User Account Control (UAC) in Windows Vista restricts the user and software to change major settings. This first hurdle must prevent the system to be infected by malicious software, but makes it more difficult to install and run software as well. Although UAC makes Windows safer, for many it is annoying. This security rule frequently interrupts all activity, because every change in systemsettings must be confirmed individually by the user. Unfortunately the frequency is very high, which causes the user to click them away as fast as possible. By clicking automatically to proceed malicious software will soon pass this security test and User Account Control won't be of any use. The executalbe files and system changes which have to be confirmed by UAC can be recognized by the shown administrator shield, which informs the user about the popup which will show up.
Changing Local Policies
The temporarily (until the
security alert has been confirmed) secured desktop is an unpleasant side effect of the User Account Control.
This annoying interference can be disabled by Administrative Tools in the
Control panel, Local Security Policy, Local Policies, Security Options, deactivate the
policy for User Account Control: Switch to secure desktop when prompting for
elevation. Administrator accounts won't be
bothered with this security alert anymore after changing the policy User
Account Control: Behavior of the elevation prompt for administrators in Admin
Approval Mode
from Prompt for consent to Elevate without prompting.
Be aware that disabling the security messages lowers the security level of the
whole system, that's why the
Security Center
will frequently show a warning.
TIP: User Account Control can also be disabled (temporarily) by the Control panel, User Accounts, option Turn user Account Control on or off. This can be useful to be able to make many system changes at once (don't forget to enable this option again afterwards).
|
|
LOCAL SECURITY POLICY NOT AVAILABLE?The option Local Security Policy
is not available in all Windows
Vista versions. In these cases, changes in the policy settings can only be
realized by editiing registry
values manually. Change respectively the DWORD-values PromptOnSecureDesktop
to 0 (instead of 1) and ConsentPromptBehaviorAdmin to 0 (instead
of 2) in the following registry key: |
Running programs with
administrator rights
In some cases programs don't behave as they are
supposed to do (like not saving the changed settings or added data), because Windows Vista
doesn't allow the user account (administrator accounts included!) to access the
files and registry keys which need to be changed to function properly. These
kind of problems (like a failing product registration) can be 'solved' by
running a program with administrator rights by right clicking the shortcut or
program and to select Run as administrator (not necessary for setup
files). This way, many programs (which work fine in combination with Windows
XP) can work in combination with Windows Vista as well! Does running as
administrator fix the problem, the program can be run as administrator by
default by right clicking the shortcut,
Properties, tab
Shortcut,
button Advanced.
Running as administrator by default is only necessary when this does not fix the
problem permanently.
DISABLING USER ACCOUNT CONTROL PERMANENTLY?User Account Control has been added to Windows Vista for a security reason, that's why it's not wise to disable UAC permanently. It seems that UAC has a big influence on procedures concerning the security of the overall system. For example, saving the history of the visited websites (which makes it possible to autocomplete while typing the URL in the address bar of the Internet Explorer to a previously visited website) saved differently when User Account Control is disabled. After disabling UAC, the Internet Explorer protected mode (shown in the Status Bar) will be off as well. |
Because of the additional permissions, some files (or registry settings) can't be changed by a certain user account (even the administrator accounts). In some cases, opening/reading files (outside the personal folders) is no problem but saving the same files can be almost impossible because of the limited permissions to write or modify files in these folder.
The individual permissions can be taken care of in two ways: 1) running the program as administrator, or 2) changing the assigned permissions. This can be done by right clicking the file (or the folder/partition containing the file) in the Windows Explorer and to select Properties, tab Security. This screen will show that the group administrators have been assigned full permissions, while the group Users doesn't have any rights to make any changes in the files. These reduced permissions cause the error messages which indicate that the file can't be overwritten (but saving with another filename is no problem). These settings can be changed by clicking the button Edit, selecting the group Users, enabling the option Full control in the column Allow and clicking OK. If the changed permissions only need to be applied to one user account, the user name can be added first by clicking Add to add the name of the user account.
WHAT IF THE FILES ARE BLOCKED...If it's not possible to delete or move certain files because one of the running processes keeps it on hold? Track and disable the process with the Windows Task Manager (key combination CTRL-SHIFT-ESC) or Process Explorer (download: www.microsoft.com). Replacing the Windows Task Manager by Process Explorer (Options, Replace Taskmanager) is in Windows Vista only possible by disabling User Account Control permanently (because that's not desirable, Process Explorer must be run by a shortcut). |
© 2001-2022 - Menno Schoone - SchoonePC - Rotterdam - The Netherlands