User Account Control

User Account Control
Component of Microsoft Windows
UAC Def10Logo.png
User Account Control prompting access to Windows Terminal in Windows 11
TypeSecurity option
Introduced inWindows Vista

User Account Control (UAC) is a security feature included in Windows Vista and later, which limits applications to standard user privileges unless they are explicitly granted administrator privileges. The process of authorizing a program to run at administrator privileges is called elevation and usually involves a consent prompt that includes information that identifies the program. The UAC prompt may also display a password prompt if the current user does not hold administrator privileges, requiring an administrator to enter their credentials in order for the elevation to succeed. UAC is similar to the sudo command in Unix-like operating systems, although Windows does not have any equivalent of a root user known from the other platforms.

Elevated processes are isolated from non-elevated processes by running at a higher integrity level, which prevents most interactions initiated by lower-level processes in order to avoid privilege escalation attacks.

It works by initializing consent.exe (which shows the UAC prompt) under the SYSTEM account, and an application called "SSSecure_UAC_Background" (someone correct me if this isn't the name of it), which hides the desktop with a slightly gray screen. After the Windows 8 Developer Preview, it just shows the desktop icons and the watermark. By Windows 10, only the wallpaper and a keyboard layout button on the bottom right, provided that multiple input languages have been selected.

User Account Protection[edit | edit source]

In its early implementation, User Account Control was known as User Account Protection (UAP). It could be enabled or disabled through the use of a Start menu shortcut to toggle.exe, rather than through the user control applet within Control Panel. However, the early UAP implementation used a different keyword for the administrator privilege request. Unlike the modern implementation, which uses the keyword asInvoker, the early implementations used requireAdministrator instead. This leads to an inability to run modern programs within builds that used this implementation as they will produce a run-time error. It is possible to modify a program's manifest to use the older keyword to trigger the UAP prompt, in turn allowing the program to run correctly. However, programs that perform an integrity verification (such as setups) will not run due to the program's checksum no longer matching the checksum it is verified against.

Gallery[edit | edit source]

Windows Vista to Windows 10 November Update[edit | edit source]

Windows 10 Anniversary Update and later[edit | edit source]

Windows 11[edit | edit source]