What Is User Account Control? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
User Account Control is a security feature in Windows that asks for your permission before making changes that could affect your computer's settings or security. It helps protect your device from malware and accidental modifications. When you see a UAC prompt, it means a program or process wants to do something that requires special privileges. You can click Yes to allow it or No to block it.
Commonly Confused With
Run as administrator is a specific action a user can take (right-clicking an executable and selecting 'Run as administrator') to force a program to run with elevated privileges. UAC is the underlying system that controls when and how that elevation occurs. Run as administrator is a feature that triggers a UAC prompt; it is not the same thing as the UAC mechanism itself.
If you right-click a setup file and choose 'Run as administrator', UAC will still prompt you for consent. The 'Run as administrator' option is like telling the security guard 'I want to go to the server room', the guard still checks your badge (UAC).
Windows Defender Firewall controls inbound and outbound network traffic based on rules, while UAC controls local system changes on the computer itself. A common confusion arises because both are security features that can block operations, but they operate at completely different layers. Firewall is about network access; UAC is about local privilege elevation.
If a program wants to communicate over the internet, the firewall may block it. If the same program wants to write to the System32 folder, UAC may block it. One is about network ports, the other is about file system permissions.
User Account Management refers to the processes and tools used to create, modify, and delete user accounts, such as the 'User Accounts' Control Panel or the 'Local Users and Groups' snap-in. UAC is specifically about the elevation prompt that appears when a user or program tries to perform a system-level action. They are both part of Windows security but address different aspects, one manages identities, the other manages privilege escalation.
Creating a new user account (UAM) does not cause a UAC prompt unless you are doing it through certain tools. Changing a system setting like the time zone (UAC required) is different from changing your own password (UAM, no UAC needed).
Parental Controls and Microsoft Family Safety allow a parent to limit what websites a child can visit, restrict screen time, and control app purchases. UAC does none of that. UAC is a privilege elevation control for all users, while Family Safety is a set of policy-based restrictions specifically for child accounts. They are often confused because both can present pop-ups asking for permission.
A child tries to install a game. Family Safety may block the installation because of age restrictions. UAC may also prompt, asking for an admin password. The Family Safety block happens at the policy level, while UAC happens at the system access level.
Must Know for Exams
User Account Control is a recurring topic in several major IT certification exams, particularly those focused on Microsoft Windows operating systems, security, and desktop support. In the CompTIA A+ series (Core 2), UAC is specifically covered under exam objective 2.1: "Compare and contrast fundamental security concepts." Questions may ask you to identify what UAC does, when a UAC prompt appears, and how to configure UAC settings in the Control Panel or via Group Policy. You might be presented with a scenario where a user is getting repeated UAC prompts for a legitimate application, and you need to determine the best way to resolve it, such as adjusting the UAC notification level or running the application as an administrator by modifying its compatibility settings.
In the CompTIA Security+ exam (SY0-601 and SY0-701), UAC is discussed under domain 3.0: "Implementation" (specifically 3.2: "Implement secure network architecture concepts") and also under domain 4.0: "Operations and Incident Response." Security+ exam questions may ask you to explain how UAC enforces the principle of least privilege, how it helps prevent privilege escalation attacks, and how it can be bypassed by sophisticated malware. You may also encounter scenario-based questions where you need to recommend UAC settings for different user types (standard vs. admin) in a corporate environment.
For the Microsoft 365 Certified: Modern Desktop Administrator Associate (MD-100), UAC is a core topic. Objective 2.2: "Manage Windows security" specifically includes configuring UAC behavior, understanding the different UAC notification levels (Always notify, Notify me only when apps try to make changes to my computer, etc.), and managing UAC via Group Policy. Exam questions may ask you to identify the correct PowerShell cmdlet to change UAC settings (Set-ItemProperty -Path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA) or to interpret a scenario where UAC is causing application installation failures.
