We use cookies on our website to provide you with the best experience. If you continue browsing, you are consenting to our use of these cookies, but if you would like to know more, including how you can change your settings, take a look at our Privacy Notice.

User Account Control (UAC) and virtualisation

$kcs_do_not_edit

This article explains how User Account Control works in Windows 10, 8, 7 and Vista.

Sage software is fully tested on all supported operated systems. If the software is used in a variation on a standard operating environment, for example a virtual environment, we will attempt to assist as far as we can with normal troubleshooting. In certain cases it may be necessary to refer you to your IT support for issues that we believe may be down to the environment that you are running your Sage software in.

User Account Control (UAC)

One of the big security features introduced in Windows Vista is User Account Control (UAC). UAC allows administrators to run as standard users whilst still allowing them to perform administrative tasks.

How UAC works

When logging on to Windows 2000, XP and 2003 you are granted an access token which reflects your status. An administrative token includes everything from the standard users token plus additional rights. When a member of the administrators group logs on to Windows 7 or Vista, they receive a standard users token plus a separate administrative token.

  • The administrative token is disabled during the logon process, effectively reducing the administrator to a standard user.

  • The administrator therefore uses the operating system as a standard user but when they try to perform an admin task the UAC confirmation window appears.

    To perform the requested admin task, the administrator must click Continue before their disabled administrative token is enabled. As soon as the task is complete, the administrative token is disabled and the administrator reverts back to using their standard user token.

  • If a standard user attempts to perform an admin task they are prompted for the password of an administrator account.

Why was UAC introduced?

UAC was introduced to prevent any virus or malicious code from performing admin tasks. Because you function as a user in Windows 7 or Vista, if your computer becomes infected by a virus, or any form of malicious code, the virus inherits the standard user token and is prevented by the operating system from performing admin tasks and doing any real harm.

Protected Operating System Areas and virtualisation

Windows 7 and Vista protect the following folders and registry key preventing programs from writing to these areas:

  • C:\Windows
  • C:\Program Files
  • HKEY_LOCAL_MACHINE

These areas can be written to when a program is installed because Windows 7 and Vista automatically detect installers, for example, InstallShield, and allows them to run using an administrative token.

Programs which are written to be UAC compliant, or UAC aware, should not attempt to write to these locations under normal running conditions and are therefore unaffected by these protected areas.

Older programs which are not UAC aware, may attempt to write to these protected locations to store configuration settings or program data. For example, sage.ini and payroll.ini stored in C:\Windows.

To bypass the write restrictions on these protected areas and to write to these areas in the normal way, a program can be run with an administrative token:

  • Right-click the program shortcuts > choose Run as administrator > enter the login details of the administrative account.

To prevent programs failing under Windows 7 and Vista, file and registry virtualisation is used to maintain the integrity of the operating system whilst still allowing non-UAC aware software to operate correctly.

File and Registry Virtualisation

When a program attempts to write to a protected area the operating system actually writes the file to a different, user specific, location without making the program aware of the new location.

The next attempt by the program to read or write to this data sees the operating system intervene and redirect the request to the virtualised set of data. The program is not aware that the data is not in the expected location and therefore performs as expected.

File Virtualisation

  • Any attempt by a program to write to C:\Program Files results in the file being virtualised into the following user-specific folder:

    C:\Users\<username>\AppData\Local\VirtualStore\Program Files

  • Any attempt by a program to write to C:\Windows results in the file being virtualised into the following user-specific foler:

    C:\Users\<username>\AppData\Local\VirtualStore\Windows

Registry Virtualisation

  • Any attempt by a program to write to HKEY_LOCAL_MACHINE results in the entry being virtualised into the following user-specific registry key:

    HKEY_CLASSES_ROOT > VirtualStore

Turn off UAC.

You must only turn off the UAC security feature on Windows Vista, 7, 8 or 10 and it must only be for troubleshooting purposes. You must turn UAC back on once you've finished troubleshooting as UAC provides an essential level of security within the operating system.

Windows 10

  1. Ensure all software is closed.
  2. Press the Windows key and X.
  3. Click Control Panel then click User Accounts.
  4. Click User Accounts then click Change User Account Control settings.
  5. Make a note of the current setting.
  6. Drag the slider to the bottom to Never Notify then click Yes.
  7. Restart the computer.

To turn on UAC, repeat the above steps and reset the slider to its original position.

Windows 8

  1. Ensure all software is closed.
  2. Press the Windows key and X then click Control Panel.
  3. Click User Accounts and Family Safety then click User Accounts.
  4. Click Change User Account Control settings then make a note of the current setting.
  5. Drag the slider to the bottom to Never Notify.

    When prompted Do you want to allow the following program to make changes to this computer, click Yes.

  6. Restart the computer.

To turn on UAC, repeat the above steps and reset the slider to its original position.

Windows 7

  1. Ensure all software is closed.
  2. Click Start then click Control Panel.
  3. Click User Accounts then click Change User Account Control settings.
  4. Make a note of the current setting.
  5. Drag the slider to the bottom to Never Notify.

    when prompted Do you want to allow the following program to make changes to this computer, click Yes.

  6. Restart the computer.

To turn on UAC, repeat the above steps and reset the slider to its original position.