How to setup UAC?
Permanent link:
What is “UAC”?
UAC is an acronym for User Account Control and it is a security feature in Microsoft Windows Operating system (Vista or higher) which are made to your computer. The default UAC setting notifies you when programs try to make changes to your computer, but you can change how often UAC notifies you.
Why is it a security issue?
UAC notifies you before changes if anybody (e.g. virus, remote user) requires administrator-level permission. You can refuse this change, but if UAC is switch off, the change can anybody perform without yours approval.
How to fix it?
Configuration via GUI
- Open User Account Control Settings by clicking the Start button, and then clicking Control Panel.
- In the search box, type uac, and then click Change User Account Control settings.
Here you can now move the slider to four different settings:
- Always Notify
- Notify me only when programs try to make changes to my computer
- Notify me only when programs try to make changes to my computer (do not dim my desktop)
- Never Notify
This is where you can turn off or disable UAC in Windows Vista/7. However, I would recommend not turning it off completely since they now give you a selection of choices so that you don’t have a pop-up message every time you make some small change to your computer.
The Always Notify option will always pop up a message any time you install a program or when a program tries to make a change to the computer. Also, any change it Windows settings will bring up a UAC box.
The second item in my bullet list will notify you only when programs try to make changes, not when you install a program or when you make changes to your Windows settings.
The third item is the same as the second, but your desktop will not be dimmed! The dimming is called secure desktop. You can also disable secure desktop using a registry hack so that it does not affect which UAC setting you decide to go with. We would recommend this setting for most people.
The Never Notify option will never warn you about anything, including changes to your Windows settings. Not good if you end up getting malware or something like that.
Configuration via Group policy
- Press
Win+r(or Start ›› Run) and typeGpedit.msc+ pressENTER(If you are prompted for an administrator password or for confirmation, type the password, or click Allow) - Expand: Computer Configuration ›› Windows Settings ›› Security Settings ›› Local Policies ›› Security Options
- There are 10 Group Policy settings (set them according to our recommendation)
Configuration via Windows registry
- Start
regedit(as administrator) - Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - Setup all registry keys according to our recommendations
Recommended configuration
| Registry Key | Recommended value |
|---|---|
| FilterAdministratorToken | 0 (Default) = Disabled1 = Enabled |
| EnableUIADesktopToggle | 0 (Default) = Disabled1 = Enabled |
| ConsentPromptBehaviorAdmin | 0 = Elevate without prompting1 = Prompt for credentials on the secure desktop2 = Prompt for consent on the secure desktop3 = Prompt for credentials4 = Prompt for consent5 (Default) = Prompt for consent for non-Windows binaries |
| ConsentPromptBehaviorUser | 0 = Automatically deny elevation requests1 = Prompt for credentials on the secure desktop3 (Default) = Prompt for credentials on the secure desktop |
| EnableInstallerDetection | 1 = Enabled (default for home)0 = Disabled (default for enterprise) |
| ValidateAdminCodeSignatures | 0 (Default) = Disabled1 = Enabled |
| EnableSecureUIAPaths | 0 = Disabled1 (Default) = Enabled |
| EnableLUA | 0 = Disabled1 (Default) = Enabled |
| PromptOnSecureDesktop | 0 = Disabled1 (Default) = Enabled |
| EnableVirtualization | 0 = Disabled1 (Default) = Enabled |