In the comments to my earlier post about Windows Vista tips, Ken asks a good question: What triggers a UAC prompt? Here’s the answer, straight from Windows Vista Inside Out:
The types of actions that require elevation to administrator status (and therefore display a UAC elevation prompt) include those that make changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%. Among the actions that require elevation:
- Installing and uninstalling applications
- Installing device drivers
- Installing ActiveX controls
- Installing Windows Updates
- Changing settings for Windows Firewall
- Changing UAC settings
- Configuring Windows Update
- Adding or removing user accounts
- Changing a user’s account type
- Configuring Parental Controls
- Running Task Scheduler
- Restoring backed-up system files
- Viewing or changing another user’s folders and files
Within Windows Vista, you can identify in advance many actions that require elevation. A shield icon next to a button or link indicates that a UAC prompt will appear.
I’ve been using the final release of Windows Vista every day for nearly three months. I rarely see a UAC prompt, and when I do, it takes one click to deal with it. On at least two occasions, I have decided against installing something as a direct result of seeing a UAC prompt. It made me stop and think about whether I really trusted the program I was installing. In both cases I went and did more research, found some bad reviews, and decided against installing the program in question. That’s worth the price of admission for UAC, in my book.
Technorati tags: Windows Vista, UAC, User Account Control, security
Ed Bott 
Thanks much. This list will do nicely until my book arrives. 🙂 To my mild surprise, I don’t mind the UAC feature at all. It is a way of reminding me to be a bit more careful before I do what I am about to do.
I may be wrong about this, but I believe that if you’re running as a normal user and have to elevate as Admin to install a program, deleting shortcuts installed by that program also generate a UAC prompt. I suppose this falls under the “other users” files condition, but it’s non-obvious that desktop shortcuts can belong to the admin user instead of the interactive, non-admin user who launched the installer. The bottom line is that it’s a PITA to have to confirm the deletion of a shortcut that lives on your desktop.
I’ve been trying to run as a normal user to see what my end-users will experience, and it’s been a big pain. One major problem is that the UAC prompt defaults to the domain on a domain-enabled PC. Users might have the password for a local admin account, but they shouldn’t have the password for a domain account that’s a local admin on their PC. This means that to run as a normal user on a domain, end users have to type “computername\username” and then a password for every UAC prompt. Again, I’ve been doing this for a while now, and it sucks.
My other option is to continue allowing users to be the Admin of their own PC, which isn’t optimal when you’re trying to prevent malware infections. I guess the functionality is better than XP, but I have a feeling there’s going to be a revolt (and a BIG training issue) due to the constant UAC prompts followed by the “computername\username” dance. Or I can give up security. Neither option is good.
Carl, how often are you seeing UAC prompts? In everyday use, I rarely see them. What kind of circumstances do they pop up in?
Other Carl:
On our domain, the domain account of each computer’s primary user (which, for most users, is a member of Domain Users) is a member of the local Administrators group. This is, in fact, the default configuration with Windows 2003 Small Business Server.
But it’s not the risk that you might suspect, and it’s not as risky as it was in XP, in which practically every user is given full admin privileges on the local machine. The reason? With UAC enabled in Vista, members of the local Administrators group run with a standard token. The administrator token kicks in only after they consent to a UAC prompt, and only for that particular process (and any child processes it launches). For a user running as a local administrator, those prompts don’t require any username/password — just a click. (You can, of course, lock it down more. But my point is, with educated users who don’t automatically consent to every dialog box that pops up, you can make it secure and convenient.)
The shield idea is excellent, but I wish they wouldn’t also use the same shield icon for absolutely everything security-related.
I’m also getting sick of the “Windows four-colour” but it seems every company loves to slap its branding all over the place now. (See also: the obnoxious startup sound. Obnoxious in that you can’t change it, and that it is (confusingly) seperate from all the other sounds to allow for this “functionality”.) Ho hum.
I primarily get UAC prompts around application installs, running various apps that require Admin privileges, moving files on my XP partition, and removing unnecessary shortcuts and startup programs. On some apps (Backup Exec) I’ve got to go through a UAC prompt Every. Single. Time.
Carl Siechert’s advice is actually really helpful. If I understand correctly, on Vista the difference between running as a local Admin and a standard user is that the Admin gets a “Continue” button and the Standard user gets a password prompt. Is this correct? Or are there other security benefits to running as a standard user on Vista?
Application installs, yes. Users shouldn’t be doing that very often, so I don’t see that as a big issue.
Running various apps that require admin privileges? If the apps are doing system-level stuff, like Backup Exec, then that’s normal. If they’re not, like QuickBooks, then you should be beating on the app developers to send updated versions that don’t require an admin process to run. Can you identify the apps?
