The GW Micro blog has been discontinued. For instant updates on GW Micro products and events, follow us on Twitter, and like us on Facebook.
Take Command of Vista without Disabling UAC
by Aaron Smith on Thursday, September 20 2007Power users often find Vista's new security model a bit intrusive. Unlike your average user who rarely encounters a UAC dialog (because they usually don't perform tasks that require elevation), administrators, IT professionals, even those who like to poke and prod are easily annoyed by the pesky, "Are you really sure you meant to do that?" admonishment.
That being said, I believe that UAC has its place, and can be an important feature that helps keep random nasties from throwing autonomous frenzied infection parties. But what if we want the freedom to launch applications without interruption, while not sacrificing the potential benefit of UAC? After all, UAC is system wide: turn it off for you and it gets turned off for everyone, including your 13-year old who has the propensity to discover the most cantankerous of mishaps.
The solution is to keep a handful of administrative tricks up your sleeve that give you the power, rather than having to disable UAC, or leave the decision making up to the operating system.
The first and most evident way to launch an application with administrative privileges is to bring up the context menu of the executable, and choose the "Run as Administrator" menu item.
A second method is to type the name of the application in the Vista Start Search edit box, then instead of pressing ENTER to launch it, press CRTL-SHIFT-ENTER to launch with administrative privileges.
Although it's simple enough to launch an application with administrative privileges by using either of the previous two methods, you still have to accept a UAC prompt every time the application is run. So how do we create an environment where we can launch applications with administrative privileges without being hassled by UAC?
I have two potential solutions: an elevated command prompt, or an elevated task manager.
The command prompt is my best friend. Back around 1980, my father introduced me to his Sinclair ZX81. I was hooked (despite the fact that it took several minutes to load and save applications using a cassette tape), and I've been typing out what I want to do ever since. Even now, using a command prompt to launch applications is more natural to me than anything I can do by going "clicky-clicky." And here's the nifty part about command prompts: processes launched from command prompts inherit the command prompt's security. In other words, launching applications from an elevated command prompt means those applications will launch elevated as well.
We learned previously that launching applications from Vista's Start Search edit box with CTRL-SHIFT-ENTER will run them elevated. So all we have to do is enter cmd into Vista's Start Search edit box, press CTRL-SHIFT-ENTER, confirm a single UAC dialog, and then whatever we run from the ensuing elevated command prompt will also be elevated without additional UAC dialogs.
Ta da! We just created a nice little environment where we're free to do what we want (because we trust ourselves) without compromising the security of the system for everyone else. You still have the normal caveats to deal with. For example, if you've mapped a network share in Explorer, or a non-elevated command prompt, it probably won't be available in the elevated command prompt. Just remap (using the net use command), and you'll be all set.
I also mentioned using an elevated task manager. Instead of typing cmd in the Vista Start Search edit box, type taskmgr, followed by CTRL-SHIFT-ENTER. Confirm a single UAC, and then an elevated Task Manager will be running. "What's the point in elevating the utility used to shut down processes," I hear you ask. Just press ALT-F to bring up the File menu, and you'll hear what I'm up to. The first option is "New Task (Run)?" Press enter, and you're in a Run dialog box, much like if you had pressed WINDOWS-R, only this one will launch applications with elevated permissions (because Task Manager is also elevated). You can keep Task Manager minimized in the background, and use it to launch elevated apps whenever you need to without being bothered by the UAC.
The command prompt solution is a bit more intuitive, I think. But it's nice to have options. Speaking of the command prompt again, if you don't want to get in the habit of remembering CTRL-SHIFT-ENTER to launch an elevated command from the Vista Start Search edit box (and trust me, it's a hard habit to get into), you can create a shortcut to an elevated command prompt on the desktop by following these steps:
- Press WINDOWS-D to focus the desktop
- Press SHIFT-F10 to bring up the context menu
- Press W to select the New pull down
- Press S to select the Shortcut option
- In the "Type the location of the item" edit box, type cmd, followed by ENTER
- In the "Type a name for this shortcut" edit box, type Admin Command Prompt, followed by ENTER
- Select the newly created shortcut on the desktop, and press ALT-ENTER to access the shortcut properties. The Shortcut tab should be the selected tab control by default. If it is not, you'll need to select it
- Press ALT-D to open the Advanced dialog
- Press SPACE BAR to check the "Run as Administrator" check box
- Press ENTER, followed by ENTER again to save and close respectively
Now you have a shortcut on the desktop to an elevated command prompt. You could even assign a shortcut key to it, making access even easier.
It's true that you'll usually encounter one UAC dialog when entering this elevated environment, but after that, you're UAC free, and you haven't compromised the security of your system. Once again, you're back in control, and the world continues to be round. Of course, there's a good possibility that you can't be trusted yourself, in which case, you didn't hear any of this from me.
