Cougar Mountain Software Support Productivity Tools

For Cougar Mountain Software Support's
Professional Version (V2009/10, V12, V11, V10, V9, V8 & V7)

Disable User Account Control (UAC) the Easy Way on Windows Vista

I've previously written about a way to enable or disable UAC from the command line. This is an easier method that you can use to do the same thing from the GUI interface. To recap my earlier article, UAC is ANNOYING.

Note: Disabling UAC will lead to a less secure system, so be warned.

Open up Control Panel, and type in "UAC" into the search box. You'll see a link for "Turn User Account Control (UAC) on or off":
uac1.png

On the next screen you should uncheck the box for "Use User Account Control (UAC)", and then click on the OK button.

uac2.png

You'll need to reboot your computer before the changes take effect, but you should be all done with annoying prompts.

 

One of the new features that you will immediately notice in Vista is User Account Control or UAC. It is designed to prevent unauthorized changes to your computer. Each time you attempt to perform a task that requires administrative rights, a dialog box appears prompting you for permission.

This feature is enabled by default and Microsoft recommends that you leave it turned on. However, if you are the only one who uses your computer, you may find the constant prompting annoying. In such cases, you can use the steps listed below to turn this feature off.

  1. Click Start and click Control Panel.
  2. Click User Accounts and Family Safety.
  3. Click User Accounts
  4. Click Turn User Account Control on or off.
  5. Click the box beside the Use User Account Control (UAC) to help protect your computer option to remove the check mark.
  6. Click OK.

 

Windows User Account Control Step-by-Step Guide

This step-by-step guide provides the instructions necessary to use User Account Control (UAC) in a test environment.

This document is not intended to provide a comprehensive, detailed description of UAC. Additional resources include the following:

All users of this step-by-step guide will also be interested in Getting Started with User Account Control on Windows Vista (http://go.microsoft.com/fwlink/?LinkID=102562).
For additional information for IT professionals, see Understanding and Configuring User Account Control in Windows Vista (http://go.microsoft.com/fwlink/?LinkId=56402).
For information for developers and independent software vendors about how to develop applications for Windows Vista® or Windows Server® 2008, see The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC) (http://go.microsoft.com/fwlink/?LinkId=89654).

What is User Account Control?

User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.
 
Note:
  UAC is also a component of Windows Server 2008.

When an administrator logs on to a computer running Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can only install per-user software.

To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.

Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

 
Important:
  Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment will affect the prompts and dialog boxes seen by standard users, administrators, or both.

Who should use this guide?

This guide is intended for the following audiences:
IT planners and analysts who are evaluating the product
Security architects who are responsible for implementing trustworthy computing
Administrators who need to control the behavior of UAC
 

Why use this guide?

The groups listed above should use this guide to test how their line-of-business (LOB) applications run in Windows Vista. Because UAC makes a clear distinction between administrator and standard user processes, some existing LOB applications might need to be either redesigned by the independent software vendor (ISV) or internal tools team, or marked to always run elevated.

In this guide

Requirements for User Account Control
Key scenarios for User Account Control
Scenario 1: Requesting an application to run elevated one time
Scenario 2: Marking an application to always run elevated
Scenario 3: Configure User Account Control
Logging bugs and feedback
Additional Resources

Requirements for User Account Control

We recommend that you first use the steps provided in this guide in a test environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Vista features without accompanying documentation (as listed in the Additional resources section), and should be used with discretion as a stand-alone document.

Setting up the test lab

The lab configuration needed for testing UAC includes a domain controller running Windows Server 2008 (or Windows Server® 2003) a member server running Windows Server 2008 (or Windows Server 2003), and a client computer running Windows Vista. The domain controller, member server, and the client computer should be on an isolated network and should be connected through a common hub or Layer 2 switch. Private addresses should be used throughout the test configuration.

Key scenarios for User Account Control

This guide covers the following scenarios for UAC:
Scenario 1: Request an application to run elevated one time
Scenario 2: Mark an application to always run elevated
Scenario 3: Configure User Account Control
 
Note:
  The three scenarios included in this guide are intended to help administrators become familiar with the UAC feature of Windows Vista. They include the basic information and procedures administrators need to start using UAC. Information and procedures for advanced or customized UAC configurations are not included in this guide.

 

Please let us know what info we can send you now and what are the areas that are of most important to your organization.
 


Please fill in below, or call us on (714) 228-5444 or fax us at (800) 531-2944...

First Name :
Last Name :
Title :
Organization :
Work Phone :
FAX :
E-mail :                                          
URL / Website:
Number of Concurrent Users:  

What info can we send you?

 

email us at sales@CougarMtnSupport.com  //  phone (714) 228-5444.

(We are not Cougar Mountain Software in Boise, we take their excellent product and make it better.   We offer software products, enhanced reports, services, training and hardware that maximize the value out of this powerful accounting program.  We have been customizing solutions for Cougar Mountain since 1990.  We are located in California.