Possible Improved UAC Implementation

[DarwinCSIWindowscom]

Hello, I have created courses and guides for the nitty gritty internals of UAC. (here is one example: http://csi-windows.com/toolkit/uac-prompt-guide).

I read that Boxstarter disables and reenables UAC simply to suppress the UAC prompt. DIsabling UAC can have several consequence on software installs.

One way to completely side step these issues is to enable the automatic approval of the prompt and then disable it when done.

If you set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, Value "ConsentPromptBehaviorAdmin" to 0 (DWORD) you should see that prompts disappear even though UAC remains intact.

[mwrock]

Hey that is fantastic!

I dont know why I had not heard of that key but I feel much more comfortable changing this than full UAC.

[DarwinCSIWindowscom]

In my experience, the reason you may not have heard of it is that the conventional wisdom is so quick to jump to "disable all of UAC" that safer alternatives are rarely investigated. This "wisdom" developed early under the pure-hatred of UAC in the Vista release. Sorry to use the four letter word "Vista" ;)

You might want to retest any code that you know has a dependency on your current approach - however, personally I feel there shouldn't be much in the way of regression problems.

You might have to change any "checks for UAC disablement" so they return "true" if you have admin rights and this new registry key on at the same time as they would be considered equivalent.

[mwrock]

yep. Those were my thoughts too. It should be relatively straightforward to implement. My biggest concern are unknown edge cases. I played with it a bit last night and it "worked on my box" but boxstarter needs to support win7/2k8r2 and higher which are still relatively modern versions :) But I do need to run it through the gamut of all the various scenarios.