Jump to content

Recommended Posts

Posted

You pride yourself in the responsibility of having full and absolute control over your machine environment and anything that comes between that perfect human-machine symbiosis is to be spurned. If only there were a way to turn User Account Control off on a Windows Vista machine, you'd upgrade immediately. Well, dear reader, I'm here to help.

Firstly, it's worth a brief digression into the benefits of this feature. Running as admin is a bad thing, as most of us know. Aaron Margosis has blogged extensively on this issue, and I won't rehash it here. But for reasons of compatibility, running as a standard user can still be a somewhat painful proposition. Windows Vista attempts to give you the benefits of both worlds by allowing administrators to execute most processes in the context of a standard user and only elevating the privileges on their user token by consent, in addition to allowing standard user accounts to perform administrative tasks by selectively elevating a process to use administrator-level credentials.

In general, UAC has turned out pretty well. It was pretty intrusive in early builds, prompting often and sometimes capturing focus at the wrong time. For the vast majority of users, UAC will offer a valuable level of security protection that will protect against malware: it simply won't have the rights to perform invasive actions like installing device drivers or services. Once a system is configured, you'll rarely see UAC prompts unless you're an inveterate settings tweaker. Incidentally, you can find out a great deal more about how UAC works, what you need to do to your own applications so that they co-operate well with UAC, and the rationale for its design at the official UAC blog.

It is possible to switch UAC off. I really don't recommend it - if you like full control over your machine, surely you want to know when something is attempting to perform an administrative-level action? Nevertheless, I'd prefer to have you run Windows Vista without UAC than having you run a different operating system.

There are two ways to disable UAC. The easy solution is through Control Panel. Type "UAC" into the search bar at the top of the screen and you'll see this task presented

uacrr2.png

This approach is pretty brute-force, though. It just switches the whole thing off. There's a more subtle configuration choice that gives you some of the benefits of UAC without any of the prompting. You'll need to edit the local security policy to control this, as follows:

From the Start search bar, type "Local Security Policy"

Accept the elevation prompt

From the snap-in, select Security Settings -> Local Policy -> Security Options

Scroll down to the bottom, where you'll find nine different group policy settings for granular configuration of UAC.

uacpolicyvy1.png

Perhaps the best choice to select is to change the setting:

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

from Prompt for consent to Elevate without prompting.

What does this do? Despite the warning from the Windows Security Center, UAC isn't actually switched off. It's still there, and all your processes will still run as a standard user. To prove this, open a command prompt and try to save a file to the c:\ directory. You'll get an access denied error message. However, when a process is marked for elevation, instead of getting the secure desktop elevation prompt, the request will be silently approved. To show this in action, right click on a command prompt shortcut and choose "Run as Administrator". You'll see the command prompt open without elevation, but the window title will show that you're running with full administrative privileges.

Using this approach is better than nothing, but it's a bit like relying on everyone else having a vaccination against measles to protect yourself from infection. Read the explanations on the second page of the property sheet for each policy setting before tinkering, and be careful!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...