Your permission, please

Understanding User Account Control in Windows Vista

By Charlene Shepard

About a year ago, using my computer became maddening. It ran like molasses on a cold day in winter. My web browser had extra toolbars that I didn’t remember installing, and some programs seemed to start automatically when I started Windows. I suspected that my computer was infected with a virus or some other form of malicious software. I ran some cleanup tools, but eventually I had to reformat my hard disk and reinstall Windows XP to remove all those unwanted software intruders.

How did it get to this point? I consider myself fairly savvy with computers. I'm careful about what websites I visit, what e-mail attachments I download, and what programs I install. But somehow the malicious software slipped by me undetected.

You’re in control with User Account Control

Fortunately, Windows Vista includes a new feature designed to help prevent this kind of situation. It's called User Account Control (UAC). The basic idea is to make you aware of changes that will be made to your computer and let you decide whether to allow them. That way, you can prevent malicious software from being installed your computer.

UAC works by adjusting the permission level of your user account. If you’re doing tasks that can be done as a standard user, such as reading e-mail, listening to music, or creating documents, you have the permissions of a standard user—even if you’re logged on as an administrator. When you try to do a task that requires the permissions of an administrator, such as installing software or changing system settings, UAC prompts you. If you grant permission, you’re temporarily given the rights of an administrator to complete the task and then your permissions are returned back to that of a standard user. This makes it so that even if you're using an administrator account, changes cannot be made to your computer without you knowing about it. Previous versions of Windows did not include this extra layer of protection—if you were logged on as an administrator, you always had administrator-level permissions.

The way that you interact with UAC is through dialog box prompts. When an action that requires administrator permissions is started, your screen will become dim and you’ll be prompted to either continue with the action or cancel it. You won't be able to do anything else on the computer until you address the dialog box.

The way that you're prompted depends on the type of user account you have. If you’re using an administrator account, you’ll see buttons to Continue or Cancel. For example, if you want to create another user account on your computer, and you're logged on as an administrator, you’ll see the following dialog box.

Picture of User Account Control dialog box when logged on as an administrator
If you’re an administrator, click Continue to keep going

However, if you’re logged on as a standard user, you’ll see the following dialog box.

Picture of User Account Control dialog box when logged on as a standard user
To continue, ask an administrator on the computer to type a password

Instead of clicking Continue, you’ll need to provide the administrator password. If you don’t know the password, ask someone who has an administrator account on the computer to type his or her password. The user name of the administrator account is displayed in the UAC dialog box. The person who set up the computer is typically the administrator. If there is more than one administrator account on the computer, you can choose which account to use.

Myth vs. reality

Much has been written about User Account Control in the media. You might have heard that it's a big headache to have dialog boxes popping up all the time, that it slows you down, or that you really don't need it. It's true that UAC can be jarring when you first encounter it. It's a different way of working with your computer, and it can take some getting used to. But I’ve been using it for months now, and I don’t find it intrusive at all. For me, the peace of mind I receive knowing that malicious software can’t silently install itself on my computer is worth the small inconvenience of occasionally clicking a dialog box prompt.

Let's address some common myths about UAC.

Myth: Dialog boxes are popping up all of the time.

Reality: How often you’re prompted for permission really depends on what you’re doing. When you first set up your computer, you should expect to see quite a few UAC dialog box prompts—especially if you are installing a lot of software or customizing settings in Windows Vista. Over time, as you shift to day-to-day use of your computer, the “noise level” will go down significantly. You should only be prompted when you make a change to your computer that affects all users, such as installing software or changing global settings. Not all prompting that you receive on your computer is from UAC. Other programs, such as Internet Explorer, have built-in security features that will prompt you when you are downloading files or trying to open something on a webpage that requires a program outside of the program you’re using. You can look at the title of the dialog box to see the source of the prompt. If it’s UAC, the title of the dialog box is “User Account Control.”

Myth: UAC takes away my control over my computer.

Reality: UAC actually does the opposite: It informs you of changes—including those not initiated by you—to your computer and lets you decide if you want to allow them. This can be a bit of a hassle if you are purposefully making a change—such as installing software—and you're asked if you want to continue, but it can also save your bacon when harmful or unwanted software tries to install itself on your computer. If you're an administrator on the computer, you have the same permissions in Windows Vista that you had in Windows XP; you can still install programs and make changes to the computer. The difference now is that programs cannot take over your computer without you authorizing them to do so.

Myth: UAC slows me down.

