Security

Video: Bypass Windows Vista's User Account Control (UAC) prompt

Windows Vista's User Account Control (UAC) was designed to improve security. But, constant UAC prompts can also be a real pain. In this IT Dojo video, Bill Detwiler shows you how Task Scheduler and a custom desktop shortcut let you run UAC-restricted programs without encountering those annoying UAC prompts.

Windows Vista's User Account Control (UAC) was designed to improve security. But, when you're running Vista with anything other than administrator the constant UAC prompts can be a real pain. In this IT Dojo video, I'll show you how Task Scheduler and a custom desktop shortcut let you run UAC-restricted programs without encountering those annoying UAC prompts.

After watching the video, you can learn more about managing Windows Vista's UAC feature by reading Greg Shultz's article, "Run UAC restricted programs without the UAC prompt"--the basis for this video.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

58 comments
Richard Dokter
Richard Dokter

No, not annoying. Big deal, so you have to click on a UAC dialog box. What do you do if you are browsing the internet? You click hunderds of times and nobody's complaining ;-)

stoprambling
stoprambling

Here's the absolute BEST workaround to UAC prompts: Buy a Mac!

Stimpi
Stimpi

I am a software developer - I might be able to "KEEP UP WITH YOU" considering I am developing the software you LEARNING to tweak. Security? If you want security get a dog, this is the internet people - Stupid topic, UAC is for dumb people and it simply ask's "are you sure?" There is a simple reg change that is so easy that will stop it - not all of this boring conversation. Peace..

Spiritusindomit
Spiritusindomit

But this saddens me. It's not something I would ever recommend or tell somoene how to do.

Shane A.
Shane A.

This did not work on my computer. The shortcut works, but I still get UAC popup each and every time I run the program.

hforman
hforman

After reading a lot of the posts here, I have to say this. Data security is like a teeter-totter. If one side is ease-of-use and convenience and the other side is security, you'll find (in general) that pushing down on data security pops up the ease-of-use side and pushing down on that side pops up the data security side. Rarely do you see something that is easy AND secure. The problem with that analogy is that some folk think there there should be a 'balance'. Not true. There has to be a minimum amount of data security that can be measured by the engineering sysmbol, "$". That is, how much will this cost you if information gets leaked or destroyed? Turning UAC off is like turning off the firewall. Makes life a lot easier, but at what cost? Most of you who say that you will turn it off at your place of work may NOT necessarily have the right to do that. There are individuals called "CIOs" and "CISOs" that may have a different opinion. At work, we lost three laptops and the cost was over $500,000. They got off cheap.

mmelick
mmelick

Unrealistic work around, create a task for each app you wanna run without a prompt. Ok!!!!!!!

john3347
john3347

I wish someone could enlighten me as to how UAC enhances security on my Vista computer. UAC doesn't know whether the website you request is a dangerous site or not. It doesn't give you any indication whatsoever as to whether it may or may not be safe. It only senses a keystroke or a certain sequence of keystrokes and asks you to verify that you want to go where you just said you want to go. (sometimes asking for verification 2 and even 3 times per site) If UAC sent a "scout" to the website and came back and reported that a certain site displays signs of danger, or something like that, I can see the security enhancement. There is no security enhancement when it just requires you to verify two or three times your original request!!!!!!

Gis Bun
Gis Bun

Create a batch or CMD file with a name. Add the following lines: taskkill /F /IM explorer.exe start c:\windows\explorer.exe Create a shortcut pointing to the file created. Make it run in a context of an administrator. After double clicking on the icon, it will ask for the UAC prompt. After that any applications you run from the desktop, Start menu, or task bar will run as an administrator. This state will be as is until you log off. You can create a second icon as above with no administrator context instead of logging off.

pjboyles
pjboyles

There are several ways to handle the UAC prompts. - Turn them off. - Turn to silently succeed - You can use the Application Administrative Toolkit to create shims for applications. These can be installed on any computer running the app. - Create a manifest file for the application. - Or use the work-around outlined with task scheduler. The issue is that turning it off is the only way to easily regain complete access. That opens IE back up as some of the enhanced IE security is linked to UAC (bad idea, IE should have been independent). UAC also affects remote connectivity. This penalizes remote support. I had to add a registry hack to disable it for remote support. Being able to access things like administrative shares with a local administrative enabled account is important to fix things sometimes. This also impacts remote WMI and other remote management processes. MS really did everyone a huge disservice with this one. It should be simple to set ???remember my answer??? and all the changes should have been much more clearly enumerated. ----------------------- Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary in a workgroup. The registry entry is ???HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system??? LocalAccountTokenFilterPolicy, Reg_DWORD 0 | 1 When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, remote UAC is disabled. ----------------------- http://blogs.msdn.com/vistacompatteam/archive/2006/09/22/766945.aspx http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx

brill.garnet
brill.garnet

Hmm. I disable it on my machine. It's the most annoying thing with Vista. Anyway, I've been forced to use vista not because wanted Vista. Vista is wonderful however it has too many annoying features. All cheap new notebooks came with Vista, you can't avoid it. I'm thinking of switching OS.