On the Microsoft Azure Administrator (AZ-104) and Microsoft Security Engineer (SC-200) exams, UAC is less directly tested but still appears as background knowledge for understanding secure Windows images, Azure Virtual Desktop configuration, and advanced threat protection. You might be asked how Windows Defender for Endpoint (now Microsoft Defender for Endpoint) integrates with UAC for behavioral detection.
Common question types include multiple-choice where you select the correct definition of UAC, drag-and-drop where you order the steps of a UAC prompt, and scenario-based where you choose the appropriate UAC level for a given situation. For example, a question might state: "A user needs to install a company-approved software package but receives a UAC prompt each time. The installation requires administrator privileges. What is the best way to allow this without compromising security?" The correct answer might be to run the installation via a Group Policy Software Installation (GPSI) or to use a deployment tool like Microsoft Endpoint Configuration Manager instead of manually installing.
Finally, exam questions often try to trap you into confusing UAC with other security mechanisms like Windows Defender, User Account Management (UAM), or the principle of least privilege in general. You must be precise about what UAC does (elevation prompt for consent) versus what it does not do (antivirus scanning, firewall management, or user authentication). Pay close attention to wording that says "prevents unauthorized access", UAC does not prevent access at the network level; it controls local system changes.
Simple Meaning
Imagine you live in a house with strict rules about who can touch the electrical panel or the main water valve. These areas are locked behind a door that only the homeowner has the key to. Whenever a repair person, a family member, or even a smart device wants to flip a breaker or shut off the water, they have to come to you, explain what they want to do, and ask for permission. You then decide whether it’s safe and, if so, unlock the door for them. This way, no one can make a dangerous or unwanted change without you knowing about it.
User Account Control works exactly like that for your Windows computer. The operating system has a set of sensitive areas, like system files, registry settings, and installed program folders, that can affect the stability and security of the entire computer if they are changed. Normally, you use your computer with a standard user account that doesn't have full access to these areas, just like a guest in a house. When you need to install new software, change system settings, or run a program that might modify system files, UAC steps in and shows a dialog box asking for confirmation. This is the computer saying, "Hey, someone wants to do something important. Are you sure you want to allow it?"
This prompt is your chance to double-check what is about to happen. If you didn't ask for the change or don't recognize the program asking, you can say No and prevent a potential problem. UAC was introduced to reduce the risks that came from users running with full administrative privileges all the time. Before UAC, many people logged in as administrators, meaning any software they ran, including viruses, had total control over the system. UAC changes that by making even administrators operate like standard users for most tasks, only elevating privileges when needed.
Even if a malicious program sneaks onto your computer, UAC can stop it from making system-wide changes without your approval. It doesn't block all malware, but it adds a serious hurdle. Think of it as a security guard standing at the door to the server room. The guard won’t let anyone pass without a signed permission slip from you. If you don’t sign it, the door stays closed. This simple extra step has dramatically improved Windows security since it was introduced in Windows Vista.
Full Technical Definition
User Account Control (UAC) is a mandatory access control (MAC) mechanism built into modern Windows operating systems (starting with Windows Vista and present in all subsequent versions including Windows 10 and Windows 11). It enforces the principle of least privilege by running all processes with standard user rights by default, even when the logged-on user is a member of the local administrators group. Only when an operation explicitly requests elevated privileges does UAC prompt the user for consent or credentials.
At the kernel level, UAC works by creating two separate access tokens for an administrator account: one with full administrative privileges (the elevated token) and one with only standard user privileges (the filtered token). When you log in, Windows uses the filtered token to launch all user-initiated processes, including Explorer.exe, the shell, and any applications started from the desktop or Start menu. When a process requests access to a securable resource that requires administrator rights, such as writing to the Program Files directory, modifying the HKLM registry hive, or changing system-wide firewall rules, the request triggers a call to the Application Information Service (AppInfo). This service evaluates whether the process needs elevation based on file path, publisher certificate, and the embedded requested execution level in the application manifest.
