User Account Control (UAC) – quick update

There’s been a ton of interest in how we have improved user account control (UAC) and so we thought we’d offer a quick update for folks. We know most of you have discovered this and picked a setting that works for you, and we're happy with the feedback we've seen. This just goes into the details on the choice of defaults. --Steven

In an earlier blog post we discussed the why of UAC and its implications for Windows, the ecosystem, and our customers. We also talked about what we needed to do moving forward to address the data and feedback we’ve received. This blog post will provide additional detail on our response and what you can expect to see in the upcoming beta build in early 2009.

As mentioned in our previous post, and your comments supported this, the goals for UAC are good and important ones. User Account Control was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. It is important not to abandon these goals. Instead, we want to address feedback we’ve received and build on the telemetry we have using those to improve the overall experience without losing sight of the goals with which we agree.

For those of you using 6801 you have started to see the benefits of prompt reduction and our new and improved dialog designs. You also have seen our efforts to give the user greater control of their system – the new UAC Control Panel. The administrator now has more control over the level of notification received from UAC. Look for the UAC Control Panel to appear in Start Search, Action Center, Getting Started, and even directly from the UAC prompt itself. Of course, the familiar ways to access it from Vista are still present.

User Account Control control panel.

Figure 1: UAC Control Panel

The UAC Control Panel enables you to choose between four different settings:

  1. Always notify on every system change. This is Vista behavior – a UAC prompt will result when any system-level change is made (Windows settings, software installation, etc.)
  2. Notify me only when programs try to make changes to my computer. This setting does not prompt when you change Windows settings, such as control panel and administration tasks.
  3. Notify me only when programs try to make changes to my computer, without using the Secure Desktop. This is the same as #2, but the UAC prompt appears on the normal desktop instead of the Secure Desktop. While this is useful for certain video drivers which make the desktop switch slowly, note that the Secure Desktop is a barrier to software that might try to spoof your response.
  4. Never notify. This turns off UAC altogether.

We know from the feedback we’ve received that our customers are looking for a better balance of control versus the amount of notifications they see. As we mentioned in our last post we have a large number of admin (aka developer) customers looking for this balance, our data shows us that most machines (75%) run with a single account with full admin privileges.

Distribution of number of accounts per PC

Figure 2. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.

For the in-box default, we are focusing on these customers, and we have chosen number 2, “Notify me only when programs try to make changes to my computer”. This setting does not prompt when you change Windows settings (control panels, etc.), but instead enables you to focus on administrative changes being requested by non-Windows applications (like installing new software). For people who want greater control in changing Windows settings frequently, without the additional notifications, this setting results in fewer overall prompts and enables customers to zero in on the key remaining notifications that they do see.

This default setting provides the right degree of change notification that a broad range of customers’ desire. At the same time we’ve made it easy and readily discoverable for the administrator to adjust the setting to provide more or fewer notifications via the new control panel (and policy). As with all of our default choices we will continue to closely monitor the feedback and data that come in through beta before finalizing for ship.

--UAC, Kernel, and Security program managers

Comments

  • Anonymous
    January 15, 2009
    I'm really not entirely impressed. The standard user is set to an 'administrator', important settings like the properties of the network adapter are not run through UAC for the default(admin) user and most importantly the admin tools are not in the slightest bit granular. I'll grant you the network applet is doing something funky, though, as netsh refuses alterations from an unelavated command prompt even under the default 'admin' user. A non admin user cannot use the network settings dialog to see (but not alter) the settings without going through UAC entering a password. Undoubtedly in some cases (installation of new programs from the web springs to mind) the multiple UAC confirmations were overkill. For the remainder it's down to poor program and user interface design. Need I mention that Microsoft's Visual Studio Express 2005, amongst others, triggered UAC prompts in Vista due to requiring admin privilege. It's not always about 'what the customer wants' - customers don't care about security until the moment their system is hacked out of existance. More intelligent admin tool design and shims to handle misbehaving programs (dare I say it, a setuid equivalent) would remove the majority of user concerns. However, I suspect that due to marketing and timescales the security/UI teams currently have no option to prepare more sophisticated options. Unfortunately. As it is, I suppose this is an improvement on Vista, but it falls short of the ideal.

