Windows Insider

UAC: When To Turn It Off

Want to jump into Vista but don't want to deal with UAC? Make it go away!

It's been about 21 months since the initial release of Windows Vista. Nearly all the early driver problems have evaporated, and most application conflicts have been resolved. Home computers for many office workers have already made the jump -- at least for those workers who've bought new computers in the past six months or so. Yet many IT organizations remain resistant to upgrading to Microsoft's newest desktop OS.

While I won't spend time in this column discussing the business reasons for moving to Vista, there remains one architectural decision on the part of Microsoft that sticks in people's minds as a critical reason not to move: User Account Control (UAC).

The efficacy of UAC has been debated in trade magazines ever since Vista's release. Aficionados extol its ability to reduce the risk and impact of malware infection. Deniers -- myself included -- agree in principle with the idea but not with its resulting implementation. Competing software companies with their own OSes to push -- like Apple -- make fun of UAC's in-your-face insistence to ask a second and sometimes a third "are you sure?" for what seems like every action you try to accomplish on the system.

My argument in this month's column is simple: If you're not making the jump to Vista because UAC is painful and just doesn't win in the cost-versus-benefits war, you always have the ability to simply turn it off.

Get It Off Me!
For Vista machines not part of a Windows domain, one easy solution for disabling UAC is through an old tool called msconfig.exe. From a command prompt, enter msconfig.exe to bring forward its GUI interface. Under its Tools tab, highlight the entry Disable UAC and click the Launch button. You'll need to reboot your computer to apply the changes. Congratulations, your machine will no longer be the brunt of the now-classic "Mac has asked you a question. Cancel or Allow?" jokes.

Another tool -- which is available at www.tweak-uac.com -- is called TweakUAC. This tool assists in the process of disabling UAC on individual machines. When launched, this simple tool provides three options to enable or disable UAC, or set it to "quiet" mode, which we'll discuss in a minute. For non-technical users, TweakUAC may be an easier solution than msconfig.exe.

For computers that are members of a Windows domain, the easiest way to accomplish the same task is through Group Policy. Create a new Group Policy Object (GPO) and navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options. There, locate and configure the following settings:

  • User Account Control: Detect application installations and prompt for elevation. Set to Disabled.
  • User Account Control: Behavior of the elevation prompt for standard users. Set to Automatically deny elevation requests.
  • User Account Control: Run all administrators in Admin Approval Mode. Set to Disabled.

Close the GPO Editor and ensure that the policy is applied to the correct organizational unit or your domain to finish the procedure. Like the previously discussed process, this effectively shuts down the functionality of UAC and returns the system to the same way of operating you're used to seeing in Windows XP.

Figure 1
[Click on image for larger view.]
TweakUAC makes it easy to either eliminate or quiet down UAC.

Quiet Down!
Yet with all of these brute-force approaches to eliminating UAC, its functionality has some efficacy in preventing some forms of inappropriate software from infecting your system and network. Not all of UAC's protective benefits arise through its annoying prompts, but all are completely disabled when UAC is turned off using any of the solutions previously discussed. Two examples of these "under the covers" protections that are lost include:

  • Internet Explorer Protected Mode. With UAC disabled, IE's remarkably powerful Protected Mode feature no longer relegates potentially unwanted software to a special area on the system with no privileges and a low level of trust.

  • Executables are no longer initiated with lowest-necessary privileges. With UAC disabled, the running of executables reverts to the pre-Vista architecture where applications run with their configured credentials rather than defaulting to non-administrator rights when not required.

Both of these capabilities are great add-ons to the security of the Vista OS, and their loss reduces Vista's ability to protect itself against rogue code. But there is a way to keep all of the best parts of UAC around while eliminating only its worst -- namely those annoying prompts.

This implementation can be called "UAC quiet mode." When in quiet mode, UAC and its unseen benefits remain functional on a system, while any requests for elevation are automatically approved.

Doing this on a machine not attached to the domain can be done with the TweakUAC tool previously discussed. Set TweakUAC's option to Switch UAC to the quiet mode and reboot the computer. For computers that are attached to a domain, create and apply a Group Policy that minimally configures the following setting:

  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Set to Elevate without prompting.

Other settings under the heading of UAC will change the way the Vista OS handles certain new security features, such as file and registry virtualization. You may find that reconfiguring other additional settings in this location may reduce or eliminate certain app conflicts.

Note that any disabling of UAC will relocate some annoying user notifications from UAC to Windows Security Center balloon pop-ups. If you want to also prevent those notifications, it's possible to use Group Policy to disable the Security Center in its entirety. In the path Computer Configuration | Policies | Administrative Templates | Windows Components | Security Center is a policy setting titled Turn on Security Center (Domain PCs only). Setting this to Disabled will shut down Security Center, which eliminates the notifications. The standard set of disclaimers applies in performing this action.

In the end, UAC is an excellent idea with a very hard-to-swallow implementation. In the future, alternative approaches such as BeyondTrust's Privilege Manager will provide a less "in-your-face" user experience while preserving the goals of UAC.

About the Author

Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.

comments powered by Disqus

Reader Comments:

Tue, Oct 14, 2008 Laken@TekMasters Woodlawn, MD

Excellent write up, Greg. Thanks for your great presentation at TechMentor - Orlando. Your opt-out suggestion may perhaps be the best way to get Vista adoption on track with all the attendant risks that will need to be mitigated. If necessary, users can turn the features back on after the facts, being one event the wiser.

Laken.
TekMasters - High on Technology.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.