mongo617
mongo617

This is going to definitely be helpful for me as I am constantly doing driver installs to new machines we put Vista on and having to keep seeing the UAC pop-up after every restart so I can finish loading the drivers needed is a pain. Thanks.

dbalcells
dbalcells

It's a good article, i tried it and it works perfectly, however it doesn't work for drag & drop, i mean, you cannot drag & drop a file to this shortcut and expect that the program, pointed by the shortcut, will open it. It doesn't work to me, also tried parameters %1 $1 and stuff like that but i cannot make it to work.

fanboi
fanboi

Yes, this feature is so damn annoying that I disable it on every fresh install within the company. I don't want to have to approve a copy paste of a document that I wrote, it's just rediculous. If I didn't have to run windoze at work I'd be running a mac and have none of these Vista 'improvements' to have to worry about.

Dumphrey
Dumphrey

Thanks for this, I missed the original article. I can see many uses for this, especially a admin cmd prompt from the desktop (i use this alot).

Bill Detwiler
Bill Detwiler

When not wearing my TechRepublic hat, I'm an adjunct professor and part-time lecturer in the criminal justice departments at two local universities. When teaching crime prevention, I always discuss people's tendency to disable or circumvent overly-complicated or annoying security measures. I wish a few Windows Vista developers had taken my class before creating Windows Vista's User Account Control (UAC). Microsoft designed UAC to improve security. But, constant UAC prompts can also be a real pain. In an IT Dojo video, I show you how Task Scheduler and a custom desktop shortcut let you run UAC-restricted programs without encountering those annoying UAC prompts. Original post: http://blogs.techrepublic.com.com/itdojo/?p=175 To make matters worse, it appears Microsoft meant for UAC to actually annoy end users. As Andy Moon wrote in TechRepublic's IT News Digest blog: "At the RSA Security conference in April 2008, a Microsoft official claimed that annoying users was the actual aim of the User Account Control (UAC) feature in Vista. Microsoft?s goal, he said, was to try to force smaller software vendors to write more secure code." Is Windows Vista's UAC so annoying that you disable it?

yarbrough2
yarbrough2

UAC is not something that MicroSoft imposed on it's users. It was designed and implemented as a result of their user base requesting a more secure computing environment. Security is never easy to deal with, but it is worth the hassel. After all what would it cost if your bank account and SSN were stolen? The reality is that there are people on the internet that want your data, and will take it if not protected.

Spiritusindomit
Spiritusindomit

UAC is not about protecting you from web invasion on a webpage level. UAC *IS* about protecting machine level security from unauthorized executions. It's stupid to try and protect you from web content, there's too many variables. It is smart to deny execution of anything you could potentially get infected by from the web and make you manually review it.

Tank252ca
Tank252ca

if you want to check websites before loading them in your browser, there are apps on the market that will do that. AVG Antivirus has a plugin that will check search results for you. For example, if you perform a search in Google, AVG will place a green check mark next to each search result that comes back clean and will flag sites serving malware. Of course, like any anti-virus app, it won't catch zero-day attacks (new viruses that are not yet in their database) but it's a bit of added protection that doesn't seem to slow my browser down any.

JCitizen
JCitizen

operating system, like the things you do when logged in as administrator. The UAC lets you know an app or Internet Explorer page control is attempting to gain privelege excalation to your computer. Knowing this is important, if you don't want some cracker code to gain control of your machine and have a free hand at taking it over completely. I haven't used Vista as a restricted user yet, but I wouldn't think this would be a problem during normal surfing on the web as a restricted user. IE 7 shouldn't be trying to do much of anything at that level unless you are trying to dowload installs that require administrative rights. If this is the case you shouldn't be doing this in a restricted account anyway, unless your're just too lazy to logon as administrator. However, in this case, it may be great, as you could give escalation permission as needed for trusted events. (EDITED) I am using Vista x64 now and am completely satisfied with the UAC as is (so far)

Tony Hopkinson
Tony Hopkinson

That's just a stupendous screw up waiting to happen. Might as well just turn UAC off and log on as admin.

bilal32
bilal32

Thanks for the link. We haven't rolled out Vista yet but as an ISSB tech support, we get to use both XP & Vista Enterprise.

rich
rich

I haven't seen this tool before but it's exactly what I'm after.

