I did it... I took the plunge... and installed Vista on my development laptop (I feel almost like I went and bought something from Incredible Connection). Anyhow, as I come across little niggles, I will attempt to document my findings in this blog as well. So... this is for those of us who need full and absolute control over our machine environment, and for whom anything that spoils our perfect human-machine symbiosis is to be spurned. Well, here are some tips.
Firstly, it might be worth a brief digression into the benefits of this feature. Running as admin is usually a bad thing, as most of us know. ;) Many people have blogged about this topic (Aaron Margosis has blogged extensively on this issue, and there is no need to rehash it here... but I guess I am doing this for some of my colleagues... just in case). For reasons of compatibility, running as a standard user can still be a somewhat painful proposition. Vista attempts to give you the benefits of both worlds by allowing administrators to execute most processes in the context of a standard user and only elevating the privileges on their user token by consent, in addition to allowing standard user accounts to perform administrative tasks by selectively elevating a process to use administrator-level credentials.
In general, UAC seems to have turned out pretty well. For the vast majority of users, UAC will offer a valuable level of security protection that will protect against malware: it simply won't have the rights to perform invasive actions like installing device drivers or services. Once a system is configured, you'll rarely see UAC prompts unless you're a consummate “Settings Tweaker”. Incidentally, you can find out a great deal more about how UAC works, what you need to do to your own applications so that they co-operate well with UAC, and the rationale for its design at the official UAC blog.
It is possible to switch UAC off. I really don't recommend it - if you like full control over your machine, surely you want to know when something is attempting to perform an administrative-level action? Nevertheless, I'd prefer to have you run Windows Vista without UAC than have you run a different operating system.
There are two ways to disable UAC. The easy solution is through Control Panel. Type "UAC" into the search bar at the top of the screen and you'll see this task presented:
Figure 1 - Brute-force Approach
This approach is pretty brute-force, though. It just switches the whole thing off. There's a more subtle configuration choice that gives you some of the benefits of UAC without any of the prompting. You'll need to edit the local security policy to control this, as follows:
- From the Start search bar, type "Local Security Policy"
- Accept the elevation prompt
- From the snap-in, select Security Settings -> Local Policy -> Security Options
- Scroll down to the bottom, where you'll find nine different group policy settings for granular configuration of UAC.
Figure 2 - Subtle Approach
Perhaps the best choice to select is to change the setting:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
from Prompt for consent to Elevate without prompting.
"Well, this was the approach I took, coupled with another tweak that I will describe in another post..."
What does this do? Despite the warning from the Windows Security Center, UAC isn't actually switched off. It's still there, and all your processes will still run as a standard user. To prove this, open a command prompt and try to save a file to the c:\ directory. You'll get an access denied error message. However, when a process is marked for elevation, instead of getting the secure desktop elevation prompt, the request will be silently approved. To show this in action, right click on a command prompt shortcut and choose "Run as Administrator". You'll see the command prompt open without an elevation prompt, but the window title will show that you're running with full administrative privileges.
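The two configurations described above can be told apart from the registry values behind these policies, which is useful when auditing a machine someone else has tweaked. This is an added example, not part of the original post; it assumes the policies are stored as `EnableLUA` and `ConsentPromptBehaviorAdmin` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and the function name `Get-UacState` is hypothetical.

```powershell
# Added example: report which UAC configuration a machine is in, and whether
# the current process is elevated. Read-only; changes nothing.
# Assumed registry location of the UAC policies (see lead-in).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([string]$Path = $PolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Look values up by name so a missing value stays $null instead of
    # being silently cast to 0 (which would read as "weakened").
    $luaProp     = $p.PSObject.Properties['EnableLUA']
    $consentProp = $p.PSObject.Properties['ConsentPromptBehaviorAdmin']
    $lua     = if ($luaProp)     { [int]$luaProp.Value }     else { $null }
    $consent = if ($consentProp) { [int]$consentProp.Value } else { $null }

    # EnableLUA = 0                  -> UAC switched off (Control Panel route)
    # ConsentPromptBehaviorAdmin = 0 -> "Elevate without prompting"
    # ConsentPromptBehaviorAdmin = 2 -> "Prompt for consent"
    $state = if ($lua -eq 0) {
        'UAC disabled: admin processes start with the full token'
    } elseif ($consent -eq 0) {
        'UAC on, silent elevation: standard-user by default, no consent prompt'
    } elseif ($null -eq $consent) {
        'UAC on, prompt behavior not set in registry: OS default applies'
    } else {
        'UAC on, elevation prompts the user'
    }

    # With UAC on, a non-elevated admin shell carries a filtered token,
    # so the Administrators role check returns False until elevation.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $consent
        State                      = $state
        CurrentProcessElevated     = $elevated
    }
}

Get-UacState | Format-List
```

Run it once from a normal command prompt and once from one started with "Run as Administrator": `State` stays the same, while `CurrentProcessElevated` flips from False to True.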
Using this approach is better than nothing, but it's a bit like relying on everyone else having a vaccination against measles to protect yourself from infection. Read the explanations on the second page of the property sheet for each policy setting before tinkering, and be careful!