If you want to leave UAC protection in place, but you're about to perform operations that will generate a lot of UAC prompts, try this trick to temporarily turn the feature off.
I've been receiving a lot of e-mail lately from Microsoft Windows XP users who are buying discounted Windows Vista computers now in order to get the free Windows 7 upgrade. Most of the questions revolve around how best to deal with Windows Vista's User Account Control (UAC). As you know, going from XP to Vista and encountering UAC prompts for the first time can be very frustrating — especially if you consider yourself an experienced computer user who isn't likely to fall into the kind of traps that UAC is designed to protect computer users from.
As such, many of these users have permanently disabled UAC in order to avoid what they perceive to be a regular onslaught of "Are you sure?" type of prompts. However, the reality is that over the course of a normal computing session, you don't encounter UAC prompts all that much.
On the other hand, when you are performing certain types of operations, you are encountering UAC prompts every step of the way. That's when they become annoying.
Now, I know that the easiest way to deal with UAC prompts is to simply disable the UAC feature. The problem with permanently disabling UAC is that once you turn it off, the doors are wide open for inadvertent mistakes or unauthorized changes that can destabilize your system — both of which can happen to even the most experienced computer user.
Because of this potential to accidentally fall victim to a disastrous event, I normally recommend leaving UAC in place and suffering the indignities of the prompts. Better safe than sorry.
However, I recently discovered a technique that will allow you to temporarily disable UAC during those times when you know that you will be performing operations that generate a lot of UAC prompts and then re-enable UAC when you are done. That way you will be able to avoid UAC prompts when they are most likely to occur, yet leave the UAC protection in place when it will most likely save you from disaster.
This blog post is also available in PDF format in a free TechRepublic download.
A security policy setting
The crux of this technique relies on a security policy setting called User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. This setting, which is accessible in the Local Security Policy console in Vista Business and Ultimate, yet actually tied to a key in the registry that is available in all versions of Vista, is designed to allow you to configure how the UAC prompts are to appear for an Administrator-level user account.
This setting has three levels:
- Prompt for Consent: An operation that requires elevation of privilege will prompt an administrator in Admin Approval Mode to click either Continue or Cancel. If the administrator clicks Continue, the operation will continue with the administrator's highest available privilege. (This is the default level.)
- Prompt for Credentials: An operation that requires elevation of privilege will prompt an administrator in Admin Approval Mode to enter a user name and password. If valid credentials are entered, the operation will continue with the applicable privilege.
- Elevate without Prompting: This value allows an administrator in Admin Approval Mode to perform an operation that requires elevation without providing consent or credentials.
Of course, the Prompt for Consent level is the default, and the Elevate without Prompting level is the one that we will employ in this technique.
The beauty of the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting is that changing it doesn't dramatically affect the UAC feature and as such doesn't require you to restart. (When you completely disable UAC, you are required to restart Vista.)
The registry edits
As I mentioned, the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting is actually tied to a key in the registry. As such, you can easily switch between the Prompt for Consent level and the Elevate without Prompting level, with a pair of simple registry edits.
While you can use the Registry Editor to make these changes, it is much easier to make them via a couple of Reg files, which you can easily create. One of the Reg files changes the setting to the Elevate without Prompting level while the other one changes the setting back to the Prompt for Consent level. Let's take a closer look.
To begin, click the Start button, type Regedit in the Start Search box, and press [Enter]. When you do, you'll encounter a UAC and will need to respond accordingly. Once the Registry Editor launches, locate the following key:
Once you open the System Key, locate the
ConsentPromptBehaviorAdminsetting. Now pull down the File menu and select the Export command. When you see the Export Registry File dialog box, locate the folder of your choice and set the file name to EnableUACPrompt, as shown in Figure A, and click the Save button. Then, close the Registry Editor.
Name the file that you export from the registry EnableUACPrompt.At this point, locate the EnableUACPrompt.reg file in Windows Explorer, right-click on it, and select the Edit command to open the EnableUACPrompt.reg file in Notepad. The file will contain the entire contents of the System key, which in this case is unnecessary. You can whittle the contents of the file down to three lines, as shown in Figure B, and save it.
You can remove all but three lines from the EnableUACPrompt.reg file.Now, change the last number in the third line to 0 and save the file as DisableUACPrompt.reg. As you do, make sure that you select All Files from the Save As Type drop-down menu, as shown in Figure C.
After you change the last number in the third line to 0, you can save the file as DisableUACPrompt.reg, making sure that you select All Files from the Save As Type drop-down menu.
Using the techniqueNow, when you know that you will be performing operations that generate a lot of UAC prompts, just right-click on the DisableUACPrompt.reg file and select Registry Editor from the Open With menu. (If Registry Editor is the default program associated with Reg files, you can simply double-click the Reg file.) When you do, you'll encounter a UAC prompt and will need to respond accordingly. Once you do, you will encounter a warning message from the Registry Editor. When you click Yes to continue, you'll see a confirmation message from the Registry Editor. These steps are shown in Figure D.
When you run either of the Reg files, the Registry editor will display these messages.
When you are finished with the operations, you can right-click on the EnableUACPrompt.reg file and select Registry Editor from the Open With menu. When you do, you'll encounter the warning and confirmation messages from the Registry Editor, UAC will be re-enabled, and you'll be protected.
While you have the UAC prompt disabled, the Other Security Settings section in the Windows Security Center will indicate that UAC is turned off. Eventually, a red shield icon will appear in the notification area, warning you that UAC is turned off. However, once you re-enable UAC, those warnings will disappear.
What's your take?
Have you completely disabled UAC? If so, are you likely to re-enable it and begin using this technique to temporarily disable the UAC only when you need to and be protected the rest of the time? If you have any questions or comments concerning the disabling UAC feature, please take a moment to drop by the TechRepublic Community Forums and let us hear from you.
TechRepublic's Windows Vista and Windows 7 Report newsletter, delivered every Friday, offers tips, news, and scuttlebutt on Vista and Windows 7, including a look at new features in the latest version of the Windows OS. Automatically sign up today!