"How do I turn off that annoying User Account Control?"



Hi, Aaron Margosis here.  I’m not actually on the UAC team, but we’re good friends and share a common passion about running Windows with least privilege.


Those of you who follow this blog are probably aware that there has been… well, let’s say dissatisfaction … (yes, that’s putting it nicely)… with the current implementations of UAC.  One of the frequently asked questions about Vista today is “How do I turn UAC off?”, and even some “experts” suggest turning it off.


There are two ways to answer the question.  There is the technically correct answer involving Local Security Settings, and then there is the better answer that Jesper Johansson recently posted on his blog that offers a compelling argument for leaving it on.  If you’re thinking of turning off UAC, read what Jesper has to say.  Why?  Because he’s right! 🙂


Comments (17)

  1. keeron says:

    I agree with most of the things said in that blog. This is a beta OS for god’s sake! If you don’t like a feature, you turn it off and then you report a bug saying "Hey! that F*@(*@ site installed a spyware on my system! what sh*** OS you have here!" It’s a pity people installing "beta" software call themselves "beta testers".

    Even though UAC can be "annoying" (as some may call it), I think it’s a great step forward in making people realize admins aren’t supposed to be your daily users. I haven’t installed the latest CTP build yet on my dev machine, but the changes done in Beta 2 are pretty good as far as UAC is concerned. The shield icon tells you if something requires admin access. You can still launch your IDE or command prompt with full access if you are doing something that requires constant admin priv. With the posts done here and other blogs on the forthcoming changes in UAC, I am sure the experience is going to be better.

    But please for these "beta testers" leave that group policy setting 🙂

    I am sure the admins in their corporation/company will make sure it’s not turned off 🙂

  2. Gordon Fecyk says:

    I had one of those:

    http://www.antiwindowscatalog.com/index.asp?mode=rant&id=13

    Sometimes I feel like a doctor who keeps telling their patient to quit smoking.  Or the parent who keeps telling their kid to use their bike helmet or seat belt.

    I normally tend not to blame the user, though.  It’s not like they have a choice sometimes.  Too much garbage out there requires admin access just to run.  That’s what really needs to change, and if it takes an annoying UAC prompt to do it, well, too bad.  This is Microsoft’s OS.  You want to develop for it, you develop by their rules.

    Vista Team: Don’t bend to public pressure.  You’re in a unique position to dictate the new terms of desktop computing, and finally force PC security to evolve.  Let the Linux and MacOS X fanatics whine and moan; after all, you’re just practicing what they were preaching for the past decade.  And let the users whine and moan, too; they will make developers fix their garbage or go out of business by ignoring them.

  3. Luca says:

    I love the UAC, it’s your security! I think Microsoft shouldn’t put a way to disable it.

  4. Gordon Fecyk says:

    Are there any cases that would require any software developer to run their IDE or compiler with full admin access?

    I have to admit I preach some pretty tough desktop security that even blocks stuff that isn’t in Program Files or %systemroot% from running.  But this isn’t the default security — a limited user on XP or 2K can run something they download from the net, and a developer can compile something to My Documents and run it from there.

    This being the case, is there any reason for a developer to develop with admin?  Cases like the Half-Life 2 source code theft (http://www.gamespot.com/pc/action/halflife2/news_6076314.html) could have been prevented if our Valve developer didn’t run Outlook with admin.  Yet the mainstream media and the masses blamed Outlook for it.

    Maybe there’s a need if you’re developing a service and need to add and remove the service code using Instsrv.exe.  Why not have just one command prompt open with admin to install and control a service in development?  And what about device drivers?  Aren’t modern devices supposed to support installation and removal without restarting the computer?  Or what about a much simpler solution of testing code on a machine other than the one you’re developing on?

  5. Jesper apparently stirred up things a bit with his latest post, Please don’t disable security features,…

  6. David Hopwood says:

    To answer the question in the title: see

    http://www.petri.co.il/disable_uac_in_windows_vista.htm

    😉

  7. Gordon Fecyk says:

    I don’t suppose David Hopwood works for an anti-virus firm, no?  This sounds just like the kind of thing they’re capable of.

    You don’t need to go through such technical detail anyway.  Nothing like social engineering to do the trick.  Only this project must be undertaken on a global scale:

    http://www.antiwindowscatalog.com/index.asp?mode=rant&id=38

  8. David Hopwood says:

    No, I don’t work for an anti-virus firm. I fail to see any point in limiting access to information on how to turn off UAC, though.

  9. Yuhong Bao says:

    How about a UAC mode where UAC is enabled in every way except in prompting, in which it elevates without prompting, since even if that is done, there are still some benefits from UAC. For example, injected code is harder to elevate, since it requires a separate process, and even if a new process is started, it can be easily noticed. Also it requires file system access, which requires permissions.

    Also, for looping UAC prompts, how about adding an option to kill the process that started it, or any other process.

  10. Alex says:

    Yuhong Bao, the behavior you describe is possible. See this post on policy settings http://blogs.msdn.com/uac/archive/2006/01/22/516066.aspx. The policy that you want is "User Account Control: Behavior of the elevation prompt for administrators" set it to No Prompt.

    – Alex

  11. Carl says:

    At first I had no issues with it. Then the more I used Vista the more I was annoyed with it.

    I think the whole system needs to be revamped. With Linux you don’t have to worry about increasingly annoying boxes every time, why should I have to worry with it with MS?

  12. philip gregory says:

    All of you ‘oh, so wise’, ‘better-than-thou’ preachers advocating giving control of our OWN property to a piece of code written by a 20-something, who makes more money than god,… BITE-ME!

    I want control, COMPLETE control, of MY property.  Internet security is vital – those are strangers accessing my computer.  But, Micro-brains have set up Vista to stop ME from accessing drives and folders on MY computer – for reasons I can’t even guess – presumably because they are part of my old (still installed, but not operating) XP.

    At any rate stop your stinking preaching and tell us how to stop this annoying crap!

  13. Andre Tremblay says:

    I think that it is a good IDEA… But Annoying like…

    Is there a way to turn it off for programs that have been installed and you know they are ok?

    Thanks…

  14. Charles says:

    It’s simple to turn off UAC. Just go to Control Panel, Classic View, Administrative Tools, Local Security Policy, Local Policies, Security Options, and you can turn off or customize how UAC works on your system. UAC is annoying if you’re a power user of your system and know what you’re doing. If you want protection by Nortons that don’t keep you from using your PC without being annoyed with it. Now we can all work on the top of how to get MCE to work with ATI allinwonder TV Tuners

  15. Charles says:

    A simpler way is to also go to Control Panel, User Accounts, and you have the option to turn off UAC; you might need to customize some features using the Security Policies options. Anyone know how to get ATI All-In-Wonder X800L to work with Media Center? I figured out nearly every other issue between software and hardware including MMORPGs how to get them to work, now just need my ATI TV Tuner to work.
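
An added example, not part of any comment or of the original post: a PowerShell check a defender could run to see whether a machine is in one of the states discussed in comments 10, 14 and 15 (elevation without prompting, or UAC turned off). The function names are hypothetical, the sample data is constructed, and the registry value names EnableLUA and ConsentPromptBehaviorAdmin do not appear on the page; treating an absent value as the prompting default is an assumption.

```powershell
# Added example: classify UAC policy state from the values stored under
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
function Get-UacFinding {
    param([Parameter(Mandatory)] [hashtable] $Policy)

    # EnableLUA = 0: UAC is switched off entirely (comments 14 and 15).
    if ($Policy.ContainsKey('EnableLUA') -and $Policy['EnableLUA'] -eq 0) {
        return 'UAC disabled'
    }
    # ConsentPromptBehaviorAdmin = 0: the "No Prompt" setting from comment 10.
    # UAC stays on, but administrators are elevated silently.
    if ($Policy.ContainsKey('ConsentPromptBehaviorAdmin') -and
        $Policy['ConsentPromptBehaviorAdmin'] -eq 0) {
        return 'UAC enabled, elevation without prompting'
    }
    # Assumption: values that are absent fall back to the prompting default.
    return 'UAC enabled, prompting'
}

# Read the live values on a Windows host (hypothetical helper name).
function Read-UacPolicy {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin') {
        if ($null -ne $props -and $null -ne $props.$name) {
            $policy[$name] = [int]$props.$name
        }
    }
    return $policy
}

# Constructed sample states, so the classification can be seen offline.
$samples = [ordered]@{
    'default'   = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2 }
    'no-prompt' = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0 }
    'uac-off'   = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 2 }
}
foreach ($name in $samples.Keys) {
    '{0,-10} {1}' -f $name, (Get-UacFinding -Policy $samples[$name])
}

# On a real machine: Get-UacFinding -Policy (Read-UacPolicy)
```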

  16. I have read posts on how to turn User Account Control (UAC, formerly LUA) in Windows Vista off. Others

  17. Sean says:

    The basic problem, is that Joe Average user is going to get used to those dadgum windies that keep poppin’ up, is probably going to go a few months before he even knows that the acronym UAC has anything to do with his problem…

    … and then is going to find a bunch of sites telling him he’s a moron if he doesn’t turn it off…

    … and is going to end up thoroughly conditioned to just authorizing everything that pops up, completely defeating the purpose of UAC.

    Outgoing program control isn’t anything new. And if you remove the "User" part (especially since Joe Average is probably going to have one, count them, one account on his computer anyway), that’s all UAC is.

    The way other programs manage this, is very, very simple: REMEMBER WHAT PROGRAMS AND PROCESSES YOU’VE OKAYED ALREADY.

    The solution is too painfully obvious not to have been presented and shot down already.
