User Account Control Technical Reference
Updated: August 3, 2009
Applies To: Windows 7, Windows Server 2008 R2
This document contains detailed information about User Account Control in Windows 7 for the IT professional. If you need help and how-to information for using User Account Control in Windows 7 at home, see the following:
- What is User Account Control? (http://go.microsoft.com/fwlink/?LinkId=159927)
- What are User Account Control settings? (http://go.microsoft.com/fwlink/?LinkId=159926)
- When should I allow programs to make changes to my computer? (http://go.microsoft.com/fwlink/?LinkId=159928)
- Turn User Account Control on or off (http://go.microsoft.com/fwlink/?LinkId=159929)
When users are logged on to their computers as local administrators, they can install and uninstall applications and change system and security settings. As a result, it can be difficult for IT departments to gauge the overall status and security of their environments. In addition, every application that these users start can potentially use the administrative-level of their account to write to system files and the registry or to modify system-wide data. Common tasks such as browsing the Web and checking e-mail can become unsafe in this scenario.
User Account Control (UAC) is a significant focus of Windows 7 and a fundamental component of Microsoft's overall security vision. With the introduction of UAC, the access control model changed to help mitigate the impact of a malicious program. When a user attempts to start an administrator task or service, the User Account Control dialog box asks the user to click either Yes or No before the user's full administrator access token can be used. If the user is not an administrator, the user must provide an administrator's credentials to run the program. Because UAC requires an administrator to approve application installations, unauthorized applications cannot be installed automatically or without the explicit consent of an administrator.
In Windows 7 and Windows Server 2008 R2, UAC functionality is improved to:
Increase the number of tasks that the standard user can perform that do not prompt for administrator approval.
Allow a user with administrator privileges to configure the UAC experience in the Control Panel.
Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for local administrators in Admin Approval Mode.
Provide additional local security policies that enable a local administrator to change the behavior of the UAC messages for standard users.
This technical reference provides IT professionals with detailed information about the following UAC topics: