I suppose, many working with Vista now are considering disabling User Account Control in Vista. There is at least one good reason to do so, but there also some reasons to give UAC a chance.

Latest posts by Michael Pietroforte (see all)

When I first was confronted with these UAC prompts, I was quite disappointed how Microsoft solved this common problem. Windows sysops usually logon with an Administrator account, because without this you simply can't administrate a Windows machine. I already pointed out my view about UAC pop-ups before. Constant prompting is not the solution.

However, this "Secure Desktop Prompting" is only a part of UAC. Since you can disable UAC prompts easily, there is not enough reason to turn off UAC, altogether. UAC has other features which are more interesting and quite useful.

For example, it reduces the risk of so-called shatter attacks. Malware often makes use of the fact that applications are able to communicate with Windows and with each other. UAC compliant software helps to isolate privileges of processes, thereby reducing the risk to compromise other parts of the system. At the moment, there are not many UAC compliant applications available. But this will certainly change soon.

In theory, UAC can also manage legacy applications by virtualizing the registry and parts of the the file system for them. Thus, some applications needing Administrator privileges on a XP machine might work with standard user rights under Vista. However, this usually doesn't work with administration tools since they simply need real Administrator rights by nature.

Another interesting feature of UAC is that standard users can start applications with Administrator privileges more easily than under Windows XP. Sometimes, it can be useful to allow computer savvy users to install software themselves. On a XP machine, you could add the user's account to the local Administrator group until she is finished the installation.

In Vista, a user can just enter the credentials of an account having enough privileges to fulfill the task. You could create a domain account with local Administrator rights. Every time a user needs admin privileges on his machine, you enable this account with a little script. So it costs you only a mouse click to give this user enough rights. It is just one example where this UAC feature can be useful.

At the moment, I know of only one reason, why you might have to disable UAC altogether. If you have many legacy applications which are incompatible with UAC, you simply have no other choice. Many Windows programs need admin privileges, and UAC probably will fail to detect this correctly in many cases. Please check out the Related section at the end of this post for more information.

There are several ways to disable UAC. The most common way is thru the User Account tool in the Control Panel. You've to reboot afterward. Unfortunately, it is not that easy to disable UAC with Group Policy. By default you can only configure some of its settings there. However, it is possible to disable UAC with a registry setting:

Subscribe to 4sysops newsletter!

You've to set EnableLUA to 0. So, you could create an ADMX file and disable UAC this way for multiple computers.

  1. TR 16 years ago

    EnableUA > EnableLUA

  2. Thanks! I corrected it in the text.

  3. Lee 16 years ago

    Doesn’t disabling the UAC elevation prompts allow automatic privilege escalation, and thus allow shatter attacks?

    I disabled UAC altogether. But then, I don’t have a car alarm because the annoyance isn’t worth what limited protection they provide. In fact, the annoyance reduces the protection.

    LoJack got it right. Security should be invisible until it’s needed.

Leave a reply

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account