Moving files on your XP partition? Add the user account to the permissions list on the folders where data is stored. (Properties, Security tab, Edit, Add, enter user name, click Full Control box.) The default settings are only the owner and Administrators group, which is why a standard user has to keep approving UAC prompts. That’s easy to fix.
Carl will gladly point out the benefit of running a standard user account. I won’t step on his line here…
Exactly so. Local admins can run processes that require elevation with just a click, whereas standard users will be prompted for credentials of an admin account.
There are some other, more subtle differences between admin and standard. For example, an admin who launches Device Manager gets an elevation prompt, after which s/he can do anything in Device Manager. A standard user, by contrast, gets no prompt; Device Manager just opens right up. But it’s in a read-only mode, so the standard user can’t make changes. Many MMC consoles are configured this way, so standard users are actually likely to see fewer UAC prompts.
UAC is one of my reasons for having Vista at all. I already have the “I’m a Standard User” decal on my laptop, and I do everything I can to make it work on XP SP2, but it is painful.
On my one Vista machine so far, I do find that I tend to automatically clcik through the UAC prompts that come up while I am in administrator. I will have to watch that.
I also found a smoother routine for elevating my own privileges from time to time.
First, as a standard user, in my limited user account, I will go into control panel and change my user account to an administrator. I have to give an administrator password to do that, and I do.
Now I have two administrators but the account I am running in is actually not elevated — I didn’t log out.
When I do an install or other thing, and it asks for an administrator approval, I use the one for my current account. This has installs be under the correct user – my LUA account – and that is usually the only user I want software installed for (unless it is truly administrative or security software). If I were to use the official administrator, I often find that software ends up being customized for that account and not mine.
When I am done fooling around, I can go into control panel again and demote my current account back to limited user. So the next time I log in I will still be a limited user.
That tells you how obsessive I am about this, but it also gets installs to turn out right more often than not. (I manually delete or move things from all users to my limited user account to keep it that way.)
The one problem I have with elevating under SP2 is that I have to log in to the account to have any elevated privileges and I too often forget to reset the account’s privilege level before shutting down.
Oh, and the book arrived yesterday. Heh.
One thing which triggers a UAC prompt is writing to the root of a drive — typically C:, although I’m fairly sure it happens on other drives as well.
Note that if you’re moving around files on another drive that was formatted on another OS (like XP) and has files that were tagged with that OS’s users (i.e., their ownership cannot be traced to any user in the current Vista install), then you’ll probably get a UAC warning until you take ownership of those files or, as Ed said, grant explicit permission. I had something akin to this when I installed Vista and tried to diddle with some files on another drive; taking ownership of the whole drive solved the problem. (Caveat: if you do that and boot back into the old OS, of course, you’re liable to see permissions issues all over again, so take ownership on the platform you’re going to do most of your work in. I’m on Vista more or less for keeps now, so I didn’t mind doing that.)
As far as the domain issues are concerned, I’m currently looking into a product from a company called BeyondTrust that’s making some advanced tools for Vista in corporate settings where UAC alone may not cut it (according to their press pitch). It sounds interesting but I can’t say anything definitive about it until I actually get my hands on it and look at it up close.
Orcmid, is there any way to script the promote/demote procedure you’re talking about? That sounds like it could be a useful thing to have an in admin kit…
Serdar,
I think there is a way to script it.
I would do a Run As … to kick it off and it should work. Oddly, I need a Run As … to kick it down too, because my running LUA account is still a limited user.
That would be a lot easier and I will look around for a way to do it. I think Aaron Margosis may have already provided the necessary bits, and it should be almost as convenient in XP as well as Vista.
Great question! I’ll let you know what I find.
BTW, the Windows Startup sound CAN be disabled. Go to Control Panel | Sounds | Sounds tab, and uncheck “Play Windows Startup Sound.”
I took apart Aaron Margosis’s MakeMeAdmin scripts and found pieces that do what I want. I am looking at some edge cases and how to document these. I’d been meaning to do this for almost two years. I’ll put up a comment when I have something confirmed on both XP and Vista and I have the edge cases down. (There’s also some cool material in a book called “Window Vista Inside Out” that I might be able to adapt.)
I am getting to a point that is making me sick with UAC. If I leave it on, I might go through lets say 120 webpages and get prompted 100 of them. Thats too much.
Plus, if I do turn it off … it magically turns itself back on after a windows update.
Jason, that is not normal behavior.
I am going to send you an e-mail requesting that you run a test for me. I’ll report the results here.
Well I deactivate User Account Control on my computer with windows vista because it’s really annoying and keep warning me every single time I try to run something