For IT Specialist

How to Check and set Windows UAC settings with commands

Required Skills

Ability to execute Windows commands. Some understanding of registry settings.

Summary

Introduction to checking and changing UAC (User Account Control) settings with commands. In an organizational setting, there are cases where UAC settings are difficult to grasp from the appearance of the UI and are actually enabled. In such cases, problems may occur, such as some programs pausing after execution and not being displayed, because UAC is not completely disabled. This section also explains how to change the registry settings with the command in such cases.

Interesting experience

One thing I have found interesting in my experience is that in large organizations, there are cases where UAC is supposed to be disabled on the part of the device manager and loaned out, but is enabled during operation. However, it seems difficult to resolve this between the support center and the user because the GUI makes it look as if it is disabled. In such cases, try checking the settings with the command, since EnableUA may be set to 0x1 even though some registry entries related to UAC are set to be equivalent to disable.

Command

The commands are all direct manipulations of the registry. Although these are not settings that will cause the OS to crash, if you are not familiar with them, be careful when entering them.

Command to check registry settings

This command checks each of the four settings. Please read the description of each setting after the command.

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken

Description of their registry settings

The value returned by the command is displayed in hexadecimal, where 0 is 0x0 and 1 is 0x1 in decimal. The following explanation is written in decimal. regedit.exe GUI also displays in decimal.

  1. EnableLUA (Enable User Account Control)
    Value: 0 or 1
    0: User Account Control (UAC) is disabled. This means that applications or scripts that require administrative privileges can be executed without user intervention. Security risks are increased.
    1: User Account Control (UAC) is enabled. Operations that require administrative privileges require user authorization, thus strengthening the protection of the system.
  2. ConsentPromptBehaviorAdmin (Behavior of the administrator's UAC prompt)
    Values: 0, 2, 5, etc.
    0: Allow elevation without prompting the administrator.
    2: Allow administrator to elevate without confirmation on his/her desktop.
    5: Administrator will be prompted for credentials on the secure desktop.
  3. PromptOnSecureDesktop (UAC prompt on secure desktop)
    Value: 0 or 1
    0: The UAC prompt appears on a normal desktop. This could facilitate malicious intervention by malware.
    1: UAC prompts are displayed on the secure desktop and are not visible to other applications. This improves security.
  4. FilterAdministratorToken (Filtering of admin tokens)
    Value: 0 or 1
    0: The administrator account automatically has all privileges without UAC prompts.
    1: Certain operations require authorization through UAC prompts, even for the administrator account.

Command to export the current configuration

If you want to save the current settings, you can export the settings to be changed this time with the following command. The file is saved directly to the C drive. You must have administrator privileges to run this command. The reg file is expressed in DWORD, so the values are displayed as unsigned 32-bit integers in binary. 0x1 is 00000001. 

reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\uac_settings.reg

Commands to modify the registry

You must have administrative privileges to run this command. Please open a command prompt with administrator privileges. The values to be set are arbitrary, based on the settings described in the previous section. In the following, we will write a command to disable EnableLUA; when the EnableLUA setting is changed, a notification will appear asking you to restart the OS as well as the GUI.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

参考: Microsoft Learn reg command