  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    January 15, 2009
    >I want a button in the UAC dialog that says Run non-elevated Seconded. Currently, when faced with an application that demands admin privs before it will consent to run, we have three options to get around that:

  1. Edit its manifest ourselves
  2. Install a RunAsInvoker shim using the Application Compatibility Toolkit
  3. Copy the application into a virtual machine and run it there instead A RunAsInvoker mode availble off the right-click menu would be nice.
  • Anonymous
    January 15, 2009
    This is not related to the current posting but i would like to bring it up since i know so many people out there would love this feature include in 7. I think it would be great if you guys add a Folder copy que feature that would obviously allow to create a cue when moving or copying several folders. I think this would be a killer feature that many people would make great use of it. It's been noted recently that now Windows 7 has the feature that if a file is being used by another program it will let you know what program it is. I am hoping with my finger crossed that you guys can add a que to the copying or moving of folders.

  • Anonymous
    January 15, 2009
    Too many settings! I'm glad the default is #2 instead of #1. The Vista behavior is overkill: I trust the control panel. #4 is clearly unsafe and dangerous. Hopefully, the new default will be not annoying enough to push people to #4 Now, #2 vs #3 is far more interesting. If the "secure desktop" is the only difference, why not just create a secure window? Something like this already exists for email protections in Outlook... I say, make a #2.5 and delete this entire dialog and setting.

  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    January 15, 2009
    "I would like Windows to give ME the control of my OWN computer, currently, if a program has a admin manifest, there is NO WAY for me to run it as non admin (other than turning off UAC and rebooting)" Anders, you do realize once UAC is off, EVERYTHING is ran as admin (unless you run as a standard user, then those programs that DO require admin access will be denied and there's little you can do about it), right? Contrary to what you believe, UAC DOES give you control. Given what I just said. There should be a way to have the option of running a program as a standard user. Currently, it's either "Yes" or "No" if you want to run the program. What the options really should be are "Run as Admin", "Run as Standard User", "Don't run the application". UAC was designed with this in mind, but how come it's not implemented in the UI?

  • Anonymous
    January 15, 2009
    I'm curious how you are able to accurately distinguish between software controlling the mouse and a human controlling the mouse. For many years, the message back was that due to accessibility & tutorial/training type of technology built into windows, it wasnt physically possible to distinguish between a human controlling the mouse and a piece of software controlling the mouse. Has this changed in Vista & W7?  Or how is this problematic scenario handled?

  • Anonymous
    January 15, 2009
    The comment has been removed

  • Anonymous
    January 15, 2009
    >I'm curious how you are able to accurately distinguish between software controlling the mouse and a human controlling the mouse. Vista and Windows 7 switch to a separate, isolated desktop (indicated visually by the screen-dim effect) to display UAC prompts, so the user's other processes can't interact with them.

  • Anonymous
    January 15, 2009
    UAC is ok, but:

  • Like some mentioned. We need an easy way to run as non-elevated (as simple as an advanced settings on the popup window?
  • A simpler solution to turn of the irritating flashing secure desktop.
  • Anonymous
    January 15, 2009
    Reading this post you'd think all they changed was a slider bar with a lower default.  But I'm using the Windows 7 beta, and it rocks.  No more double prompts and far less of them.  So far, I'm keeping UAC turned on.  I guess this post is the "PM" sales story for something the developers thought up.  Cool. I agree with the poster above that the difference between #2 and #3 is confusing.

  • Anonymous
    January 15, 2009
    For some very strange reason though, the Gadgets don't work when the UAC is turned off. I have to say this is very annoying. I can get it to work when replacing elements of the Win7 sidebar with elements of Vista, but this obviously isn't a feasible workaround.

