Disable Vista's User Account Control prompts while protecting your system

Annoyed by the constant permission-seeking of Vista's User Account Control (UAC)? Greg Shultz explores a way to disable UAC's prompts while leaving its protection intact.

You may have already disabled Windows Vista's User Account Control (UAC) in order to avoid its regular "Windows needs your permission to continue" prompts. The only problem with disabling UAC is that once you turn it off, the doors are wide open for inadvertent mistakes or unauthorized changes that can destabilize your system -- both of which can happen to even the most experienced computer user. Because of this potential danger, you may opt to leave UAC in place and suffer the "Are you sure?" prompts.

I recently discovered a more prudent way to disable UAC's prompts while leaving its protection intact by using a tool called TweakUAC from WinAbility Software. I stress the word prudent here because rather than completely disabling UAC, TweakUAC allows you to put UAC in a quiet mode.

In this edition of the Windows Vista Report, I'll introduce you to TweakUAC and describe how TweakUAC's quiet mode is safer than completely disabling UAC.

Using TweakUAC

TweakUAC, which doesn't require installation, is very PowerToys-like in that it performs a single operation very well. Once you download and run TweakUAC's executable file, you'll see the Open File - Security Warning dialog box (Figure A), and then you'll see a UAC dialog box (Figure B). Click Continue.

Figure A

The Attachment Execution Services (AES) displays the Open File - Security Warning message because the operating system considers the file dangerous until you tell it otherwise.

Figure B

Vista will display the User Account Control dialog box when you run TweakUAC.

The first time you run TweakUAC, you'll encounter the End User License Agreement dialog box, followed by the main TweakUAC dialog box (Figure C).

Figure C

The main TweakUAC interface is a simple dialog box offering you three choices, including the safety precaution Leave UAC On.

The Turn UAC Off Now option will completely disable UAC, just like in the Control Panel's User Account tool. Selecting this option will require that you restart the system.

To switch UAC to quiet mode, click the Switch UAC To The Quiet Mode option and click OK. You'll see the TweakUAC dialog box (Figure D), which confirms this, and a Security Center icon and message balloon in the notification area (Figure E). The message balloon will fade away, but the Security Center icon will remain until you re-enable UAC.

Figure D

You receive a small confirmation dialog box when you enable quiet mode.

Figure E

You will see a Security Center icon in the notification area, as well as a message balloon, when you enable quiet mode.

You can now perform almost any task that would normally trigger UAC without having to deal with a "Windows needs your permission to continue" prompt. However, the main protective feature of UAC will still be in place. In other words, all applications will still run with standard user permissions by default, and since TweakUAC's quiet mode of operation only works on accounts with administrator privileges, those with standard user accounts will still encounter the UAC prompt.
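The three states described above (full UAC, quiet mode, UAC off) can be told apart from the UAC policy values in the registry. The read-only PowerShell check below is an added example, not code from this article or from WinAbility; it assumes that quiet mode corresponds to ConsentPromptBehaviorAdmin = 0 with EnableLUA = 1, and the sample values are constructed.

```powershell
# Added example: classify the UAC state from the policy values.
# Assumption: TweakUAC's quiet mode == EnableLUA 1 + ConsentPromptBehaviorAdmin 0.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacMode {
    param($Policy)  # object or hashtable carrying the three policy values

    if ($null -eq $Policy.EnableLUA) {
        return 'Unknown: EnableLUA is not set under the policy key'
    }
    if ([int]$Policy.EnableLUA -eq 0) {
        return 'Off: UAC disabled, administrators run with a full token'
    }

    # UAC is on: processes start with the filtered (standard user) token.
    if ($null -eq $Policy.ConsentPromptBehaviorAdmin) {
        $admin = 'administrator behaviour not set (OS default applies)'
    } elseif ([int]$Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $admin = 'administrators elevate WITHOUT a prompt (quiet)'
    } else {
        $admin = 'administrators are prompted before elevation'
    }

    if ($null -eq $Policy.ConsentPromptBehaviorUser) {
        $user = 'standard user behaviour not set (OS default applies)'
    } elseif ([int]$Policy.ConsentPromptBehaviorUser -eq 0) {
        $user = 'standard user elevation requests are denied'
    } else {
        $user = 'standard users are prompted for administrator credentials'
    }
    return "On: $admin; $user"
}

# Constructed sample values for the three states the article describes.
$samples = @(
    @{ Name = 'full UAC';   EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1 },
    @{ Name = 'quiet mode'; EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 1 },
    @{ Name = 'UAC off';    EnableLUA = 0; ConsentPromptBehaviorAdmin = 2; ConsentPromptBehaviorUser = 1 }
)
foreach ($s in $samples) { '{0,-10} -> {1}' -f $s.Name, (Get-UacMode $s) }

# On a live system, classify the real values (read-only).
if (Test-Path $PolicyKey) {
    'this host  -> {0}' -f (Get-UacMode (Get-ItemProperty -Path $PolicyKey))
}
```

In the quiet row, any process that requests elevation from an administrator account receives it with no consent step, which is the trade-off to weigh against the convenience.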

If you decide later that you want to re-enable UAC, simply run TweakUAC again. The TweakUAC dialog box will look a little different (Figure F), with the default selection as Leave UAC Operating In The Quiet Mode. Select the Enable The Full UAC option.

Figure F

While the options are basically the same, the wording in the TweakUAC dialog box is a bit different.

What's your take?

Have you completely disabled UAC? If so, are you likely to re-enable it and begin using TweakUAC and its quiet mode?

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as a Documentation Specialist in the software industry, a Technical Support Specialist in the educational industry, and a Technical Journalist in the computer publishing industry.

22 comments
PersonalComputer2010

A better tool has been released; it's called UAC Controller Tool v1.0 and works perfectly for Windows 7. It's easy to use and supports a tray area icon. *Works only under Windows 7. However, I suggest this tool.

BobVal

What would be nice is if, instead of turning off all messages, when the message was asked there would be an option to not ask me again FOR THIS APPLICATION only. I have a program "Intel Matrix Storage Console" and every time I run it Windows 7 gives me the message "Do you want to allow the following program...", well for this program I would like to say YES and do not ask me again. But for the others I want to know (or at least know the first time and have the option of passing on it for future). Any chance you would post the code for your program so maybe if it is C++ I could make changes to do this. Bob Valentino BobVal@BowlingBrackets.com

RoninV

As one of the posters indicated, UAC can be configured from within the OS, for non-administrator access control. Even this has its limitations. I'm going to be adding a few Vista Business Edition machines to a 2000/2003 Server network, which currently has all XP clients. Absent a computer use policy, UAC will have the tech guys running all over the place, since Vista appears to require Admin access to do just about anything.

nljam23

Hi All. As a 10 year Windows Sys-Admin. and recent (last 3 years) Linux aficionado, I have to say UAC is a welcome addition to the Windows OS. From my use of Linux and Mac OS, I have discovered how easy it can be to run as a non-admin user. Either "su" at the command-line or respond to admin password prompt in GUI to elevate priv. As a result, I have been running Windows XP and now Vista as a non-admin user for the past 18 months. I have an alternative local admin account set up to use as administrator credentials when needed. XP is more difficult as applications try to run in the current user mode unless they are begun in admin mode (right-click, runas). Vista UAC improves this behavior by not only adding the "Run-As Administrator" option to the right-click menu but also pausing and prompting for administrator credentials if elevation is required in the course of running an application. Last, for sys-admin duties on my network I either leverage a virtual XP box running with my domain admin credentials or local RDP to any server needed to do my work. I have found that running local PCs with the practice of least-privileged-access is the single best way to avoid exploitation of OS vulnerabilities.

george.jenkins

I don't believe we should rely on third party solutions for this type of OS function. There should be an administrators tool or group policy setting that disables this annoying "feature."

rmhc

Hi Mark, The program works as you said, but I have no Security Icon on the taskbar to remind me. How do I get the icon to appear? Thanks rmhc.....

Chug

I'd like to know exactly what this utility is doing in the background. I'm sure it's changing some registry or local security policies. I'd like to know what they are. I know there are a bunch of local security policies tied to UAC that can be customized to do all kinds of things.

anealysr

DO NOT RUN THIS IF YOU HAVE FIREFOX!!!!!!!!!! I tried it 3 times the first I let it reboot while I had firefox open and I could not run firefox I got an error saying I need to shutdown the previous session. Then I disabled UAC and rebooted, Firefox ran asking did I want to restore the previous session I said yes, downloaded it again and tried but this time I closed everything and rebooted and got the same error. I disabled UAC and rebooted then tried a 3rd time and still could not start Firefox. The reason I run Firefox is the speed, I wish IE was this fast.

NaughtyMonkey

with the security policy, but the tool may be needed for home versions since I have heard complaints that they do not have access to the security policy.

jy

OK, I had disabled my UAC; and after reading your article have turned it back on, run TweakUAC and selected Quiet Mode. Not sure how I would know that it's more protected, but I figured it couldn't hurt! Thanks.

Tony Hopkinson

with this sort of thing. If there's one thing you can guarantee about a windows security measure, is that there's a way to turn it off. Presumably version two will go silent for non admin users after you store an admin user and password in it. Bad, bad, bad idea, simply because for vista UAC to serve its purpose, you should not be able to do it.

admiralthrawn999

So how is this different than just downgrading permissions on a program to the user level? And can this be used to still elevate programs to the Administrator level so that they don't put files into the virtual vault?

henriklugn

There are much better ways than this actually not so good way (speaking about TweakUAC) to turn the UAC on without having to see ANY messages at all. When I was installing Vista I did the following: When Vista installation is finished, boot up and let it start until you reach "Enter desired account name and password".

1. Do not enter anything yet, instead press SHIFT+F10 key together to launch the command prompt.
2. In the launched command prompt, type TASKMGR and press enter to launch task manager.
3. Go to process tab, locate the program called MSOOBE.EXE, select the process with a left click on the mouse and click "End process" button to terminate it. The account creation screen disappears and the welcome screen appears. A user called "Other User" is now visible (but don't login yet)
4. Click on the arrow button in the right corner, and click "Restart"
5. Upon initial stage of system bootup, press F8 key and go to safe mode
6. In safe mode go to Start > Run > and type CONTROL USERPASSWORDS2, the user account settings will appear.
7. Go to advanced tab, in advanced user management section click on Advanced.
8. There will be two folders named User & Groups, double click on users folder then right click on the icon named Administrator, and then uncheck the setting that says "Account is Disabled". Click OK and OK again if needed and restart the computer.

Now your UAC will be turned ON without giving ANY messages whatsoever! Not even in tray ;) This guide is for the more advanced user that knows at least something about Windows since before. I agree that TweakUAC could be a nice program for newbies, but please don't recommend it to any advanced users. Instead make something of my little guide here to them. Peace out, take care, and keep up with me if you can :D

(Edit: Changed Description 2007-09-01 and added following info below) http://img231.imageshack.us/my.php?image=uacib7.png When loaded the link, click on the image to enlarge it. (This clearly shows how windows say my UAC works) Though I'm not 100% sure about the technical issues by doing as I said, so I better not say yes or no to any questions about this method. I was not even a helper to Microsoft when they developed Vista, so your questions are better answered by Microsoft inc. But I do know that you Will get rid of all the UAC+security center messages, and keep UAC status "ON and OK".

conceptual

Most of us make our mistakes at 3 in the morning. What I'm trying to say is that there are times and circumstances when even experts need to be protected from themselves. I'm not sure this solution is really a solution.

Chug

What 3rd party solution are you referring to? UAC can be easily completely disabled within the OS itself. Just go to the Control Panel then Users and there is an option to turn User Account Control off (or back on). There are also several Local Security Policy settings that can easily be either manually configured or set via group policy to customize how UAC works.

Tony Hopkinson

in IE7 now. Turn UAC off, you lose that and end up with IE6 with tabs.

RichardRoe

At the system prompt just enter C:\>net user administrator /active This will unlock the hidden real Administrator's account on all versions of Vista. Home versions of Vista will not be able to enter the 'Computer Administration' as you're suggesting. Log-in and use the real 'Administrator' account. This will give you full control of your computer. No UAC questions asked anyway. After you've done all of your jobs, you can always go back and log-in as an ordinary pseudo-admin or even a simple user. Deactivation of Administrator account: C:\>net user Administrator /active:no This is much simpler and will leave the computer as it was before while giving full computer access to the ones who know & need.

Stimpi

I am a software developer - I might be able to "KEEP UP WITH YOU" considering I am developing the software you're LEARNING to tweak. Security? If you want security get a dog, this is the internet people - Stupid topic, UAC is for dumb people and it simply asks "are you sure?" There is a simple reg change that is so easy that will stop it - not all of this boring conversation. Peace..

jy

I was worried that the bottom bar said unprotected before, and it is On now! Thanks for sharing that info!!

JCitizen

So far I haven't had too much annoyance at UAC prompts; but I'm used to using apps like Comodo that give a lot of feedback on what file is modifying which, so I suppose I'm used to it. As you say; Windows is dangerous enough without disabling everything that barely makes it safe. I must admit, I will use this tweak after I purchase Vista x64; Oh! I better check and see if it works on 64bit while I'm at it!

Tony Hopkinson

like to keep stum about. Seeing as I have to use IE7 at work, I consider protected mode a must. Also I can't turn UAC off, I'm developing for Vista, so I want to know that I've triggered it with the app, so I can make it truly compatible. Was a pain at first, but I only average about two confirmations a day, except when I go on an install splurge or some such. A few extra dialogs amongst the multiplicity you get anyway, isn't worth the risk of removing.