How do I know when it's safe to allow programs that cause the User Account Control (UAC) notification to occur?
Helping people with computers... one answer at a time.
User Account Control or UAC asks when programs need special permissions to do something. I'll look at when those are, and are not appropriate.
With Vista and now Windows 7, I get prompted to allow or dis-allow programs looking to access my computer - to give my permission for that or to deny. I have no idea how to know what is legit, illegitimate, or grey area (like manufacturer of my laptop collecting info on my computer use to try to sell me more stuff). Any ideas?
•
What you're seeing, of course, is Windows "User Account Control" or UAC - a feature not unlike that present in both Linux and the Mac operating systems. The basic premise is that before software does anything that would (or could) potentially install software or otherwise harm your computer, the system simply asks first.
The knee-jerk reaction is "if you're not sure, say no". However, there are some things you can keep in mind that will let you be a little more sure a little more often, and as a result allow you to make a more informed decision.
•
UAC kicks in because when running as administrator, you're not really running with full administrative privileges. There are certain things you cannot do, certain places you cannot store files or settings, and certain operations you cannot complete until or unless your access has been "elevated" to full administrative access.
That's all the UAC dialog is asking you for permission to do.
When you respond "yes", the program that's requesting it is granted true, full, administrative access to your machine. It can do anything - much like all programs could in Windows XP and prior versions if you were logged in as administrator.
The most obvious case where you want to say yes is when you actually are installing software. This is typically an operation that requires elevation, because the setup program will need to write into protected areas of your hard disk as well as the registry.
Another good example of when "yes" is appropriate is when you run software and it checks for updates to itself. This is much like an install, and requires that same elevated level of privilege to write things where in normal day-to-day operations software shouldn't be writing things.
At the other end of the spectrum a clear case for "no" is if you're surfing the web and the notification comes out of seemingly nowhere. That's a Big Red Flag that something sinister might be going on. It's also a clear case for the "if you're not sure, say no" default answer.
In reality, that "if you're not sure" is the crux of both the issue, and the problem.
If you're doing something that you expect might need special access to your machine - most typically adding or modifying the software installed on your machine - then it's reasonable to expect the UAC notification to happen, and to respond with a "Yes". The bottom line is that you're expecting it.
When it's not expected, it's time to look more closely.
As you can see from the message itself, the program that's requesting elevated privileges will be identified. This isn't 100% fool-proof, since of course malware can call itself whatever it likes, but it's a good sanity check. If you get the notification unexpectedly, you might look at the program requesting access, and say to yourself "oh yeah, that makes sense" and allow it.
Saying "no" is sometimes also a good diagnostic tool. If you get an unexpected notification and say "no", after which something you expected to work fails - in a way that might make sense to you as having needed those elevated privileges to do something - well, then you've got more data with which to make a decision. You might elect to re-run whatever made the request and say "yes" this time.
It's important to note that normal day-to-day operations shouldn't require elevation. Web surfing, emailing, writing documents or any of a number of normal activities just shouldn't result in a UAC notification. It's only when you're doing something that is about to make a system modification - like installing software - that UAC would normally pop up.
If you're seeing it at other times, and you weren't expecting it and you're not really sure why it's asking - say no. At least say no until you can determine more clearly why it's asking.
Because sometimes the "why" is something you don't want at all: malware.
Article C4207 - March 7, 2010 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
March 9, 2010 9:16 AM
When I run a regular program, I get UAC and have to say Yes. This program runs from the internet to get current data. Is their a way to list programs you know are good, and not trigger the UAC?
Thanks
~Jack
March 9, 2010 11:02 AM
I've noticed that sometimes certain programs need to access system files and will fail otherwise, even if they're not modifying it. (One example is a hardware diagnostic tool. Another example is a Windows 9x game that spits out an error about not being able to access a DLL file.)
March 10, 2010 7:55 AM
Good article. It expands the spectrum for making a more informed decision about verifying an operation. I get lots of UAC notices. My knee jerk is to say yes (I don't want to be delayed) but now I will test a few UAC notices.
March 11, 2010 4:39 PM
As a relative simpleton, I very much like the UAC notification. It gives me a few seconds to think about what I’m about to do -- and verify that I really *do* want to do what I’m about to do.
Off topic -- the more I use and learn about Win7 the more I like it.
March 26, 2010 12:07 PM
Nice post! It’s always dangerous to get into the habit of clicking “yes” or “allow” so UAC is helpful because it makes you think about what you’re doing. This is something I will try to pay more attention to in the future.