When you try to install software or make certain changes on your computer, you might see a window like this:
This is from the UAC (User Account Control) feature on Windows. Let’s take a look at what UAC is and why it’s important to keep enabled.
What Is UAC?
UAC is a security feature first introduced in Windows Vista. In essence, it allows you to prevent applications from gaining administrative rights until and unless they actually require them. It also allows you to provide admin rights from any user account.
We can learn more about why UAC exists and how it works by examining the history of this feature. Then we’ll look at what it does in modern versions of Windows.
The History of UAC
Windows XP had two main types of user accounts: Administrator and Standard. Administrators had rights to do everything on the computer, including installing software, changing system settings, adding accounts, and more.
Standard accounts didn’t have these privileges. They could still make small changes, such as modifying their wallpaper and own password, but didn’t have control over installing/removing software and other admin tasks.
Because many Windows XP programs were written to only work if the user had admin rights, a lot of software would often simply refuse to run on Standard accounts. Thus, on XP it was common for users to run an Administrator account for everything to avoid the hassles of switching back and forth.
However, this was a major security risk. While using an admin account on Windows XP, everything that wanted to run with admin rights did so without your confirmation. Because of this, an attack could compromise an admin account without you knowing and gain full access to the system.
UAC in Windows Vista
To remedy this issue, Microsoft included the UAC feature in Vista. No matter whether you were using an Administrator or Standard account, you would see a prompt to confirm actions that required admin rights. These include adding a new account, uninstalling software, changing the clock, and similar.
Administrators can simply click Yes to allow these changes, while Standard accounts have to enter an administrator’s username and password.
While this was a good step and solved many of XP’s security problems, Vista’s initial implementation was too heavy-handed. It displayed prompts to confirm nearly every action you took, which became grating for many users. This lead to some turning the feature off, defeating its purpose entirely.
Apple mocked this feature in one of its “Mac vs. PC” commercials.
What Is UAC Good For?
UAC is still present in Windows 7 and newer versions, but it’s significantly less annoying.
By default, when you’re logged into an admin account, it only prompts you to confirm changes related to software and system-wide changes. Minor adjustments, like changing the clock or adding a printer, don’t require confirmation for an admin, but still do for a standard account.
Further, UAC displays its prompts in a few different colors depending on what’s requesting access:
- A blue prompt signifies a trusted app, such as when running the Command Prompt as an administrator.
- A yellow prompt means the program’s publisher is unknown. This may or not be safe to run, depending on the software.
- Red prompts signify blocked programs that Windows has identified as dangerous.
After reviewing its history, you might wonder what the point of UAC is. As it turns out, there are two main advantages.
Limit Standard Accounts Without Having to Switch
It’s considered good security practice to use a standard account in your day-to-day computer use. Without admin rights, you have a smaller chance of running into an exploit that abuses them. But it’s also inconvenient to switch to an admin account every time you need to make a change.
UAC allows any user on the computer to run programs with admin rights when needed. When a standard user tries to make a system change or install software, they’ll see a prompt to enter an admin password. This allows an IT administrator or other trusted entity to authorize the action without having to log into another account.
Meanwhile, standard accounts can still perform actions that don’t require authentication. This keeps the overall system safer and doesn’t have the Windows XP problem of making Standard accounts mostly useless.
Confirmation as an Admin
Even when you’re logged in as an admin, you’re technically running programs as a standard user thanks to UAC. Any program that wants to run as an admin has to ask you first, which results in you seeing a UAC prompt.
An administrator only has to click Yes to authorize these, as opposed to entering an admin username and password. This isn’t as secure, but still solves the Windows XP problem of programs being able to do whatever they want without asking you.
UAC’s Levels
You can check UAC on your system by searching for UAC on the Windows Start Menu. Click Change User Account Control Settings to open its dialog.
This lets you choose from four different levels. From top to bottom, these are (as an administrator):
- Always notify: This is similar to Windows Vista’s behavior. It will ask you for confirmation when apps try to make changes to your computer and when you make changes to Windows settings.
- This offers maximum security, but will likely annoy you with the amount of prompts it displays.
- Default: The standard setting warns you when apps request admin permissions, but not when you make changes to Windows settings.
- This is a good balance for most users.
- No dimming: By default, UAC dims your desktop when it displays a prompt. You can keep UAC on but disable this dimming with this option.
- This isn’t usually a good idea, as it makes the security prompt less clear.
- Never notify: This disables UAC completely and never asks you for confirmation. As it’s essentially the Windows XP model, this is not recommended for two reasons.
- First, it allows any software to make changes without prompting you, which is dangerous.
- Second, it won’t display a UAC prompt when a Standard account tries to make a change. These requests will simply fail with no confirmation.
UAC Demystified
For our clients, we enable and monitor UAC to improve overall security and prevent viruses and malware from running unrestricted.
Hopefully after walking through the history and reasoning behind UAC, you now understand why it’s such an important feature. Managing access to administrator rights helps keep Windows safe by making sure that access doesn’t fall into the hands of someone (or some software) that doesn’t need it.
UAC is a good example of the principle of least privilege, which states that for security purposes, every process, user, and program should not have more permissions than it needs. This helps keep everything straight and secure, especially in business environments with many users and computers in use.
Hello – so should one choose Yes or No to the UAC when installing an app and how does the YES affect your computer and what happens if one clicks No?
Thank you in advance,
Robert
Robert,
What you choose depends on the UAC prompt in question. If you are trying to install software and see a UAC prompt that the software wants to make changes to your computer, that is expected, so it’s safe to approve. If you accidentally click an advertisement online and then see a UAC popup from a utility you’ve never heard before, you should say No as it could be some kind of malware trying to gain access.
When you say Yes, you are granting that process the authority to run as an administrator. That means it can effectively do anything it wants, so you shouldn’t grant this access lightly. If you say No, you deny the program access to run as an administrator, so it can’t make changes to your computer. Depending on how the software is coded, it may tell you that it couldn’t complete the action, or just fail completely.
I hope this helps!
Very good and clear article ! …
So if I get this right, for protecting yourself from malware and exploits in a home environment, there is no real advantage in running a user account instead of an admin account, if UAC is turned on …
Because the only difference is having to enter a password in UAC prompts. So if a malware fools you in believing he is legitimate, the password doesn’t make any difference.
Note that in this reasoning, I assume that a malware or exploit won’t be able to circumvent or bypass the UAC watch dog … If it’s not the case, then running a simple user account would have security advantages over running an admin account.
I really would like to know about this, i.e. if UAC is foolproof in monitoring possible rogue activities in your session (that fooled your anti-virus in the first place) …
Thanks, JF
Hi JF,
Thanks for reading and for your comment. You’re right that there is technically no difference between running admin accounts and regular user accounts with UAC enabled. The primary difference is whether you need to click “Yes” or enter an admin password to approve a UAC prompt.
I suppose there could be cases where malware is able to circumvent UAC, but this would likely be difficult and rare. For a malicious program to be able to manipulate UAC in such a way to get around it, it would need to have admin rights, which the user would have to grant it first.
UAC is not bulletproof — the easiest way around it is simply to trick the user into approving something they shouldn’t, which would unfortunately be easy in a lot of cases due to human negligence.
I hope this helps!