  • Anonymous
    January 15, 2009
    I think you're ignoring a bigger problem here.  You shouldn't be setting up users as administrators in the first place.  The UAC should be a convenience item for non-admins.  Set up an admin account, but setup the user accounts as a non-admins; then when the UAC prompt appears then get them to enter the admin password (have the username preselected (or remember the last one used) so you don't have to type machine or domain nameusername AND the password).  If the user does not want to elevate then the app runs with its current credentials. Be secure by default.  If the end user wants to run as an administrator, then there is not much you can do about it.  Administrators should not be bothered with UAC…except when running  IE (should be run with no privileges (similar to dropmyrights) )where the user is prompted to elevate for things like activeX installs etc.

  • Anonymous
    January 16, 2009
    There is a problem with one UAC scenario:

  • I can't delete my monitor profile (it turns pictures fawny) since color management applet can't elevate itself.
  • Anonymous
    January 16, 2009
    The comment has been removed

  • Anonymous
    January 16, 2009
    The comment has been removed

  • Anonymous
    January 16, 2009
    xiphi, "Given what I just said. There should be a way to have the option of running a program as a standard user. Currently, it's either "Yes" or "No" if you want to run the program. What the options really should be are "Run as Admin", "Run as Standard User", "Don't run the application". UAC was designed with this in mind, but how come it's not implemented in the UI?" I would assume because if a program requires admin rights to run, then it will not run without those rights.  In fact, most programs I have seen that require admin rights to run, if you try to use them logged on as a standard user, just crash leaving some weird error message that confuses users.  Also, what sense does "run as standard user" make for a program that was clearly designed to run as admin because it performs some admin task? Bringing everything down to a simple yes or no makes things easier for users. JamesNT

  • Anonymous
    January 16, 2009
    Honestly, UAC has been a godsend to LUA wanting users the world over, which is hillarous when people who claim that running as Admin all the time is a crime, but turn around and say UAC is annoying. Try using XP as a limited account for a week. Then tell me UAC is annoying. It also works better then sudo imo, as it prompts when you need the access rather then telling you access denied, then reminding you to use it. Still, the major annoyance anyone had was of course duplication prompts, such as from IE asking if you want to open a file, then UAC asking if you want to give access to that executable, even though IE just asked you about it twice (once to download, once to open). A good solution will fix these problems before touching UAC. But I'm sure the Win7 dev team knows this already.

  • Anonymous
    January 16, 2009
    I'd just like to say that I've been using the Win7 Beta for almost a week now, and I love the new UAC.  I've kept it on the default setting, and I'm only prompted when an application needs to elevate.  Changing system settings, copying files to the desktop, deleting files, all run with no prompts. Fantastic job on reworking a misunderstood (but needed) Vista feature.

  • Anonymous
    January 16, 2009
    The setting second to the last feels about right.  I really like how it just feels like any confirmation dialog now.  I can't figure out how to make it never prompt for certain things, like running a new shell as admin.  It would be nice to be able to just have it do that for me. Overall it has really gotten out of the way and makes the Vista experience much better ;)

  • Anonymous
    January 16, 2009
    @xiphi: clearly, when turning off UAC, I'm not running as admin user @JamesNT: Thats not my feeling, take installers made by NSIS for example, Vista detects them as installers that need admin access, no matter what. Inno Setup installers are also very admin happy, after unpacking by hand, most of this stuff works 100% as non admin

  • Anonymous
    January 16, 2009
    @xiphi: just to make it clear, when UAC is on, yes you have the option of running something or not, but HOW it's run is up to the programmer that made the program, not me. If I want to deny write access to HKLM and no drivers etc. that should be MY choice (and also my fault if the program does not work)

  • Anonymous
    January 16, 2009
    Been testing the Windows 7 beta myself for a few days and UAC seems to be much improved over Vista. Not that I had any real issue with UAC in Vista to begin with, but the less prompts I see, the easier my life is. That is based on the assumption of course that the protection provided by UAC has not been scaled back in anyway! Assuming the controls are not too onerous, I'll take better security over convenience any day.

  • Anonymous
    January 16, 2009
    I've already submitted this via Send Feedback, but running regedit with UAC setting #2, which should only prompt for non-Microsoft software such as installs, displays a UAC prompt.

