What is UAC (User Account Control) and why you should never turn it off

When Windows Vista was launched, User Account Control (UAC) was the most criticized and misunderstood feature. Even though it is essential for security, many people have chosen to disable it and expose their systems to security problems. This feature has been improved in the next versions of Windows and, even though it adds a lot to the safety of the operating system, some users still choose to disable it. That's why, in this article, we clarify what this feature is, how it works and the benefits of keeping it active, in any version of Windows:

What is User Account Control (UAC) in Windows?

User Account Control or UAC for short is a security feature of Windows which helps prevent unauthorized changes to the operating system. These changes can be initiated by applications, users, viruses or other forms of malware. User Account Control makes sure certain changes are made only with approval from the administrator. If the changes are not approved by the administrator, they are not executed, and Windows remains unchanged. It is as if nothing happened. UAC was first made available for Windows Vista, and since then it was improved with each new version of Windows.

How does a User Account Control (UAC) prompt look and what does it share and request?

When you double-click on a file, a setting or an app that is about to make important changes to Windows, you are shown a User Account Control (UAC) prompt. If your user account is an administrator, the prompt looks like in the screenshot below. There you can see the UAC prompt in Windows 10 (top), in Windows 7 (middle) and Windows 8.1 (bottom).

UAC, User Account Control, Windows

The UAC prompt displays the name of the program that is about to make a system change that requires the approval of an administrator, the publisher of that program and the file origin (if you are trying to run a file). All it needs from the administrator is a click or tap on Yes, to let the program or the file do the changes that it wants.

If your user account is NOT an administrator, the prompt looks different. For example, in Windows 10, the UAC prompt requests for the administrator's PIN (if it has set one) or password.

UAC, User Account Control, Windows

In Windows 7 and Windows 8.1, the UAC prompt always requests the administrator's password, as shown below.

UAC, User Account Control, Windows

When this happens, you need to enter the administrator's PIN or password and press Yes. Unless both actions are performed, the changes that are requested are not made.

The UAC prompt also has a link that says "Show more details" (in Windows 10) or "Show details" (in Windows 7 and Windows 8.1). If you click on it, you see more information including the exact location on the disk of the program or file and the publisher's certificate, which shows you more information about who created what you want to run.

UAC, User Account Control, Windows

How do I know that a file or setting will trigger a UAC prompt?

Files that trigger a UAC prompt when run have the UAC symbol on the bottom-right corner of their file icon, similar to the screenshot below.

UAC, User Account Control, Windows

Apps and system settings that trigger a UAC prompt also have the UAC symbol near their name or in their icon. You can see some examples highlighted below, that are encountered in the Control Panel.

UAC, User Account Control, Windows

Remember the UAC icon and each time you see it, you know beforehand that you are about to need the administrator's approval.

How does User Account Control (UAC) work?

In Windows, applications run by default without any administrative permissions. They have the same permissions a standard user account has: they cannot make any changes to the operating system, its system files or registry settings. Also, they cannot change anything that's owned by other user accounts. Applications can change only their files and registry settings or the user's files and registry settings.

When an application wants to make a system change like: changes which affect other user accounts, modifications to Windows system files and folders, installation of new software, a UAC prompt is shown, asking for permission. If the user clicks or taps No, the change won't be carried out. If the user clicks or taps Yes (and enters the administrator password, if required) the application receives administrative permissions, and it can make the system changes it wants. These permissions are given only until the application stops running, or it is closed by the user. The same goes for files that trigger a UAC prompt.

For an easier understanding, the UAC algorithm is explained in the diagram below.

UAC, User Account Control, Windows

Which changes trigger a UAC prompt in Windows?

There are many changes which require administrative privileges. Depending on how UAC is configured on your Windows computer, they can cause a UAC prompt to show up and ask for permission. These are the following:

  • Running an app as administrator
  • Changes to system-wide settings or files in the Windows or Program Files folders
  • Installing and uninstalling drivers & applications
  • Viewing or changing another user's folders and files
  • Adding or removing user accounts
  • Configuring Windows Update
  • Changing settings to the Windows Firewall
  • Changing UAC settings
  • Changing a user's account type
  • Running Task Scheduler
  • Restoring backed up system files
  • Changing the system date and time
  • Configuring Parental Controls or Family Safety
  • Installing ActiveX controls (in Internet Explorer)

What is different between UAC levels in Windows?

Unlike Windows Vista, where you had only two options: UAC turned On or Off, in newer versions of Windows there are four levels to choose from. The differences between them are the following:

UAC, User Account Control, Windows
  • Always notify - at this level you are notified before applications and users make changes that require administrative permissions. When a UAC prompt shows up, the desktop is dimmed. You must choose Yes or No before you can do anything else on the computer. Security impact: this is the most secure setting and the most annoying. If you did not like the UAC implementation from Windows Vista, you wouldn't like this level.
  • Notify me only when programs/apps try to make changes to my computer - this is the default level, and UAC notifies you only before programs make changes that require administrative permissions. If you manually make changes to Windows, then a UAC prompt is not shown. This level is less annoying as it doesn't stop the user from making changes to the system, it only shows prompts if an app or file wants to make changes. When a UAC prompt is shown, the desktop is dimmed, and you must choose Yes or No before you can do anything else on your computer. Security impact: this is less secure than the first setting because malicious programs can be created to simulate the keystrokes or mouse movements made by a user and change Windows settings. However, if you are using a good security solution, such situations should not occur.
  • Notify me only when programs/apps try to make changes to my computer (do not dim my desktop) - this level is identical to the previous except the fact that, when a UAC prompt is shown, the desktop is not dimmed and other desktop apps can interfere with it. Security impact: this level is even less secure as it makes it even easier for malicious programs to simulate keystrokes or mouse moves that interfere with the UAC prompt.
  • Never notify - at this level, UAC is turned off, and it doesn't offer any protection against unauthorized system changes. Security impact: if you don't have a good security suite you are very likely to encounter security issues with your Windows device. With UAC turned off it is much easier for malicious programs to infect Windows and take control.

If you want to learn how to switch between UAC levels, read and follow this tutorial: How to change the User Account Control (UAC) level in Windows.

Should I disable UAC when I install desktop apps and turn it on afterward?

The biggest annoyance for users is when they install Windows and their most used desktop apps. During this procedure, lots of UAC prompts are shown, and you might be tempted to disable it temporarily, while you install all applications and enable it again when done. In some situations, this can be a bad idea. Desktop apps that make lots of system changes can fail to work once UAC is turned on, after their installation. However, they will function properly if you install them when UAC is turned on. When UAC is turned off, the virtualization techniques used by UAC for all applications are inactive. This causes certain user settings and files to be installed to a different place. They will not work when UAC is turned back on. To avoid such problems, it is better to have User Account Control (UAC) turned on at all times.

Do you leave UAC turned on?

Now you know everything that is important about User Account Control (UAC) in Windows and its role in securing your system. Before closing this article, share with us whether you chose to keep it turned on or not. The comments form is accessible below.

Discover: Security System and Security Tutorials Windows
Join the discussion: See the comments Comment