See User Account Control in Action

We created this video to show those who haven’t had a chance to try Windows Vista yet what User Account Control looks like and to demonstrate the benefits of running Windows as a standard user.


Start video.


This 12 minute video includes:

  • Introduction from Microsoft Security VP Mike Nash on the overall security improvement in Windows Vista.

  • Demonstrations from Windows Vista Security Director Austin Wilson that show the risks of running as an administrator, how UAC makes it easier on Vista, explanations on the different types of prompts, and a look at the progress we have made to reduce the number of prompts since the early beta versions.

To everyone who’s commented that it takes multiple prompts to delete a desktop shortcut, here’s proof that this will be changed in the RC1 build. (This is shown around the 11th minute of the video.)


We hope you enjoy this video and find it useful.


– The User Account Control Team


Comments (19)

  1. Marc L. says:

    Great video! Keep up the good work for RC0.

  2. Microsoft today published a video on Vista’s controversial User Access Control (UAC) feature. Warning: Contains acronyms, depictions of violence against desktop icons.

  3. Steve says:

    I have some questions:

    Upgrading from XP to Vista, as an administrator user and without a password set, what will happen to my account?

    And will the invisible XP’s"Guest" account be removed?

    Do you suggest to remain as administrator (to be able to bypass dialog boxes just clicking without inserting every time a password) or switching to a standard account anyway?

    And for example, today’s XP programs that require an administrative account to be installed, will run if executed from a standard account? In Vista, of course.

    I have a bit of confusion 😉

  4. Gattsuru says:

    I like the ideas here from a security standpoint.  Changing it over to a "per-change" rather than "per-view" is a remarkably nice change.

    One question : why are you all ‘shimming’ the millions of insecure and unimportant applications, as opposed to the dozens of programs that actually need to be secure?

    It seems like it would have been easier to never check and allow people to install to a :/Program Files folder all they want, but have the important stuff in :/Windows/Program Files, and have that one require heightened security for.

    Same with Registry : have the Registry that progams would normally write to be replaced by a per-user one, and

    From what I’ve seen (and I know I’m not an expert) a vast majority of existing UACs occur not because the application actually NEEDS to access something beyond the initial user, but simply because the application’s development team choose to affect things on a large scale rather than on a small one.  Why not build the operating system to fool them, rather than build traps outside the operating system on an individual basis?  I don’t think we can change how every other company does their work – it’d be easier to change things inside Microsoft.

  5. LOL says:

    I hate this stupid feature

  6. ph says:

    man, this is really news, lol. Linux has had it for years….

  7. David Hopwood says:

    Any attacker who knows what they’re doing is going to make sure that the Big Scary Red Warning doesn’t appear on an elevation prompt, by signing their app. This does not make the attacker traceable; they can either take advantage of certification authorities’ lax procedures, or break into some other developer’s machine and steal their private key.

    IOW, the Big Scary Red Warnings are only going to appear for *legitimate* applications (and attacks by clueless script kiddies, and in marketing demos).

  8. Mike says:

    This has to be the most annoying thing that I have used on a system.

    It nowhere near compares to Linuxes asking for privledge passwords.   If is far more pervasive and annoying! Who ever designed this seems bound and determined to further piss off system administrators.  

    I think it is great for non-administrators.  For administrators this needs to be streamlined BIG TIME! Or just get rid of the darn thing!  

  9. BillD says:

    The first user account in Windows Vista beta2 is an *administrator* protected by UAC. But why not force to use a *Standard user* protected by UAC?

    Microsoft should force the users to create 2 accounts: Administrator with UAC + Standard with UAC. Only in this way there’s a chance that

    many users will run Vista as Standard account.

  10. mudsfriend says:

    I agree with Mike and mud from his other post that there are problems with UAC currently.  As mud mentioned and as Gattsuru noted, it is easier to change things at Microsoft than per application.  Because of this, as mud mentioned, Microsoft should make installs by the user install in a virtualized environment and NOT affect the real system at all.

    If my cousins, sister, etc need to install a file for school or play a game from a friend, many applications will require elevation.  The admin (some computer savy person in the household) will probably give it to them, at which time the application can easily mess up the real direcotries or install spyware.

    Take another example.  A computer admin for a bunch of graduate students sets up a couple of test computers in a small lab.  Graduate students will need lots and lots of programs, and the administrator will be forced to give out the administrator password.  In a linux system (like many of the labs at my school are currently), there is no need.  The standard user can install into his/her own space and the system administrator never has to worry about it.

    Therefore, I suggest like mud that normal installs by a user should install to a virtualized environment.  Right clicking an install exe should present 2 options, run as admin (as suggested by mud) and run as sandbox.  Run as admin would install in the actual system directories, while run as sandbox will install into the virtualized environment of a sandbox user who has no access to anything except his own user directory.  In this way, insecure files like games you download off of the internet and funny exes friends give you can be run in the sandbox without fear (but since its in the environment of a user still, saves will still work).

