Windows 7 / Security and Privacy

How UAC Has Changed in Windows 7

User Account Control debuted in Windows Vista to a resounding thud, for both users and reviewers. And that's too bad, because as we've noted again and again, UAC is both effective and far less annoying than many realize. But Microsoft is a customer-centric company, and when people complain, they actually listen. And sometimes, when the stars align just right, they do something about it.

In the case of UAC, this action took a number of forms. At a general level, Microsoft has dramatically reduced the number of tasks that require UAC elevation prompts. So the overall experience should be less annoying, assuming you're used to how UAC works in Windows Vista. And Microsoft has even given users a graphical interface, logically called User Account Control settings, for adjusting how UAC behaves.

This graphical interface is only available to those users with administrative privileges. This wasn't always the case, however. During the Windows 7 beta, Rafael and another blogger discovered and reported that UAC did not require confirmation when changing its slider setting, leaving it vulnerable to malware attack. Stubbornly, Microsoft did not budge at first, claiming that UAC worked as designed. It was not until after the issue gained international attention that Microsoft reversed its decision and made several changes to UAC, requiring administrative privileges being one. You can read more about this event on Rafael's blog, Within Windows (see http://tinyurl.com/win7uacissue).

You access User Account Control settings from the Action Center; there's a link in the side pane titled User Account Control settings that will trigger the UI shown below. Or, simply type user account control in Start Menu Search.

User Account Control Settings

User Account Control settings couldn't be easier: there's a simple slider control with four settings, which one might think of as "really annoying," "annoying," "less annoying," and "Windows XP." (Homeland security might consider a similar scale.)

More formally, these settings are as follows:

  • Always notify: At this most heightened level, UAC will prompt you anytime a software install or configuration change is detected, or whenever the user makes changes to Windows settings-just like Windows Vista.
  • Notify me only when programs try to make changes to my computer: This is indeed the default setting. Here, UAC will prompt you anytime a software install or configuration change is detected. But it will not prompt when the user makes changes to Windows settings. Initial setup tasks like setting the clock, updating device drivers, and formatting partitions can now be performed speedily without having to confirm each time.
  • Notify me only when programs try to make changes to my computer: This setting is almost identical to the previous setting, but with one important difference: UAC does not invoke the secure desktop during prompts. This has a few ramifications. First, UAC will be less annoying (though no less frequent) than with the default setting, because you won't see that jarring flash that occurs when the secure desktop is invoked. The screen will not go dark, and the UAC prompt will not be modal, meaning you can do other things instead of addressing the prompt immediately. (On the flip side, you can also easily lose track of the UAC prompt because it will just be one of many potential windows on screen and won't appear prominently or appear special in any way.) Finally, it will be slightly less secure: the secure desktop feature ensures that malicious software applications cannot spoof the UAC dialog.
  • Never notify: In this least secure setting and least recommended setting, UAC will not warn you when software is installed or changed, or when the user makes changes to Windows settings.

So, with all these options, I know you're eagerly awaiting our expert opinion on what it is you should do. And that's maybe the easiest advice we've ever given: you should do nothing. In fact, you should never even visit this UI. Just leave UAC alone and let it do its thing. UAC is there for a reason and, as noted earlier, it gets less annoying over time anyway. There is absolutely no reason to change how UAC works.

Tip When UAC is left at its default setting, Windows 7 automatically elevates a hand-picked list of applications, further reducing the UAC dialogs you see. These applications are referred to as being white-listed for auto-elevation. They include the following:

\Windows\ehome\Mcx2Prov.exe
\Windows\System32\AdapterTroubleshooter.exe
\Windows\System32\BitLockerWizardElev.exe
\Windows\System32\bthudtask.exe
\Windows\System32\chkntfs.exe
\Windows\System32\cleanmgr.exe
\Windows\System32\cliconfg.exe
\Windows\System32\CompMgmtLauncher.exe
\Windows\System32\ComputerDefaults.exe
\Windows\System32\dccw.exe
\Windows\System32\dcomcnfg.exe
\Windows\System32\DeviceEject.exe
\Windows\System32\DeviceProperties.exe
\Windows\System32\dfrgui.exe
\Windows\System32\djoin.exe
\Windows\System32\eudcedit.exe
\Windows\System32\eventvwr.exe
\Windows\System32\FXSUNATD.exe
\Windows\System32\hdwwiz.exe
\Windows\System32\ieUnatt.exe
\Windows\System32\iscsicli.exe
\Windows\System32\iscsicpl.exe
\Windows\System32\lpksetup.exe
\Windows\System32\MdSched.exe
\Windows\System32\msconfig.exe
\Windows\System32\msdt.exe
\Windows\System32\msra.exe
\Windows\System32\MultiDigiMon.exe
\Windows\System32\Netplwiz.exe
\Windows\System32\newdev.exe
\Windows\System32\ntprint.exe
\Windows\System32\ocsetup.exe
\Windows\System32\odbcad32.exe
\Windows\System32\OptionalFeatures.exe
\Windows\System32\perfmon.exe
\Windows\System32\printui.exe
\Windows\System32\rdpshell.exe
\Windows\System32\recdisc.exe
\Windows\System32\rrinstaller.exe
\Windows\System32\rstrui.exe
\Windows\System32\sdbinst.exe
\Windows\System32\sdclt.exe
\Windows\System32\shrpubw.exe
\Windows\System32\slui.exe
\Windows\System32\SndVol.exe
\Windows\System32\spinstall.exe
\Windows\System32\SystemPropertiesAdvanced.exe
\Windows\System32\SystemPropertiesComputerName.exe
\Windows\System32\SystemPropertiesDataExecutionPrevention.exe
\Windows\System32\SystemPropertiesHardware.exe
\Windows\System32\SystemPropertiesPerformance.exe
\Windows\System32\SystemPropertiesProtection.exe
\Windows\System32\SystemPropertiesRemote.exe
\Windows\System32\taskmgr.exe
\Windows\System32\tcmsetup.exe
\Windows\System32\TpmInit.exe
\Windows\System32\verifier.exe
\Windows\System32\wisptis.exe
\Windows\System32\wusa.exe
\Windows\System32\oobe\setupsqm.exe
\Windows\System32\sysprep\sysprep.exe

This list is representative of information available at time of publication. Be sure to check http://www.withinwindows.com for the latest version.

[Previous] [Contents] [Next]