Skip to content

More secure way to disable UAC. Without losing Protected Mode IE

by Brandon on February 6th, 2007

Warning:  The default configuration of UAC is far more secure, you should not alter it or turn it off!

Warning #2:  Microsoft does NOT endorse any practice that reduces or disables UAC functionality, and neither do I.  I do NOT use this mechanism on my own machines, and run all of them with UAC completely enabled. 

However, if you’re going to turn it off anyway, at least consider the following…

There are TWO ways to effectively disable UAC.  They are:

  1. Hit the big master switch that disables UAC.  This runs every application with admin privileges and access to everything on your system.
  2. Enable the “Elevate without prompting” option.  This means requests for elevation automatically succeed, no prompt.

So how is method #2 different?

  • Applications will still run with non-Admin privileges unless they request them.
  • Requests for elevation will succeed automatically.
  • Filesystem and registry virtualization (ie. the “sandbox”) will still be enabled for applications running with low privileges.
  • Protected Mode IE will still work

You can do it by running this reg file which won’t even require a reboot.  However, it WILL set off the Security Center alert just like completely disabling UAC.  If you had previously disabled UAC using the other method, you will have to re-enable it and reboot first.

So if you currently have UAC disabled, or are going to – try this instead.  No, it is not nearly as secure as the default setup.  Remember, any application requesting elevation will get it without telling you!  But it’s better than just running with everything elevated all the time. 

From → Uncategorized

17 Comments
  1. Hey Brandon. I did remove the full quote from my website as you requested. I do not know why but that’s OK. In case you would make any changes in this post, I would’ve known and updated accordingly anyways.

    Oh, and my email you can see from this or any other of the comments I made on your site …

    Cheers,

    Petar

    P.S.
    Do you know where can I find that Search SideBar gadget I read about – which shows the percentage of the Index, etc…

  2. Luther permalink

    You convinced me – I’ll restore UAC and enable elevation without prompting. 🙂

    Now a little bit off topic:

    In Vista search I’m missing some functionality found in WDS: the ability to search within preview. You know: to find some word in highlighted and previewed document I have to open it and search in associated application. In WDS I just pressed F4 and…

    Is there any chance that this functionality will be included in Vista SP1? 🙂

  3. Oh and BTW, I am apart of that minority who doesn’t mind UAC, and will leave it enabled.

  4. What about an undo reg file?

  5. luc permalink

    Elevate without prompting = a malware or all software can automatically have the full privileges = you’re stupid!

  6. jerryd permalink

    allowing automatic elevation without prompting means every program/malware/exploit will grant the full privileges automatically and this is BAD! Please, don’t apply this stupid Brandon’s trick and don’t disable the UAC

  7. arteekay permalink

    jerryd and luc, did you actually read the post? It’s hard to believe you did and still managed to write what you did.

  8. lol, they’re the same person (same IP address). Weird that someone would make such a stupid comment, let alone make it twice.

  9. Offsprung permalink

    I find it very hard to believe that anyone puts up with win asking permission to run every function and every
    program that someone has used for years. Who’d have guessed it is far WORSE than that mac commercial.
    Wait for some free or older app to get a secure cert? Least they could have done is give us a trusted list option.
    Would be nice if you had an undo to go with this.

  10. Offsprung –

    You shouldn’t see UAC dialogs often at all, and they show up regardless of whether an application is code-signed with a certificate. A “trusted” list doesn’t make any sense as it completely defeats the purpose of UAC.

    If you use an application regularly that requires elevation and shouldn’t, you should complain to the developer.

  11. Offsprung permalink

    True I have not used my ultimate that much yet and only installed a couple of apps. Thought I read in the uac troubleshooting that an app needed a cert. The little I have been doing is normal every day functions that I do numerous times each day and received a uac accept or deny. I could understand on a normal user account, but I grant admin for a reason to administrate. Reminds me of a mac asking for a pwd twice to do everything when attached to active directory.
    So I will hold off on this change to make sure and only diable complex file permissions my second peeve that I found after its install. I was glad I chose dual boot so I can still use xp pro. I think it was that vista dual boot man that complained so you may be right, maybe it is just win asking its admin are you sure you wish to admin!… I guess the m$ logic is since a lot of people grant admin to all we’ll just nag each time for everyone.
    Question, if I stup a standard user and did a run as (with password) does uac still nag?

  12. For those of you who think the the UAC prevents malware infections – read the explanation at the link below. It apparently doesn’t and never was designed for this folklore/urban myth-like characterization. After doing some research today on how to disable UAC and also keep the Security Center icon from annoyingly popping up afterwards I read this post from Jesper J – security guru: https://msinfluentials.com/blogs/jesper/archive/2007/03/01/confusion-about-vista-features-what-uac-really-is.aspx

    I’m going with running UAC with elevated permissions and unfortunately disabling the Security Center notifications through Control Panel. Damn poorly coded LOB app; good news is next version won’t need this reduced security configuration.

    Brandon thanks for your posting and keep up the great work on that Start++ thingy. It rocks!

  13. trr permalink

    I want to turn UAC back on. I turned it off because otherwise I couldn’t open a website, download anything, etc. unless I switched to my admin account. SO how do I turn UAC back on and not have these problems? Is it just IE’s Protected Mode causing me the grief? How do I turn that off?

Trackbacks & Pingbacks

  1. VistaJuice
  2. Secure Way to Disable UAC (From Brandon) « My Mind to Your Mind, Your Thoughts to my Thoughts
  3. » 0×1D7 - UAC by Jordan Hofker
  4. windows vista can be installed on multiple comps correct? - Page 2 - Nissanclub.com Nissan Enthusiast Forums

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS