.

  151. Asesh says:

    Please remove flash from Windows 7. Most of the security holes are exploited via flash. Just like Vista was hacked via flash (google it). So please remove flash from Windows 7. Those who want to install it, will install it from the web.

  152. kruk7 says:

    UAC leads to problems with standard (non-administrator) accounts.  

    1. Software installation typically fails, even under "Run as administrator". Users have to download home-made "Run as other user" shell extensions from Internet in order to really run as administrators.

    2. When a console program attempts to start a graphical application, the system doesn’t allow the graphical application to start. The user cannot change that behavior. The only available option is to turn UAC off.

    To see more problems, just try to build some UAC software module using non-admin account on Vista with UAC turned on 🙂

    Please, make next version of UAC more friendly to standard users (think about office/enterprise environment).

    Ideal case for me is "like in XP" (UAC is off for non-administrators). Acceptable case is to ask standard users for login/password in situations where Administrator’s UAC asks for a confirmation.

  153. says:

    I am an MCSE 2003 who also has been doing PC support for many years. I am also one of those who disables UAC the moment I build my own machine.

    I know I would leave it on for my Sister or mother, as I am always cleaning up spyware/virus on their XP machines.

    I would like to see something where I can have control of the prompts. Like a 3-5 step level.

    I would use it myself if it would only protect windows system files and anything going into the windows directory. Just to help from unknown things getting in.

    I just want more control of it, and be able to select what it prompts me for.

  154. Syllopsium says:

    There’s another, more serious problem with UAC no-one has mentioned. Basically the whole UI is broken with regards to UAC integration.

    Many admin applets (control panel etc) are very coarsely grained with respect to escalating privilege. Or, in plain language : I don’t expect to click a box or type in a password to examine my network adapter. Changing settings, OTOH, is a different matter.

    The multisecond ‘blank to switch to secure desktop’ is *extremely* irritating as previously mentioned, and it’s even worse with multiple monitors. There really should be a ‘switch to secure desktop without blanking’ option.

    There’s the need for an su, sudo and possibly a setuid for incompatible apps (including Microsoft’s own).

  155. bcthanks says:

    The best thing about UAC is that it forces *ALL* software developers to think about writing their software to run without admin privileges.

    The concept of least-privileges has been there since Windows NT but nobody cared because everyone is Admin by default. It was impossible for knowledgeable users who WANTED to guard against malware – by logging in an account w/o admin privileges – to do so because the major software vendors wrote config files into their program files directory and committed other sins.

    That would include the biggest software houses like Adobe, Symantec, and yes, Microsoft’s own Windows software division.

    As bad as Microsoft software is, it wasn’t until Vista shoved the concept of least-privileges into every user and developer’s face that software vendors realized, oh, wait, security is important.

    A big thanks to Microsoft for forcing the clueless developers to THINK about reliability and security.

    And BTW, as many people have complained about the UAC dialogs, IMO the best way to deal with them is create two accounts: a regular user for real work and a full Admin user for managing the computer. Fast-user-switching in XP and Vista make switching between accts quick enough.

    And demand upgrades or find replacements for crap software that "need" Admin privileges all the time – they are not helping you keep your computer safe from viruses and malware.

  156. andrei.faber says:

    I’d like to propose you a feature for windows security improvement.

    In a nutshell, idea is to set restriction what API’s can be called for every process. For example – any process started from downloaded executable can access GDI and windowing API’s, but can’t access any disk operations API or registry writing functions.

    When process starts, OS creates "API permission map" for this process depending on  origin of executable, location of executable(under Program Files folder or not), system-level rules and so on. And when this process tries to call some API function which is forbidden for him, this function just returns immediately with error code.

    This will effectively prevent most malware from functioning, even when it was executed under admin privileges.

    This feature doesn’t require significant architecture changes and can be done with quite small effort, but it can provide really big security boost for Windows.

  157. TigerEyes says:

    1.  Why should we have to wait for W7, give us an improved UAC in a Vista Update?

    2.  I have UAC off as it blocks me doing legitimate things.  I share the same data & the associated app across multiple user accounts.  My solution uses junctions to "point" each "user-name/AppData/app/" folder to "Public/AppData/app", and task scheduler to start the app when a user account gets control & stop the app when a user account loses control.  Thus there’s only ever one instance of the app running using the same data.  Works fine on XP, works fine on Vista with UAC off, does not work with UAC on.  UAC prevents the application accessing data via a junction, the application gets a "file not found" exception when it tries to open its data file.

    3.  Junctions are "core" feature of NTFS, task scheduler is a "core feature" of NT.  So why does UAC prevent their use in this way?  If you can answer in language that a non sysadm can understand I’d be grateful, I’ve been asking for about 18 months.

  158. snaven says:

    UAC? I hate UAC. It is the worst thing ever to happen with Windows. It pops up every time I do something. If you are going to continue with UAC, I hope you make it smarter, so it only pops up when it should (Open a dangerous program, not when I insert a music CD). And the UAC needs to remember, so it doesn’t pop up for the same things each time (except dangerous stuff).

  159. guilhermem says:

    From a previous comment:

    The best thing about UAC is that it forces *ALL* software developers to think about writing their software to run without admin privileges.

    I completely agree.

    But the worst thing about UAC is that in order to force DEVELOPERS into fixing their software, billions of innocent people were attacked by super annoying and intrusive message boxes.

    But going forward it is good to know that Win 7 will learn from Vista’s feedback.

  160. ThierryVos says:

    Can’t UAC be used as an additional control method for Executable files?

    In the UNIX world for instance a file is not executable until the executable bit is set in the Access Control Entry. I feel it will make Windows a hell of a lot harder to hack/attack when a .exe (or script for that matter) is put on the system and cannot be executed until you OK this via UAC. (In other words, UAC will provide the "X" ACE entry and executable files are just "R" or "RW" by default).

    I’m not saying that UAC should control ALL executable files, but to a certain level. Microsoft Windows provided .exe files which should always be executable should of course not trigger a UAC prompt. Signed executables should also be able to run instantaneously, but for any user generated script or unsigned executable I can see this raising the bar security-wise very very much!

    Let me know what you think!
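
    What the UNIX execute bit referred to in the comment above does and does not gate, as an added example that is not part of the original comment (the file name and script contents are constructed for the demo). Direct execution of a file without the bit is refused, but an interpreter can still read the same file as data, which is why the bit is normally paired with controls such as noexec mounts or application allow-listing.

```shell
#!/bin/sh
# Added demo, not from the original comment. File name and contents are constructed.
# Shows which launch paths the UNIX execute bit actually gates.

demo_exec_bit() {
    dir=$(mktemp -d) || return 1
    script="$dir/sample.sh"
    printf '#!/bin/sh\nexit 0\n' > "$script"

    # Mode rw-r--r--: readable, but no execute bit for anyone.
    chmod 644 "$script"

    # 1. Direct execution: the kernel refuses (EACCES) and the shell reports 126.
    "$script" >/dev/null 2>&1 && direct_no_x=0 || direct_no_x=$?

    # 2. Passing the file to an interpreter needs only read permission,
    #    so the execute bit alone does not stop a script from being run this way.
    sh "$script" >/dev/null 2>&1 && via_interp=0 || via_interp=$?

    # 3. After an explicit approval step (chmod +x), direct execution succeeds.
    chmod 755 "$script"
    "$script" >/dev/null 2>&1 && direct_with_x=0 || direct_with_x=$?

    rm -rf "$dir"
    # Exit statuses: direct without x, via interpreter, direct with x.
    echo "$direct_no_x $via_interp $direct_with_x"
}

demo_exec_bit
```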

  161. salontafels says:

    Snaven, you are right. I get frustrated all the time. But then I think, why do I even bother. It only takes me 1 sec to press alt-F4

  162. pskovacs says:

    UAC is the lazy answer to the fundamental problem that Windows can’t distinguish between software-initiated processes and user-initiated processes.

    User-devices (or more specifically, their drivers), should have their messages flagged as having been generated by a person. An *actual* mouse click is not the same as a code-generated click.

    Then the O/S could stop asking me to confirm what I just told it to do, and only prompt me for risky actions initiated by something other than me.

    Please, don’t argue about the security of the drivers either. If the input device drivers are hacked, you have bigger problems.

  163. phil1970 says:

    – When the UAC prompt is displayed, it should not affect the performance of other applications (for example, audio/video software that are running)

    – It should be possible to specify that only the main display is darkened when the UAC prompt is shown. When the second display is used for a presentation, we do not want the user to know that we have to confirm a UAC prompt. The same thing should apply when using Ctrl-Alt-Delete. It should be possible for secondary display to not switch to the secure desktop. If we have to kill an application while doing a presentation, we do not want the secondary screen to become black (and if the presentation is a video, it should continue to be displayed).

    – It should be possible for the user to control the UAC and virtualization for each program by displaying shortcut properties. In fact, it should be possible to have traditional run-as under another account.

    – It should be possible to disable some prompts and have them displayed again if the system detects that the application was modified (update or virus).

    – For file operations on external hard drives, there are far too many prompts. Most people would like to use external drives for their documents and it should be easy to set up a drive to default its security for "current user documents" or "all user documents". And it should be easy to do the same thing for folders. It should also be easy to use some folder for applications or data on the external drive.

    – When a program must run as an administrator and creates files, it should be possible to create/open files as if the program was run as a normal user. Same for registry. Thus it should be possible to give a program some administrator rights without changing the owner of created files (or registry keys). Some programs require administrator rights but then create files that do have desired security when opened from another application without admin rights.

    – For software developers, it should be possible to know when virtual store is used. That way when an application is updated and does not use virtualization anymore, it will be possible to find files created by a previous version or by other sibling applications that share the data (and some might not yet have been updated)

  164. hypotheek berekenen says:

    Thanks for your input Phil! I hope the new Windows will be good!

  165. andrei.faber says:


    actually, it’s still possible to distinguish software-generated "user input emulation". It can be achieved by intercepting SendMessage/PostMessage calls on the sender’s side.

    It’s very easy, working prototype can be made in a few days.

    However, I’m afraid nobody reads these comments and Microsoft will do as they usually do – invent something overcomplicated and poorly functioning 😉

  166. Bitbasher says:

    I work in computer forensics and UAC would make the kind of work we do unbearable. We’re holding onto our current XP licenses for dear life. Our toolbox for operating systems and software is vast and so is the range of data and hardware we need to be able to handle every day. Vista usability and UAC is just a hindrance at the moment.

    Despite that I’ve stuck my head above the parapet and installed Vista on a new forensic workstation, to looks of pity and disdain from my colleagues. And UAC is now off – no great surprise.

    The idea behind UAC is great and so is the positive effect it’s apparently had on stamping out lazy programming. It just needs a complete usability overhaul – pointless to accuse users of being irresponsible by not paying any attention to the meaning behind an endless stream of uninformative UAC prompts. UAC-click fatigue really is a design failure, not a user defect.

    It would be illuminating to track the rate of UAC dialogs that occur during normal usage, for different profiles of computer user: home, corporate, hobbyist, developer, deep technical, admin etc, simply to quantify the level of disruption it can cause some people at the power user end of the spectrum. Many of our core forensic tools have a high "RSI index" which is outside of our control – UAC-induced RSI just makes it worse.

    It’s been done to death by some great suggestions in this blog, but the *option* to use a whitelist, and/or an *option* for a training mode, would be fantastic. These options could be locked out in user environments where that flexibility is inappropriate.

    Administrators need to administer without hindrance and some of my *cough* relatives could do with a heavy handed UAC… and you have the vast gamut of users in between the two extremes. Deep down I like enough of Vista to give it and its successor a real chance in the workplace, but I am in a very small minority here. At some point we’ll have to choose between upgrading to Windows 7 or running an alternative platform with emulators and virtual environments – that decision will be influenced by whatever lets us just get on and do our job.

  167. jeremychone says:

    Thank you for posting this information. I understand all your points, however, some applications (e.g., Adobe CS4 Premiere Pro) will just not start when the UAC is on.

    So, I had to turn it off.

    So, please, do not remove the capability for the user to turn UAC off (sometimes it is the only solution to use a software).

  168. aaron.f says:

    Why not just ditch UAC altogether and focus more on integrating Symantec and Norton anti-virus programs into the OS?

    And make rollbacks 1-click painless.

    In your head, conceptually equate "malware" with "the possibility that someone will deface a Wikipedia article".  

    Both will always be there, like gravity.

    Frankly, if something gives me a virus, I’d rather just 1-click my way back to a point in time where I didn’t have the virus.  That, instead of having to work under constant Q&A inspection.

  169. DeltaFalcon says:

    User Account Control is not all about that. The article uses parental control as an example. Say the system of allowing the user to make changes was allowed and the rollback system was implemented…

    Protecting parental controls would become useless because they would then be easily bypassed because they’re allowed to edit them.

    Is it possible to have UAC implement a white list and an ‘inclusions’ function?

    So programs on the white list are always allowed and will not generate UAC prompts. The inclusions feature would allow a system administrator to add Windows functions and third party applications that require UAC confirmation before being allowed to continue? For example, trying to disable a third party application that’s required to be running on any given system.

  170. EMTyler says:

    Mark Twain said there are three types of lies: 1) Lies, 2) D*** Lies, and 3) Statistics.

    I’m curious if the data reported about user experience and ecosystem changes is being interpreted correctly. For example, could the  user sessions with a UAC prompt and in the number of applications requiring one, instead, be due to users disabling UAC altogether, at least in part?

  171. blad3runn69 says:

    Great blog, thanks! so far windows 7 is very impressive! Luv ya work Microsoft Team! 🙂

  172. velo says:

    Not at all shockingly, Linux has been handling UAC properly for years.  Even as a regular Linux user for several years and having grown quite accustomed to the nix version of UAC, the mind-bogglingly terrible way in which it was implemented in Vista literally made me spitting mad at times.  Disabling UAC may not be a good move for security, but I assure it’s the first thing I recommend anyone do in order to preserve their sanity.  The actions that prompt UAC in Linux are, for the most part, pretty logical and

    I am hoping 7 is better than Vista and am glad to see this info.  So far, I’m refusing to allow anyone on my network to use Vista even though there have been requests.  I don’t need my system admins spending all their time "fixing" the operating system right out of the box and fielding complaints.  I’m testing Win7 as a virtual machine and will see if jumping directly from XP to 7 makes more sense for my users and admins.  

    Instead of new bells and whistles and a ridiculous upsurge in necessary system resources, it would be nice if MS would do what it has needed to do for years and re-write the kernel.  

  173. markweee says:

    Mac gives me smaller or bigger icons when I want to, but not Win7. Why can’t the backups be removed? Shouldn’t updates be working and fully compatible? You means those posted ain’t safe that I shouldn’t even update in the first place?

  174. cirurgia plastica says:

    There were a lot of comments saying they wanted "Run as Administrator", but I didn’t see any with the option I was looking for, "Run as limited account".  I’m sure a lot of us here fit into the category of poweruser that generally logs in as an admin account and is pretty smart about not running malicious applications/navigating to infected sites.  What I would like though, when I have an application I’m less sure of, or when browsing the internet, is to specify from the outset that I less than trust this application.

    As it is now I have to run a VPC to handle these kinds of issues, but it’s cumbersome and in some cases not possible (when not on my machine).

  175. Navi Ranjan says:

    as i mailed you earlier (approx half months) it has been found that during connecting windows 7 enabled laptops and pc’s from security key enabled WiFi connection it has been observed that the key which network administrator enters is not secure in this operating system when you go in network properties in security there is provision for show character by clicking it, it displays key which admin enters it will create huge loss to Wifi service providers and it has been told to microsoft by me earlier near half a months ago but this severe security lapse is not considered by microsoft so, it should be resolved quickly it creates huge challenge for individual one country security.

  176. steroids buy says:

    Only one thing to say, keep the system protected by default but give possibility to deactivate this security. User mustn’t be jailed with something he doesn’t want.

  177. Ivan Davies says:

    Yes it is an annoyance with the popups, sometimes they appear a few times for one action, but I would rather this happen than to have a system that is inferior in security.

  178. UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. I’ve learned a lot about UAC’s impact.

  179. John Budding says:

    User Account Control in Vista stopped Access 2003 Linked Table Manager from providing a connection between the Access Database and Paradox database files. However turning off UAC allowed the connection.

    I have upgraded to Windows 7 and cannot, apparently, now turn off UAC, so my Access MDB cannot now work at all.

    There was never any problem with the same MDB when running under Windows XP.

    Is there a workaround available? (Urgent)

  186. Teofil Urban says:

    I believe that Britain's economy will grow in the next few years until 2014 due to the growth of the Pacific region. But my concern is the budget deficits, and the value of the Pound. In David we trust.

  187. G Karthik Krishnan says:

    I didn't have to read past "most machines (75%) have a single account with full admin privileges" – in fact that was the only sentence I read. But I know this is just corporate BS. You create a program that is so lax on security that you have to restrict the owner's own movements within the system to make sure "security is not compromised".

    Windows windoze, winblows, and wingoes.

    Screw 75% – I'll tell you what 90% of the cases – people who buy computers for personal use. Meaning they will be the only ones using it. No it does not mean it will be shared with half the population of the world. It means single user. Oh you don't understand single user. One human being only – the one human being who purchased the license, who purchased the computer, who uses the computer will ever use it. Still don't understand do you? I'm sure you'll have IgNobel prize winning argument that supports User Account Control in a single user environment.

    You know the worst part? I had to pay for the license to this half baked bug filled, restrictive dictatorship of an operating system.

  188. Ray Potter says:

    This virus is unreal: it partitions your HDD, it takes total control of the machine, turns off TMC, controls the net with "trusted installers", actually moves dirs to the recycle bin, deletes what it wants!

    Please help!

Comments are closed.