Tony Hopkinson
Tony Hopkinson

The only way I know of to get that is if you are sticking stuff in protected areas of the drive, i.e. root, program files, Windows ect. You should get warned about that. Now I'll admit getting a UAC prompt when logged on as Admin is exetremely annoying, but there was little alternative due to the earlier MS security disaster of 'everyone' being logged on as admin. It would have been interesting if MS had made logging on as admin more 'difficult' instead of UAC as admin, may be people would stop doing it so much then. Running as admin without UAC, you might as well not have bought Vista in the first place, it was about the only feature in it worth the fresh install.

techrepublic
techrepublic

I have followed the steps in your video thinking that this was just the ticket to get around a problem of a certain program not being able to run via a standard user. Well, I can't get it to work. Actually, it may be working but not the way I had hoped. I created the task to run the needed program and then created the shortcut. When I click on it nothing really happens from the standard user's screen. If I check task manager, and have it show processes for all users, The task is running via the admin's user account but nothing shows up under the standard user's account. So, that does me NO good. Any ideas for letting programs run for standard users without UAC asking for an admin's password? Do I have to turn off UAC?

chatch
chatch

In the system tray, it will still annoy you by telling you that UAC is disabled. There is the User Account Balloon Disabler if you don't want to bother with the registry settings.

Thack
Thack

Bearing in mind that Microsoft released that toolkit for making individual programs run without the UAC prompt, I wonder if this workaround using Task Manager might be an oversight on their part. If so, do you think it could potentially be a security hole? Perhaps malware could use this to run code silently. Also, if it was an oversight, I wonder if MS might close it. Incidentally, I've never read so much nonsense about UAC as in this thread. What on earth are people doing to get UAC prompts when browsing the Internet or downloading PDFs? My PC is used for a vast array of tasks, including the full set of MS Office activities, video editing, audio processing and editing, graphics design and editing, software development in Delphi and the Visual Studio languages, website development, and so on. The only time I get UAC prompts are when I'm running a non-Vista-compatible program, or doing some sort of administrative task. Personally I'm very pleased that Vista asks for confirmation when something with security implications is about to happen. But this really isn't at all frequent. And how could it possibly be objectionable? What the heck are people doing (or what crappy old software are they using) for them to be getting UAC prompts all the time? SteveT

MKleinpaste
MKleinpaste

As informative as this IT Dojo episode was, it's still nothing more than a hack. Further proof, in my opinion, that Vista is a PoS. I shouldn't have to hack my system to access applications I need even when I AM the administrator! As an admin, I'm accessing disk management to do my job, so I don't the Chihuahua barking at me. The bottom line is the UAC is as effective as car alarms at preventing security abuses. It gets ignored by memorizing the "arrow key + Enter" stroke and then eventually turned off as soon as people figure out how to do so. Microsoft's implementation of security is and has been 3rd rate at best.1

PhotoGene47
PhotoGene47

I had previously tried to configure TS to run a Norton program which always fails unless I manually start it. I liked your video presentation and recorded a step-by-step procedure for Device Manager. Unfortunately, whenever I start Device Manager via the shortcut, I see a fast flash on the screen and then nothing. It is as if something is killing the program immediately. I am in an admin account and I followed the procedure exactly. I do have Windows Vista SP1 loaded. Any ideas?

The Truth
The Truth

One less annoying thing about bloated Vista. Linux on live cds and usb is great.

yagar
yagar

I'm not a rocket scientist but.... When I installed my firewall (XP), it asked for every program that I tried to open, if I wanted to allow it to run. If I checked the box that says remember this option then I never hear from it again about that program. Why can't UAC do this. I look at it as a shortcoming in MS program. UAC is annoying and most folks have it shut off. The task manager fix is a good one but it's a whole lot of steps to take when you should be able to click a box and let UAC remember. When you add this to all of the other annoying things that come with Vista it's no wonder MS is pushing out the beta of Windows 7 as fast as they can. Folks (or business) are not going to spend extra money just so they can say they run Vista. Some people are happy with Vista, some live with it and complain, some I am formatting and switching them back to XP. Just depends what they need to do with their machine. Personally I see no need for Vista. It is Windows Millennium II.