    I personally don’t see how this is any less secure than the current Vista system, since installing an application into local virtualized space can’t do more damage than a user just running a random uninstalled exe (as noted by mud).  It is actually more secure because the only things in the system wide directories would be things that many users use and really trusted applications.  Everything else will be user local and standard users will never screw up the entire system and yet can run whatever they want.  It is the system linux, freebsd, and other variants of unix use and has worked very well.

    Sorry for the long post, please cut it short/delete if you want.

  11. Hans Olsson says:

    Dear Gattsuro,

    I do not believe that the problem is that developers "choose to affect things on a large scale rather than on a small one".

    As I see it the problems with programs not running as non-administrator is that:

    1. The architects did a design based on one user per machine, e.g. placing per-user directories inside the program installation.

    Changing that takes a redesign of the program. _Having_ to install every program for every user would be a major step backwards, and a shim must be adapted to the particular application to redirect specific directories/files in the installed program directory to a user-directory (or some form of generic shadowing).

    My experience is that given some time the programs can be redesigned.

    2. The developers made mistakes.

    E.g. as a standard user in XP I could not spell-check in Word in Works 7.

    The reason: some registry keys were opened for full access. (As I understand it the keys were just read).

    I still agree with "mudsfriend" regarding sandbox-installs.

    Best regards,


  12. Nick says:

    Up until recently trains in the UK were fitted with a system which would sound an alarm as they approached an amber signal (which warns a red stop signal is approaching) they could press a button to dismiss this alarm, if they did not the train would automatically halt.

    Later they would get another alarm when they were approaching the red stop signal, once again they could press a button to dismiss the alarm, if they did not the train would auto stop.

    Despite these safe guards crashes still occurred because drivers went through red lights. Various studies concluded that because drivers were being inundated with alarms (some might say ‘prompts’!) they eventually tuned them out and just automatically pressed the dismiss button on reflex.

    Ok, the situations don’t compare that well when it comes down to the details, but hopefully you get my point.

    I actually quite like the standard user UAC, it’s the admin experience which bothers me, if inexperienced users get their hands on an admin account (which they surely will) I think they’ll just ignore the prompts, because of the number of them, and worse because they don’t understand what they are warning them about!

  13. LinuxMacWindowsUser says:

    I agree with mudsfriend and Gattsuru.  Shimming is quite useful because of the way many applications were designed.  Installs of programs into a user specific directory is also very important, and not yet implemented.  I believe when someone installs a program, the prompt should not just ask for a password, but have 2 extra "buttons" with text similar to

    "Install for current user only

    – In this mode, only the current user will be able to run this program"

    "Install in sandbox

    – In this mode, only files in the currentuserdir/Sandbox will be accessible to the program"

    I will take mudsfriends idea one step further and make it more similar to what some linux command line users are doing, which is a sandbox user for *each* user.  It whould be stored in currentuserdir/Sandbox, which has the same directories as a normal user account.  This will allow easy moving in and out of files into the sandbox directory to interact with unsafe programs (such as copying a log.txt out or maybe the program converts between one text format to another or maybe it plays a video).

    On a side note, mudsfriend’s scenario applies to me.  I am a computer administrator for a bio university department and we have switched many computers to linux because many students need software installed and they keep requesting permission.  On linux, there is no need for permission, but it is still very safe!  So even if the sandbox mode is not implemented due to too much change in the code, PLEASE implement user installs into their own virtualized environment.

  14. Gordon Fecyk says:

    To the Linux poster who claimed:

    "man, this is really news, lol. Linux has had it for years…. "

    Windows 2000’s had it for years, too.  Only back then they called them ‘Restricted Users.’  Still works today.

  15. David Hopwood says:

    Running applications in a standard account is all very well, but even if it could be made to work perfectly for all apps, it still only addresses a small part of the problem. The main problem is that applications need to be protected *from each other*. An ACL-based system with a single account per user will always be vulnerable to one application tampering with or snooping on files used by another, against the wishes of the user.

    It is possible to solve this problem, and still allow files to be shared between apps when that is what the user wants, without introducing useless security prompts: see

  16. L’UAC (User Account Control) est l’une des nouvelles fonctionnalités de Windows Vista les plus controversées…

  17. Duster says:

    This UAC thing is damn annoying!!

    Ok..we want us to be protected? Do a hole free OS and stop buging us with this UAC!

    Come on! There is now way to tell it "Ok…I already decided to allow this thing to be opened…stop asking me!"

    I hope this thing will be fixed in the final release…

  18. Something says:

    You are coming to a sad realization, cancel or allow?