  • Anonymous
    January 16, 2009
    Can you please add "Run as Admin" in the context menu of BAT, CMD, MSI, MSP, VBS, JS, WSH and WSF extensions besides EXE? For file types that are considered executable and in situations where they aren't called by a .EXE, things break with UAC turn on.

  • Anonymous
    January 16, 2009
    @nwoolls: regedit might be a MS program, but if it did not prompt, people could do evil things by importing .reg files. The whole manifest approach is wrong IMHO, regedit can only know at runtime if it should elevate or not (I guess this could be worked around by giving it a asInvoker manifest and restarting itself with ShExec(.."RunAs"..) and a special param when a write access to HKLM/HKCR is needed)

  • Anonymous
    January 16, 2009
    @nwoolls, UAC documentation never states any thing about Microsoft or Non Microsoft software. Prompting (or like double cheking with the user) for RegEdit is a safe thing to do. It will take me a day at the max to write a bot to launch regedit, do all harmful things and close it, even faster than a user can notice it..

  • Anonymous
    January 16, 2009
    I second people asking for an option to run any software asking for admin rights (thus evoking UAC prompt) as a standard user rights. As Anders puts that, if the program fails then its users headache. But user should get a chance to run it as standard user until the actual developer (or company) updates the software to run in both modes.

  • Anonymous
    January 16, 2009
    UAC in Windows 7 beta 1 is ALOT more better than UAC in Vista. One notification - not two. One issue with compatibility is that Windows soes not notify when a program tries to do things it is not allowed to (Because of UAC), and therefore the program crashes. I don't like that we must restart our computer to disable/enable UAC. But, the UAC is much more improoved and not so much anoying like in Windows Vista. Martin

  • Anonymous
    January 16, 2009
    I'm also interested to know how Windows differentiates between mouse and keystrokes coming directly from a user and those coming from a program. In Vista it did not matter since every action that triggered UAC switched to the secure desktop, so only something running in the secure desktop could acknowledge the UAC prompt.  However, in Win7 many things that would trigger UAC in Vista no longer do.  For example you can create a new administrator without triggering a UAC prompt. However, I noticed that the sendkeys method in VBscript does not seem to work with mmc for example.  I think that is good, but I'm curious how it was done.  Also what are the risks of someone being able to bypass UAC in Win7 by simulating user input. Overall I'm pleased with the improvements in UAC.  This is probably what people were hoping for when they complained about UAC prompts being too intrusive in beta 1 of Vista.

  • Anonymous
    January 16, 2009
    "It also works better then sudo imo, as it prompts when you need the access rather then telling you access denied, then reminding you to use it." "One issue with compatibility is that Windows does not notify when a program tries to do things it is not allowed to (Because of UAC), and therefore the program crashes." Why not show a UAC prompt when the running program requires admin rights to continue? For example, when the administrator wants to save the changes to a text file in another user's Documents. Instead of coming up with an error, why are programs not given a way to request for admin rights when they need it? It could be in the same way like how Windows prompts you about writing into a restricted folder.

  • Anonymous
    January 16, 2009
    I think the UAC and secure desktop are a  great idea, but I ama little more adept at working with computers than some of the people that I deal with. As a MS partner I understand the need for security, but face it even the most adept small buisness owner does not want to answer prompts to run a peice of software. Please make it so I can continue selling MS Solutions, I actually have a customer who wants to switch to Apple because of UAC. And as far as the Average User...wow they just want to do those things that impower the repair industry. As far as that goes, a lot of software is not written correctly as to allow user to install in an elevated state, but I do not think that re-writting all the software that does work in Windows 7 would be economically viable for most developers and software companies in at least the immediate future, maybe you could include a dialog to allow the installation with elevated privledge, because if Joe User happens to modify the Local Security Policy that person will be put at risk and also Windows 7 may not be successful.

  • Anonymous
    January 16, 2009
    The comment has been removed

  • Anonymous
    January 17, 2009
    @Asesh -- you can read more about the secure desktop http://technet.microsoft.com/en-us/library/cc709628.aspx and learn more about the process/security model of the secure desktop.

