logo

Home page
Articles for Windows, Linux, OS X
Mac tips and articles
Mac tips
Windows 8 tips and articles
Windows 7 tips and articles
Vista Tips
XP Tips
Linux tips and articles
Read the blog
Online store
Windows, Linux, OS X programs
Links
About

Windows Vista hints and tips

5 registry hacks for User Account Control

User Account Control (UAC) is one of the most controversial features in Windows Vista. It improves the security by preventing applications or users, either accidentally or possibly maliciously, from changing important system settings. It provides a barrier to programs and users, but it doesn't stop authorised people from making whatever changes they want to the system.

If you have Windows Vista you will be well aware of UAC and you will be familiar with the pop-up dialogs that prompt you to confirm actions or provide an administrator username and password to continue with some action. It is irritating when you are logged in as an administrator to have to confirm simple actions like changing the date or time, so it isn't surprising that many people turn off UAC soon after upgrading to Vista.

If you frequently make lots of configuration changes to Windows then it certainly is worth switching off UAC, but you should do so only temporarily. Once you have set up Windows to work the way you want it to you will rarely need to perform any tasks that cause UAC dialogs to be displayed. In ordinary day-to-day PC usage you won't see many UAC prompts, so you should turn UAC back on if you switched it off because of the security benefits it provides.

The easiest way to turn User Account Control on and off is to go to the Control Panel and open User Accounts. Click the link labelled Turn User Account Control on or off and then either tick or clear the box on the next screen to enable or disable it. You will need to restart Windows after making the change for it to take effect.

There is actually more to User Account Control than this and it isn't simply on or off. These are just two possible settings and there are many more. Unfortunately, they can't be accessed through simple dialogs and you need to modify the settings in the registry using regedit.

Click the Start button and enter regedit to run the regsistry editor (clicking through the UAC dialog if you have UAC turned on). In the left hand pane navigate to HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Policies \System.

On the right you will see a value called EnableLUA. This is the master control for User Account Control and if you examine the value when UAC is turned on and off in the Control Panel you will see that it changes from one to zero and back again. Values of zero and one in the registry often mean off and on, false and true, so 0 means UAC is off and a value of 1 means that it is turned on.

(Sometimes the effect of changing a value in the registry is immediate, but sometimes you have to restart Windows before the change takes effect. If nothing happens after changing a registry value then restart Windows.)

User Account ControlDouble click EnableLUA and set the value to one to turn it on and then look at a value called ConsentPromptBehaviorAdmin. This determines what UAC does when you are logged on with an administrator account. The value of ConsentPromptBehaviorAdmin defaults to 2 with UAC turned on. What would happen if we set it to 1 or 0?

Double click ConsentPromptBehaviorAdmin and set the value to 1. Click OK and close the registry editor. Now try and do something that would normally cause a UAC prompt to appear. For example, click the clock at the right side of the taskbar, click Change date and time settings and then the Change date and time button. A UAC dialog appears, but it is different to the usual one and even though you are logged on as an administrator you will be prompted to enter your password. When ConsentPromptBehaviorAdmin is set to 1 you must enter a password, but when ConsentPromptBehaviorAdmin is set to 2 you are simply asked to click Continue. A setting of 1 is therefore more secure, or more irritating depending on your viewpoint.

What if we set ConsentPromptBehaviorAdmin to zero? Start the registry editor again and return to the key above (regedit remembers the last location viewed). Double click ConsentPromptBehaviorAdmin and set it to zero. Click OK and quit the registry editor. No try changing the date and time again. This time you won't see any UAC prompts at all because UAC is turned off.

You may have noticed that there are other values at this registry key, so what do they do? Double click ConsentPromptBehaviorUser and set it to either one or zero. A value of zero prevents someone logged on to Vista with a standard user type of account from doing anything that would cause a UAC prompt to appear. It totally locks down the standard users and it blocks all changes to the system and tools like regedit. Setting ConsentPromptBehaviorUser to a value of one causes a UAC dialog to be displayed and the user can select an administrator and enter a password to continue. So providing the standard users knows an admin username and password they can still make system changes.

EnableInstallerDetection affects the way that software is installed. When it is set to one, the default, it automatically detects programs that try to install using admin rights and a UAC dialog is displayed. If it is set to zero then no warning is given when programs try to install.

You will notice that whenever a User Account Control dialog appears on the screen, the dialog is displayed as normal, but the rest of the screen darkens and clicking on other windows and objects has no effect. This is a secure desktop and you must choose an option in the UAC dialog before you can do anything else. It is possible to turn off the secure desktop though.

Run the registry editor and return to the key mentioned above and look for a value called PromptOnSecureDesktop. This value is normally set to one, but since zero and one often mean off and on, what if we set it to zero? Double click it and set it to zero, click OK and quit the registry editor. Now try changing the date and time. Assuming UAC is turned on, you will see a UAC dialog, but this time the screen hasn't gone dark and instead the dialog is on a normal interactive desktop. It is obviously less secure, but if you are the only user of your computer and you know what you are doing then you might prefer it.

There are several different registry values controlling how User Account Control works and there are two or more settings for each one. By using different combinations of values there are quite a range of different security levels available. The ones you choose are up to you and everyone has different requirements. At least you now know what the settings are and how to change them. Here's a summary table that should help you to decide the right settings for you:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

ConsentPromptBehaviorAdmin

0 = No UAC prompt for administrators
1 = UAC prompts administrator for password
2 = Prompts administrator to approve action

ConsentPromptBehaviorUser

0 = Standard users can't do actions that require UAC
1 = Standard users prompted for admin username/password

EnableInstallerDetection

0 = Software allowed to install
1 = Software that requires admin priviledges detected

EnableLUA

0 = User Account Control off
1 = User Account Control on

PromptOnSecureDesktop

0 = UAC appears on ordinary active desktop
1 = UAC appears on inactive secure desktop

Tips index

copyright