All about User Account Control (UAC)

[gosh]

All about User Account Control (UAC)

Recently i explored Vista's unattend settings, and much to my surprise there wasn't anything documented to disable or customize user account control (UAC). I really hate UAC, i find it's the first thing i disable after doing a clean install. Figuring there might be a hidden unatten setting for UAC i did some exploring to see what files, registry keys, and settings comprise UAC.

Registry Keys

There is only one way to enable or disable UAC, using the following registry key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

"EnableLUA"=dword:00000001

where 1 - enables UAC, 2 - Disables UAC

Security Center Notifications

When you disable UAC you instantly get an annoying balloon popup that's really annoying. It seems these keys disable that behavior.

HKLM\SOFTWARE\Microsoft\Security Center\AutoUpdateDisableNotify

HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify

HKLM\SOFTWARE\Microsoft\Security Center\InternetSettingsDisableNotify

I assume if you set a dword of 1 you won't get any complaining from security center.

Interestingly, the internal name for UAC must be LUA. So LUA and UAC are used interchangebly.

Running UAC interface from a command line

shell32.dll has this

<!--TurnUserAccountControl(UAC)onoroff-->

<sh:taskid="{F9C55B09-E6DE-4D79-93C4-64A656D20074}"needsElevation="true">

<sh:name>@shell32.dll,-24964</sh:name>

<sh:keywords>@shell32.dll,-24965</sh:keywords>

<sh:command>shell:::{26EE0668-A00A-44D7-9371-BEB064C98683}\9\::{60632754-c523-4b62-b45c-4172da012619}\pageChangeSecuritySettings</sh:command>

</sh:task>

This means you can run the interface from a run box using this command:

shell:::{26EE0668-A00A-44D7-9371-BEB064C98683}\9\::{60632754-c523-4b62-b45c-4172da012619}\pageChangeSecuritySettings

(that's all one line)

Files that look at UAC

c:\Windows\inf\secrecs.inf

c:\Windows\PLA\Rules\Rules.System.Diagnostics.xml

c:\Windows\PLA\System\System Diagnostics.xml

c:\Windows\System32\config\SOFTWARE.SAV

c:\Windows\System32\en-US\msconfig.exe.mui

c:\Windows\System32\powercpl.dll

c:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT

c:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1

c:\Windows\System32\usercpl.dll

c:\Windows\winsxs\Backup\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e.manifest

c:\Windows\winsxs\Backup\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e_secrecs.inf_bf424507

c:\Windows\winsxs\Manifests\x86_microsoft-windows-lua-settings_31bf3856ad364e35_6.0.6000.16386_none_336d896c1da7c520.manifest

c:\Windows\winsxs\Manifests\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e.manifest

c:\Windows\winsxs\x86_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.0.6000.16386_en-us_75e9bb24559d44f2\msconfig.exe.mui

c:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\Rules.System.Diagnostics.xml

c:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6000.16386_none_b1a5cca33386fc09\System Diagnostics.xml

c:\Windows\winsxs\x86_microsoft-windows-powercpl_31bf3856ad364e35_6.0.6000.16386_none_5faa30ff774d32fa\powercpl.dll

c:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\secrecs.inf

c:\Windows\winsxs\x86_microsoft-windows-usercpl_31bf3856ad364e35_6.0.6000.16386_none_8998328751339c1c\usercpl.dll

c:\Windows\winsxs\x86_subsystem-for-unix-based-applications_31bf3856ad364e35_6.0.6000.16386_none_71b195c9f3048b05\psxss.exe

Security Templates to customize UAC

secrecs.inf

sceregvl

Conclusion

There are no documented unattend UAC settings for Vista. Doing research it seems UAC is enable or disabled with a simle policy that i assume is run by group policy on startup (which is why you need to reboot after making changes to UAC). The easiest way to disable UAC is by modifying the registry key. I expect Microsoft to add options to customize UAC in a future Vista service pack.

-gosh

[souldreamer]

You have a tool to enable/disable UAC in msconfig

[gosh]

all that does is modify the registry key. You can't use it for an unattended install.

-gosh

[roko]

i have insert command from msconfig in my unattend to disable uac on w2k8 enterprise x64. after installation is ready i've got a core server without gui !!

[hclarkjr]

here is something i use for UAC and love it, works great http://www.tweak-uac.com/download/

[MagicAndre1981]

this is a tool which is totally nonsense. If you want to startup app with elevated rights and don't want to allow them use the task scheduler service to start them