Windows Vista User Account Control Step by Step Guide

This Step-by-Step Guide provides the instructions necessary to use User Account Control (UAC) in a test lab environment.
This document is not intended to provide a comprehensive, detailed description of UAC. Additional documentation is planned for UAC prior to the release of the Microsoft® Windows Vista™ and Windows Server “Longhorn” operating systems. Additional resources include:

What is User Account Control?

User Account Control (UAC) is a new security component Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.
When an administrator logs on to a computer running Windows Vista Beta 2, the user is assigned two separate access tokens. Access tokens, which contain a user’s group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious programs could install on users’ computers without notifying the users. (This is sometimes referred to as “silent” installation.)
Even more damaging, because the user is an administrator, the malicious programs could use the administrator’s access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.
The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can only install per-user software.
To help prevent malicious programs silent installation and computer-wide infection, Microsoft developed the UAC feature for Windows Vista. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.
After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.
Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.
Important
Because the user experience is configurable with the Security Policy Manager snap-in (secpol.msc) and with Group Policy, there is not solely one UAC user experience. The configuration choices made in your environment will affect the prompts and dialogs seen by standard users, administrators, or both.
Who should use this guide?

This guide is intended for the following audiences:

  • IT planners and analysts who are evaluating the product
  • Early adopters
  • Security architects who are responsible for implementing trustworthy computing

Why use this guide?

The groups listed above should use this guide to test how their line-of-business (LOB) applications run in Windows Vista. Because UAC makes a clear distinction between administrator and standard user processes, some existing LOB applications might need to be either redesigned by the independent software vendor (ISV) or internal tools team, or marked to always run elevated.
In this guide

  • Requirements for User Account Control
  • Key scenarios for User Account Control
  • Scenario 1: Requesting an application to run elevated one time
  • Scenario 2: Marking an application to always run elevated
  • Scenario 3: Configure User Account Control
  • Logging bugs and feedback
  • Additional Resources
  • Requirements for User Account Control

    We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-Step guides are not necessarily meant to be used to deploy Windows Vista features without accompanying documentation (as listed in the Additional Resources section), and should be used with discretion as a stand-alone document.
    Setting up the test lab

    The lab configuration needed for testing UAC includes a domain controller running Microsoft Windows Server® Code Name “Longhorn” (or Microsoft Windows Server™ 2003) a member server running Windows Server “Longhorn” (or Windows Server 2003), and a client computer running Windows Vista. The domain controller, member server, and the client computer should be on an isolated network and should be connected through a common hub or Layer 2 switch. Private addresses should be used throughout the test lab configuration.
    Key scenarios for User Account Control

    This guide covers the following scenarios for UAC:

    Note
    The three scenarios included in this guide are intended to help administrators become familiar with the UAC feature of Windows Vista. They include the basic information and procedures administrators need to start using UAC. Information and procedures for advanced or customized UAC configurations are not included in this guide.
    Scenario 1: Request an application to run elevated one time

    In Windows Vista, UAC and its Admin Approval Mode are enabled by default. When UAC is enabled, local administrator accounts run as standard user accounts. This means that when a member of the local Administrators group logs on, they run with their administrative privileges disabled. This is the case until they attempt to run an application or task that has an administrative token. When a member of the local Administrators group attempts to start such an application or task, they are prompted to consent to running the application as elevated. Scenario 1 details the procedure to run an application or task as elevated one time.
    Note
    To perform the following procedure, you must be logged into a client computer as a member of the local administrators group. You cannot be logged in with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account. (The built-in administrator account is disabled on new installations of Windows Vista.)
    To request an application to run elevated one time

    1. Start an application that is likely to have been assigned an administrative token, such as Microsoft Windows Disk Cleanup. A User Account Control prompt is displayed.
    2. Verify that the details presented match the request you initiated.
    3. In the User Account Control dialog box, click Continue to start the application.Scenario 2: Mark an application to always run elevated