Underground_In_TN
Underground_In_TN

...is MS's assertion that they made it so to force software vendors to write more secure code, when I encounter the UAC prompt almost exlusively when running Vista programs and configuration tools, such as Visual Studio. The phrase "Physician Heal Thyself" just leaps out, wearing bright orange coveralls and waving its arms in the air for attention. It's almost as ironically amusing as a book from Microsoft Press called "Writing Secure Code." The point to the UAC is to prevent a trojan from running and/or installing malicious programs, and from reconfiguring your system to be less secure. But can someone please explain to me why Vista can't tell the difference between a program being run from another program, and being run by the click of a mouse or keystroke? If it's the former, then yes, please do prompt the user to make sure he really meant to install/run the program. But if I execute the program/installer from a mouse click, the Start/Run tool or a command line, it seems obvious to me (and should be to Vista) that malware isn't behind the act. UAC is not needed there, thank you.

jerlin
jerlin

Windows Vista's UAC is so annoying that you disable and seem to serve no purpose that I can find. If I did not want a program to run I would not have started it. It would be fine if there was actual security but anyond can hit an extra "enter" and the program runs. What good is it?? I have had to repair many clients machines that hit the "enter" button after being requested bu UAC and ended up runnning malicious programs. So what good does UAC do?

Tearat
Tearat

When I am working on someone?s computer But re-enable it when I finish I also tell the owner of the computer what it is for and show them how to turn it off and on Its their computer not mine On my machine it was turned off until I gave up on Vista Next time if I use Vista again all the offending software will be run in an emulator or VM Now I have seen your video I will show people how to use task manager to manage UAC Sometimes you just don?t see the little things Sometimes they can be so important UAC is very frustrating for so many Vista users How can you sleep at night? You have just ruined Microsoft?s plans to annoy people Are you Anti-MS? (Just a joke Bill) Thanks for the Blog Cheers Steve Wait what am I saying It?s another damn thing I have remember No just kidding

spawnywhippet
spawnywhippet

On nearly every Vista machine I have ever used, UAC has been disabled by the owner. I work for one of the worlds largest IT companies and the Vista rollout has UAC disabled in the COE build. It's Chinese water torture method seems designed to pass the security onus to the end user by forcing them to bypass security rather than have MS accept responsibility for security.

Tony Hopkinson
Tony Hopkinson

if it is you should not be using Vista until those vendors (including the huge ones) write code better suited to windows newer security model. Actually I don't think it made matter's worse to nag. I think it was there only option short of not being able to run the code at all. If (given the resources) MS had done privilege separation properly, no existing windows code would have worked. Obviously that was a complete non-starter. Smaller vendors, yeah right.....

Tank252ca
Tank252ca

Vista flags some legacy apps as unrecognized applications and generates the security warning every the app is run. Imagine how you would feel if MS Word generated a UAC pop-up every time it ran. I have encountered this with a client's Address Book application which only runs under Vista with admin rights because of the way it uses the old Borland Paradox database engine. The app is perfectly safe to run, so why put up with the UAC pop-up every time? The same goes for some games. I installed Neverwinter Nights on my daughter's new Vista system. It only needed XP Compatibility mode in order to run, yet it generates a UAC warning every time. It's a bloody game, not some Windows system utility. These are the kind of results that drive people to turn UAC off. Pop-ups for everyday tasks. I for one appreciate this work around since it means that my client and my daughter will be less likely to turn UAC off without my knowledge.

john3347
john3347

I really don't understand the meaning of the terms "privilege escalation", and "escalation permission". (I'm not being argumentative here, I'm just trying to understand this pain-in-the-butt that I have disabled on my computer.) I am the sole user of my Vista computer (as are the majority of home users) and when I request to download an application from download.com, or a .pdf file from TechRepublic.com, etc., etc.; how is security increased by being asked to verify 2 and sometimes 3 times that I want to download the application or file? If I give permission to do as I requested and someone "out there" has malicious intent, am I not equally vulnerable whether I gave permission 2 or 3 times or not? Had I not been confident of the safety of my request, I would not have made the request to start with. I still do not understand how UAC can increase my security. You decide that you want to download a certain application and UAC, without knowing whether the site may be safe or dangerous, requests that you verify that you want to do what you just said you want to do.