Applications are marked with a requested execution level in their manifest file using the "requestedExecutionLevel" attribute under the "trustInfo" XML namespace. The possible values are: "asInvoker" (run with the same token as the parent process), "highestAvailable" (run with the highest privileges the user can obtain), or "requireAdministrator" (always run elevated). If the manifest says "requireAdministrator", the AppInfo service will prompt for elevation before the application even starts. If it says "asInvoker", the application runs without elevation and may fail later if it tries to do something that requires admin rights, but UAC won't prompt at all.
When elevation is required, UAC displays a Secure Desktop (a separate desktop session that is isolated from user interaction) to prevent malicious code from spoofing the prompt. The prompt shows the name of the program, its publisher (digitally signed), and the origin of the file. The user must then either click Yes (if they are an administrator) or provide administrator credentials (if they are a standard user). This consent or credential verification is handled by the Consent UI (consent.exe) running on the Secure Desktop.
UAC also includes the concept of Auto-Approval for certain well-known Windows components that are digitally signed by Microsoft and stored in protected locations. For these processes, the prompt is automatically elevated without user interaction, reducing friction while maintaining security. Group Policy settings allow system administrators to fine-tune UAC behavior, such as disabling the Secure Desktop, enabling or disabling admin approval mode, and controlling which types of operations trigger elevation.
In enterprise environments, UAC can be configured via Group Policy Object (GPO) settings under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Key policies include "User Account Control: Admin Approval Mode for the Built-in Administrator account", "User Account Control: Behavior of the elevation prompt for administrators", and "User Account Control: Only elevate executables that are signed and validated". These settings allow IT administrators to balance security with usability depending on the organization's needs.
Real-Life Example
Think of User Account Control like the process of getting a special key card to enter a high-security storage room inside a large office building. Everyone who works in the building has a basic key card that opens the main entrance, the break room, and the bathroom. But the storage room contains sensitive documents, expensive equipment, and the main server. Only the building manager has the special key card that grants access to that room.
Now, suppose a normal employee needs to get a file from the storage room for a project. They cannot just walk in. They must go to the manager, explain exactly why they need access, and the manager decides whether to grant it. The manager doesn't hand over the card permanently, they just escort the employee to the room, unlock the door, and let them retrieve the file. Once the employee leaves, the door locks again. If the employee tries to take something else without permission, the manager will notice and stop them.
In this analogy, the office building is your Windows computer. The normal employee is a standard application like a web browser or word processor. The high-security storage room is the area of your system that holds critical files, settings, and installation directories. The building manager is the UAC prompt. The special key card is the elevated administrator token that UAC controls.
When you install a new program, it needs access to the 'storage room' of your system, the Program Files folder, registry, and other protected areas. The program cannot just go there on its own. The UAC prompt appears and you, as the manager, must decide if you trust that program enough to let it in. If you click Yes, you are virtually escorting the program to the protected area and allowing it to make its changes. Once the installation finishes, the administrative token is withdrawn, and the program runs with standard user rights for its daily operations.
This system prevents a malicious program you might have accidentally downloaded from sneaking into the storage room and stealing or damaging things. Even if the harmful code gets into the main office, it doesn't have the special key card. It would need to trick you into giving it access through the UAC prompt, which gives you a chance to stop it. The daily friction of asking the manager every time you need the storage room is a small price to pay for keeping the entire building safe.
Why This Term Matters
User Account Control matters because it is a foundational layer of Windows security that directly reduces the risk of malware infections, accidental system damage, and unauthorized configuration changes. Before UAC, many users and IT professionals logged on as full administrators, giving every program, including malicious ones, unrestricted access to the entire operating system. This made it trivially easy for drive-by downloads, email attachments, and phishing exploits to silently install rootkits, keyloggers, ransomware, and other persistent threats. UAC fundamentally changes this by ensuring that even administrative accounts run most activities in a limited security context.
