User Account Control (UAC) Cautions - Public Information

Old 03-10-2007   #1 (permalink)
DavFChap

For the public, in general: Discussion regarding limitations of turning off User Account Control in Windows Vista Basic & Home (all versions)

Undocumented in KnowledgeBase articles, to date...architectural coverage exists within TechNet and addresses the following [very short] discussion

Background: TechNet; I strongly suggest you perform your own research regarding the following discussion. Windows Vista is such a new OS and has been in general distribution only a month when this opinion was written. We, as users and administrators, have much to learn regarding its architecture and interaction with its configuration and programs (APIs). Even though the OS was available for over a year in BETA, there remains widespread lack of driver support both with OEMs and within the OS itself. The same is true for extensions and software (APIs) presently on the shelves of retailers. I have, however, experienced very few problems with OEM pre-installed drivers, extensions and/or software. Vista is a memory HOG; the first line of defense against problematic behavior is 2GB RAM and double the RAM size in the paging file. Turn on System Restore!

Installing programs: Turning off UAC in user accounts, even though those accounts are granted Administrative rights, can cause MSI to fail, esp. if it fails to propagate elevated installation rights, as needed. This has been observed with some Intuit & Symantec programs, most recently QuickBooks 2007 Premium & LiveUpdate, respectively, and certainly exists within other APIs as well as having the potential for problematic driver installations and updates.

Installing and/or Running programs: The problem [for end-users] seems to lie within the Vista design, in that even though an account is already granted Administrative rights, policy defaults require elevated propagation [authentication to succeed] of rights before passing rights down to the API layer. The API layer may be MSI, an API, a component or components of an API, or a module called by MSI or an API to which it needs to pass values or retrieve values. When UAC is turned off, authentication fails because [of course] the prompt to the user (basis of UAC - to thwart unrestricted access to the system) to grant permission is turned off. Hence, authentication is indirectly turned off.

Security Policies (SecPol.msc): Policies in Vista Pro, Vista Premium, & Vista Enterprise can be modified to allow pass-thru of these rights even without assigning Administrative rights to a user account and with turning off UAC for that account. For the procedure(s), you will have to refer to the TechNet web site User Account Control Overview and Understanding and Configuring User Account Control in Windows Vista. However, Vista Basic & Home Editions do not allow modification to user or system level policies; as has any other Home Edition release. Therefore, non-business distribution networks for desktops, notebooks, TabletPCs, and handhelds [having been distributed largely with Vista Basic & Home Edition (or embedded versions)] lack sufficient controls to modify security policies in such a manner as to make it safe to turn off UAC.

This [problematic] design can further disrupt API execution within the API (as described above in Running Programs), even though it may have been pre-installed or originally installed with Administrative rights assigned. Apparently, utilization of either of Advanced Properties, Compatibility or Security settings within an API's shortcut properties remains ineffective in overriding security policy design within Vista Basic & Home Editions.

Conclusion: Assuming you, as a user, have disabled UAC, develop or observe oddities, failures to execute, API startup/splash followed by immediate shutdown of the API, messages regarding program or module communications, MSI startups stacking up in Task Manager and never completing (just to mention my most recent observations), then reconsider the impact of turning off UAC. It is likely that the issues discussed herein are far greater in performance impact than early experiences suggest, and as Microsoft strengthens the security policies in order to thwart trojans, viruses, phishing, adware, as well as other types of malware [both real and to be developed], UAC will experience further integration with AI in order to evolve into Microsoft's vision of a 'dynamic protector.' We must learn to live with UAC while encouraging Microsoft to incorporate administrators' capacity to configure it within ALL versions of Vista and reduce redundancy and unnecessary interruption in daily productivity.

Disclaimer: The information offered herein is based upon my personal interpretation of TechNet articles and Community Discussions. It is offered for public viewing on an "as is" basis with no further warranty as to its accuracy, completeness or appropriateness in any particular situation. The opinions herein are based upon personal experiences and observations as both an end-user and computer technician. I hope you find the information useful and enlightening, and if so, please append your experiences and observations so that others may benefit from it.

David Chapman, A+, Net+, Microsoft Partner
davfchap@hotmail.com
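
For readers troubleshooting the symptoms described in this thread, a read-only check of whether UAC has been turned off on a machine. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later and reads the registry values that back the "User Account Control" entries in Local Security Policy. The function name `Get-UacState` is hypothetical.

```powershell
# Added example: read-only audit of the UAC policy values. Changes nothing.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $p) { throw "Cannot read $Path" }

    # Vista-era meanings of ConsentPromptBehaviorAdmin
    $consentText = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials'
        2 = 'Prompt for consent'
    }

    $lua  = $p.EnableLUA                    # 0 = UAC off, 1 = UAC on
    $cpba = $p.ConsentPromptBehaviorAdmin
    $desk = $p.PromptOnSecureDesktop        # 1 = prompt shown on secure desktop

    # Handle values that are absent or outside the table above
    if ($null -eq $cpba) {
        $cpbaText = 'not set'
    } elseif ($consentText.ContainsKey([int]$cpba)) {
        $cpbaText = $consentText[[int]$cpba]
    } else {
        $cpbaText = "other ($cpba)"
    }

    $findings = @()
    if ($null -eq $lua)  { $findings += 'EnableLUA is not set' }
    elseif ($lua -eq 0)  { $findings += 'UAC is turned off (EnableLUA = 0)' }
    if ($cpba -eq 0)     { $findings += 'Administrators elevate with no prompt' }
    if ($desk -eq 0)     { $findings += 'Prompt is not on the secure desktop' }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        EnableLUA     = $lua
        AdminPrompt   = $cpbaText
        SecureDesktop = $desk
        Findings      = $findings
    }
}

Get-UacState | Format-List
```

An empty `Findings` list means UAC is on and administrators are prompted on the secure desktop.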


 
Vistax64.com is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media 2005-2008
