Adjust Windows 7 User Account Control (UAC)


You will find many people advising you to switch off Windows 7 User Account Control (UAC). UAC is responsible for those (irritating) prompts asking "Are you sure you want to do this?" In Windows Vista, UAC could drive even a sane person mad, but Microsoft significantly improved it in Windows 7 and did a pretty good job.

Yes, you'll still find some software that triggers a prompt when you run it. The default UAC setting produces this result:

(Figure) Standard User Account Control (UAC) Prompt

Note that the above example is for an unsigned application. If an application is signed (with a security certificate), you'll receive a slightly different prompt: (Figure) Windows 7 User Account Control Prompt (Signed App).

Personally I prefer the prompt without the desktop blacking out, so I set UAC one 'click' below the default setting. That level is listed as "Notify me only when programs try to make changes to my computer (do not dim my desktop)". Using this setting does present a slightly elevated security risk over the default setting: because the UAC dialog box isn't shown on the secure desktop, other programs might be able to interfere with the visual appearance of the dialog box. This is a small security risk if you already have a malicious program running on your computer.

To change your UAC settings, type uac in the Windows 7 "Search programs and files" box on the Start menu, and click the listed Control Panel result: (Figure) Windows 7 User Account Control. Move the slider to the level of notification you want and click the OK button to confirm the change: (Figure) Windows 7 User Account Control Settings.

More on User Account Control

Before the introduction of User Account Control (UAC), that is, in any Windows OS prior to Windows Vista, a user who logged on as an administrator was automatically granted full access to all system resources. While running as an administrator enabled a user to install legitimate software, the user could also (intentionally or not) install a malicious program. A malicious program installed by an administrator can fully compromise the computer and affect all users.

With the introduction of UAC, the access control model changed to help mitigate the impact of a malicious program. In Windows 7 (or Vista for that matter), when an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs have been removed. The standard user access token is used to start applications that do not perform administrative tasks (standard user applications).

When a user attempts to start an administrator task or service, the User Account Control dialog box asks the user to click either Yes or No before the user's full administrator access token can be used. If the user is not an administrator, the user must provide an administrator's credentials to run the program. Because UAC requires an administrator to approve application installations, unauthorized applications cannot be installed automatically or without the explicit consent of an administrator.

When you are notified by UAC that there is a pending change to your computer, you should carefully read the contents of each dialog box before allowing changes to be made to your computer.

I would never suggest you turn off UAC completely. If you turn off UAC, any program that runs on your PC will have the same access to the computer as you do. This includes reading and making changes to protected system areas, your personal data, saved files, and anything else stored on the computer. Programs will also be able to communicate and transfer information to and from anything your computer connects with, including the Internet.
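
To check which slider level a PC is actually set to, and whether the current process holds the standard user token or the full administrator token, the PowerShell below reads the UAC policy values from the registry. It is an added example, not part of the original article; Get-UacLevel is a made-up helper name, and the mapping assumes the registry values that the Control Panel slider writes for an administrator account.

```powershell
# Added example: report the UAC slider level and whether this process is elevated.
# Get-UacLevel is a hypothetical helper name. Works on PowerShell 2.0 (Windows 7).
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $lua     = $p.EnableLUA                   # 0 = UAC switched off
    $consent = $p.ConsentPromptBehaviorAdmin  # how administrators are prompted
    $secure  = $p.PromptOnSecureDesktop       # 1 = prompt on the secure (dimmed) desktop

    # Map the registry values to the four slider positions in Control Panel.
    if ($null -eq $lua -or $null -eq $consent -or $null -eq $secure) {
        $level = 'Unknown (one or more values missing)'
    } elseif ($lua -eq 0 -or $consent -eq 0) {
        $level = 'Never notify'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Default (dim my desktop)'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Notify only for program changes (do not dim my desktop)'
    } else {
        $level = 'Custom (set by policy, not a slider position)'
    }

    # With UAC on, an administrator's normal processes hold the standard user
    # token, so the Administrators role check is false until they elevate.
    $id       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $me       = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $notes = @()
    if ($lua -eq 0) { $notes += 'UAC is off: every program runs with your full access.' }
    if ($lua -eq 1 -and $secure -eq 0) { $notes += 'Prompts are not shown on the secure desktop.' }

    New-Object PSObject -Property @{
        Level           = $level
        EnableLUA       = $lua
        ConsentPrompt   = $consent
        SecureDesktop   = $secure
        ProcessElevated = $elevated
        Notes           = ($notes -join ' ')
    }
}

Get-UacLevel | Format-List
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator": ProcessElevated changes from False to True, which is the two-token split described above.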

For more in-depth information on Windows 7 User Account Control, see this Microsoft TechNet Magazine article: Inside Windows 7 User Account Control.