In an IT environment, UAC protects not just individual workstations but also the network as a whole. A single compromised endpoint with full admin rights can be used to spread malware across the domain, modify Group Policy, or extract credentials from LSASS. By restricting privileges at the desktop level, UAC makes lateral movement harder for attackers. It also helps enforce the principle of least privilege, which is a core security concept in frameworks like NIST and CIS Controls.
For IT support professionals, UAC also serves as an audit trail and a behavioral check. When a user reports that an application is not working correctly, one of the first troubleshooting steps is to check whether UAC is blocking necessary write operations to protected directories or registry keys. Many legacy applications were not designed with UAC in mind and fail silently when they cannot write to their own installation folder. Understanding UAC helps you quickly identify whether a problem is due to missing permissions rather than a software bug.
UAC also introduces some operational challenges. Overly aggressive UAC settings can frustrate users and slow down workflows, leading some organizations to disable it entirely, a bad security practice. IT professionals need to know how to configure UAC through Group Policy to strike the right balance between security and usability. For example, setting the elevation prompt to automatically deny for standard users while prompting for credentials for administrators can maintain security without excessive interruptions. Ultimately, UAC is not a silver bullet, but it is a critical component of a defense-in-depth strategy that every IT professional must understand, manage, and troubleshoot.
How It Appears in Exam Questions
Exam questions about User Account Control typically fall into several distinct patterns: definition-based, scenario-based, configuration-based, and troubleshooting-based.
For definition-based questions, you might see: "Which Windows security feature requires a user to provide consent or credentials before allowing actions that could affect system settings?" The answer is clearly User Account Control. A more advanced variant might ask: "Which component is responsible for displaying the UAC prompt on the Secure Desktop?" The correct answer is the Consent UI (consent.exe). These questions test your ability to recall precise terminology and components.
Scenario-based questions are very common, especially in CompTIA A+ and Security+. For example: "A small business owner uses a standard user account for daily work. They need to install a new printer driver that requires administrator privileges. What will happen when they attempt to install?" The correct answer is that a UAC prompt will appear asking for administrator credentials. Another scenario: "An IT administrator wants to run a legacy application that requires full admin rights without prompting every time. What is the best approach?" Options might include disabling UAC entirely (bad practice), running the application as an administrator by right-clicking and selecting 'Run as administrator' (single session), or modifying the application's compatibility settings to always run as administrator (better for frequently used apps). The correct answer depends on the specific exam and the provided choices, but the key is understanding that disabling UAC is rarely the recommended solution.
Configuration-based questions appear mostly in Microsoft exams (MD-100, AZ-104). You might be asked: "You are configuring a new Windows 10 deployment for a finance department. You want to ensure that users see a UAC prompt for every attempt to change system settings, even if they are logged in as an administrator. Which UAC notification level should you set?" The answer is 'Always notify', the highest level. Another config question: "Which Group Policy setting controls whether the built-in Administrator account is subject to UAC prompts?" Answer: 'User Account Control: Admin Approval Mode for the Built-in Administrator account'. You must know the exact names of these policies.
Troubleshooting-based questions ask you to diagnose why something is failing. Example: "A user reports that they cannot install a company-approved application. The installation log shows a '5' (access denied) error. UAC is enabled. What is the most likely cause?" Answer: The user is running as a standard user and the installer requires elevation. The solution is to use deployment tools or temporarily provide credentials. Another troubleshooting scenario: "After changing the UAC level to 'Never notify', users can no longer see UAC prompts, but some applications still fail to install. Why?" The answer might be that 'Never notify' disables the prompt but applications that require elevation still need to run as administrator; the system silently denies elevation requests when set to this level in older Windows versions. In Windows 10 and 11, 'Never notify' actually does allow elevation without prompting, so you need to know the specific behavior of the version tested.
Finally, exam questions sometimes ask about UAC's interaction with other components. For example: "Which Windows service determines whether an application requires elevation?" Answer: the Application Information Service (AppInfo). Or: "UAC uses which type of token for standard user processes?" Answer: a filtered token. Knowing these details helps you answer multi-step questions that combine UAC with authentication, group policy, or software deployment.