Gis Bun
Gis Bun

And that's your opinion. If you noticed, no one else but you commented on it.

ejhonda
ejhonda

I'm willing to bet a vast majority of people did not "buy" Vista so much as have it foisted upon them when they purchased a new PC.

jamador
jamador

you probably are missing a space between schtasjs and /run or between /run and /TN Cheers

JCitizen
JCitizen

except that after every time the code of the particular application changed; such as after an update, the UAC would look at it as a different situation, I would think, and flag it as a new escalation event. Not all that annoying but your fix would be great, even in this scenario.

accessd
accessd

The issues with the Vista machine have forced many major compaines to hesitate when adopting the product. One large installation that I have been current working on, comprised of over 1100 sites, with an average of 30 stations per site, are having the techs re-imaging right over the default Vista. Until the Vista issues are resolved client are simply using their feet to walk away. MS should choose their next steps with care.

Tony Hopkinson
Tony Hopkinson

UAC simply highlights privilege separation issues. If it's highlighting a lot of them, then they should be fixed. Turning UAC off is a three wise monkeys solution, ie stupid. You still have the issues, you just can't see them while your head is buried in the sand. Now it might be that you have no practical alternative but to turn it off, but that simply says you should not have rolled out Vista in the first place. The only person responsible for security is us. MS are responsible for their own security, given a competitive market they need to sell us the tools so we can be. UAC is a necessary first step in addressing how far MS was behind other OS's which were gaining traction because pre Vista MS's idea of security and privilege separation sucked even more than it does now. If you want more secure, you get more security checks. No checks equals no security. We have UAC on at work, I have it on at home, I rarely notice and when it does pop up unexpectedly that tells me something very useful.

MKleinpaste
MKleinpaste

As a limited user the UAC makes sense. However, as an Admin the UAC is nothing more than a Chihuahua constantly barking. In addition, the fricken' UAC "barks" for 3rd party application updates like Adobe Pro and Firefox. Seriously!?

jbergman
jbergman

"Pop-ups for everyday tasks." A perfect description. Normally for security you would first analyse the activity before tagging it as a risk. Microsoft did not do this, UAC is useless because they did not listen and people turn it off. BTW because of activex/visual basic controls the whole MS Office suite should be run with no net connection and a big three screen security disclaimer not just a UAC prompt.

Tony Hopkinson
Tony Hopkinson

This means what exactly, everbody else thought it was so great an idea it wasn't worth mentioning? Let's face it, what you are doing is the same as running up a linux session and logging in as root. Handy on occasion, but not something you want to make standard practice for all your work. If you had added that proviso I would have no argument.

Tony Hopkinson
Tony Hopkinson

Any business with it's own IT resource that put itself in that position...... Using Vista at work was a conscious choice for my team. We needed to develop for it. Using Vista at home for me was also a conscious choice. I was prepared to cope with UAC being on in return for the benefit of knowing that teh software in question could be doing something I didn't want it to. To me that's no different to closing a port on my firewall or disabling a service I do do not need.

PhotoGene47
PhotoGene47

Thanks for your reply and, previously, I had checked that possibility. The problem was that I had inadvertently used task manager instead of device manager in one location. It works like a charm now - and I do have an icon for the task manager as well. Thank you for the courtesy of a reply.

JCitizen
JCitizen

is not a problem at all. I can finally ditch Commodo Firewall Pro as I feel this is way sufficient for what I'm concerned about.

Tank252ca
Tank252ca

If the code gets changed via a software update, then UAC *should* pop up again. That is also how software firewalls work. It prevents malware infections from getting past your security measures. I think a whole lot less people would be complaining if Vista simply had a check box to remember granted permissions as was suggested. I don't mind answering the pop up once, but to have to respond to it every single time that I run a particular app is just poor design on MS's part.

MKleinpaste
MKleinpaste

They just take the Dell downgrade option and view the charge as worth the $$$.

Tony Hopkinson
Tony Hopkinson

I agree completely. However as user privilege levels were something sort of tagged onto windows as an after thought when NT came out. Most home users log on as adminstrator and as they are basically appliance users, they are far from competent. Any software that raise a UAC challenge is doing something a competent administrator needs to know. ie it will impact more than the user who's logged on, including administrator. Now that might be the point, but the UAC gate controls access to particular resources, if was also a free pass for authorisation, it would get spoofed and MS would still be getting killed in the security argument with other OS's I am not saying UAC is great, just the best that MS could do with what they have, in the time frame they were allowed. And it's way better than nothing.

Editor's Picks