How you can tone down UAC's hard edges without sacrificing its protection.
The User Account Control feature in Windows Vista has been known to drive
some people over the edge with frustration. If you find it annoying, you
might be tempted to turn it off. It helps to understand what UAC is actually
doing on your behalf and how you can tone down its hard edges without
sacrificing its protection.
UAC has four major benefits:
- On a shared computer, you can set up standard user accounts for users
who don’t have the experience or training to make smart decisions
about installing software or making system changes. As a result, they
won’t be able to do any damage if a malicious website fools them into
trying to install a piece of spyware or a Trojan.
- As an administrator, you get a warning before a piece of software
attempts to make a change that can adversely affect the system. In Windows
XP, clicking OK to a single malicious installer program could install a
dozen programs in the background, with no warning to you. In Vista with
UAC, you’ll have to give consent to each installation [and presumably
will say No, early and often].
- Badly written programs sometimes try to write user data to system
areas, such as the Windows or Program Files folder or a registry key that
affects all users. In Windows XP, running this type of program as a
standard user would probably cause the program to fail. With Vista, those
operations are intercepted and written to a virtualized location in your
user profile. The program thinks it wrote a file to the Windows folder, but
the actual file appears in your profile.
- Internet Explorer 7 runs in Protected Mode when UAC is on. That causes
processes in a browser window to run at a low integrity level, where
they’re blocked from interacting with processes that have a higher
integrity level. The net effect is to stop entire classes of web-based
attacks in their tracks.
Following are three techniques for toning down the hard edges of
UAC without sacrificing its protection.
Technique 1
Stop UAC from blacking out the background
On some systems, the most annoying part of User Account Control is the delay
while the background goes dark before the consent dialog box appears. That
feature is called Secure Desktop, and it’s a way to prevent shatter
attacks that can pass messages [and dangerous code] from one running
process to another.
With the following setting in place, the consent dialog box appears on a
normal desktop background, and you can continue to interact with running
programs and processes and with Windows itself, even when the consent dialog
box is visible.
For Vista Business, Ultimate, or Enterprise
editions, open the Local Group Policy Editor [gpedit.msc], and then
drill down through Computer Configuration to Windows Settings, Security
Settings, Local Policies, and finally to Security Options. In the list of
Policies in the right-hand pane, double-click User Account Control:
Switch to the secure desktop when prompting for elevation. Change the
setting from its default, Enabled, to Disabled. Click OK to
close the dialog box.
For Vista Home Basic or Home Premium editions, the
Local Group Policy Editor is not available. Instead, you’ll need to
edit the registry. Open Regedit.exe [Caveat
Emptor]. Locate this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
In the right-hand pane, double-click PromptOnSecureDesktop and change
its value to 0 [the default is 1]. Click OK to save the change.
Technique 2
Create a UAC-free Administrator account
For Vista Business, Ultimate, or Enterprise
editions, open the Local Group Policy Editor [gpedit.msc], and then
drill down through Computer Configuration to Windows Settings, Security
Settings, Local Policies, and finally to Security Options. In the list of
Policies in the right-hand pane, double-click User Account Control:
Behavior of the elevation prompt for administrators in Admin Approval
Mode. Change the setting from its default, Prompt for consent, to
Elevate without prompting. Click OK to close the dialog box.
For Vista Home Basic or Home Premium editions, the
Local Group Policy Editor is not available. Instead, you’ll need to
edit the registry. Open Regedit.exe [Caveat
Emptor]. Locate this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
In the right-hand pane, double-click ConsentPromptBehaviorAdmin and change
its value from the default 2 to 0. Click OK to save the change.
After making this change, you’ll discover that User Account Control
is still on, but clicking a shortcut that previously required elevation now
takes you straight to the option you chose, with no intervening UAC dialog
boxes.
This is a significant improvement over disabling UAC completely, because
file and registry virtualization still work, and so does Protected Mode IE7.
But if you can put up with occasional UAC prompts, you’ll be even
better off using a standard account and saving your one [and only one]
Administrator account for administrative tasks.
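The two registry values changed in Techniques 1 and 2 can be checked from a script. The following PowerShell is an added example, not part of the original article: it reads the key named above and reports any value that differs from the defaults the article quotes. The function name Get-UacDeviation is hypothetical, and the EnableLUA value [1 = UAC on] does not appear in the article; it is included on the assumption that you also want to see whether UAC has been disabled completely.

```powershell
# Added example: report UAC policy values that differ from the Vista defaults
# quoted in the article (PromptOnSecureDesktop = 1, ConsentPromptBehaviorAdmin = 2).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected defaults. EnableLUA is not in the article; it is the value behind
# "disabling UAC completely" and is included here as an assumption.
$expected = @{
    PromptOnSecureDesktop      = 1
    ConsentPromptBehaviorAdmin = 2
    EnableLUA                  = 1
}

# Plain-language meaning of the weakened settings.
$meaning = @{
    'PromptOnSecureDesktop=0'      = 'consent dialog shown on the normal desktop (Technique 1)'
    'ConsentPromptBehaviorAdmin=0' = 'administrators elevate without prompting (Technique 2)'
    'EnableLUA=0'                  = 'UAC disabled completely'
}

function Get-UacDeviation {
    param([string]$Path = $key)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $actual = $props.$name
        if ($null -eq $actual)                { $state = 'not set'; $actual = '(missing)' }
        elseif ($actual -eq $expected[$name]) { $state = 'default' }
        else                                  { $state = 'changed' }
        New-Object PSObject -Property @{
            Name    = $name
            Actual  = $actual
            Default = $expected[$name]
            State   = $state
            Note    = $meaning["$name=$actual"]   # empty unless a known weakened value
        }
    }
}

Get-UacDeviation | Select-Object Name, Actual, Default, State, Note | Format-Table -AutoSize
```

Reading this key does not require elevation, so the check can run from a standard account.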
Technique 3
Create one-click elevated shortcuts
If a tool you use regularly requires that you click through a UAC prompt
every time you start it up, the extra clicks can quickly become annoying.
Some programs [Regedit, for example] are hard-coded to require UAC consent.
Others, such as Task Manager, work differently if they’re launched with
administrative credentials.
There’s no way to configure an ordinary program shortcut to bypass a
UAC prompt, but you can use the Windows Vista Task Scheduler to create a
special shortcut that bypasses the consent dialog box and works with a single
click.
NOTE: This technique works only if your account is already a member of
the Administrators group. If you’ve set yourself up with a Standard
account, you can’t use this tip. Also, you’ll notice a window
flash open and very quickly close as the Scheduled Task command executes and
calls the program you really want to run.
- To get started, open Task Scheduler [type task in the Start menu search
box and it should pop to the top of the list]. You’ll have to approve
a UAC consent dialog box to continue. In the main Task Scheduler window,
click Create Task.
- On the General tab, enter a name for the task [you’ll use this
name to run the command later], and click the Run with highest
privileges checkbox. This setting tells Windows to use the
administrator token [the one you normally unlock via UAC] when you run this
task.
- On the Actions tab, enter the full path of the command you want to run.
In this example, we are using Taskmgr.exe, which will open Task Manager and
display all running processes.
- On the Settings tab, be sure that Allow task to be run on demand is
selected. You’re not actually going to schedule this task but instead
are going to run it from a shortcut. Click OK to save the task.
- Right-click an empty space in a folder or on the desktop and choose
New, Shortcut. In the Create Shortcut wizard, enter this command:
schtasks /run /tn "task_name"
Substitute the name of the task you created in Step 2 and click Next.
- Finally, give the shortcut a name and click Finish.
Drag this shortcut to the Start menu, the Quick Launch bar, or any
convenient location. You can now double-click this shortcut to run the task
with full Administrator privileges and no UAC prompt.
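Each task created this way starts its program elevated without a consent prompt, so it helps to keep an inventory of them. The following PowerShell is an added example, not part of the original article: it walks the Task Scheduler folders through the Schedule.Service COM interface and lists every task registered with Run with highest privileges, along with the command it starts. The function name Get-ElevatedTask is hypothetical.

```powershell
# Added example: list scheduled tasks registered to run with the highest
# privileges, using the Task Scheduler 2.0 COM interface.
$TASK_ENUM_HIDDEN      = 1   # GetTasks flag: include hidden tasks
$TASK_RUNLEVEL_HIGHEST = 1   # Principal.RunLevel for "Run with highest privileges"
$TASK_ACTION_EXEC      = 0   # Action type that starts a program

function Get-ElevatedTask {
    param($Folder)
    foreach ($task in $Folder.GetTasks($TASK_ENUM_HIDDEN)) {
        $def = $task.Definition
        if ($def.Principal.RunLevel -ne $TASK_RUNLEVEL_HIGHEST) { continue }

        # Collect the program and arguments of every "start a program" action.
        $cmds = @()
        foreach ($action in $def.Actions) {
            if ($action.Type -eq $TASK_ACTION_EXEC) {
                $cmds += ("{0} {1}" -f $action.Path, $action.Arguments).Trim()
            }
        }

        New-Object PSObject -Property @{
            Task     = $task.Path
            RunAs    = $def.Principal.UserId
            OnDemand = $def.Settings.AllowDemandStart   # can be started with schtasks /run
            Command  = ($cmds -join '; ')
        }
    }
    # Recurse into subfolders (the flags argument must be 0).
    foreach ($sub in $Folder.GetFolders(0)) { Get-ElevatedTask -Folder $sub }
}

$service = New-Object -ComObject Schedule.Service
$service.Connect()
Get-ElevatedTask -Folder $service.GetFolder('\') |
    Select-Object Task, RunAs, OnDemand, Command |
    Format-Table -AutoSize -Wrap
```

Tasks that Windows itself installs also appear in the list; the ones to review are those under your own account whose Command points at a general-purpose tool.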
Caveat Emptor
Warning: If you use Registry
Editor incorrectly, you may cause serious problems that may require you to
reinstall your operating system. We cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry
Editor at your own risk.
Special Note: If you are working on a
Corporate Desktop, it may be locked down by your
corporate security policy; consequently, you may not be able to apply many of
the Tips, Hints and/or Tweaks found here. Most Corporate Desktops are
prevented from making changes of any kind.