Taming Vista's User Account Control
By: Arie Slob
Although Microsoft's intentions were good when it designed the User Account Control (UAC) feature* for Windows Vista, the end result is less than desirable, especially for the 'more than average' users who use their PCs for more than surfing the Internet and reading email.
One of the most-heard complaints is that Vista's UAC drives people crazy by asking them again and again whether they are sure they want to run the application they just launched. I will admit that it drives me nuts at times too.
Don't get me wrong: I think Microsoft's intentions are good here, but the implementation (still) leaves a lot to be desired. Another factor is that Windows users have never been exposed to anything like it. In the Unix/Linux world it is standard practice to log on to a system with reduced privileges and only 'switch user' to an administrator account when needed. The problem with Windows Vista at this point is that too many things still require administrator privileges to complete. Want to see the details of your network connection? You'll get a UAC prompt. Want to take a look in the Event Viewer? Another UAC prompt. I think UAC should only prompt if changes are going to be made to the system.
Because of the number of UAC prompts, a lot of users are looking for ways to 'kill' UAC. A quick Internet search (or a search in Vista's Help & Support) will point them to the Control Panel option that switches Vista's UAC off (Figure).
However, switching off UAC weakens Vista's security defenses. For example, switching off UAC makes Internet Explorer start with Protected Mode switched off. IE's Protected Mode in Vista ensures that Internet Explorer cannot modify user or system files and settings without your consent: it requires you to confirm any activity that tries to write something to your machine or start another program. With Protected Mode, the likelihood of an automated or unwanted software installation is reduced.
When Internet Explorer 7 runs in Protected Mode (the default in all security zones except 'Trusted sites'), the process runs with low rights even when Internet Explorer is started by an administrator. Protected Mode is built on the same integrity-level mechanism that UAC uses, which is why it goes away when UAC is switched off. This means that even if an attacker defeated every other defense, took control of the Internet Explorer process and managed to run arbitrary code, that code would be severely limited in what it could do. Nearly all of the file system and registry would be off-limits for writing, reducing an exploit's ability to modify the system or harm your files. The code would not have enough privileges to install software, put files in your Startup folder, hijack browser settings, or do other nasty things.
I do not suggest that you simply switch off UAC. My suggestion is to run with UAC enabled for some time: it's normal to encounter more UAC prompts during the installation and initial setup of Vista than later on. If you still insist on turning off UAC, make sure you understand that you are exposing your computer to additional risks!
To change Vista's UAC behavior it is better to use the registry settings that exist for just this purpose. The settings below do not switch off Internet Explorer's Protected Mode, which switching UAC off via Vista's Control Panel does.
The other benefit is that applications still start with limited, non-administrator privileges (standard user mode) until a program requests administrator rights.
The first setting deals with what Microsoft calls the "Secure Desktop". When you receive a UAC prompt, your desktop dims and the window that caused the elevation request, together with the elevation dialog, is made more prominent:
The other side effect is that you have to respond to the UAC prompt before you can do anything else.
To switch off this part of UAC, make the following change in your registry:
- Start the Registry Editor
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Right-click the value PromptOnSecureDesktop and select Modify
- Change the Value data from 1 to 0
- Click OK and close the Registry Editor
I found that by making just this small change, I could live with the UAC prompts (for now). Remember, making this change makes your computer less secure. The reasoning behind the secure desktop is that it prevents the UAC prompt from being 'hijacked': with the secure desktop switched off, the consent dialog appears on your normal desktop, where other software could overlay or spoof it. Makes sense, but if someone (or some program) is in a position to hijack your UAC prompt, it means that you already have spyware/malware on your computer. It may not be capable of taking over your entire system, but modern spyware/malware typically doesn't need to: it is perfectly 'happy' just running under your user account, sending spam emails or being part of a botnet.
This is what the UAC prompt will look like after making the change above:
You can still do other things on your computer and respond to the UAC prompt whenever you want.
The next change lets the UAC prompt 'disappear' altogether. Well, it doesn't really disappear: the elevation request is silently approved without any prompt. This is the change to make in the registry:
- Start the Registry Editor
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Right-click the value ConsentPromptBehaviorAdmin and select Modify
- Change the Value data from 2 to 0
- Click OK and close the Registry Editor
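As an added example (my own script, not code from the article), here is how to apply both registry changes described above from an elevated PowerShell prompt and then verify that UAC itself, and with it IE's Protected Mode, is still on. The meanings of the ConsentPromptBehaviorAdmin values, the EnableLUA value and the per-zone Internet Settings value 2500 come from my knowledge of Vista's registry layout and are not mentioned in the article; the function names are my own.

```powershell
# Added example, not from the original article.
# Writing under HKLM\...\Policies\System needs administrator rights, so start
# PowerShell elevated (expect one last UAC prompt for that).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Vista value meanings (from my knowledge, not the article):
#   ConsentPromptBehaviorAdmin: 2 = prompt for consent (default),
#                               1 = prompt for credentials,
#                               0 = elevate silently (the article's second change)
#   PromptOnSecureDesktop:      1 = dim screen / secure desktop (default), 0 = off
#   EnableLUA:                  1 = UAC on. This is the switch the Control Panel
#                               flips; it must stay 1 or UAC and IE Protected
#                               Mode are off entirely. This script never touches it.

function Get-UacSettings {
    $p = Get-ItemProperty -Path $uacKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacSettings {
    param(
        [ValidateSet(0, 1)]    [int] $PromptOnSecureDesktop,
        [ValidateSet(0, 1, 2)] [int] $ConsentPromptBehaviorAdmin
    )
    # Keep a copy of the key first; undo later with:  reg import $env:TEMP\uac-backup.reg
    $regPath = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    & reg.exe export $regPath "$env:TEMP\uac-backup.reg" /y | Out-Null

    # -Force overwrites the existing REG_DWORD values in place.
    New-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop' `
        -Value $PromptOnSecureDesktop -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin' `
        -Value $ConsentPromptBehaviorAdmin -PropertyType DWord -Force | Out-Null

    # Sanity check: if EnableLUA is not 1, none of the above matters.
    if ((Get-ItemProperty -Path $uacKey).EnableLUA -ne 1) {
        Write-Warning 'EnableLUA is 0: UAC is switched off entirely and IE Protected Mode is inactive.'
    }
}

function Get-IeProtectedModeZones {
    # Per-zone IE settings live under HKCU; value 2500 is "Turn on Protected Mode"
    # (0 = on, 3 = off). Zones: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
    # Protected Mode is only actually enforced while EnableLUA is 1.
    $names = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($z in 1..4) {
        $k = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'2500'
        New-Object PSObject -Property @{ Zone = $names[$z]; ProtectedMode = ($v -eq 0) }
    }
}

# Apply only the article's first change: keep the consent prompt, drop the secure desktop.
Set-UacSettings -PromptOnSecureDesktop 0 -ConsentPromptBehaviorAdmin 2
Get-UacSettings | Format-List
# Expect ProtectedMode True for every zone except 'Trusted sites' on a default install.
Get-IeProtectedModeZones | Format-Table Zone, ProtectedMode -AutoSize
```

Pass `-ConsentPromptBehaviorAdmin 0` instead to make the second change as well. Log off and on again if the new behavior does not show up immediately, and keep the exported `uac-backup.reg` until you are sure you want to live with the result.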
Again, this reduces your security, and you should only consider it if you understand the consequences: any program running under your account that requests elevation will be granted full administrator rights without you ever seeing a prompt.
One unfortunate side effect of this last setting is that Windows Security Center shows the red 'alert' shield and pops up a message each time you start your computer (Figure). The only way to stop this message is to turn off all pop-up messages from Windows Security Center, something you may not want to do.
*) One thing you should realize is that UAC is not a single feature but a collection of features, of which the elevation dialog is probably the most visible.
This is one of the functions performed by: