70-680 Study Guide - Configure User Account Control (UAC)

User Account Control (UAC):

In previous versions of Microsoft Windows, such as Windows XP, a user who logged on with an account that was a member of the local Administrators group automatically had administrator-level access at all times. On its own this would not be a problem; in practice, however, administrators logged on with their admin accounts even when they were not performing administrative tasks. Because any program run by a user logged on with an administrative account runs with the rights and privileges of that user, every application such a user launched ran with full administrative rights. This created a security risk that UAC addresses.

User Account Control (UAC) is a security feature in Windows 7. It notifies users of the system-level changes that an application attempts to make. When UAC is configured to notify, its prompts ask the user for confirmation before software makes changes that could harm the computer, adding another layer of security to Windows. UAC improves security by enforcing standard user privileges on application software until an administrator authorizes the elevation of privileges. In this way, only trusted applications receive administrative privileges: a user account may have administrator privileges assigned to it, but the applications that the user runs do not inherit those privileges unless the user explicitly approves them. Windows Vista offers only two UAC settings, on and off, whereas Windows 7 lets you choose from four settings:
  • Always notify – Notifies you whenever a program tries to install software or make changes to your computer, and also whenever you change Windows settings yourself. This is the most secure setting.
  • Notify me only when programs try to make changes to my computer – Notifies you only when programs attempt to make changes to your Windows settings; you are not notified when you change Windows settings yourself.
  • Notify me only when programs try to make changes to my computer (do not dim my desktop) – The same as the previous setting, except that your desktop is not dimmed when a prompt appears; you are not notified when you change Windows settings yourself.
  • Never notify – Disables User Account Control. You receive no notification of any kind when you or a program changes Windows settings. This is the least secure setting.

Secure Desktop:

Secure Desktop ensures that malware is unable to alter the display of the UAC prompt as a way of tricking you into allowing administrative access. When you configure UAC to use the Secure Desktop, the normal desktop is unavailable while a UAC prompt is displayed, and you must respond to the prompt before you can interact with the computer again. The Secure Desktop is built from a bitmap copy of the current screen, which is why a video that is playing when the Secure Desktop appears seems to freeze. If you do not respond to a UAC prompt on the Secure Desktop within 150 seconds, Windows automatically denies the request and returns to the standard desktop.

Configuring User Account Control (UAC):

Use the following steps to configure UAC.
  1. Click Start and type UAC in the search box.
  2. Click Change User Account Control Settings.
  3. This opens the User Account Control Settings panel. On this screen you adjust the notification level with the slider in the left pane. You can select from the following UAC settings:
    • Always notify me
    • Default
    • Default (Without Dimming)
    • Never notify
  4. Select the appropriate setting and then click OK. The computer must be restarted for changes to take effect.

Typically, only a user with administrative rights will get UAC warnings because it is disabled by default for standard users.

Configuring UAC With Local and Group Policies:

Besides changing the notification behavior of UAC, you can also control the behavior of the UAC by using local or group policies. Local policies are managed from each local computer while group policies are managed as part of Active Directory.

Follow these steps to change UAC settings:
  1. Click Start, type secpol.msc in the Search programs and files box, and press Enter.
  2. In the Local Security Policy tree, click Local Policies and then double-click Security Options.
  3. The UAC policies are at the bottom of the list. To modify a setting, double-click it and make the necessary changes.


Below are the policies that can be modified and what they do.

Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are:
  • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
  • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.

Allow UIAccess applications to prompt for elevation without using the secure desktop
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The options are:
  • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
  • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.

Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators. The options are:
  • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
  • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
  • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
  • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
  • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
  • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users. The options are:
  • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
  • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
  • Prompt for credentials on the secure desktop: (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer. The options are:
  • Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
  • Disabled: (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.

Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are:
  • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
  • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.

Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
  • …\Program Files\, including subfolders
  • …\Windows\system32\
  • …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are:
  • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
  • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

Run all administrators in Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are:
  • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
  • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are:
  • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
  • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.

Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are:
  • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
  • Disabled: Applications that write data to protected locations fail.
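As an added example that is not part of the study guide, the following read-only PowerShell audit reports which of the slider levels and Security Options policies described above are in effect on a machine. It assumes the documented registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableInstallerDetection) and the Windows 7 slider-to-value mapping, none of which the guide lists.

```powershell
# Added example, not from the study guide: a read-only audit of the UAC
# settings described above. The registry value names and numeric meanings
# are the documented backing store for the Security Options policies; the
# guide itself lists only the policy names, not these registry values.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# Return a value from the key, or the default the guide lists when it is absent.
function Get-UacValue([string]$Name, [int]$Default) {
    if ($null -ne $uac.$Name) { [int]$uac.$Name } else { $Default }
}
$adminPrompt = @{ 0 = 'Elevate without prompting'
                  1 = 'Prompt for credentials on the secure desktop'
                  2 = 'Prompt for consent on the secure desktop'
                  3 = 'Prompt for credentials'
                  4 = 'Prompt for consent'
                  5 = 'Prompt for consent for non-Windows binaries' }
$userPrompt  = @{ 0 = 'Automatically deny elevation requests'
                  1 = 'Prompt for credentials on the secure desktop'
                  3 = 'Prompt for credentials' }

$enableLua  = Get-UacValue 'EnableLUA'                  1  # Run all administrators in Admin Approval Mode
$adminMode  = Get-UacValue 'ConsentPromptBehaviorAdmin' 5  # Elevation prompt for administrators
$userMode   = Get-UacValue 'ConsentPromptBehaviorUser'  1  # Elevation prompt for standard users
$secureDesk = Get-UacValue 'PromptOnSecureDesktop'      1  # Switch to the secure desktop when prompting
$installDet = Get-UacValue 'EnableInstallerDetection'   1  # Detect application installations

# The slider in Change User Account Control Settings writes these three values;
# any other combination means the level was set through policy, not the slider.
$slider = switch ("$enableLua/$adminMode/$secureDesk") {
    '1/2/1' { 'Always notify' }
    '1/5/1' { 'Default' }
    '1/5/0' { 'Default (Without Dimming)' }
    '0/0/0' { 'Never notify' }
    default { 'Custom (set through local or group policy)' }
}

[pscustomobject]@{
    SliderLevel          = $slider
    AdminApprovalMode    = [bool]$enableLua
    AdminPromptBehavior  = $adminPrompt[$adminMode]
    StandardUserPrompt   = $userPrompt[$userMode]
    SecureDesktopPrompts = [bool]$secureDesk
    InstallerDetection   = [bool]$installDet
}

# Call out the conditions the guide identifies as least secure.
if (-not $enableLua)  { Write-Warning 'Admin Approval Mode is off: every process an administrator runs is fully elevated.' }
if ($adminMode -eq 0) { Write-Warning 'Administrators elevate without prompting; the guide reserves this for the most constrained environments.' }
if (-not $secureDesk) { Write-Warning 'Elevation prompts appear on the interactive desktop, where malware could alter their display.' }
```

Run it from an ordinary PowerShell session; it only reads the key, so it needs no elevation, and values changed through the slider or secpol.msc appear immediately even though the new level itself takes effect only after the restart the guide mentions.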