Windows Vista Secret #4: Disabling UAC

If you're a reader of this blog, I'm going to take a low-risk gamble and assert that you probably consider yourself a power user. You pride yourself on the responsibility of having full and absolute control over your machine environment, and anything that comes between that perfect human-machine symbiosis is to be spurned. If only there were a way to turn User Account Control off on a Windows Vista machine, you'd upgrade immediately. Well, dear reader, I'm here to help.

Firstly, it's worth a brief digression into the benefits of this feature. Running as admin is a bad thing, as most of us know. Aaron Margosis has blogged extensively on this issue, and I won't rehash it here. But for reasons of compatibility, running as a standard user can still be a somewhat painful proposition. Windows Vista attempts to give you the benefits of both worlds by allowing administrators to execute most processes in the context of a standard user and only elevating the privileges on their user token by consent, in addition to allowing standard user accounts to perform administrative tasks by selectively elevating a process to use administrator-level credentials.

In general, UAC has turned out pretty well. It was pretty intrusive in early builds, prompting often and sometimes capturing focus at the wrong time. For the vast majority of users, UAC will offer a valuable level of security protection that will protect against malware: it simply won't have the rights to perform invasive actions like installing device drivers or services. Once a system is configured, you'll rarely see UAC prompts unless you're an inveterate settings tweaker. Incidentally, you can find out a great deal more about how UAC works, what you need to do to your own applications so that they co-operate well with UAC, and the rationale for its design at the official UAC blog.

It is possible to switch UAC off. I really don't recommend it - if you like full control over your machine, surely you want to know when something is attempting to perform an administrative-level action? Nevertheless, I'd prefer to have you run Windows Vista without UAC than having you run a different operating system.

There are two ways to disable UAC. The easy solution is through Control Panel. Type "UAC" into the search bar at the top of the screen and you'll see this task presented:

This approach is pretty brute-force, though. It just switches the whole thing off. There's a more subtle configuration choice that gives you some of the benefits of UAC without any of the prompting. You'll need to edit the local security policy to control this, as follows:

  1. From the Start search bar, type "Local Security Policy"
  2. Accept the elevation prompt
  3. From the snap-in, select Security Settings -> Local Policy -> Security Options
  4. Scroll down to the bottom, where you'll find nine different group policy settings for granular configuration of UAC.

Perhaps the best choice to select is to change the setting:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
from Prompt for consent to Elevate without prompting.

What does this do? Despite the warning from the Windows Security Center, UAC isn't actually switched off. It's still there, and all your processes will still run as a standard user. To prove this, open a command prompt and try to save a file to the c:\ directory. You'll get an access denied error message. However, when a process is marked for elevation, instead of getting the secure desktop elevation prompt, the request will be silently approved. To show this in action, right-click on a command prompt shortcut and choose "Run as Administrator". You'll see the command prompt open without an elevation prompt, but the window title will show that you're running with full administrative privileges.

Using this approach is better than nothing, but it's a bit like relying on everyone else having a vaccination against measles to protect yourself from infection. Read the explanations on the second page of the property sheet for each policy setting before tinkering, and be careful!
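
To check which of the states described above a machine is actually in (UAC switched off entirely, silent elevation, or normal prompting), the following read-only audit is an added example, not part of the original post. It assumes the standard Windows registry value names that back these policy settings (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`), which the post itself does not name; the sample rows are constructed.

```powershell
# Added example: read-only audit of the registry values behind the UAC
# settings in Local Security Policy. Nothing is modified.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([string]$Name)
    # Returns $null when the key or value is absent or unreadable.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UacState {
    # EnableLUA                  -> "Run all administrators in Admin Approval Mode"
    # ConsentPromptBehaviorAdmin -> "Behavior of the elevation prompt for administrators ..."
    # PromptOnSecureDesktop      -> "Switch to the secure desktop when prompting for elevation"
    param($EnableLua, $ConsentAdmin, $SecureDesktop)

    if ($null -ne $EnableLua -and $EnableLua -eq 0) {
        return 'OFF: Admin Approval Mode disabled, administrators always hold a full token'
    }
    if ($null -ne $ConsentAdmin -and $ConsentAdmin -eq 0) {
        return 'SILENT: standard-user token by default, elevation requests approved without a prompt'
    }
    if ($null -ne $SecureDesktop -and $SecureDesktop -eq 0) {
        return 'PROMPTING (weakened): prompt shown on the interactive desktop, not the secure desktop'
    }
    return 'PROMPTING: elevation requires an explicit prompt'
}

# Constructed sample values (not taken from a real machine), one per state.
$samples = @(
    @{ Label = 'UAC switched off';  EnableLua = 0; ConsentAdmin = 2; SecureDesktop = 1 },
    @{ Label = 'elevate silently';  EnableLua = 1; ConsentAdmin = 0; SecureDesktop = 1 },
    @{ Label = 'prompt for consent'; EnableLua = 1; ConsentAdmin = 2; SecureDesktop = 1 }
)
foreach ($s in $samples) {
    '{0,-20} {1}' -f $s.Label, (Get-UacState $s.EnableLua $s.ConsentAdmin $s.SecureDesktop)
}

# Live check of the local machine (values that are not set fall through
# to the prompting branch).
$live = Get-UacState (Get-UacPolicyValue 'EnableLUA') `
                     (Get-UacPolicyValue 'ConsentPromptBehaviorAdmin') `
                     (Get-UacPolicyValue 'PromptOnSecureDesktop')
'{0,-20} {1}' -f 'this machine', $live
```

A machine that reports SILENT still passes the "access denied on c:\" test from an ordinary command prompt, which is why that test alone does not show whether elevation is being gated.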

Comments

  • Anonymous
    September 19, 2006
    I have a different route to do it, which I found in beta2 (don't think the control panel icon way was available then).
    Click Windows and type in "msconfig"; it will launch the config tool, and under Tools is an option to enable and disable UAC.

  • Anonymous
    September 19, 2006
    I had blogged about this earlier too.

    http://rachit.wordpress.com/2006/08/25/uac-problem-with-wcf-on-vista/

    Thanks

  • Anonymous
    September 20, 2006
    Hopefully this will not have the side effect of the "brute force" option - that is, every time you boot you get a really annoying toast telling you you've turned it off.

    aaaaaaaaaaaaaaaaaaarrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrggggggggggggggggggggggggg!

  • Anonymous
    September 20, 2006
    I was lost to OS X in 2003. It only prompts me for the admin password when I am administering something, not when I want to do something. I can install all the programs I want in my home folder and I have full access over them. Windows Vista is a kludge but don't let that stop you having fun administering it rather than doing anything constructive like personal computing.

  • Anonymous
    September 20, 2006
    There's always a Mac fanboy in every forum or blog.

  • Anonymous
    September 20, 2006
    Tim Sneath is on a roll with his series of Windows Vista Secrets posts, and rumour has it he has something...

  • Anonymous
    September 21, 2006
    @Mike Peter Reed: The only reason UAC prompts come up so often when installing applications are that none of these applications or setup programs have been written to take into account UAC and write to shared or system areas, which launches the UAC prompt.
    It would be the same on a Mac if apps were written incorrectly and wanted to write to non-user areas.

  • Anonymous
    September 28, 2006
    If there's one thing that puts me off an application, it's when it unnecessarily inserts itself into...

  • Anonymous
    October 23, 2006
    Help how do I config UAC so it auto-elevates without prompt ONLY for command prompt shortcut in start menu and nothing else.. There must be a way..

  • Anonymous
    November 02, 2006
    User Account Control is, as I mentioned in secret #4 , an important part of the security protection that

  • Anonymous
    November 02, 2006
    If there's one thing that puts me off an application, it's when it unnecessarily inserts itself into

  • Anonymous
    November 04, 2006
    You should be disabling UAC like this:- go to security policy and disable "run all administrators in admin approval mode" Changing "Behavior of administrators in admin approval mode" doesn't really turn off disable UAC services underneath.

  • Anonymous
    November 19, 2006
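    Tim Sneath is running a series (?) called "Windows Vista Secret" on his blog. Some of the posts look useful, so I am introducing them here with only the titles translated into Japanese. For details, see the linked posts (they are in English).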

  • Anonymous
    November 24, 2006
    Can I elevate myself from the command prompt? (Possibly getting a prompt for verification if it is not set to elevate silently?)

  • Anonymous
    November 28, 2006
    Mike Peter Reed  - "I was lost to OS X in 2003. It only prompts me for the admin password when I am administering something, not when I want to do something. I can install all the programs I want in my home folder and I have full access over them. Windows Vista is a kludge but don't let that stop you having fun administering it rather than doing anything constructive like personal computing. " Constructive things like going around to other people's blogs and telling them they are stupid for using PCs....good one there Mike! "There's always a Mac fanboy in every forum or blog." Yes there is always a Mac fanboy on every forum or blog because that's all Macs are really good for, surfing the web...might as well use a mobile phone probably has as richer applications!

  • Anonymous
    May 08, 2007
    Want to disable Vista's UAC? Here's how: http://blogs.msdn.com/tims/archive/2006/09/20/windows

  • Anonymous
    July 30, 2007
    Tim Sneath has published some very helpful Windows Vista Secrets that ... your life with the...