Reality: It's true that the UAC dialog box prompt presents an extra step for certain actions. But sacrificing some convenience is the tradeoff for more effectively preventing the installation of unwanted software on your computer. Think about how much time it takes to clean up your computer if you have software on it that you don’t want. Or even worse, think about how much time and data you may lose if you get a virus. As a standard user, you can work more efficiently in Windows Vista than you did in Windows XP because you don’t have to log off and log back on as an administrator to do things that require administrator permissions; you can enter a user name and password in the UAC dialog box and keep rolling.

Myth: UAC breaks my computer—my programs won't work.

Reality: Newer programs or programs that have been updated for Windows Vista should give you the UAC dialog box prompt when you start the installation process. Some older programs might not automatically prompt you for permission. You can still run these programs by right-clicking the setup file and then clicking Run as administrator. If you are trying to run a program that does not seem to be working, try this technique.

Myth: I don’t need UAC; I already have security software on my computer.

Reality: Using an antivirus program, a firewall, and anti-malware software are all essential practices for protecting your computer and your data. UAC offers something that these programs cannot: protection against malicious and unknown or unwanted software. When I was running Windows XP, I had an antivirus program and antispyware software on my computer, but I still got those pesky toolbars and some sort of virus. None of these programs are foolproof, which is why UAC alerts you to every piece of software that is being installed on your computer.

When should I expect to see the dialog box prompts?

Throughout the Windows Vista user interface, a security shield icon Picture of security shield icon appears next to actions that require administrator permissions. Examples of these actions include creating a user account, making changes to Windows Firewall settings, and installing device drivers. Outside of settings that are specific to Windows, activities like installing or running software that need administrator permissions will also cause you to be prompted.

How will I know what to do?

If you receive a User Account Control prompt and you’re not actively trying to install software or change a setting that is marked with a security shield icon Picture of security shield icon, use caution before continuing. Read the message in the dialog box prompt carefully, and then make sure the name of the action or program that's about to start is one that you intended to run.

One thing you might notice is that there are different types of dialog box prompts. The following sections show the different types and provide guidance on how to respond to them.

Show all

Windows needs your permission to continue

A setting or feature that is part of Windows needs your permission to start. If you get this type of prompt, it's usually safe to continue. If you are unsure, check the name of the program or function to decide if it’s something you want to run. To learn more about the item, click the Details button.

Picture of User Account Control dialog box showing the Details view
To get more information, click the Details button

A program needs your permission to continue

A program outside of Windows needs your permission to start. It has a valid digital signature, which helps to ensure that the program is what it claims to be. Make sure the program is the one that you intended to run.

Picture of User Account Control dialog box for a program
Make sure the program is one you want to run before clicking Continue

An unidentified program wants access to your computer

An unidentified program is one that doesn't have a valid digital signature from its publisher. This doesn't necessarily indicate danger, as many older, legitimate programs lack signatures. However, you should use extra caution and only allow a program to run if you obtained it from a trusted source, such as the original CD or a publisher's website. If you are unsure, look up the name of the program on the Internet to determine if it is a known program or malicious software. For more information about searching the Internet, see Tips for searching the Internet.

Picture of User Account Control dialog box for an unidentified program
Look up GetRichQuick.exe on the Internet to check the source

This program has been blocked

An administrator on the computer has specifically blocked a program from running. To run it, you must contact the administrator and ask to have the program unblocked. Typically, programs are blocked because they don’t have valid certificates or are known to be from an untrusted source.

Picture of User Account Control dialog box for a blocked program
If your administrator has blocked a program, you probably shouldn’t run it

Don’t turn it off

If you are frustrated or confused by UAC dialog boxes popping up, you might be tempted to turn UAC off. While the choice is yours, I don't recommend this. Although turning off UAC might reduce some of the initial frustration, it's really opening up a Pandora’s box—you are knowingly opening up your computer to potential security risks, especially if you're using an administrator account. UAC is turned on by default in Windows Vista because it's the recommended way to operate your computer.

Relax: Windows Vista is keeping you informed

After you’ve been using Windows Vista for a while, you'll know when to expect a UAC dialog box prompt and what to do when you see one. Make a habit of checking the name of the program or function to decide if it’s something you want to run. The bottom line—if you are unsure, click Cancel. You can always restart what you were doing after you verify that the program is indeed something that you intended to install or run. UAC isn’t perfect, but it goes a long way toward protecting you from having unwanted programs on your computer.

About the author

Picture of columnist Charlene Shepard

Charlene Shepard is a writer on the Windows team at Microsoft, specializing in Windows security and networking. Previously, she worked as a writer, a web developer and designer, and a user interface specialist for NASA and several software companies. In addition to writing, she enjoys scuba diving and gourmet cooking.

Have a comment for this columnist? Enter your feedback using the tool below. (You'll see the comment box after you click one of the buttons.) Note that although the columnist will read your feedback, personal replies are not possible due to the volume of feedback received.