Practise User Account Control Questions
Test your understanding with exam-style practice questions.
Example Scenario
You work as a desktop support technician for a medium-sized company. One morning, you receive a support ticket from a user named Sarah in the accounting department. Sarah says she cannot install a new version of the company's accounting software on her Windows 10 laptop. She is a local administrator on her machine because her job requires installing various financial tools from time to time.
When you remote into Sarah's computer, you see that she is trying to run the setup file, which is named AccountPro_2025_Setup.exe. She double-clicks the file, and a UAC prompt appears immediately, asking: "Do you want to allow this app to make changes to your device?" The publisher is listed as "Unknown" because the software was downloaded from an internal company portal that does not use a code-signing certificate. Sarah clicks 'Yes', but then the installation proceeds for about 30 seconds and fails with an error message saying: "Installation cannot write to C:\Program Files\AccountPro."
You suspect the problem is related to UAC and file permissions. You check the C:\Program Files\AccountPro directory and find that the permissions on the folder are set to 'Read & Execute' for all users, including the Administrators group. However, because the setup program did not explicitly request elevation (it has 'asInvoker' in its manifest), Windows launched it with Sarah's filtered token, not her full administrator token. The filtered token does not have write permission to that folder, hence the failure.
To resolve this, you explain to Sarah that she should right-click on AccountPro_2025_Setup.exe and select 'Run as administrator' from the context menu. This explicitly tells Windows to launch the installer with the elevated administrator token. The UAC prompt still appears, but this time the installer will have sufficient privileges to write to the Program Files folder. You also note that the publisher shows as 'Unknown' because the file is not signed, which is a security concern. You recommend that the IT team digitally sign the installer in the future to avoid this issue.
After Sarah runs the installer as administrator, the installation completes successfully. You also show her how to check whether the program needs elevation by looking at its properties under the Compatibility tab, there is a checkbox labeled 'Run this program as an administrator' that can be set permanently. You decide not to lower the UAC level or disable it, as that would weaken the security of the laptop. Instead, you educate Sarah on why the prompt appears and how to safely handle it.
Common Mistakes
Disabling UAC completely to avoid prompts.
Disabling UAC removes the elevation prompt entirely, meaning all processes run with full administrative rights and no security boundary. This exposes the system to malware and accidental misconfiguration. Many IT professionals disable UAC for convenience, but this violates the principle of least privilege and is a common finding in security audits.
Instead of disabling UAC, configure it to a lower notification level such as 'Notify me only when apps try to make changes to my computer (do not dim my desktop)'. This reduces prompts while keeping the security layer active. For specific applications, use compatibility settings to auto-elevate or deploy via Group Policy.
Thinking UAC is the same as antivirus software.
UAC does not scan for malware, block malicious downloads, or monitor network traffic. It only controls whether a process gets elevated privileges. Many beginners assume UAC will protect them from all threats, but it is just one layer in a defense-in-depth strategy. Malware can still run without needing elevation, for example, in the user's AppData folder, and UAC will not stop it.
Always combine UAC with antivirus (like Microsoft Defender), a firewall, and safe browsing practices. Understand that UAC only helps when a program tries to access system-wide resources that require admin rights.
Believing that clicking 'Yes' on a UAC prompt automatically grants permanent admin rights to a program.
When you click Yes to a UAC prompt, the program runs elevated only for that session. Once the program closes, the elevated token is released. The program does not gain permanent administrator rights. Some users think that after allowing an installer once, the installed program will always run as admin, but that is not true unless the program's manifest says 'requireAdministrator' or you set the compatibility option.
Remember that UAC elevation is per-process, not per-application. If an application needs permanent admin rights to function, set it to 'Run as administrator' in the compatibility settings, but be aware of the security implications.
Confusing UAC with User Account Management or user authentication.
UAC is about privilege elevation, not about logging in or verifying user identity. Some people think UAC is the same as entering a username and password to log into Windows. It is not. UAC appears after you are already logged in, just before a sensitive operation. It is a consent mechanism, not an authentication mechanism.
