UAC's Secure Desktop is a hard block

By Ed Bott

User Account Control is one of Windows Vista's most controversial and most misunderstood features. In this walkthrough, I'll help you smooth over some of its harder edges without shutting it off completely.

By default, the consent dialog box appears on a dark background. That feature is called the Secure Desktop, and it demands your undivided attention. Until you click Continue or Cancel, you can't do anything else.

If you're running Vista Business, Ultimate, or Enterprise, you can use the Local Group Policy Editor (gpedit.msc) to change this security setting. Double-click the entry circled in red and change it from Enabled to Disabled.

On systems running Vista Home Basic or Home Premium, the Local Group Policy Editor isn't available, so you'll have to edit the registry. Open the key shown at the bottom of this window and change the PromptOnSecureDesktop value to 0, as shown here.

After you've successfully disabled Secure Desktop, the consent dialog box continues to appear, but it doesn't demand your attention with nearly as much insistence. In fact, you can leave the dialog box open and continue to use other Windows programs and features.

If you turn off UAC, you get rid of the annoying dialogs, but yo also turn off some useful security features. A better solution? Use the Group Policy option shown here (or a matching registry edit) to automatically approve all consent requests. Use this option only if you understand the security risks, and keep reading for my advice on the best way to use it.

One way to make effective use of the "elevate without prompting" option is to assign it to an administrative account that you use only for administrative tasks. Start here in Control Panel, creating a new account and clicking the Administrator option.

After creating an account that you'll use only for administrative tasks, use this account management option to change your everyday account so that it runs as a standard user.

After choosing the Standard user option, click Change Account Type. You can now safely use this account for everyday work, and switch to the other account when you need to perform administrative tasks.

If you choose the option to automatically elevate UAC consent requests without prompting, it applies to all accounts in the Administrator group. In that case, you want to make sure you have one and only one Administrator account; all the rest should be Standard accounts, as shown here.

Do you have a program or utility that badgers you for consent every time you run it? If your account is in the Administrators group, you can use this trick as a workaround. Start by Opening Task Scheduler and clicking the Create Task link on the right.

On the General tab of the Create Task dialog box, enter a name (I've highlighted it in yellow here) and click the Run with highest privilege box at the bottom.

On the Actions tab, click New and then select Start a Program from the Action list. Enter the full path of the program as shown here, with any optional arguments or a starting directory or both.

Don't let the "scheduled" part of this utility fool you. Click the Settings tab and make sure tis option is selected. Instead of running at a specified time or in response to an event, you choose when to fire off the task.

If you always had to open the Task Scheduler program to run the task you just defined, it wouldn't be much of a time-saver, would it? Instead, create a shortcut using the command syntax shown here. Make sure the command name, in quotes, exactly matches the name of the command you created earlier.

In the final step of the Create Shortcut wizard, enter a descriptive name for the shortcut and then click Finish. You can now drag that shortcut onto the Sart menu, the Quick Launch bar, the desktop, or any other place that is convenient for you. When you double-click it, your program opens with full administrative privileges but without any UAC dialog boxes.

Fixing Windows Vista, Part 2: Taming UAC