Friday, October 03, 2008

Messing with the UAC - the Admin Approval Mode

Initially when I got Vista, I disabled UAC completely in my account and turned off Security Center alerts. However, my friend suggested that he can keep the UAC enabled, yet not get the annoying prompts. He did this by enabling the built-in Administrator account and using it.

So I thought of fiddling with the hidden settings of UAC to find out if I can re-enable UAC yet get rid of those prompts in my account with administrator privileges. This is my own account, not the built-in Administrator account.

The hidden settings can be accessed by typing in secpol.msc in the Start menu, Run dialog or a command prompt. They are under Local Policies > Security Options. All the settings concerning UAC start with the words "User Account Control." Note: secpol.msc may not be available in Home Premium or lower.

After fiddling around, I found out that what my friend thought he is doing, is actually wrong. One of the settings here is "Admin Approval Mode for the Built-in Administrator account." This setting is Disabled by default, and that means no prompts what-so-ever will be displayed in the built-in Administrator account.

However, the very feature of displaying consent prompts is named by Microsoft as "Admin Approval Mode." Therefore, turning this off is exactly the same as turning UAC off via Control Panel. If you change the above mentioned setting to Enabled, even the built-in Administrator will start to display UAC prompts, just like other accounts.

There is another setting to about the Admin Approval Mode, namely "Run all administrators in Admin Approval Mode." This setting is Enabled by default. Now, disabling this will cause the prompts to be no longer displayed in any account. But it also means that UAC is completely turned off. I had UAC turned on prior to changing this setting, and after I changed it, UAC was found to be turned off.

In fact, turning off UAC in Control Panel actually toggles the above mentioned setting.

The only true way to keep UAC turned on, but get rid of the prompts is by utilizing the setting called "Behavior of the elevation prompt for administrators in Admin Approval Mode." The default choice is Prompt for consent, but you can change this to Elevate without prompting. It means the UAC prompts are still there, but Windows automatically clicks the Continue button for you. (This is just a description to make it easy to understand. You won't see Windows actually doing it on screen. You won't even see the prompt or the Secure Desktop.)

For the above mentioned setting to work for the built-in Administrator account, the first setting mentioned in this post must be enabled. Otherwise UAC will just be disabled in that account. Also, Security Center will continue to show that UAC is off, even though it appears turned on in Control Panel.

Although I did not get any more UAC prompts despite the fact that UAC is still turned on, I ran into other problems with software that I regularly use. Most notably, enabling UAC caused the programs to run underprivileged, and certain programs generated "Access Denied" errors when trying to access files in drives other that C drive. The problem did not occur when I ran the programs as Administrator.

Due to these problems, I reversed all my changes and went back to keeping the UAC turned off. Bottom line, if you know what you are doing with your computer and won't do anything silly to get it infected, an annoying security feature is really unnecessary.

No comments:

Post a Comment

Comments are moderated, and are usually posted within 24 hours if approved. You must have a minimum of OpenID to post comments.


Related Posts with Thumbnails