Image: anyaberkut, Getty Images/iStockphoto

For a standard level user of Microsoft Windows 10, any attempt to run or install an application requiring elevated or administrative privileges will be met with a prompt from the User Access Control (UAC) system. The user will then have to enter the proper credentials to continue. This security procedure plays a vital role in protecting PCs running Windows 10 from malware and other nefarious applications.

With an edit or two of some very specific configuration settings, you can change the normal prompting behavior in Windows 10 to automatically deny the UAC elevation request from standard-level users. Modifying this behavior can be useful in networked environments (business or personal) where standard users are not allowed to install unauthorized applications—ever.

This tutorial shows you how to edit configuration settings in Windows 10 using both the Local Policy Editor and the Registry Editor to automatically deny UAC elevation requests from users with standard-level credentials.

SEE: Windows 10 May 2019 Update: 10 notable new features (free PDF) (TechRepublic)

How to automatically deny UAC elevation requests with policy editor

If your PC is running Windows 10 Pro, the most effective way to change UAC behavior is with the Local Group Policy Editor. Type “edit group policy” into the search box on your Windows 10 desktop and click or tap the appropriate item in the list of results.

Navigate to this folder, shown in Figure A:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options


Figure A

In the righthand window, scroll down until you reach a setting with this label:

User Account Control: Behavior of the elevation prompt for standard users

Double-click it to open the policy screen as shown in Figure B. Click the dropdown menu to change the setting to automatically deny an elevated UAC prompt. Click OK to apply the change.


Figure B

If at any time you want to change back to the default behavior, just reopen the setting using the Local Group Policy Editor.

How to automatically deny UAC elevation requests with registry edit

Disclaimer: Editing the Windows Registry file is a serious undertaking. A corrupted Windows Registry file could render your computer inoperable, requiring a reinstallation of the Windows 10 operating system and potential loss of data. Back up the Windows 10 Registry file and create a valid restore point before you proceed.

To change UAC prompt behavior for non-Pro versions of Windows 10, you will have to edit the Windows Registry file. Type “regedit” into the desktop search box and click or tap the appropriate result from the list.

Navigate to this key in the registry editor, as shown in Figure C:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem


Figure C

Find the key labeled ConsentPromptBehaviorUser and double-click it to reveal the configuration screen shown in Figure D.


Figure D

The Value can be set to 0, 1, or 3. Unfortunately, the editor does not indicate what setting each number represents. Here are the available choices:

0 – Automatically deny elevation requests

1 – Prompt for credentials on the secure desktop

3 – Prompt for credentials (Default)

Change the value to zero and then click OK to confirm your choice. Exit out of the registry editor app to complete the process.

Now, when a user with standard-level credentials attempts to install an application or perform some other activity requiring elevated credentials, they will be denied automatically without prompting.

Subscribe to the Developer Insider Newsletter

From the hottest programming languages to commentary on the Linux OS, get the developer and open source news and tips you need to know. Delivered Tuesdays and Thursdays

Subscribe to the Developer Insider Newsletter

From the hottest programming languages to commentary on the Linux OS, get the developer and open source news and tips you need to know. Delivered Tuesdays and Thursdays