Learn the difference: Authentication (login) proves who you are. Authorization (UAC) determines what actions you can perform. UAC does not replace login credentials; it supplements them by requiring explicit approval for elevated actions.
Assuming all UAC prompts are dangerous and should always be denied.
While caution is good, many legitimate system tasks, such as installing updates, adding hardware drivers, or configuring network settings, require elevation. Denying all prompts will prevent normal system maintenance and software installations. It can also cause applications to fail silently or malfunction.
Read the UAC prompt carefully. Look at the program name, publisher, and the color of the prompt (yellow for a signed Microsoft component, blue for an unknown publisher, red for a blocked publisher). Use your judgment: if you initiated the action and the program is trustworthy, click Yes. If you did not initiate anything or the publisher is suspicious, click No and investigate further.
Exam Trap — Don't Get Fooled
{"trap":"The exam question says: 'A user runs a program that requires administrative privileges. The user is logged in as a standard user. What happens?' The distractor answer says: 'The user is prompted to enter an administrator username and password, and after providing correct credentials, the program runs with elevated privileges.'
Another distractor says: 'The program runs without any prompt because the user is the primary user of the computer.'","why_learners_choose_it":"Learners often choose the distractor that seems convenient (no prompt) because they think Windows 'knows' the user should have admin rights. Or they think that a standard user cannot elevate at all and the program simply fails.
In reality, a standard user can elevate by providing admin credentials, and this is a common exam scenario. The distractor that says the program fails is also tempting because it sounds plausible.","how_to_avoid_it":"Remember the exact UAC behavior: For a standard user, UAC will prompt for administrator credentials (username and password).
If they provide correct admin credentials, the program runs elevated. For an administrator logged in normally (with filtered token), UAC prompts for consent (Yes/No), no password needed. This distinction is critical.
Practice this mental model: Standard user = credentials prompt. Admin user = consent prompt (unless 'Admin Approval Mode' is disabled for the built-in admin). If the exam asks 'what happens first?'
, the answer is the UAC prompt appears, regardless of admin or standard user context."
Step-by-Step Breakdown
User or program triggers an action that requires elevation
This could be the user double-clicking an installer, changing a system setting (like turning off Windows Defender), or a running program trying to write to a protected directory. The operating system detects that the requested action needs administrative privileges because the target resource (file, registry key, service) has an access control list (ACL) that only grants write or modify access to the administrators group.
Application Information Service (AppInfo) evaluates the request
The AppInfo service checks the executable file's manifest to see its requested execution level. It also checks the file's digital signature, its path (is it in a protected location like Program Files or System32?), and the UAC Group Policy settings. Based on this, it decides whether a UAC prompt is necessary. For example, a Microsoft-signed installer from the Windows Update path may be auto-approved without prompting the user.
UAC switches to the Secure Desktop
Before displaying the prompt, Windows switches the display to a separate, isolated desktop session called the Secure Desktop. This prevents any malicious program running on the normal desktop from intercepting the user's response or spoofing the UAC dialog. The Secure Desktop is a blank blue or gray background with only the UAC prompt visible. The user cannot interact with any other application until the prompt is resolved.
Consent UI (consent.exe) displays the prompt
The Consent UI process shows the elevation prompt. For administrators, it presents a Yes/No option. For standard users, it shows fields to enter an administrator username and password. The prompt includes information about the program: its name, publisher (if digitally signed), file origin (downloaded from internet, local intranet, etc.), and a shield icon that varies in color based on the trust level (green for verified Microsoft components, yellow for unknown, red for blocked).
User responds to the prompt
If the user clicks Yes (admin) or enters correct credentials (standard user), the process is granted an elevated access token. This token is created by copying the user's full administrator token from the logon session and assigning it to the requesting process. The process then has full access to system resources. If the user clicks No or closes the prompt, the action is denied, and the program receives an 'access denied' error (typically error code 5).