      Scenario 2 is similar to the previous scenario in that you want to run an application or process as elevated with the administrator access token. However, in this scenario you want to run an application that has not been marked by the developer or identified by the operating system as an administrative application. Some applications, such as internal line-of-business applications or non-Microsoft products might require administrative rights but have not been identified as such. In this scenario, you mark an application to prompt user for consent, and if granted, run as an administrative application. The following procedure steps you through that process.
      Note
      To perform the following procedure, you must be logged into a client computer as a member of the local administrators group. You cannot be logged in with the computer (or built-in) administrator account because Admin Approval Mode does not apply to this account.
      Important
      This procedure cannot be used to prevent UAC from prompting for consent to run an administrative application.
      To mark an application to always run elevated

      1. Right-click an application that is not likely to have been assigned an administrative token, such as a word processing application.
      2. Click Properties, and then select the Compatibility tab.
      3. Under Privilege Level, select Run this program as an administrator, and then click OK. Note
        If the Run this program as an administrator option is unavailable, it means that the application is blocked from always running elevated, the application does not require administrative credentials to run, the application is part of the current version of Windows Vista, or you are not logged into the computer as an administrator.

      Scenario 3: Configure User Account Control

      Scenario 3 outlines three common tasks that local administrators perform during the set up and configuration of client computers running Windows Vista. The following procedures step you through the tasks of disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.
      Disable Admin Approval Mode

      Use the following procedure to disable Admin Approval Mode.
      Note
      To perform the following procedure, you must be logged into a client computer as a local administrator.
      To disable Admin Approval Mode

      1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.
      2. If UAC is currently active, a User Account Control dialog box will appear. If so, verify that the details presented match the request you initiated, and click Continue.
      3. From the Local Security Settings console tree, click Local Policies, and then click Security Options.
      4. Scroll down and double-click User Account Control: Run all administrators in Admin Approval Mode.
      5. From the User Account Control: Run all administrators in Admin Approval Mode Properties dialog box, click Disabled, and then click OK.
      6. Close the Local Security Settings window.

      Disable User Account Control from prompting for credentials to install applications

      Use the following procedure to disable UAC from prompting for credentials to install applications.
      Note
      To perform the following procedure, you must be logged into a client computer as a local administrator.
      To disable UAC from prompting for credentials to install applications

      1. Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.
      2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
      3. Scroll down and double-click User Account Control: Detect application installations and prompt for elevation.
      4. From the User Account Control: Detect application installations and prompt for elevation Properties dialog box, click Disabled, and then click OK.
      5. Close the Local Security Settings window.

      Change the elevation prompt behavior

      Use the following procedure to change the elevation prompt behavior for UAC.
      Note
      To perform the following procedure, you must be logged into a client computer as a local administrator.
      To change the elevation prompt behavior

      1. Click Start, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.
      2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
      3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for administrators or User Account Control: Behavior of the elevation prompt for standard users.
      4. From the drop-down menu, select one of the following settings:
        • No prompt
        • Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated, and is the default for standard users)
        • Prompt for consent (this is the default setting for administrators only)
      5. Click OK.
      6. Close the Local Security Settings window.

      Top of page

      Logging bugs and feedback

      Since UAC is a new feature of Windows Vista, we are very interested in your feedback on your experiences with UAC, problems you encountered, and the usefulness of the documentation.
      When you log bugs, use the instructions on the Microsoft Connect Web site (Search Microsoft.com. We are also interested in requests and general feedback about UAC.
      General feedback and requests for UAC can be sent to uacdoc@microsoft.com.

      Top of page

      Additional resources

      The following resources provide additional information about UAC:

      Additional information for IT professionals is available on TechNet:

      Additional information for ISVs and developers is available on MSDN:

      Technology Adoption Program support

      If you are a beta tester and part of the special Technology Adoption Program (TAP) beta program, you can also contact your appointed Microsoft development team member for assistance.