Changing How UAC Works (The Hard Way)
Okay, we recognize that giving advice is easier than taking it. With that in mind, there are a number of low-level changes you can make to this infamous Windows feature outside of the previously described new UI. If you really must futz around with UAC, look to User Account Control settings first. Or, if you're a real meddler, you can try the less obvious methods described in this section.
Disabling User Account Control
We don't recommend this; but as mentioned earlier, many people are going to be annoyed by User Account Control despite its good intentions, and they're going to want to simply disable it. As it turns out, Windows 7 makes disabling User Account Control very easy, much easier than it was in Vista. Simply open the Start menu and type user account control into Start Menu Search and press Enter. Then, drag the slider to its lowest setting.
After clicking OK, two things will happen immediately. First, UAC will prompt you to confirm the change with a UAC dialog! (Naturally.) Then, Action Center will throw out a balloon help window warning you that you must restart the system in order for the change to take place. If you miss this prompt, you can simply click the Action Center tray icon, which has taken on a red "x" overlay.
Or you can choose to open Action Center.
If you later change your mind, you can re-enable User Account Control by simply reopening User Account Control settings and dragging the slider back up to the desired position. As is the case with disabling UAC, a reboot is required to fully re-enable it. Configuring User Account Control
If you're the tweaker type and are running Windows 7 Professional, Enterprise, or Ultimate, Microsoft makes a number of User Account Control settings available through the hardto- discover Local Security Settings management console. To launch this console, open the Start menu and type secpol.msc in Start Menu Search. This displays the administrative console shown.
To access the User Account Control options, expand the Security Settings and Local Policies nodes in the tree view in the left pane of the management console and then select Security Options. When you do so, the right pane will be populated with a list of security options. Scroll to the bottom, where you will see several options related to User Account Control.
Table below highlights these settings and explains what each one does. To change a setting, double-click it. In the resulting dialog, just select the option you want (Enabled or Disabled for most of the UAC-related features) and then click OK.
TipThe Local Security Policy management console should be used only on PCs that are not centrally managed by a Windows Server-based Active Directory (AD)-based domain. Unless you work for a large company, it's unlikely that your PC is centrally managed in this way.
Customizable User Account Control Features
Security Option | What It Does | Default Setting |
Admin Approval Mode for the built-in administrator account | Toggles Admin Approval Mode for the built-in administrator account only. When Admin Approval Mode is off, UAC is said to be in "quiet" mode. | Disabled |
Allow UIAccess applications to prompt for elevation without using the secure desktop | Determines whether properly installed applications that need to be run with administrative privileges can prompt for elevation without entering the secure desktop. "UIAccess" applications are applications that are installed in "trusted" shell locations such as the Windows directory or the Programs Files directory. | Disabled |
Behavior of the elevation prompt for administrators in Admin Approval Mode | Determines what type of prompt adminlevel users receive when attempting admin-level tasks. You can choose between a consent dialog, a credentials dialog, and no prompt. | Prompt for consent |
Behavior of the elevation prompt for standard users | Determines what type of prompt standard users receive when attempting admin-levels tasks. You can choose between a consent dialog, a credentials dialog, and no prompt. | Prompt for credentials |
Detect application installations and prompt for elevation | Determines whether application installs trigger a User Account Control elevation dialog | Enabled |
Only elevate executables that are signed and validated | Determines whether only signed and validated application installs trigger a User Account Control elevation dialog | Disabled |
Only elevate UIAccess applications that are installed in secure locations | Determines whether only properly installed applications can be elevated to administrative privileges | Enabled |
Run all administrators in Admin Approval Mode | Determines whether all admin-level accounts run in Admin Approval Mode, which generates User Account Control consent dialogs for admin-level tasks. When Admin Approval Mode is off, UAC is said to be in "quiet" mode. | Enabled |
Switch to the secure desktop when prompting for elevation | Determines whether the secure desktop environment appears whenever a User Account Control prompt is initiated by the system | Enabled |
Virtualize file and registry write failures to per-user locations | Determines whether User Account Control virtualizes the Registry and file system for legacy applications that attempt to read from or write to private parts of the system. Do not disable this option. | Enabled |
If you're running Windows 7 Starter, Home Basic, or Home Premium, you need to edit the Registry to manipulate these UAC policies:
- Open the Start menu, type regedit into Start Menu Search, and press Enter.
- Navigate to HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Policies, and finally System. The resulting display is shown.
- In the right pane, double-click the value name associated with the setting you want to edit and set its value data appropriately, using Table below for reference.
Tip If a value doesn't exist, fear not. Simply click Edit → New → DWORD (32-bit) Value from the Registry Editor menu and then type in the appropriate value name and value, according to Table below.
User Account Control Features and Their Corresponding Registry Value Names
Security Option | Registry Value Name | Possible Data Values |
Admin Approval Mode for the built-in administrator account | FilterAdministratorToken | 0 - Disabled 1 - Enabled |
Allow UIAccess applications to prompt for elevation without using the secure desktop | EnableUIADesktopToggle | 0 - Disabled 1 - Enabled |
Behavior of the elevation prompt for administrators in Admin Approval Mode | ConsentPromptBehaviorAdmin | 0 - Elevate without prompting 1 - Prompt for credentials 2 - Prompt for consent |
Behavior of the elevation prompt for standard users | ConsentPromptBehaviorUser | 0 - Automatically deny elevation requests 1 - Prompt for credentials |
Detect application installations and prompt for elevation | EnableInstallerDetection | 0 - Disabled 1 - Enabled |
Only elevate executables that are signed and validated | ValidateAdminCodeSignatures | 0 - Disabled 1 - Enabled |
Only elevate UIAccess applications that are installed in secure locations | EnableSecureUIAPaths | 0 - Disabled 1 - Enabled |
Run all administrators in Admin Approval Mode | EnableLUA | 0 - Disabled 1 - Enabled |
Switch to the secure desktop when prompting for elevation | PromptOnSecureDesktop | 0 - Disabled 1 - Enabled |
Virtualize file and registry write failures to per-user locations | EnableVirtualization | 0 - Disabled 1 - Enabled |
In this tutorial:
- Users, Accounts, and UAC
- Understanding User Accounts
- Creating the Initial User Account
- Understanding Account Types
- User Account Control
- How UAC Works
- How UAC Has Changed in Windows 7
- Changing How UAC Works (The Hard Way)
- Parental Controls
- Configuring Parental Controls
- Running as Standard User with Parental Controls
- Extending Parental Controls with Windows Live Family Safety