Elevated process runs with full privileges
The elevated process runs in the same user session but with an unrestricted access token. It can now write to protected directories, modify system settings, and interact with other high-integrity processes. The elevation lasts only for that process and its child processes. Once the process terminates, the elevated token is discarded. Other processes launched later (even the same executable) will start again with a standard token unless the action is repeated.
Practical Mini-Lesson
User Account Control is not just a pop-up you have to deal with, it is a fundamental security boundary that every IT professional must understand deeply to manage Windows environments effectively. In practice, UAC works by assigning integrity levels to processes and resources. Windows uses a Mandatory Integrity Control (MIC) system where processes run at Low, Medium, High, or System integrity levels. Standard user processes run at Medium integrity, while processes that have been elevated run at High integrity. Protected system processes run at System integrity. A process at a lower integrity level cannot write to resources at a higher integrity level, even if the DACL (Discretionary Access Control List) would allow it. This is called the 'no write up' policy.
When you configure UAC through the Control Panel, you are actually changing a setting in the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The key value is 'ConsentPromptBehaviorAdmin' for administrators and 'ConsentPromptBehaviorUser' for standard users. The values range from 0 (never prompt) to 2 (prompt for credentials always). There is also 'EnableLUA' which must be set to 1 for UAC to be active at all. Group Policy provides a more granular interface, but at the registry level it is these three values that control everything.
In an enterprise setting, you will almost never manually configure UAC on individual machines. Instead, you use Group Policy Objects (GPOs) from Active Directory to enforce consistent settings across all workstations. Common configurations include setting the prompt behavior for admins to 'Prompt for consent for non-Windows binaries' (which is the default) and for standard users to 'Prompt for credentials' (also default). You can also use GPO to configure the 'Secure Desktop' behavior, the automatic elevation of trusted publishers, and whether to switch to the Secure Desktop.
One of the most practical skills is learning how to test and troubleshoot UAC behavior. If an application is failing, you can use tools like Process Monitor (Procmon) from Sysinternals. Filter by the process name and look for 'ACCESS DENIED' events in the Result column. This will show you exactly which file or registry key the application was trying to access and what integrity level it was running at. You can also use the 'whoami /groups' command to see the integrity level of the current command prompt. If you open a normal command prompt and run 'whoami /groups', you will see 'Medium Mandatory Level'. If you open an elevated command prompt (Run as administrator), you will see 'High Mandatory Level'.
Common issues include applications that do not have a manifest specifying 'requireAdministrator' but still try to write to Program Files. In that case, the solution is not to disable UAC, but either to use a proper deployment tool (like Microsoft Endpoint Configuration Manager) that installs the software in the system context, or to modify the application's compatibility settings to 'Run this program as an administrator'. For legacy applications, you can use the Application Compatibility Toolkit (ACT) or Shim infrastructure to create a fix that will work silently.
Security professionals also need to be aware of UAC bypass techniques. While UAC is effective against casual threats, sophisticated malware can bypass UAC through various methods, such as DLL hijacking, registry key manipulation (especially the 'fodhelper' technique), or using the 'IFileOperation' interface to perform privileged operations without a prompt. These bypasses are patched by Microsoft over time, but they highlight that UAC is not a complete security solution. It is a defense-in-depth layer that should be combined with endpoint protection, application whitelisting, and proper group policy.
Finally, when preparing for exams, remember these key numbers: The UAC prompt appears when a process requests a token with a higher integrity level than its current token. The default behavior for Windows 10/11 is to prompt for consent for administrators (unless the binary is signed by Microsoft and located in a trusted location). The only way to run a program permanently elevated without a prompt is to set it in the compatibility tab, but this is not recommended for security reasons.
Memory Tip
UAC: 'Unless Approved, Changes stop', remember that UAC stands for User Account Control, and it controls changes by requiring your approval before any system-altering action can proceed.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1101CompTIA A+ Core 1 →SY0-701CompTIA Security+ →220-1102CompTIA A+ Core 2 →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.