With all of the discussion I’ve given here about how to make UAC a little easier to use, I should also throw in a tip that may be useful to those who want UAC to be more secure. By default, UAC forces a non-admin user to type in an admin password, but allows an admin user to simply click OK to consent to a UAC action. That said, it’s also possible to force UAC to prompt for a password for all users, including admins.
To do this, edit the Registry, and set the DWORD value:
to 1. The default value is 2, which is the standard admin behavior. (Click to consent.)
Set ConsentPromptBehaviorAdmin to force administrators to supply a password when UAC comes up.
|(click for image gallery)|
Here’s another security-enhancement tip that may be useful to people who want to run UAC silently, but still want some additional protection against potentially spurious code.
UAC can be set to run programs as admin only if they have a valid digital signature, although by default this feature is turned off. Most program installers have some kind of signature; you can find out if a given app has a signature by right-clicking on the program’s icon, selecting Properties, and looking for the Digital Signatures tab. This is another bit of insurance that the program you’re running is not malicious and has a pedigree of some kind.
To make sure that UAC elevates only signed code, edit the Registry and set the DWORD value:
to 1. This change should take effect immediately.
Keep in mind there may be many perfectly innocuous programs that aren’t signed and will fail if you try to run them as admin with this feature turned on. If you get an error that says “A referral was returned from the server,” that’s a sign that the program you’re trying to elevate isn’t signed. (This is probably why this function was disabled by default, since it would cause a lot of garden-variety software to not work.)
That said, if there’s something you know is valid and you want to run it as admin, you can do so by running it via an elevated command prompt, Explorer instance, or through the Process Explorer trick mentioned previously.