Windows Vista Secret #4: Disabling UAC

If you're a reader of this blog, I'm going to take a low-risk gamble and assert that you probably consider yourself a power user. You pride yourself in the responsibility of having full and absolute control over your machine environment and anything that comes between that perfect human-machine symbiosis is to be spurned. If only there were a way to turn User Account Control off on a Windows Vista machine, you'd upgrade immediately. Well, dear reader, I'm here to help.

Firstly, it's worth a brief digression into the benefits of this feature. Running as admin is a bad thing, as most of us know. Aaron Margosis has blogged extensively on this issue, and I won't rehash it here. But for reasons of compatibility, running as a standard user can still be a somewhat painful proposition. Windows Vista attempts to give you the benefits of both worlds by allowing administrators to execute most processes in the context of a standard user and only elevating the privileges on their user token by consent, in addition to allowing standard user accounts to perform administrative tasks by selectively elevating a process to use administrator-level credentials.

In general, UAC has turned out pretty well. It was pretty intrusive in early builds, prompting often and sometimes capturing focus at the wrong time. For the vast majority of users, UAC will offer a valuable level of security protection that will protect against malware: it simply won't have the rights to perform invasive actions like installing device drivers or services. Once a system is configured, you'll rarely see UAC prompts unless you're an inveterate settings tweaker. Incidentally, you can find out a great deal more about how UAC works, what you need to do to your own applications so that they co-operate well with UAC, and the rationale for its design at the official UAC blog.

It is possible to switch UAC off. I really don't recommend it - if you like full control over your machine, surely you want to know when something is attempting to perform an administrative-level action? Nevertheless, I'd prefer to have you run Windows Vista without UAC than having you run a different operating system.

There are two ways to disable UAC. The easy solution is through Control Panel. Type "UAC" into the search bar at the top of the screen and you'll see this task presented:

This approach is pretty brute-force, though. It just switches the whole thing off. There's a more subtle configuration choice that gives you some of the benefits of UAC without any of the prompting. You'll need to edit the local security policy to control this, as follows:

  1. From the Start search bar, type "Local Security Policy"
  2. Accept the elevation prompt
  3. From the snap-in, select Security Settings -> Local Policy -> Security Options
  4. Scroll down to the bottom, where you'll find nine different group policy settings for granular configuration of UAC.

Perhaps the best choice to select is to change the setting:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
from Prompt for consent to Elevate without prompting.

What does this do? Despite the warning from the Windows Security Center, UAC isn't actually switched off. It's still there, and all your processes will still run as a standard user. To prove this, open a command prompt and try to save a file to the c:\ directory. You'll get an access denied error message. However, when a process is marked for elevation, instead of getting the secure desktop elevation prompt, the request will be silently approved. To show this in action, right click on a command prompt shortcut and choose "Run as Administrator". You'll see the command prompt open without elevation, but the window title will show that you're running with full administrative privileges.

Using this approach is better than nothing, but it's a bit like relying on everyone else having a vaccination against measles to protect yourself from infection. Read the explanations on the second page of the property sheet for each policy setting before tinkering, and be careful!