Windows User Account Control (UAC) PromptIn last week’s TR Dojo Challenge question, I asked TechRepublic members how to capture a screenshot of the Windows UAC prompt. This problem can be a real annoyance for IT pros that need to create process documentation, or for editors who want to use an image of the UAC prompt in their weekly Web video.

At first, it would seem you could use one Windows’ built-in methods for capturing screenshots–pressing the Print Screen key (capturing the entire screen) or Alt-Print Screen (capturing the active window). Unfortunately, neither methods works.

What about third-party screen capture applications? Couldn’t you just put one on a timer to capture the screen after the UAC prompt appears–getting around the locked desktop? Unfortunately, this method also fails. I tried a several applications and none was able to get around the UAC’s locked desktop.

Windows Secure Desktop mode

Both the built-in Windows methods and the third-party applications fail because Windows automatically switches to something called “Secure Desktop mode” when the UAC prompt appears. Secure Desktop mode allows only trusted processes running as SYSTEM to run. It also prevents you from clicking on anything other than the UAC prompt. This is the same thing that happens on the Windows login screen, and when you press Ctrl-Alt-Delete. The Microsoft User Account Control blog has a pretty good explanation of the process.

Microsoft designed Secure Desktop mode to prevent malicious code from spoofing what’s shown on the screen and thereby trick the user into installing malware or revealing sensitive information–like their user name and password. Unfortunately, it’s also prevents us from taking our UAC screenshot.

What’s the answer? As it turns out, there are a handful ways to get around the UAC’s locked desktop. Here they are in order of my preference.

Disable Secure Desktop mode

While UAC can be a real annoyance, at least it’s configurable. And, you can prevent UAC from switching to the secure desktop when the prompt appears.

Windows Vista Business or Vista Ultimate users can change their machine’s local security policy settings through the Group Policy Editor or the Local Security Policy settings window.

To use the Group Policy Editor:

  1. Click Start
  2. Enter gpedit.msc in the Search box
  3. Browse to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options  [Note: You can also enter secpol.msc in the Start menu Search box. This will take you directly to the Security Settings area within Group Policy Editor. From there, you can browse to Local Policies | Security Options as described in Step 3.]
  4. Double-click the policy named “User Account Control: Switch to the secure desktop when prompting for elevation” to open the policy’s settings window
  5. Under the Local Security Setting tab, click Disable
  6. Click OK
  7. Close the Group Policy Editor

To use the Local Security Policy window:

  1. Click Start
  2. Type Security in the Search box
  3. Click Local Security Policy from the Programs list
  4. Browse to Local Policies | Security Options
  5. Double-click the policy named “User Account Control: Switch to the secure desktop when prompting for elevation”
  6. Under the Local Security Setting tab, click Disable
  7. Click OK
  8. Close the Local Security Policy window

As neither the Group Policy Editor nor its Local Security counterpart is available in Windows Vista Home, those running this OS will need to modify the machine’s local security policy through a quick registry edit.

[Note: The following steps involve editing the Windows registry. Using the Windows Registry Editor incorrectly can cause serious problems that could require you to reinstall your operating system. Use the Registry Editor and the following directions at your own risk.]

To prevent Windows from switching to Secure Desktop mode when the UAC prompt appears:

  1. Click Start
  2. Enter regedit in the Search box
  3. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  4. In the right-hand pane, right-click, select New, and then DWORD (32-bit) Value
  5. Enter PromptOnSecureDesktop for the new entry’s name
  6. Right-click your new entry and click Modify
  7. Enter 0 in the Value data box and click OK
  8. Close the Registry Editor

Within Windows 7, disabling UAC’s activate of Secure Desktop mode is even easier.

  1. Logon with an account that has administrative privileges
  2. Open Control Panel
  3. Click User Accounts
  4. Select Change User Account Control settings
  5. Move the slider to the second notch from the bottom, which should configure UAC to “Notify me only when programs try to make changes to my computer (do not dim my desktop)”.
  6. Click OK

Remember, a system reboot may be required for all the above changes to take effect.

Use a virtual machine

If editing the Windows Registry and fiddling with the group policy settings aren’t for you, a virtual machine might be the ticket. Several members suggested installation a separate Windows VM and taking a screenshot of the VM window when the UAC prompt appears. Virtual machines are a great way to test operating systems and software.

Use Remote Desktop

Along the same lines as using a virtual machine, using Windows Remote Desktop allows you to view one machine’s screen (the target) on a second machine (the host). Keeping the target’s Desktop in a Remote Desktop window on the host, you can grab a screenshot of the window and thus, the UAC prompt. This method however, requires that you have two machines.

And the TechRepublic swag goes to…

Several TechRepublic members submitted answers that described ways to disable UAC’s activation of Secure Desktop mode, but I’m awarding coffee mugs to techrepublic@… (who first suggested changing the group policy) and Jacky Howe (who provided the registry key and the Windows 7 tip). I’m also sending TechRepublic swag to GG who was the first to suggest running Windows in a virtual machine and taking a screenshot of the VM’s window when the UAC prompt appears. The last coffee goes to DLeach4512@…, who was the first to suggest that you use Remote Desktop.

Finally, I’m giving honorable mentions to all the members who suggested using a digital camera to take a photo of the monitor when the UAC prompt was on the screen. While this would give you an image of the UAC prompt, I wouldn’t technically classify that image as a screenshot. Kudos for the suggestion, but it just misses being swag-worthy.

Thanks to everyone who submitted an answer. If you don’t see your answer here, be sure to give this week’s question, “How can you quickly save images within a Microsoft Word document as separate files?” a try.

You can also sign up to receive the latest from the TR Dojo through one or more of the following methods: