Windows 7 / Security and Privacy

User Account Control in Windows 7

Most administrators know that users should log on to their computers using accounts that are members of the Users group, but not the Administrators group. By limiting your user account's privileges, you also limit the privileges of any applications that you start-including software installed without full consent. Therefore, if you can't add a startup application, neither can a malicious process that you accidentally start.

With versions of Windows prior to Windows Vista, however, not being a member of the Administrators group could be very difficult, for a few reasons:

  • Many applications would run only with administrative privileges.
  • Running applications with elevated privileges required users to either right-click the icon and then click Run As or create a custom shortcut, which is inconvenient, requires training, and requires that the user has a local administrator account (largely defeating the purpose of limiting privileges).
  • Many common operating system tasks, such as changing the time zone or adding a printer, required administrative privileges.

UAC is a feature of Windows Vista and Windows 7 that improves client security by making it much easier to use accounts without administrative privileges. At a high level, UAC offers the following benefits:

  • Most applications can now run without administrative privileges Applications created for Windows Vista or Windows 7 should be designed to not require administrator credentials. Additionally, UAC virtualizes commonly accessed file and registry locations to provide backward compatibility for applications created for earlier versions of Windows that still require administrator credentials. For example, if an application attempts to write to a protected portion of the registry that will affect the entire computer, UAC virtualization will redirect the write attempt to a nonprotected area of the user registry that will affect only that single application.
  • Applications that require administrative privileges automatically prompt the user for administrator credentials For example, if a standard user attempts to open the Computer Management console, a User Account Control dialog box appears and prompts for administrator credentials. If the current account has administrator credentials, the dialog box prompts to confirm the action before granting the process administrative privileges.
  • Users no longer require administrative privileges for common tasks Windows Vista and Windows 7 have been improved so that users can make common types of configuration changes without administrator credentials. For example, in earlier versions of Windows, users needed administrator credentials to change the time zone. In Windows Vista and Windows 7, any user can change the time zone, which is important for users who travel. Changing the system time, which has the potential to be malicious, still requires administrator credentials, however.
  • Operating system features display an icon when administrator credentials are required In earlier versions of Windows, users were often surprised when an aspect of the operating system required more privileges than they had. For example, users might attempt to adjust the date and time, only to see a dialog box informing them that they lack necessary privileges. In Windows Vista and Windows 7, any user can open the Date And Time properties dialog box. However, users need to click a button to change the time (which requires administrative privileges), and that button has a shield icon indicating that administrative privileges are required. Users will come to recognize this visual cue and not be surprised when they are prompted for credentials.
  • If you log on with administrative privileges, Windows Vista and Windows 7 will still run applications using standard user privileges by default Most users should log on with only standard user credentials. If users do log on with an account that has Administrator privileges, however, UAC will still start all processes with only user privileges. Before a process can gain administrator privileges, the user must confirm the additional rights using a UAC prompt.

Table below illustrates the key differences in the behavior of Windows 7 with UAC installed when compared to Windows XP.

Behavior Changes in Windows 7 with UAC When Compared to Windows XP

Windows XPWindows 7 with UAC
When logged on as a standard user, administrators could run administrative tools by right-clicking the tool's icon, clicking Run As, and then providing administrative credentials.Standard users open administrative tools without right-clicking. UAC then prompts the user for administrator credentials. All users can still explicitly start an application with administrator credentials by right-clicking, but it is rarely necessary.
Using a standard user account could be a nuisance, especially for technical or mobile users.Standard accounts can perform many tasks that previously required elevation, and Windows 7 prompts users for administrator credentials when required.
When a user was logged on as a standard user, an application that needed to change a file or setting in a protected location would fail.When a user is logged on as a standard user, UAC provides virtualization for important parts of the system, allowing the application to run successfully while protecting the operating system integrity
If a specific Windows feature required administrative privileges, the entire tool required administrative privileges.Windows 7 displays the UAC shield on buttons to warn users that the feature requires elevated privileges.
When a user was logged on as an administrator, all applications ran with administrative privileges.When a user is logged on as an administrator, all applications run with standard user privileges. UAC confirms elevated privileges before starting a non-Windows tool that requires administrative privileges. Windows features that require administrative privileges automatically receive elevated privileges without prompting the user.

Windows 7 can reduce the number of UAC prompts when compared to Windows Vista. Instead of requiring multiple prompts for a file operation that performs multiple administrative tasks, all prompts are merged into a single prompt. Similarly, prompts from Internet Explorer are merged. When logged on as an administrator, you will no longer be prompted when Windows functions require administrator credentials. Additionally, there are now four levels of UAC notifications to choose from, as discussed later in the tutorial.

The sections that follow describe UAC behavior in more detail.

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 7 Client Protection
  2. Understanding the Risk of Malware
  3. User Account Control in Windows 7
  4. UAC for Standard Users
  5. UAC for Administrators
  6. UAC User Interface
  7. Secure Desktop
  8. How Windows Determines Whether an Application Needs Administrative Privileges
  9. How to Control UAC Using Application Properties
  10. How UAC Examines the Application Manifest
  11. UAC Heuristics
  12. UAC Virtualization
  13. UAC and Startup Programs
  14. Compatibility Problems with UAC
  15. How to Configure UAC
  16. Group Policy Settings
  17. Control Panel
  18. Msconfig.exe
  19. How to Configure Auditing for Privilege Elevation
  20. Other UAC Event Logs
  21. Best Practices for Using UAC
  22. AppLocker
  23. AppLocker Rule Types
  24. Auditing AppLocker Rules
  25. DLL Rules
  26. Custom Error Messages
  27. Using AppLocker with Windows PowerShell
  28. Using Windows 7 Defender
  29. Understanding Windows Defender
  30. Automatic Scanning
  31. Real-Time Protection
  32. Windows Defender Alert Levels
  33. Understanding Microsoft SpyNet
  34. Configuring Windows Defender Group Policy
  35. Configuring Windows Defender on a Single Computer
  36. How to Determine Whether a Computer Is Infected with Spyware
  37. Best Practices for Using Windows Defender
  38. How to Troubleshoot Problems with Unwanted Software
  39. Network Access Protection
  40. Forefront