Introduction

When I was working on this article, I was trying to figure out something witty for the title, but all I kept coming up with was “Fear and Loathing in UAC.” Very few built-in Windows functions have caused as much teeth-grinding as when Windows Firewall was first implemented, but UAC certainly seems to have reached that level.

Just like Windows Firewall, however, UAC (User Account Control) has had a massive impact on the security of Windows workstation endpoints, increasing the relative security of these systems for the better.

What may surprise most users though is that this feature actually started with Unix, Linux and Mac’s OS X: running a typical user session in a low privilege state, then asking the user to temporarily authorize a specific task.

UAC began its life with Windows Vista. Honestly, this version was massively overtuned, repeatedly prompting users more than it had to. With Windows 7, they started to reduce the criteria that would trigger a UAC prompt while still keeping critical settings secured. They also introduced a slider value for how much a user wanted UAC to intervene, with four distinct levels of prompts. They have continued to use this feature with current versions of Windows.

Configuring User Account Control

To view this slider, you’ll want to go to the Control Panel and select “User Accounts.”

Once here, you will see a number of options available. The one you’ll be looking for is “Change User Account Control Settings.”

After you have clicked on this option, you will be presented with Windows 10’s version of the Slider option values. These are as follows:

  • High — Always Notify
    • Always notify me when apps try to install software or make changes to my computer
    • When I make changes to Windows Settings
      • Purpose: Microsoft recommends this setting if you install new programs consistently and go to potentially unsafe websites 
  • Medium High (default)
    • Notify me only when apps try to make changes to my computer
    • Don’t notify me when I make changes to Windows settings
      • Purpose: Microsoft recommends this setting if you have a specific list of applications that you run and websites that you visit regularly
  • Medium Low
    • Notify me only when apps try to make changes to my computer (do not dim my desktop)
    • Don’t notify me when I make changes to Windows settings
      • Purpose: Microsoft doesn’t recommend using this setting unless you have specific graphic limitations or software restrictions that would affect the dimming of the desktop
  • Low — Never Notify (Disable UAC)
    • Never notify me when apps try to install software or make changes to my computer
    • Never notify me when I make changes to Windows settings
      • Purpose: This function sets UAC as low as it will go. While this effectively disables UAC, there may still be certain protections active. Microsoft does not recommend this setting if at all possible

Please keep in mind that whenever you are modifying UAC levels, you will need to restart the system before the changes will take effect.

UAC has several tricks beneath the surface that you wouldn’t expect — such as dynamically redirecting certain applications that would normally go to secure locations like Program Files (and thus require administrator access) towards their own “virtual store” location without the application being aware of it.

It’s important to remember that programs running in user sessions aren’t the only ones affected by UAC policies. Scheduled Tasks are particularly vulnerable to UAC prompts because they do not interact with users unless otherwise specified. 

Thankfully, there is a one-click fix for this that’s very easy to get to. To get to Scheduled Tasks, right-click on Start and select “Computer Management.”

Once in Computer Management, you will want to drill down through “Task Scheduler” and click on “Task Scheduler Library.” Here you will see your most common Scheduled Tasks. To adjust a Scheduled Task, simply double-click on it to bring up an editing screen.

The checkbox we are looking for is near the bottom — “Run with highest privileges.” Once this box is checked, any applicable UAC prompts will be bypassed for the duration of the task.

UAC honestly is a bit smarter than most users give it credit for. In addition to the basic functionality put in by Microsoft, it also interacts with anti-malware applications through the Antimalware Scan Interface (AMSI). If a piece of malware asks for UAC permissions and is detected, it will immediately be blocked. 

In addition, most of the issues surrounding UAC pop up around installation time rather than during daily use. If at all possible, it is recommended to keep UAC active at least at a minimal level.

Sometimes, however, we have no choice but to try disabling UAC to resolve problems. For starters, not all programs play nicely with UAC. Certain ones, in fact, not only prompt users every time they do something, but they still do not work properly even if you authorize it. 

Some of these can be gotten around if you use the option “Run as Administrator” — which for the most part will prompt you once while the program is open and then run the application in an elevated state until it is shut down. Keep in mind that this particular issue tends to happen more with legacy applications than it does modern ones. If you are moving users up from XP but keeping their programs the same, you may have some complications.

Conclusion

When it comes to protecting users, Windows 10 certainly is far more advanced out of the box than previous versions have been. The enhancements to UAC have certainly made it easier to deal with, as well as tune to your individual requirements. 

While Microsoft definitely recommends that UAC be left active if at all possible, they also recognize that sometimes this isn’t an option and give easy to use controls to adjust its activity level.

 

Sources

  1. How User Account Control works, Microsoft Docs
  2. User Account Control, Microsoft Docs
  3. How to Disable the User Account Control (UAC) in Windows 10, FAQForge
  4. How to turn off and disable UAC in Windows 10, Winaero
  5. How to turn off User Account Control in Windows, Autodesk
  6. Windows 7 Feature Focus: User Account Control, ITPro Today
  7. Guided Help: Adjust User Account Control settings in Windows 7 and Windows 8, Microsoft
  8. Switching off Windows Virtual Store, The IT Corner
  9. Why You Shouldn’t Disable User Account Control (UAC) in Windows, How-To Geek
  10. How to Change User Account Control (UAC) Settings in Windows 10, TenForums

Be Safe

Section Guide

Kurt
Ellzey

View more articles from Kurt

As you grow in your cybersecurity career, Infosec Skills is the platform to ensure your skills are scaled to outsmart the latest cyber threats.

Section Guide

Kurt
Ellzey

View more articles from Kurt