Windows User Account Control Step-by-Step Guide

This step-by-step guide provides the instructions necessary to use User Account Control (UAC) in a test environment.

This document is not intended to provide a comprehensive, detailed description of UAC. Additional resources include the following:

User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.

When an administrator logs on to a computer running Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.

The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can only install per-user software.

To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.

Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

This guide is intended for the following audiences:

The groups listed above should use this guide to test how their line-of-business (LOB) applications run in Windows Vista. Because UAC makes a clear distinction between administrator and standard user processes, some existing LOB applications might need to be either redesigned by the independent software vendor (ISV) or internal tools team, or marked to always run elevated.

We recommend that you first use the steps provided in this guide in a test environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Vista features without accompanying documentation (as listed in the Additional resources section), and should be used with discretion as a stand-alone document.

The lab configuration needed for testing UAC includes a domain controller running Windows Server 2008 (or Windows Server® 2003) a member server running Windows Server 2008 (or Windows Server 2003), and a client computer running Windows Vista. The domain controller, member server, and the client computer should be on an isolated network and should be connected through a common hub or Layer 2 switch. Private addresses should be used throughout the test configuration.

This guide covers the following scenarios for UAC:

In Windows Vista, UAC and its Admin Approval Mode are enabled by default. When UAC is enabled, local administrator accounts run as standard user accounts. This means that when a member of the local Administrators group logs on, they run with their administrative privileges disabled. This is the case until they attempt to run an application or task that has an administrative token. When a member of the local Administrators group attempts to start such an application or task, they are prompted to consent to running the application as elevated. Scenario 1 details the procedure to run an application or task as elevated one time.

Scenario 2 is similar to the previous scenario in that you want to run an application or process as elevated with the administrator access token. However, in this scenario you want to run an application that has not been marked by the developer or identified by the operating system as an administrative application. Some applications, such as internal line-of-business applications or non-Microsoft products might require administrative rights but have not been identified as such. In this scenario, you mark an application to prompt user for consent, and if granted, run as an administrative application. The following procedure steps you through that process.

Scenario 3 outlines some common tasks that local administrators perform during the set up and configuration of client computers running Windows Vista. The following procedures step you through the tasks of turning off UAC, disabling Admin Approval Mode, disabling UAC from prompting for credentials to install applications, and changing the elevation prompt behavior.

Use the following procedure to disable UAC.

To perform the following procedure, you must be able to log on with or provide the credentials of a member of the local Administrators group.

Use the following procedure to disable Admin Approval Mode.

Use the following procedure to disable UAC from prompting for credentials to install applications.

Use the following procedures to change the elevation prompt behavior for UAC. You can configure the behavior of the elevation prompt separately for administrators and for standard users.

Since UAC is a feature of Windows Vista, support is available directly from Microsoft and from user communities. For information about support, see http://go.microsoft.com/fwlink/?LinkID=76619.