Disabling User Account Control

for Windows 7

Before beginning you should weigh the merits of User Account Control (UAC). UAC is a
security measure designed to stop unwanted system configuration changes. Users
with the proper credentials (administrators) will be able to approve of system
configuration changes of their own accord. Instead of disabling UAC you may want to
utilize it. This guide will take you through the steps of changing default settings so that
you can either customize UAC or disable it completely.

1. Start • Click the Start button then click Control Panel, click User
Accounts and Family Safety, then click User Accounts.
• Alternately you can click Start, then click your user icon at
the top of the start menu.
2. User Account Control Settings Click Change User Account Control settings. This brings up the UAC
settings where you can set the sensitivity of UAC notifications. For
the purposes of this guide we’ll select Never Notify. If you are
choosing to keep using UAC a more detailed list of the effects are as
follows:
• Always notify: The UAC prompt is displayed with a secure desktop. Nothing but the prompt can be selected with a
secure (shaded) desktop. Unless responded to, after 150 seconds the prompt is automatically denied. The prompt
will display even if you are making changes to windows settings. This is the most secure setting.

• Notify me only when programs try to make changes to my computer: The UAC prompt is displayed with a secure
desktop. Unless responded to, after 150 seconds the prompt is automatically denied. The prompt will not display if
you are making changes to windows settings, it will however if a program attempts to make changes to the computer
or windows settings. This is the default setting.
 • Notify me only when programs try to make changes to my computer (do not dim my desktop): The UAC prompt is
displayed without a secure desktop. The UAC prompt will display if a program attempts to make changes to the
computer. The UAC prompt will only display if a program not included in windows attempts to make a change to
windows settings. In this case using a utility like MSCONFIG will not warrant a UAC prompt.

• Never notify: The UAC prompt will not display. If you are an administrator it will automatically approve the request.
If you are a standard user it will automatically deny the request. Choosing this setting requires a system restart.

Note about user tokens: When a user logs in the system generates a access token. Depending on the user’s credentials
(standard or administrator) the access token will be a standard user access token or administrator access token. Administrator
accounts generate two tokens (standard user and administrator tokens). When an operation is attempted the standard user
token is used to perform the task. If the standard user token is insufficient the user is prompted for administrator approval (to
use the administrator token).

3. Open the Group Policy Editor • Click Start, in the search field type Run then press enter.
• Alternately you can open the Run program by clicking Start,
then click All Programs, click Accessories, and then you’ll
click Run. Type GPEDIT.msc and press enter.
4. Find User Account Control Policies The UAC policies will be found under your Local Computer Policy,
click Computer Configuration, click Windows Settings, click Security
Settings, click Local Policies, and then click Security Options. Scroll
down the list of Security Policies to the policies titled User Account
Control.
5. Editing UAC Policies Editing UAC Policies can help you maximize your Windows 7
experience. Not all settings need to be changed but here’s a list of
notable policies you may want to:

Admin Approval Mode for the Built-in Administrator account: Use this policy to control whether the Built-in Administrator
(not to be confused with the Administrators group) has UAC enabled or not. By default this setting is disabled. This is notable
if you’re logging in as the default administrator.

• If Enabled: When logging in under the default administrator account you will have to approve of any operation that
requires elevation of privilege.
• If Disabled: When logging in with the default administrator account all applications will run with full administrative
privileges.

Behavior of the elevation prompt for administrators in Admin Approval Mode: When an administrator is logged in and a
program tries to run using the credentials of a standard user this policy takes effect. This policy controls how the elevation
prompt behaves for administrators.

• Elevate without prompting: This policy setting will have the application run with an administrator token without
notifying the current user.
• Prompt for credentials on the secure Desktop: When a program that has the standard user credentials tries to
perform an operation that requires administrator credentials the user will be prompted on a secure desktop for
administrator credentials (user name and password). Once entered the program can continue the operation with
administrator privileges.
• Prompt for consent on the secure Desktop: When a program tries to perform an operation that requires an
administrator token the user will be prompted on a secure desktop for consent (Permit or Deny). Once approved the
program can continue the operation with administrator privileges.
• Prompt for credentials: When a program tries to perform an operation that requires an administrator token the user
will be prompted to input administrator credentials (user name and password). The user will still have access to the
desktop.
• Prompt for consent: When a program that has the standard user credentials tries to perform an operation that
requires administrator credentials the user will be prompted for approval (Permit or Deny). The user will still have
access to the desktop.
• Prompt for consent for non-windows binaries: When a non-Microsoft program tries to perform an operation that
requires an administrator token the user will be prompted for approval (Permit or Deny). This is the default setting.
 Behavior of the elevation prompt for standard users: This policy determines the behavior of the elevation prompt for
standard users:

• Automatically deny elevation requests: When a standard user performs and operation that requires a administrator
token they will receive an access denied, message.
• Prompt for credentials: This setting prompts a user to input administrator credentials when an operation that
requires an administrator token occurs.
• Prompt for credentials on the secure desktop: This setting prompts a user to input administrator credentials against
the secure desktop when an operation that requires an administrator token occurs.

Detect application installations and prompt for elevation: Windows can detect when an application attempts to install. This
policy determines the behavior of the elevation prompt for application installations.

• If Enabled: Any application installation packages that require an elevation of privilege to install will trigger the
configured elevation prompt. This is the default setting in the Home edition.
• If Disabled: Installation detection is not required and therefore not used. This is the default setting in Enterprise
edition.

Switch to the secure desktop when prompting for elevation: When the secure desktop is active the desktop will be
darkened and the prompt will be the only object selectable.

• If Enabled: The secure desktop will become active when a prompt occurs.
• If Disabled: The secure desktop will not become active when a prompt occurs. This can leave your computer at risk to
certain types of viruses that the secure desktop would otherwise inhibit.

Run all administrators in Admin approval mode: Use this policy to turn UAC on or off.

• If Enabled: This policy setting will turn UAC on. Admin Approval Mode and all other UAC policies are dependent on
this option being enabled. Changing this setting requires a system reboot.
• If Disabled: This policy setting will turn UAC off. The overall system security will be reduced by doing this.
 To disable any prompts use:

Admin Approval Mode for the Built-in Administrator account- Disabled. Behavior
of the elevation prompt for administrators in Admin Approval Mode-Elevate
without prompting. Detect application installations and prompt for elevation-
Disabled. Run all administrators in Admin approval mode-Enabled.

Using the above mentioned settings will stop the elevation prompts
6. Conclusion