220-1102, Chapter 38 of 131, Objective 1.3

User Account Control (UAC)

This chapter covers User Account Control (UAC), a critical security feature in Windows that helps prevent unauthorized changes to the operating system. UAC is a key topic in CompTIA A+ Core 2 (220-1102) under Objective 1.3, which focuses on configuring and securing operating systems. Expect approximately 5-10% of exam questions to reference UAC, often in the context of security best practices, troubleshooting, or configuration settings. Understanding UAC's mechanism, configuration options, and common misconceptions is essential for passing the exam and for real-world IT support.

Updated May 31, 2026

UAC: The Security Guard with a Key Card

Imagine a large office building where employees have different levels of access. Most employees have a standard badge that lets them enter the main lobby and their own cubicle area. However, certain rooms—like the server room, executive offices, and HR filing area—require a special key card that only a few trusted employees possess. When a standard employee tries to access one of these restricted rooms, a security guard stops them and says, "This room requires additional authorization. Do you have permission?" The employee must then present the special key card, which the guard verifies against a list of authorized personnel. If the card is valid, the guard unlocks the door; if not, the employee is denied entry. Importantly, the guard does not grant permanent access—the next time the employee tries to enter, the guard again asks for the key card. This is exactly how User Account Control (UAC) works: standard user accounts run with limited privileges; when an action requires administrative rights, UAC prompts for consent or credentials, and only then does the system elevate the process for that specific task. The guard (UAC) ensures that even if a standard account is compromised, the attacker cannot access sensitive system functions without explicit approval.

How It Actually Works

What is User Account Control (UAC)?

User Account Control (UAC) is a security feature introduced in Windows Vista and present in all subsequent versions, including Windows 10 and Windows 11. Its primary purpose is to prevent unauthorized changes to the operating system by requiring explicit permission from an administrator before allowing actions that could affect system security or stability. UAC helps mitigate the impact of malware by ensuring that even if a user is logged in with an administrative account, most processes run with standard user privileges unless elevated. This concept is known as the "least privilege" principle.

Why UAC Exists

Before UAC, Windows users often ran with full administrative privileges, which meant that any application, including malware, had complete control over the system. UAC was designed to reduce the attack surface by running most applications with standard user privileges, even if the user is an administrator. When an action requires administrative rights, UAC prompts the user for consent (if they are an administrator) or for credentials (if they are a standard user). This prompt is known as the "UAC elevation prompt."

How UAC Works Internally

UAC operates through a mechanism called "token filtering." When a user logs on, Windows creates an access token that contains the user's security identifiers (SIDs) and privileges. If the user is a member of the Administrators group, Windows creates two separate tokens:

Filtered token: This token has most administrative privileges removed. It is used to launch all applications by default, including Windows Explorer. This ensures that even an administrator runs with standard user privileges until a task specifically requests elevation.

Full token: This token contains all administrative privileges. It is not used for normal operations but is stored in memory. When an application requests elevation, Windows uses this full token to run the process.

When a process attempts to perform an action that requires administrative rights (e.g., writing to the Program Files folder, modifying system registry keys, or installing drivers), the system checks the token. If the process is running with a filtered token, the action is denied, and the system triggers a UAC prompt.

UAC Elevation Prompt

The UAC prompt appears in one of two forms depending on the user account type:

Consent prompt: For administrative accounts. It asks the user to click "Yes" or "No" to approve the elevation. The user does not need to re-enter credentials.

Credential prompt: For standard user accounts. It asks for the username and password of an administrative account. This is more secure because it requires explicit authentication.

By default, the UAC prompt appears on the secure desktop, which is a separate, isolated desktop that prevents other applications from interfering with the prompt. This prevents malware from simulating clicks or capturing the prompt.

UAC Notification Levels

Windows provides four UAC notification levels, configurable via the "User Account Control Settings" applet:

Always notify (highest): UAC prompts whenever a program tries to install software or make changes to the computer, and when the user makes changes to Windows settings. The prompt appears on the secure desktop. This is the most secure setting but can be disruptive.

Notify me only when programs try to make changes to my computer (default): UAC prompts only when a program attempts to make a change. Changes made by the user directly (e.g., via Control Panel) are automatically allowed without prompting. The prompt appears on the secure desktop. This is the default setting in Windows.

Notify me only when programs try to make changes to my computer (do not dim my desktop): Same as above, but the prompt does not appear on the secure desktop. This is less secure because other programs may interfere with the prompt.

Never notify (lowest): UAC is effectively disabled. No prompts appear, and all processes run with full administrative privileges if the user is an administrator. This is not recommended.

UAC Virtualization

UAC virtualization is a compatibility feature that redirects write attempts to protected system locations (e.g., Program Files, HKEY_LOCAL_MACHINE\Software) to a per-user virtual store. This allows legacy applications that expect to write to these locations to function without requiring elevation. The virtual store is located at:

For files: %USERPROFILE%\AppData\Local\VirtualStore

For registry: HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE

Virtualization is only applied to 32-bit applications that do not have a requested execution level (as defined in the manifest). It is not applied to 64-bit applications or applications that explicitly request elevation.
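
When a legacy application appears to lose its settings or shows different data for each user, the virtual store is the first place to look. The PowerShell below is an added example, not part of the original chapter: it lists what has been redirected into the two virtual store locations named above and maps each item back to the protected location the application intended to write. The function names are hypothetical, and the mapping assumes the file store mirrors paths on the system drive.

```powershell
# Added example, not from the original chapter. Function names are hypothetical.
# Assumption: paths under VirtualStore mirror the system drive, e.g.
#   VirtualStore\Program Files (x86)\App\app.ini -> C:\Program Files (x86)\App\app.ini
function Get-VirtualizedFile {
    param(
        [string]$StoreRoot = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$RealRoot  = "$env:SystemDrive\"
    )
    # No VirtualStore folder means nothing has been redirected for this user.
    if (-not (Test-Path -LiteralPath $StoreRoot)) { return }
    $base = (Resolve-Path -LiteralPath $StoreRoot).Path.TrimEnd('\')

    Get-ChildItem -LiteralPath $base -Recurse -File -Force | ForEach-Object {
        $relative = $_.FullName.Substring($base.Length).TrimStart('\')
        $original = Join-Path $RealRoot $relative

        # Compare the redirected copy with the file in the protected location.
        if (-not (Test-Path -LiteralPath $original)) {
            $state = 'OnlyInVirtualStore'
        } elseif ((Get-FileHash -LiteralPath $original).Hash -ne
                  (Get-FileHash -LiteralPath $_.FullName).Hash) {
            $state = 'DiffersFromOriginal'
        } else {
            $state = 'SameAsOriginal'
        }

        [pscustomobject]@{
            State        = $state
            VirtualPath  = $_.FullName
            IntendedPath = $original
            LastWrite    = $_.LastWriteTime
        }
    }
}

function Get-VirtualizedRegistryKey {
    $virtual = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path -LiteralPath $virtual)) { return }
    $prefix = [regex]::Escape('HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE')

    Get-ChildItem -LiteralPath $virtual -Recurse | ForEach-Object {
        [pscustomobject]@{
            VirtualKey  = $_.Name
            # Key the application believed it was writing to.
            IntendedKey = ($_.Name -ireplace "^$prefix", 'HKEY_LOCAL_MACHINE')
        }
    }
}

# Run as the affected user; no elevation is needed to read the per-user store.
Get-VirtualizedFile | Sort-Object State | Format-Table -AutoSize
Get-VirtualizedRegistryKey | Format-Table -AutoSize
```

Items reported as DiffersFromOriginal or OnlyInVirtualStore explain why one user sees settings that another user, or an elevated run of the same application, does not.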

UAC and Application Manifest

Applications can declare their required execution level in a manifest file. The manifest includes a requestedExecutionLevel element with one of three values:

asInvoker: The application runs with the same privileges as the parent process (usually standard user). No UAC prompt.

highestAvailable: The application requests the highest privileges available to the current user. If the user is an administrator, a UAC prompt appears; if standard user, no prompt but runs with standard privileges.

requireAdministrator: The application requires full administrative privileges. A UAC prompt always appears, and the user must be an administrator.

If an application does not have a manifest, Windows applies heuristics to determine whether to prompt. For example, if the application's name contains words like "setup" or "install", Windows may automatically prompt for elevation.

UAC Group Policy Settings

UAC can be configured via Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Key policy settings include:

User Account Control: Admin Approval Mode for the Built-in Administrator account: Enables or disables Admin Approval Mode for the built-in Administrator account. Default is disabled.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Options include "Elevate without prompting," "Prompt for consent," "Prompt for credentials," and "Prompt for consent for non-Windows binaries." Default is "Prompt for consent."

User Account Control: Behavior of the elevation prompt for standard users: Options include "Automatically deny elevation requests" and "Prompt for credentials." Default is "Prompt for credentials."

User Account Control: Detect application installations and prompt for elevation: Enables or disables automatic detection of installation packages. Default is enabled.

User Account Control: Only elevate executables that are signed and validated: Enforces digital signature requirements for elevation. Default is disabled.

User Account Control: Run all administrators in Admin Approval Mode: Enables or disables Admin Approval Mode for all administrator accounts. Default is enabled.

User Account Control: Switch to the secure desktop when prompting for elevation: Enables or disables the secure desktop prompt. Default is enabled.

User Account Control: Virtualize file and registry write failures to per-user locations: Enables or disables UAC virtualization. Default is enabled.

UAC and Command Line

When running commands from an elevated command prompt, the prompt is titled "Administrator: Command Prompt." To run a command as administrator from a non-elevated prompt, use the runas command:

runas /user:Administrator "cmd.exe"

Alternatively, right-click the command prompt icon and select "Run as administrator."

UAC and PowerShell

PowerShell also respects UAC. To run a script that requires elevation, you must start PowerShell as administrator. You can check if the current session is elevated using:

[System.Security.Principal.WindowsPrincipal]::new([System.Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

This returns True if elevated, False otherwise.

UAC and Remote Connections

UAC does not apply to remote desktop connections in the same way. By default, Remote Desktop users are assigned a filtered token, but UAC prompts are not displayed on the remote session. Instead, remote administration tools like psexec can bypass UAC if run with the -s flag (system account). This is a common attack vector.

Troubleshooting UAC

Common issues include:

UAC prompts not appearing: Check Group Policy settings, especially if UAC is disabled via policy.

Applications failing to run with elevation: Ensure the application has a proper manifest or use compatibility settings.

UAC prompts appearing too frequently: Lower the notification level, but be aware of security implications.

Secure desktop not appearing: Check Group Policy setting "Switch to the secure desktop when prompting for elevation."

To verify UAC status from the command line, use:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

A value of 1 means UAC is enabled; 0 means disabled.
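
EnableLUA is only one of the values stored under that key; the other Security Options policies listed earlier are stored beside it. The PowerShell below is an added example, not part of the original chapter: it decodes the values that back those policies and flags the ones that remove a prompt or the secure desktop. The registry value names are the standard counterparts of the policies, while the function names and the choice of which data to rate as weak are assumptions of this example.

```powershell
# Added example, not from the original chapter. Function names and the "Weak"
# ratings are this example's assumptions, not an official baseline.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$OnOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Registry value -> decoding table, data rated weak, and the policy it backs.
$UacChecks = @(
    @{ Name = 'EnableLUA'; Map = $OnOff; Weak = @(0); Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Name = 'FilterAdministratorToken'; Map = $OnOff; Weak = @(); Policy = 'Admin Approval Mode for the Built-in Administrator account' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Map = $AdminPrompt; Weak = @(0); Policy = 'Behavior of the elevation prompt for administrators' }
    @{ Name = 'ConsentPromptBehaviorUser'; Map = $UserPrompt; Weak = @(); Policy = 'Behavior of the elevation prompt for standard users' }
    @{ Name = 'EnableInstallerDetection'; Map = $OnOff; Weak = @(); Policy = 'Detect application installations and prompt for elevation' }
    @{ Name = 'ValidateAdminCodeSignatures'; Map = $OnOff; Weak = @(); Policy = 'Only elevate executables that are signed and validated' }
    @{ Name = 'PromptOnSecureDesktop'; Map = $OnOff; Weak = @(0); Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'EnableVirtualization'; Map = $OnOff; Weak = @(); Policy = 'Virtualize file and registry write failures' }
)

function Get-UacRegistryValues {
    # Read the live key; value names that are absent are left out of the result.
    $item = Get-ItemProperty -Path $UacKey
    $values = @{}
    foreach ($check in $UacChecks) {
        $prop = $item.PSObject.Properties[$check.Name]
        if ($null -ne $prop) { $values[$check.Name] = [int]$prop.Value }
    }
    $values
}

function Test-UacPolicy {
    param([Parameter(Mandatory)][hashtable]$Values)
    foreach ($check in $UacChecks) {
        if ($Values.ContainsKey($check.Name)) {
            $data    = [int]$Values[$check.Name]
            $meaning = $check.Map[$data]
            if (-not $meaning) { $meaning = 'Unrecognized value' }
            $status  = if ($check.Weak -contains $data) { 'Weak' } else { 'OK' }
        } else {
            $data = $null; $meaning = 'Not set (OS default applies)'; $status = 'NotSet'
        }
        [pscustomobject]@{
            Name = $check.Name; Data = $data; Status = $status
            Meaning = $meaning; Policy = $check.Policy
        }
    }
}

# Constructed sample values (not taken from a real machine): Admin Approval Mode
# is on, but elevation is silent and the secure desktop is switched off.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 0 }
Test-UacPolicy -Values $sample | Format-Table Name, Data, Status, Meaning -AutoSize

# On a live Windows host:
# Test-UacPolicy -Values (Get-UacRegistryValues) | Where-Object Status -eq 'Weak'
```

The sample shows why checking EnableLUA alone is not enough: it reads 1, yet the two flagged values mean administrators are elevated with no prompt at all.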

UAC and Windows 10/11 Features

Windows Defender: UAC helps protect Windows Defender settings from unauthorized changes.

Windows Update: UAC prompts when changing update settings.

Installing software: Most installers trigger a UAC prompt unless they are per-user installations (e.g., AppX packages).

Summary of Key Values

Default UAC level: Notify me only when programs try to make changes to my computer.

Default Admin Approval Mode: Enabled.

Default for built-in Administrator account: Admin Approval Mode disabled.

Virtualization: Enabled for 32-bit apps without manifest.

Secure desktop: Enabled by default.

Walk-Through

1. User Logs On

When a user logs on to a Windows system, the Local Security Authority (LSA) creates an access token. If the user is a member of the Administrators group, LSA creates two tokens: a filtered token with most administrative privileges removed, and a full token with all privileges. The filtered token is used to launch the shell (Explorer.exe) and all subsequent applications by default. The full token is stored and only used when an application requests elevation.

2. Application Attempts System Change

A user runs an application that attempts to perform an action requiring administrative privileges, such as writing to the Program Files folder or modifying system registry keys. The operating system checks the token of the process. Since the process is running with the filtered token, the action is denied, and the system triggers a UAC elevation request.

3. UAC Prompt Appears

The UAC prompt appears on the secure desktop (if enabled). For an administrative user, the prompt asks for consent (Yes/No). For a standard user, it asks for administrator credentials. The secure desktop prevents other processes from interacting with the prompt, reducing the risk of clickjacking or credential theft.

4. User Responds to Prompt

If the user clicks 'Yes' or provides valid credentials, the system creates a new process using the full administrative token. This process runs with elevated privileges. If the user clicks 'No' or cancels, the action is denied, and the application may fail or run with limited functionality.

5. Elevated Process Executes

The elevated process runs with the full token, allowing it to make system changes. The elevation is temporary and applies only to that specific process. Any child processes launched by the elevated process also run with elevated privileges unless they explicitly request a lower level. Once the process ends, the elevated rights are gone.

What This Looks Like on the Job

In an enterprise environment, UAC is a critical layer of defense against malware and unauthorized system changes. For example, a company deploys Windows 10 workstations for its employees. The IT department configures UAC via Group Policy to enforce the highest notification level on all user workstations. This ensures that any attempt to install software or change system settings triggers a UAC prompt. Help desk staff are trained to recognize legitimate UAC prompts and to verify that users are not blindly clicking 'Yes' to malicious prompts. In this scenario, UAC helps prevent ransomware from encrypting system files by requiring explicit elevation for any write operations to protected directories.

Another common scenario is in a software development environment where developers need to test applications that require administrative privileges. The IT team configures UAC to prompt for credentials for standard users, so developers must enter an admin account's credentials to run elevated tests. This prevents accidental system changes while still allowing necessary development work.

A misconfiguration that often occurs is disabling UAC entirely to reduce user frustration. This is a serious security risk because it removes the protection against unauthorized system changes. In one case, a company experienced a malware outbreak because UAC was disabled on all workstations, allowing the malware to install itself without any prompts. The fix involved re-enabling UAC via Group Policy and retraining users to expect and respond to prompts.

Performance considerations: UAC prompts can cause a slight delay (1-2 seconds) when an elevation is requested, but this is negligible on modern hardware. The secure desktop switch can cause a brief screen flicker, which is normal. At scale, managing UAC via Group Policy is straightforward and consistent across thousands of machines.

How 220-1102 Actually Tests This

The CompTIA A+ Core 2 (220-1102) exam tests UAC under Objective 1.3: "Configure and secure operating systems." Specifically, you need to know: (1) The purpose of UAC: to prevent unauthorized changes by running most programs with standard user privileges. (2) The difference between the consent prompt and credential prompt. (3) The four UAC notification levels and their default. (4) How to configure UAC via the Control Panel and Group Policy. (5) The concept of token filtering and the two tokens (filtered and full). (6) UAC virtualization and its limitations. (7) The runas command.

Common wrong answers: (1) Choosing "UAC prevents all malware" — it does not; it only limits the privileges of running processes. (2) Thinking that UAC prompts appear for every action — only for those requiring administrative rights. (3) Believing that disabling UAC improves security — it actually reduces security. (4) Confusing UAC with Windows Defender or BitLocker.

Exam-specific numbers: Default UAC level is "Notify me only when programs try to make changes to my computer." The default for built-in Administrator account is Admin Approval Mode disabled. The default for standard users is "Prompt for credentials."

Terms that appear verbatim: "Admin Approval Mode," "filtered token," "full token," "secure desktop," "UAC virtualization."

Edge cases: UAC does not apply to the SYSTEM account; services run with SYSTEM privileges bypass UAC. Also, UAC can be bypassed using techniques like DLL hijacking or using psexec with -s flag — the exam may test that UAC is not a complete security solution.

To eliminate wrong answers, focus on the mechanism: if an answer says UAC requires a password for administrators, that is false (consent prompt does not require password). If an answer says UAC prevents all changes, it is false — it only prompts for elevation.

Key Takeaways

UAC uses token filtering: filtered token for standard tasks, full token only for elevated tasks.

Default UAC level: 'Notify me only when programs try to make changes to my computer' (level 2 of 4).

Administrators see a consent prompt; standard users see a credential prompt.

UAC virtualization redirects writes to protected locations for 32-bit apps without a manifest.

The built-in Administrator account is not subject to UAC by default.

UAC can be configured via Group Policy under Security Options.

The runas command can be used to run programs as a different user, including administrator.

Disabling UAC reduces security and is not recommended for general use.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

UAC Enabled (Default)

Most processes run with standard user privileges (filtered token).

UAC prompts for consent or credentials when elevation is needed.

Helps prevent unauthorized system changes and malware installation.

Compatible with most modern applications; legacy apps may use virtualization.

Recommended for all users, including administrators.

UAC Disabled

All processes run with full administrative privileges if user is an admin.

No UAC prompts; any process can make system changes without notification.

Significantly increases security risk; malware can easily modify system files.

May improve compatibility with very old applications that require admin rights.

Not recommended except in isolated, controlled environments like kiosks.

Watch Out for These

Mistake

UAC requires a password every time an administrator makes a change.

Correct

For administrative accounts, the default UAC prompt is a consent prompt (Yes/No), not a credential prompt. Only standard users are prompted for an administrator password.

Mistake

Disabling UAC makes the computer more secure because it reduces interruptions.

Correct

Disabling UAC removes a key security layer, allowing any process to run with full administrative privileges. This significantly increases the risk of malware infection and unauthorized system changes.

Mistake

UAC protects against all malware.

Correct

UAC only limits the privileges of processes; it does not prevent malware from running. Malware that runs with standard user privileges can still cause damage (e.g., to user files). UAC is one component of a defense-in-depth strategy.

Mistake

UAC virtualization applies to all applications.

Correct

UAC virtualization only applies to 32-bit applications that do not have a requested execution level in their manifest. 64-bit applications and those with a manifest are not virtualized.

Mistake

The built-in Administrator account is subject to UAC by default.

Correct

By default, the built-in Administrator account (which is disabled by default in Windows 10/11) runs with full administrative privileges and is not subject to Admin Approval Mode. UAC prompts do not appear for this account.


Frequently Asked Questions

How do I disable UAC in Windows 10/11?

To disable UAC, open the Control Panel, go to User Accounts > User Accounts > Change User Account Control settings. Move the slider to 'Never notify' and click OK. You can also disable it via Group Policy: set 'User Account Control: Run all administrators in Admin Approval Mode' to Disabled. Disabling UAC is not recommended for security reasons.

What is the difference between UAC consent and credential prompts?

The consent prompt appears for administrative accounts and asks the user to click 'Yes' or 'No' to approve the elevation. The credential prompt appears for standard user accounts and requires the user to enter an administrator username and password. The credential prompt is more secure because it requires authentication.

Why does my UAC prompt not appear on the secure desktop?

The secure desktop is controlled by the Group Policy setting 'User Account Control: Switch to the secure desktop when prompting for elevation.' If this is disabled, the prompt appears on the regular desktop. Additionally, if the notification level is set to 'Notify me only when programs try to make changes to my computer (do not dim my desktop),' the secure desktop is not used.

Can UAC be bypassed?

Yes, UAC can be bypassed using various techniques, such as DLL hijacking, using the SYSTEM account (e.g., psexec -s), or exploiting trusted binaries that auto-elevate. This is why UAC should be part of a layered security approach, not the sole defense.

What is UAC virtualization and how does it work?

UAC virtualization is a compatibility feature that redirects write attempts by legacy 32-bit applications to protected system locations (like Program Files) to a per-user virtual store. The virtual store is located at %USERPROFILE%\AppData\Local\VirtualStore for files and HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE for registry. This allows the application to run without elevation while still appearing to write to the original location.

How do I run a command as administrator from the command line?

Use the runas command: runas /user:Administrator "cmd.exe". You will be prompted for the administrator password. Alternatively, right-click the Command Prompt icon and select 'Run as administrator' to start an elevated session.

Does UAC apply to Windows services?

Windows services run under the SYSTEM account or a specified service account, which are not subject to UAC. Services can perform administrative actions without prompting. However, services should be configured with the least privilege necessary.
