Please don’t disable security features, at least while we are testing them

I couldn’t tell you how many times I have either had the question “how do I turn off User Account Control” or heard the statement “boy, I sure hate all those annoying user account control popups in Vista.”

Yeah, security sucks, it gets in the way of doing things, some bad, some good, but that’s a fact of life. The other fact is that User Account Control (UAC) is one of the most important ways that we hope to protect people in Windows Vista. I have many times told the story about how Steve (Riley) and I were at an event when he gets a call from his wife asking for help with her computer. Apparently it was getting all sorts of popups, ads, and other weirdness; clear signs of spyware. He stated that he’d fix it when he got home. When he did he downloaded and ran all kinds of cleaners, and then called me with the astonishing results. The computer had about 168 separate pieces of spyware. So I went and ran the same cleaners on the computer in our kitchen, the one most of the family uses. On that one we found exactly zero problems. The difference? Steve is a nice guy, so he gives his wife administrative access to her computer and everything installed nicely, including the spyware. I am, well, there is a term for it, but it is not suitable for electrons, so none of my users ran as an administrator. The result, nothing installed, including the spyware. This experience obviously does not guarantee that just by running as a normal user you will not get spyware, but it will make it more difficult to get it, and it will make it easier to clean off.

The problem is that without considerable savvy, or lots of time spent in Aaron Margosis’ blog, the vast majority of people today can’t run as a non-admin user. The reason is all the apps that require administrative privileges. To solve that problem, we can do a couple of things. We can try to plead with the app vendors to fix their stuff, and you know how well that has worked in the past. We can stop buying these defective apps, and you know how well that has worked in the past. And, we can build a technology that allows most people to do most of the things they need to do to run the computer on a daily basis as a non-administrator. That technology is called User Account Control.

Windows Vista includes a number of features that work as part of, or in conjunction with, UAC to meet three important goals. The first is that these features allow a lot of applications that did not previously run as a non-administrator to do so. This is done by virtualizing key operating system locations, such as the Windows directory and Program Files. UAC also changes the privileges required for many common tasks, such as changing the time zone, power settings and even installing approved devices and ActiveX controls, so those tasks can be performed by ordinary users. This allows users to run as non-privileged users while allowing many scenarios and applications that did not work that way under Windows XP to still work.

The second goal is to create an easy elevation path for applications that really do require administrative privileges, while still allowing even users who are administrators to run as non-administrators most of the time. This means that even for users who are in the administrators group, applications like Internet Explorer and the mail client do not actually have administrative privileges all the time, reducing the damage attacks against those applications can inflict.

Finally, UAC allows us to quickly spot all the broken apps out there so that we can either shim them to run as non-admins or get them fixed. This last goal is at the same time the most subtle and arguably the most important of the things UAC does. It is also in many cases the most obvious, and the reason many people want to turn UAC off. By doing so, they allow applications with fundamental design flaws to still work, reducing the pressure to actually fix those applications so they work as non-privileged users, as most of them should.

None of that will work unless people use the feature. To do all those things we need your help, yes, yours, as a beta tester of Windows Vista. Unless we get feedback on what works and what does not we can’t fix it. If you disable critical technologies that we are trying to get to work, we can’t fix them. That means that, yes, some things will be annoying and not work quite right in the final release, unless people work with us to fix them. Going out with statements like “this is the worst feature ever and I already disabled it and will never re-enable it” based on unfinished beta code is simply silly. Why not instead realize that allowing people to run as a non-admin is one of the most important things that can be done when it comes to protecting your system, and that it won’t happen if the only people trying to get it done are a few program managers at Microsoft? Work with us on this one and help us build a great, usable, and useful UAC. If you find prompts that are absolutely egregious and need to go, send us feedback on that. We need to know. If you can’t find any other way to submit it, send me a comment on the blog and I will get it filed.

Disabling UAC also removes many other protections. For instance, if you set the “User Account Control: Run all administrators in Admin Approval Mode” security policy item to disabled you actually remove all of the benefits of the integrity controls and the restricted security tokens from your administrative account. That means that Internet Explorer, for instance, will run as a full administrator, just like it does under Windows XP. By extension, it means that any missed click or accidental navigation could completely compromise your system, just like under Windows XP. If you have to disable UAC temporarily, for example while you are building out the system and you can’t stand all the prompts, do not turn off Admin Approval mode. Instead, change the behavior of the elevation prompt for administrators in Admin Approval mode to not prompt. That way you at least leave Internet Explorer protected with a low integrity token.
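To check which of the states described above a machine is in, the following added example (not part of the original post) reads the two settings and classifies them. The registry value names `EnableLUA` and `ConsentPromptBehaviorAdmin` are the values behind the two policy items named in the text; they do not appear in the post itself, and the sample rows at the end are constructed.

```powershell
# Added example: audit the two UAC settings discussed in the post.
#   EnableLUA                  -> "User Account Control: Run all administrators in Admin Approval Mode"
#   ConsentPromptBehaviorAdmin -> "User Account Control: Behavior of the elevation prompt for
#                                  administrators in Admin Approval Mode" (0 = elevate without prompting)
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([string]$Name)
    # Returns $null when the value is not present under the policy key.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UacAssessment {
    param($EnableLua, $ConsentPromptBehaviorAdmin)

    if ($null -eq $EnableLua) {
        $state  = 'Unknown'
        $detail = 'EnableLUA is not set under this key; the OS default applies.'
    }
    elseif ([int]$EnableLua -eq 0) {
        # The case the post warns against: Admin Approval Mode itself is off.
        $state  = 'AdminApprovalModeOff'
        $detail = 'Administrators run with a full token; Internet Explorer loses its low integrity token.'
    }
    elseif ($null -ne $ConsentPromptBehaviorAdmin -and [int]$ConsentPromptBehaviorAdmin -eq 0) {
        # The temporary compromise the post recommends instead.
        $state  = 'SilentElevation'
        $detail = 'Administrators are not prompted, but Admin Approval Mode and integrity levels remain on.'
    }
    else {
        $state  = 'Prompting'
        $detail = 'Admin Approval Mode is on and administrators are prompted before elevation.'
    }

    New-Object PSObject -Property @{
        State                      = $state
        EnableLUA                  = $EnableLua
        ConsentPromptBehaviorAdmin = $ConsentPromptBehaviorAdmin
        Detail                     = $detail
    }
}

# Live check of the local machine.
Get-UacAssessment -EnableLua (Get-UacPolicyValue 'EnableLUA') `
    -ConsentPromptBehaviorAdmin (Get-UacPolicyValue 'ConsentPromptBehaviorAdmin') |
    Format-List State, EnableLUA, ConsentPromptBehaviorAdmin, Detail

# Constructed sample values, so the three outcomes can be compared side by side.
$samples = @(
    @{ EnableLua = 0; Consent = 2 },   # Admin Approval Mode disabled
    @{ EnableLua = 1; Consent = 0 },   # enabled, elevate without prompting
    @{ EnableLua = 1; Consent = 2 }    # enabled, prompting
)
foreach ($s in $samples) {
    Get-UacAssessment -EnableLua $s.EnableLua -ConsentPromptBehaviorAdmin $s.Consent |
        Format-List State, EnableLUA, ConsentPromptBehaviorAdmin
}
```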

Once the OS is released, if you absolutely can’t stand a security feature that is designed to protect you, by all means, turn it off. For now though, realize that this is beta code. It is not quite done yet, and it won’t be quite right unless we get help from the people entrusted with pre-release copies of the operating system.

To learn more about UAC, check out the UAC team blog. A lot of questions and concerns about UAC are probably already addressed there.

Comments (41)

  1. Anonymous says:

    So you loaded up Vista and you want to try it on a SBS network… so while you ‘can’ … I’d read the…

  2. Anonymous says:

    A question that gets asked fairly quickly; I think some of the testers have had this thought at some point…

  3. Anonymous says:

    Please first read what Jesper Johansson has to tell us about this. In a related post, Jeff Jones write

  4. Anonymous says:

    Jesper apparently stirred up things a bit with his latest post, Please don’t disable security features,…

  5. Anonymous says:

    For your viewing pleasure.. an excellent video from TechEd

    Windows Vista System Integrity Technologies

  7. Anonymous says:

    I have blogged in the past about how much I hate the current implementation of UAC (User Account Control)…

  8. Jonathan says:

    I would be interested in seeing how many Vista systems get compromised by malware in the first few months after its full release and then comparing that with the number of those systems that have disabled the built-in security and protection systems that the developers at Microsoft have been working on.  I would imagine that, while only a percentage of wide open systems will be breached, almost all breached systems will have the security measures disabled. Of course, all the blame for this will go squarely on the shoulders of Microsoft and, being a large corporation with a public image to maintain, they will just have to take it.

  9. Josh Einstein says:

    You convinced me. Good post.

  10. Joop says:

    I have a related question. When being a member of the Administrators group most applications do not actually run with Administrator privileges. Is running as an admin with UAC enabled less secure than running as User with UAC enabled? (Assuming there is a user at the keyboard who knows what (s)he is doing and does not click "Allow" blindly.)

    The answer is Yes probably because some processes do in fact run with Admin privileges? Which are these?

  11. Miguel Garrido says:

    My biggest gripe with Vista (as of Beta 2) is that there is no way to elevate myself to work with control panel applets, I have to start an elevated copy of Windows Explorer, navigate to the Control Panel and THEN work on whatever changes I needed to make (ie. Remove networks from the Network List).

    This is mainly a bother with the control panel, but this happens as well in other parts of the OS where there is no clear way of elevating privileges to accomplish a task.

  12. Mike S says:

    "…so none of my users ran as an administrator. The result, nothing installed, including the spyware."

    Here’s the crux of the problem — computers exist to be usable for productive work.  Systems administrators act like computers exist to make as little work as possible for them.  

    I realize the author probably didn’t mean to write that he has nothing installed on his computer.  But really, if no one ever uses an administrator account, more software is unusable than usable.

    And this is the user’s fault?  We’re supposed to beta test this stuff so that Microsoft knows what we need to do and what we don’t need?  I’m not on Microsoft’s payroll.  

  13. Kevin D says:

    If you are not willing to beta test software because you are not on Microsoft’s payroll, why are you running Vista? Is it just so you can say "I’m cool – I’m running Vista!"?

    Part of the responsibility of running the beta software is to give your knowledge back to the creator of the software. I know of no cases where Microsoft has come along and forced a user to install software from a beta program on their machine – generally people volunteer for the privilege of being in a beta program. However with privilege comes responsibility – follow the test protocol, report errors fully and completely, and give feedback on your experience. It’s not just a popularity contest.

    Sorry if this seems like a rant – but I have to "support" beta users who think that beta program member = I’m in the cool crowd.

  14. Excellent post Jesper! All these whining people should shut up, help test Vista, and submit constructive feedback to MS. First people blast MS for crappy security, now they blast them for being too secure. No matter what MS does people want to yell at them.

  15. Mitch says:

    Microsoft Sucks!! Disable everything and format hard drive!!! Why would anyone use a product that is so crappy unsecure and spies on you as a user and keeps that in a database. MICROSOFT is a criminal company.

  16. Thanks for posting this, Jesper. It has been picked up by some of the news outlets (e.g. eWeek) so hopefully there will be a wider audience starting to get this message.

    I was pretty annoyed when one of the Tech-Ed presenters suggested turning UAC off during testing. As you have said, it is only through proper testing of Vista and getting the feedback to MS that we are going to all benefit and get a version of UAC that works as everyone needs it to work.

    UAC is a big improvement – my step-son recently got hit by spyware. Vista can’t come soon enough with its tighter security as far as I’m concerned.

  17. Tom K says:

    Well this has been a problem for a long time, and it is the software writers that are to blame not Microsoft. A lot of simple programs write temp or other files to protected areas that then require you to run the program as an administrator. We have been using WINDOWS NT long enough to know how to write programs so they do not need to have administrator rights, why has it not happened? Because NO ONE MAKES THEM FIX THEIR SOFTWARE! Look at PALM sync software, you have to give the user ADMIN rights, then install it to a directory they have normal rights to read and write from, then you can remove their ADMIN rights… This is the FIX they posted on their website. It is totally absurd. I should be able to install the software as an administrator for every user on the PC then log off and the software should work. I think what Microsoft is doing with this software is great, one it should give the software vendors more opportunity to see how their software is broken and FIX IT, two it will hopefully stop administrators from giving USERS admin rights that they should NEVER have. I wish I could have been in the BETA to see it first hand.

  18. Gilles says:

    Second post, it cancels the previous one.

    I use Vista with standard parameters and I test my application in this mode.

    I test installation of my programs, that use MSI technology and a Bootstrap setup.exe

    I have prerequisites to install. So to avoid nested installation, I use Prerequisite. The Bootstrap launches sub setup.exe before launching the main msi.

    But to install each sub setup.exe, I have UAC Windows…

    I read that for installation, the high privilege was transmitted from one program to another one. Is it true?  Is there something to do to allow sub setup to be installed without any UAC Dialog box?

    Thanks for your help.


  19. shawn says:

    Why not make the UAC functionality ask only once per logon session but, with a timeout that is configurable. So say you need to do some admin priv stuff, you enter your credentials and after 5-10 minutes the credentials expire. If that is not long enough or is too long, let the user configure the timeout.

    The best of both worlds.

  20. SEO Rules! says:


    On one hand I gotta admit, you are now thinking of security which is good, of course.

    On the other hand, these features are from the stone age (in *nix). Vendors SHOULD be pressed!

    If Microsoft doesn’t take this task seriously who will?

    Backward compatibility is not everything.

    Old software must be unsupported until rewritten.

    Security is too big of an issue to wait for lots of lazy people.

    Sure enough, when their software won’t run anymore because of the need for an admin account, they get off their bums and redesign their software so that it is compatible.

    Microsoft should set a date, deliver proper info both online and offline (to the top 100 software developers with compatibility problems).

    After this date, there is no excuse for the developers.

    I also heard Microsoft stopped developing their FS.

    This is a simple FS idea. But a 2-layer database will be more prone to errors.

    SEO Rules!

  21. Molly C says:

    In the next beta release, Microsoft should simply not allow UAC to be turned off, thereby forcing the "beta testers" to actually test the feature and report feedback rather than turning it off.

  22. David V says:

    This feature is ill-considered, at best. There are far simpler and less annoying ways to secure user accounts. Look at how the Mac does it.

  23. DrSubliminal says:

    Microsoft *FORCE* vendors to change their code?

    Can we say ANTI-trust?  Wow, where have you been for the last 10 years while MS has been spending billions defending their practices.

    The people who hate UAC hate the fact that they lose some ease of use during installs?  SO WHAT?  Can we drive 100mph on a highway all the time?  Sure.  Should we?  Not if we value our lives.

  24. Bart says:

    The idea of user feedback works really well in the open source arena where you don’t have to pay for the software, or the community support.  But to simply reduce the cost of development for Microsoft at the expense of my time is too much to ask.  The theoretical reason why someone would actually pay for software is because it is already better than the open source options.  Get it right the first time and charge, or make it open source and join the rest of the global community.

  25. John says:


    I have an ASP (not an ASP.NET) application accessing Sql Server 2005 database installed in Vista Beta 2 (Build : 5384). I am unable to access my application in server. UAP is blocking my application. I don’t want to change system level UAP configuration using msconfig or secpol.msc.

    Can anyone suggest some idea to change application level UAP configuration, so that I can access my ASP application.

    Thanks in Advance.


  27. Rich says:

    I read your article, and I’m still turning it off. It’s stupid and annoying.

  28. gideon21us says:

    am also convinced to leave it on–fine post, point well taken and received that yes, this is beta… haven’t gotten around to turning anything off, but now I won’t and I’ll submit feedback as well

  29. Barry Abrahamson says:

    People are unfortunately never happy with change, but in today’s world change is necessary, especially for the protection of our identities in an ever increasing virtual world. As more and more people become permanently online and as technology spreads and becomes more widely available, it’s common sense that the biggest operating system vendor in the world would need to set new standards on security to combat current and future threats, so please stop being pestering about complying with new technology, instead let’s join forces to create more secure systems for our own protection.

  30. Mats Olsson says:


    Unfortunately the biggest software vendor that outputs software that requires users to be admins tends to be Microsoft itself.

    A very current example of this is the printer installation routines. It’s no problem for me as an admin to silently install local printers, as long as they are lpt devices. If they are usb devices they usually require the dot4 printer support and this component can’t be pre or silently installed according to MS support.

    The effect of this is that we have to give every laptop user that needs to plug in to a usb printer admin privileges since I can’t preinstall a list of allowed models without plugging each of them into each laptop.

    Another issue for mobile users is that XP (at least) requires users to be admins to change the speed of their nics. This is a major issue since we got cat3 and cat5 networks with sometimes faster switches. The switch and the computer will negotiate a link speed that they can do, regardless of the cabling. Of course this means problems when a computer tries to use Gbit on cat3.

  31. Mats, yes, Microsoft has a checkered record on apps that require admin privileges, but the example you give is not great. Installing printers is an administrative task since it involves installing kernel drivers. Not that it helps a lot right now, but that is changing in Windows Vista. You get a lot more flexibility as well as usermode drivers.

  32. Mats says:

    Hi again

    Yes I agree, installing a printer is admin work but as this piece of SW is done an admin can’t do it since it would require that admin to manually plug in every USB printer that the company allows into each box before handing it over to the user. Let’s say that you got about 30-40 different printer types and a 1000 laptops. This is of course not doable.

    MS solved this for lpt based printers with the excellent utility called dpinst. Dpinst can preinstall the drivers into the pnp cache. Since the driver now is in the cache it doesn’t need admin to be installed when the printer is connected. Therefore I as an admin can create a package or a script that will preinstall all allowed models during the automated installation of the box.

    Unfortunately this can’t be done with usb so the alternative is to give the user admin……..

    I’m looking forward to Vista in about 2 years’ time when all our apps hopefully will support it and osi layer 8 and 9 have realised it’s time for a change

  33. Chris says:

    What about going into control panel as admin and allowing a particular app to run as admin by default?

    Then once an app that has to run that way can still be allowed and UAC is still intact

  34. Bill C says:

    You asked for feedback, from the perspective of an ISV, I want easier deployment and maintenance of client application with the ease and maintainability traditionally associated with web applications … and that don’t make my users (personas) feel stupid when they go about using them.

    Can we agree that for all practical purposes for the still remaining ISVs, the web is the starting point for 99% of the users (personas) for initially coming into contact with (smart) client applications?

    Then what do I need from Microsoft to provide a delightful experience for my personas using my application on Vista?

    Well for starters, much better deployment technology without sacrificing much better security:   There is absolutely no doubt in my mind that UAC is going to improve security, etc, but that is just a small part of what I have to be concerned about with from the perspective of an ISV, whether I have an old application moving up to Vista, or something new.  

    Let’s take Jesper’s own story.   What is Jesper really saying about himself versus Steve and his wife?   Sure Jesper doesn’t create admin accounts for everyone in the family, but is he really saying he never wants them to get anything productive done (like a web download and install) unless he’s standing there over the shoulder?   Chances are this story means his family members have the admin password written down somewhere on paper.  How is that any better than what Steve is doing?

    Bottom line, under this new UAC model, is it Microsoft’s intentions that the consumer marketplace have admin "over the shoulder" to help elevate when needed?  This is unrealistic.   Mike S’s comment that "computers exist to be usable for productive work.  Systems administrators act like computers exist to make as little work as possible for them" is dead on point.   That is exactly what Cooper’s ‘inmates running the asylum’ is suggesting and I see plenty of evidence of it going on, but I am very glad you are looking for feedback.

    I agree that UAC is a big step in the right direction, but without addressing the other deployment related issues, you might find that you’ve won the battle, but lost the war as far as the future of smart-client applications is concerned.  Seems like something else is needed.

    For example, is there any discussion for a more sandboxed model so that smart client applications (especially for the consumer marketplace) never ever need to cross the priv elevation model?  So that in the future it really will be Steve’s own fault if he continues to be a ‘nice guy’.  Today he’s not only nice … he’s simply being practical … time will tell whether he’ll continue to have to be practical after Vista releases.  

    We need an even better model.

  35. aaron says:

    The problem with UAC is it prompts on things it should not; it prompts so often that people will start blindly clicking yes to everything. Therefore the so called protection is bypassed anyways because you made an army of robot yes clickers.

    Yes I understand security is needed but when you make things aggravating and unproductive people just quit using them, it is downright human nature. I have seen this in work places: if IT makes something secure but aggravating people just quit using it.

    UAC in theory is heading in the right direction but the implementation to this point is completely and utterly in the wrong direction. People will take the path of least resistance and try to make things easy for them. Unless you tone down the amount of clicks you are inviting people to just disable the UAC feature period.

    If Microsoft really wants the feature to work they better start rethinking what causes a click and what does not. That pop up should be an alert to the user not just another click that wastes time which is what it is at this time.

  36. Anonymous Oracle says:

    Those who fail to understand UNIX are doomed to reimplement it. Poorly

  37. S.H.Bouwhuis says:

    [quote Aaron]The problem with UAC is it prompts on things it should not; it prompts so often that people will start blindly clicking yes to everything. Therefore the so called protection is bypassed anyways because you made an army of robot yes clickers.[/quote]

    You hit the nail on its head! This is exactly how I respond to the ‘The publisher could not be verified. Are you sure you want to run this software?’ messagebox.

    Being a software developer myself I know that 90% of my messageboxes aren’t even read and just blindly answered with ‘Next’ / ‘Ok’ / ‘Accept’ / …

    Knowing this, I disable those buttons for about 5 seconds for really critical questions (think: delete records from the database, remove photos, …)

    I think the privileges should be asked for once and remembered. But, there should be some way to revoke the privileges as well.

  38. Santiago says:

    [quote Aaron]The problem with UAC is it prompts on things it should not; it prompts so often that people will start blindly clicking yes to everything. Therefore the so called protection is bypassed anyways because you made an army of robot yes clickers.[/quote]

    I also agree. Improving security with the UAC seems to be great, but walking on the nerves of users will not help improving security.

    I’m convinced in keeping the UAC working, to make the tests, but I hope there will be a better solution in the release version.

    Do not think users would read any popups, which have an accept/next/ok-button. Especially not, if the amount of popups increases.