  • Anonymous
    January 17, 2009
    The comment has been removed

  • Anonymous
    January 17, 2009
    I trust everyone here recognizes the fact that almost none of you will get UAC to do what you want it to do.  MS must design and implement UAC with security for the masses in mind - that means your pet idea for how UAC would not annoy you may never happen. JamesNT

  • Anonymous
    January 17, 2009
    It is an interesting step forward, but it isn't too hard to make the system think code initiated the action instead of the user.  

  • Anonymous
    January 17, 2009

  1. when I click "Run as administrator" and run some application, I don't have later clear info, that this application has got admin privileges (it would be good to have something like "(Admin mode)" added to window title)
  2. when I run cmd and later chkdsk, it displays, that, that needs admin privileges. Can't it simply display disk info only then ?
  3. can't Run window in Start menu have "Run as administrator" option ?
  4. there are 4 levels of UAC in 7. But still: what exactly actions are blocked or not on each one ? how does system know, that something was initiated by user or not ?
  5. Explorer - it displays the same info, when you try to enter link directory (C:documents and settings) and when you try to enter directory, where you don't have access (c:system volume information"). BTW, it a very funny for me, that Explorer is not able to enter link directory....
  • Anonymous
    January 17, 2009
  1. there is great SysInternals Suite available on MS page. You have such tool like ProcessExplorer there. I was very surprised, that it's still not used instead of Task Manager. And I'm very surprised - when ran it in limited mode, it can display some info about all processes (at least exe names, cpu usage, etc.). Task Manager needs clicking button "show processes from all users". could you fix it ?
  • Anonymous
    January 17, 2009
  1. I hear a lot about increasing security here. But:
  • Windows 7 doesn't allow user to see, if there is some traffic over concrete network interface (yes, in XP it was possible to display animated icon for each card)

  • Windows 7 doesn't have option "Disable all network interfaces" in menu for Network Sharing Center displayed near clock

  • Windows 7 doesn't display clear, what servers and what ports should be opened for good system work (for example - user doesn't know, if this OK or not, when Windows Update contacts server 192.168.1.1...)

  • Anonymous
    January 17, 2009
    UAC in Windows 7 is much better than in Vista, that is true. But one thing I did not understand in Vista, that still does not work in Windows 7 Beta is inability to do drag&drop between a non-elevated app and elevated one. For example, if I run Visual Studio as elevated user, I cannot drag files from Windows Explorer in it. At the same time, the same files are easily (not so easily as with drag&drop though) opened via the File->Open command. Clipboard is also accessible by both elevated and non-elevated processes. What is so secure in disabling drag&drop?

  • Anonymous
    January 17, 2009
    What's the big deal about UAC? It takes 1 second to click "OK" yet gives many hours of piece of mind!

  • Anonymous
    January 18, 2009
    The comment has been removed

  • Anonymous
    January 18, 2009
    The comment has been removed

  • Anonymous
    January 18, 2009
    Steven, I think one major thing missing from UAC design is a way of white listing/black listing applications. I think if the some sort of UI, where we can add application which can run with elevation with out prompt all the time, and some which should not be running with elevation (not even a prompt) will be good. The same way how we configure windows firewall. this will satisfy most of the advanced users, and people trying to turn of UAC will be less.

  • Anonymous
    January 18, 2009
    Don't forget that the majority of the people have no any knowledge about Windows XP/Vista. I am sure that the rest who's complaining about UAC or have to tell something about UAC or that it's a pain in the *ss, that their handling is already above any regular user. A regular user to me is a user who use their pc for reading Email, do Word, want Skype and use IE to browse. That said, i think UAC is a very good tool to protect users that accidentally unwanted installing software. They can't help them self, really! Those people already don't know what is an Windows update, installing Skype is for them also a big issue! (according to MS, 30% of the people don't do a WIndows update). I am pretty sure they aren't aware if it of the existence of Windows update. Not because they are dump ( i know doctors having this problem), they just use XP/Vista to get their Email, do Word, Skype and Browsing. They are just not interested to learn, knowing or whatever Windows or apps need to make them work properly. It just have to work and I can't blame them for that (do u know what to do if u by accident put a wrong fuel in your car?) Although i agree that UAC for advanced users was very very very limited. In Vista, it was ON or OFF.

