I came across two articles that help "demystify" UAC settings. The first article shows what individual UAC options apply for each UAC Level: http://woshub.com/user-account-control-slider-and-group-policy- The problem with the first article is it does not show individual registry key values or all the options for that matter for each setting. This article provides this information: https://www.ghacks.net/2013/06/20/how-to-configure-windows-uac-prompt-behavior-for-admins-and-users/ . Bottom line - it is possible to customize UAC settings beyond the level setting defaults. Personally, I would just stick with the Microsoft defaults assigned to each UAC level.
Frankly, the "Always Notify" settings set up by Microsoft are almost perfect; the only setting that needs adjustment is enabling admin approval mode for the built-in admin account, if that account isn't disabled (I don't think it is by default). The fact that standard users use "Prompt for credentials" instead of "Prompt for credentials on the secure desktop" is irrelevant, because the "Switch to the secure desktop when prompting for elevation" setting overrides it. But if you're like most people using a single admin account, it wouldn't hurt to set the former to automatically deny elevation requests. Even though processes started by you will be running under your admin account, and will thus not use that setting but instead use the admin elevation prompt setting when they need to elevate, it never hurts to be 100% sure.
I use UAC at the default level. I use ReHIPS, so UAC is redundant for me. The majority of the time I don't use an account belonging to the Administrators group. I also have "User Account Control: Behavior of the elevation prompt for standard users" set to "Automatically deny elevation requests".
Remember that UAC's original purpose was to be a privacy boundary, not a security one, so standard users can't access other standard user accounts. The security aspect is a side effect that overthrew the privacy one.
I disagree. The original intent was to get people to use standard user accounts while still being able to elevate admin processes, and to encourage software developers to write software that could be used by standard users. When everyone was using XP they all ran as admin because it was too hard to configure a standard account for, apparently, most people.
Also, subsequent Windows versions introduced the limited admin account by default. This allows you to run with standard user privileges but have the capability to switch to admin level via the desktop UAC prompt without having to enter full admin credentials. The problem is that at the default UAC level 3 setting, it is possible for malware to use select Windows system utilities, etc., that allow for silent UAC elevation to bypass level 3 prompting. Hence the need to run at the level 4 (maximum slider) setting to detect most, but unfortunately not all, LOL misuse. It appears to me that setting the ConsentPromptBehaviorAdmin reg. key to "3", or the equal Group Policy value to prompt for credentials, will prevent all hidden UAC bypass attempts. However, this would entail entering your logon password for every UAC elevation request. Note that the default value of this key is "2", no authentication required.
I don't think a UAC bypass is based on whether you're using "prompt for consent on the secure desktop" or "... for credentials ..."; in both cases it's on the secure desktop, and if every other setting is the same, it shouldn't matter. The former just saves a ton of time, even better if you're not using any password for your account (maximum time-saving), but ofc if you're not living by yourself it's not the smartest idea. It doesn't matter for thieves, cuz if they have physical access a password won't stop them, but it might stop your family member or w/e, in combination with a BIOS password, disabling booting from CD, USB etc., and putting your case in a metal box with a metal lock (remove the box when you're using the PC so the case can properly cool). Besides, as I always like to say, even if that setting did matter, which I don't think it does but who knows, you'd have to first run the executable that will do the bypass; it won't download onto your drive and run itself.
I wonder what those two new ones do: "EnableFullTrustStartupTasks" and "EnableUwpStartupTasks". I have it set like this:
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableFullTrustStartupTasks" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUwpStartupTasks" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d "1" /f
They're not related to UAC: https://docs.microsoft.com/en-us/wi...ontrol-group-policy-and-registry-key-settings . Something related to this: https://docs.microsoft.com/en-us/uwp/api/windows.applicationmodel.startuptask . Also there's SupportFullTrustStartupTasks and SupportUwpStartupTasks; they're both (1) for me, and the Enable ones are both (2) for me. Very interesting indeed. Perhaps one can clean install and check the default values, and if they're not respectively (1) for Support... and (2) for Enable..., then that means I tweaked some setting that changed those values (I can confirm I haven't explicitly changed those values from my bat file), so then one can monitor the values and see when they're changed and figure out what setting is changing them. Although if I had to guess, I'd say these are the default ones, but who knows.
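An added audit script (mine, not code from any poster in this thread) that reads the UAC policy values discussed above, the ConsentPromptBehaviorAdmin values from the bypass discussion and the keys in the reg add list, decodes them using Microsoft's documented meanings, and flags the settings that lower UAC below the "Always notify" slider position. It assumes the keys live under the Policies\System path used in those reg add lines; a value that is absent means Windows applies its built-in default.

```powershell
# Added audit script, not any poster's code. Reads the UAC policy values named in this
# thread, decodes them, and reports the ones that weaken UAC. Reading HKLM policy
# values needs no elevation. Absent values mean the built-in Windows default applies.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings per Microsoft's UAC Group Policy / registry documentation.
$AdminMeaning = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                   2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                   4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
$UserMeaning  = @{ 0 = 'Automatically deny elevation requests'
                   1 = 'Prompt for credentials on the secure desktop'; 3 = 'Prompt for credentials' }

function Get-UacValue([string]$Name) {
    $item = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # value not set: built-in default applies
    return [int]$item.$Name
}

$keys = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
        'PromptOnSecureDesktop', 'FilterAdministratorToken', 'EnableInstallerDetection',
        'EnableSecureUIAPaths', 'ValidateAdminCodeSignatures', 'EnableVirtualization'
$uac = [ordered]@{}
foreach ($k in $keys) { $uac[$k] = Get-UacValue $k }

# Human-readable view of the two prompt-behaviour values.
$adminText = if ($null -ne $uac.ConsentPromptBehaviorAdmin) { $AdminMeaning[$uac.ConsentPromptBehaviorAdmin] } else { '(not set)' }
$userText  = if ($null -ne $uac.ConsentPromptBehaviorUser)  { $UserMeaning[$uac.ConsentPromptBehaviorUser] }  else { '(not set)' }
Write-Host "Admin elevation prompt : $($uac.ConsentPromptBehaviorAdmin) = $adminText"
Write-Host "Standard-user prompt   : $($uac.ConsentPromptBehaviorUser) = $userText"

# Findings: each is a configuration below the "Always notify" slider position (admin value 2).
$findings = @()
if ($uac.EnableLUA -eq 0) {
    $findings += 'EnableLUA=0: UAC is switched off entirely (a change here takes effect after reboot).'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin=0: admins elevate silently, nothing is ever prompted.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 5) {
    $findings += 'ConsentPromptBehaviorAdmin=5: Windows binaries auto-elevate without a prompt (slider level 3).'
}
if ($uac.PromptOnSecureDesktop -eq 0) {
    $findings += 'PromptOnSecureDesktop=0: prompts are drawn on the normal desktop instead of the secure desktop.'
}
if ($uac.FilterAdministratorToken -ne 1) {
    $findings += 'FilterAdministratorToken not 1: the built-in Administrator account runs without Admin Approval Mode if enabled.'
}
if ($uac.ConsentPromptBehaviorUser -in 1, 3) {
    $findings += 'ConsentPromptBehaviorUser=1/3: standard users get a credential prompt; 0 denies elevation outright.'
}
if ($findings.Count -eq 0) { Write-Host 'No weakening UAC settings found.' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it before and after changing the slider or applying a reg add batch to see exactly which values moved; the Support*/Enable*StartupTasks values from the previous post are not UAC settings and are deliberately left out.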
Well, you guys already know my opinion about UAC. It's quite useless; I can't believe that there are people that click on that stupid UAC alert every time they launch a tool like Windows Task Manager or Process Explorer.
I can't believe that there are people using an admin account as their daily account because they can't stand one click on UAC, while clicking 20 times on HIPS alerts and anti-script browser addons.
The thing is, alerts from HIPS make sense, because you are monitoring app behavior. UAC alerts don't make sense. It simply tells you that a (trusted) process needs admin rights.
UAC is not just for when a process wants to run elevated; UAC is for a lot more stuff. Here is some of it, scroll down: https://en.wikipedia.org/wiki/User_Account_Control
I believe you don't get the point. Please look at the big picture, not only at your personal situation. Things are made for all people, not just you. Let's say you deploy Windows on several endpoints of a company: do you want the employees to be able to run admin tools? I don't think so...
This is totally irrelevant, I believe you have lost the plot. You don't need UAC to lock down PCs. But let's not start all over again.
Of course it is relevant. You confound blocking execution with blocking elevation. I've been hammering this to you for a while now, and you still don't get it. UAC won't prevent malware and legit apps from running if they don't require elevation, but it will block them if they do.
@Rasheed187 the UAC prompts provide some useful and important information. They tell you:
- if the Publisher is blocked
- if the application is a Windows administrative app
- if the app is Authenticode-signed and trusted
- if it is unsigned, or signed but not yet trusted
It's all easy to comprehend as long as one is willing to take a few moments to read the prompts.