What is UAC & Why You Should Never Turn it Off ??

When Windows Vista was launched, User Account Control (UAC) has been the most criticized and misunderstood feature. Even though it is very important for security, many people have chosen to disable it and expose their systems to possible security problems. Also, lots of sites have published different 'tweaks' for this feature which render it useless and expose users to problems. Windows 7 brings further changes to this feature which has caused additional controversy. This is why I will try to bring more clarity about this feature. I will explain what UAC really is, how it works, what options you have and why you should never disable it. If you are thinking to turn it off, please read this article so that you better understand this feature and how it helps you.

What Is User Account Control (UAC) ?

UAC is a security feature of Windows Vista and Windows 7 which helps prevent unauthorized changes to your computer. These changes can be initiated by applications, viruses or other users. UAC makes sure these changes are made only with approval from the administrator of the computer. If these changes are not approved by the administrator, they will never be executed and the system will remain unchanged.

How Does User Account Control (UAC) Work ?

In Windows Vista and Windows 7, applications run by default without any administrative permissions. They have the same permission levels as a normal user would. They cannot make any changes to the system.
When an application wants to make system changes such as: modifications which affect other users, modifications of system files and folders, installation of new software, UAC prompts the user to ask for permission. An UAC prompt in Windows 7 looks similar to the one below.

If the user clicks on No, the change won't be performed. If the user clicks on Yes, the application receives administrative permissions and is able to make system changes. These permissions will be given until the application stops running or it is closed by the user.
For an easier understanding, the UAC algorithm is explained in the diagram below.

What Changes Require Administrative Privileges ?

There are many changes which require administrative privileges and, depending on how UAC is configured, they can cause an UAC prompt to pop-up and ask for permissions. These are the following:

• Running an application as an administrator
• Changes to system-wide settings or to files in the 'Windows & Program Files' folders
• Installing and uninstalling drivers & applications
• Installing ActiveX controls
• Changing settings to the Windows Firewall
• Changing UAC settings
• Configuring Windows Update
• Adding or removing user accounts
• Changing a user’s account type
• Configuring Parental Controls
• Running Task Scheduler
• Restoring backed-up system files
• Viewing or changing another user’s folders and files
• Changing the system date and time

What's The Difference Between UAC Levels ?

Unlike Windows Vista, where you had only two options: UAC turned On or Off, in Windows 7 there are four levels to choose from. The differences between them are the following:

• Always notify - at this level you will be notified before applications make changes to your computer or your Windows 7 settings that required administrative permissions. When an UAC prompt shows up, your desktop will be dimmed like in the screenshot below, and you must choose Yes or No before you can do anything else on your computer. Security Impact: this is the most secure setting but also the most annoying. If you do not like the UAC implementation from Windows Vista, you won't like this level.

• Notify me only when programs try to make changes to my computer - this is the default level and it notifies you only before programs make changes to your computer that require administrative permissions. If you manually make changes to Windows 7, then you will not be notified by UAC. This level is less annoying as it doesn't stop the user when making changes to the system; it only shows prompts if an application wants to make changes. When an UAC prompt is shown, the desktop is dimmed and you must choose Yes or No before you can do anything else on your computer. Security Impact: this is less secure due to the fact that there can be malicious programs created which simulate the keystrokes or mouse moves of a user and change Windows 7 settings. However, if you are using a good security solution, these scenarios should never occur.
• Notify me only when programs try to make changes to my computer (do not dim my desktop) - this level is identical to the one above except the fact that, when a UAC prompt shows up, the desktop is not dimmed and other programs might be able to interfere with the UAC dialog window. Security Impact: this level is even less secure as it is easier for malicious programs to simulate keystrokes or mouse moves which interfere with the UAC prompt.
• Never notify - at this level, UAC is turned off and it doesn't offer any protection against unauthorized system changes. Security Impact: if you don't have a good security solution you are very likely to have security problems with your PC. With UAC turned off it will be easier for malicious programs to infect your computer and take control of it and/or its settings.

Should I Disable UAC When I Install My Applications & Turn It On Afterward ?

The biggest annoyance level for users is when you install Windows 7 and all your daily applications. At this time you can receive lots of UAC prompts and you might be tempted to disable it temporarily, while you install all your applications and enable it back when done. In some scenarios this can be a bad idea. Certain applications, which make lots of system changes can fail to work once you turn on UAC after their installation and they will work if you install them with UAC turned on. The failures happen because, when UAC is turned off, the virtualization techniques used by UAC for all applications are inactive. This causes certain user settings and files to be installed to a different place and no longer work when UAC is turned back on. To avoid these problems, it is better to have UAC turned on at all times.

Where To Find UAC & How To Change Its Level ?

We have covered this topic in one of our previous articles, called How To Change User Account Control (UAC) Levels. There you will find a complete guide with all the information you need.

Conclusion

Microsoft has listened to the feedback they received from Windows Vista users and have seriously tweaked UAC. We now have many options to choose from. These new settings provide a pretty good balance between security and usability. For those of you who are still not satisfied with the usability level of UAC, we will continue to look for additional tips and tricks which can tweak it further without compromising your security. If you already have some tips, don't hesitate to share them with us using the comments form below.