  • Anonymous
    January 20, 2009
    I was hoping that there would be a change in UAC to have it activated on the "SAVE" action, not "View"... Many times you just want to look at something, a network property, a control panel setting, with no intention of ever changing the setting.  UAC kicks in at the "looking" action, not the "save" action, which, I believe is too early.   Thousands of user UAC impressions would be eliminated if UAC only kicked in when you were actually changing things... Keep up the good work! Chris

  • Anonymous
    January 29, 2009
    My idea is User Account Control in Windows Seven is very very better than Windows Vista, because in Vista we couldn't to change our control access, but in Windows Seven we can moderate our user's access to each other. So Windows Seven's UAC is better than Vista's UAC.

  • Anonymous
    January 29, 2009
    Please REMOVE the !insecure! UAC options. Even a child understands that the options that don't "dim screen" don't protect you at all, giving false sense of security. If any of these insecure options is used (as it is by default) malicious program can do anything. It can even disable UAC completely. The "security feature" that any malicious app can disable is useless! http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/

  • Anonymous
    February 02, 2009
    The comment has been removed

  • Anonymous
    February 24, 2009
    In the earlier blog post that talked about "the why of UAC and its implications for Windows, the ecosystem, and customers", it seems that all of the reason for the diminished UAC elevation prompts, was the improvement of the "ecosystem". I seriously doubt that ALL of that huge decrease in UAC elevation prompts was due to improved third-party and Microsoft applications.  I'll bet that a large percentage of it, larger than the article wants to admit, comes from users who gave up in frustration and searched the Internet to find out how to turn off the prompts completely.  THAT would reduce the number of prompts over time: when more and more people get frustrated with them. There is a mention in the article how a few intrepid souls, explorers on the farthest edges of the universe, managed to somehow turn off the UAC prompts.  Really, it's not that hard to find instructions on this, or for casual users to ask their techie friends how to do it.   Are there any statistics on what percentage of users have turned off the elevation prompt?  I haven't seen those numbers. I was disappointed to see that the Windows 7 engineers didn't seem to CONSIDER this, or admit to it as a possibility. And yes, I agree that too many prompts will result in users not reading them.  The user suggestions that ask for the prompts to be clearly worded, as in "Are you trying to install a new program?" would be HUGE improvements. David Walker

  • Anonymous
    February 25, 2009
    Well, I saw in another blog where Steven Sinofsky says that 92% of users run with UAC enabled.  Frankly, that's more than I expected.  It's good to know the percentage, though. One of the blog entries on UAC, which I can't find right now, says something like MS has heard the feedback: "Don't ask me if I want to do someting I just clicked on", etc.   However, I didn't see that MS has taken notice of the feedback that says "I trust this program -- allow it to do its thing", and don't ask me again.  That might not be desirable for Windows Explorer, but are there any other comments on this point?

  • Anonymous
    April 07, 2009
    The comment has been removed

  • Anonymous
    August 20, 2009
    Hi All, Can any one suggest me the behaviour of UAC shield in desktop shortcut. Suppose if i set UAC as "Always notify" should all desktop icons have that shield ? and also if i set UAC as "Never notify" should all desktop icons should be without shield ? I will be thankful if anyone help in this regard. Thanks, Krishna

  • Anonymous
    May 30, 2010
    I just bought a gaming pc with windows 7. I have owned it for six weeks and can not play a single new game. I have tried everything. Microsoft engineers tell me it is a driver problem eventhough I tell them about the "run as admin" which does not work. I am held at ransom for $165.00 to people that tell me my drivers are bad. Microsoft should fess up and fix their products that we purchased in good faith. Where are their ethics?

  • Anonymous
    July 20, 2010
    The comment has been removed

  • Anonymous
    November 05, 2010
    The comment has been removed

  • Anonymous
    May 25, 2012
    my uac is not disable am click ok and not happening. What to do pliz help me!!!