{
	"id": "6089983e-f666-42d5-b33d-b8f29ea5837d",
	"created_at": "2026-04-06T00:13:56.120238Z",
	"updated_at": "2026-04-10T03:19:56.984014Z",
	"deleted_at": null,
	"sha1_hash": "08e6790b5d6d5f38d6e061eca6ff5a70108b83a3",
	"title": "User Account Control (Design basics) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70808,
	"plain_text": "User Account Control (Design basics) - Win32 apps\r\nBy jwmsft\r\nArchived: 2026-04-05 15:11:47 UTC\r\nNote\r\nThis design guide was created for Windows 7 and has not been updated for newer versions of Windows. Much of\r\nthe guidance still applies in principle, but the presentation and examples do not reflect our current design\r\nguidance.\r\nA well designed User Account Control experience helps prevent unwanted system-wide changes in a way that is\r\npredictable and requires minimal effort.\r\nWith User Account Control (UAC) fully enabled, interactive administrators normally run with least user\r\nprivileges, but they can self-elevate to perform administrative tasks by giving explicit consent with the Consent\r\nUI. Such administrative tasks include installing software and drivers, changing system-wide settings, viewing or\r\nchanging other user accounts, and running administrative tools.\r\nIn their least-privileged state, administrators are referred to as Protected administrators. In their elevated state,\r\nthey are referred to as Elevated administrators. By contrast, Standard users can't elevate by themselves, but they\r\ncan ask an administrator to elevate them using the Credential UI. The Built-in Administrator account doesn't\r\nrequire elevation.\r\nscreen shot of 'allow program' security message\r\nThe Consent UI, used to elevate Protected administrators to have administrative privileges.\r\nscreen shot of message asking for password\r\nThe Credential UI, used to elevate Standard users.\r\nUAC provides the following benefits:\r\nIt reduces the number of programs that run with elevated privileges, therefore helping to prevent users from\r\naccidentally changing their system settings, and helping to prevent \"malware\" from gaining system-wide\r\naccess. When elevation is denied, malware is only able to affect the current user's data. Without elevation,\r\nmalware can't make system-wide changes or affect other users.\r\nFor managed environments, well designed UAC experiences allow users to be more productive when\r\nrunning as Standard users by removing unnecessary restrictions.\r\nIt gives Standard users the ability to ask administrators to give them permission to perform administrative\r\ntasks within their current session.\r\nFor home environments, it enables better parental control over system-wide changes, including what\r\nsoftware is installed.\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 1 of 8\n\nDevelopers: For implementation information, see Redesign Your UI for UAC Compatibility.\r\nIn Windows Vista, Protected administrators can choose to be notified about all system changes or none. The UAC\r\ndefault setting is to notify about all changes, no matter what their origin. When you're notified, your desktop will\r\nbe dimmed, and you must either approve or deny the request in the UAC dialog box before you can do anything\r\nelse on your computer. The dimming of your desktop is referred to as the secure desktop because other programs\r\ncan't run while it's dimmed.\r\nWindows 7 introduces two intermediate UAC settings for Protected administrators, in addition to the two from\r\nWindows Vista. The first is to notify users only when a program is making the change, so administrators are\r\nautomatically elevated when they make a change themselves. This is the UAC default setting in Windows 7, and it\r\nalso makes use of the secure desktop.\r\nThe second intermediate setting in Windows 7 is the same as the first except that it doesn't use the secure desktop.\r\nscreen shot of four uac settings in windows 7\r\nWindows 7 introduces two intermediate UAC settings.\r\nNote: Guidelines related to writing code to support User Account Control are presented in a separate article.\r\nDesign concepts\r\nGoals\r\nA well designed User Account Control experience has the following goals:\r\nEliminate unnecessary elevation. Users should have to elevate only to perform tasks that require\r\nadministrative privileges. All other tasks should be designed to eliminate the need for elevation. Often\r\nlegacy software requires administrator privileges unnecessarily by writing to the HKLM or HKCR registry\r\nsections, or the Program Files or Windows System folders.\r\nBe predictable. Standard users need to know which tasks require an administrator to perform or cannot be\r\nperformed at all in managed environments. Administrators need to know which tasks require elevation. If\r\nthey can't predict the need for elevation accurately, they are more likely to give consent for administrative\r\ntasks when they shouldn't.\r\nRequire minimal effort. Tasks that require administrative privileges should be designed to require a single\r\nelevation. Tasks that require multiple elevations quickly become tedious.\r\nRevert to least privileges. Once a task that requires administrative privileges is complete, the program\r\nshould revert to the least privilege state.\r\nElevation task flow\r\nWhen a task requires elevation, it has the following steps:\r\n1. Entry point. Tasks that require immediate elevation when UAC is fully enabled have entry points marked\r\nwith the UAC shield. In this case, users should expect to see an Elevation UI immediately after clicking\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 2 of 8\n\nsuch commands and they should be extra cautious when they see Elevation UI from tasks that don't have a\r\nshield.\r\nscreen shot of uac shield icons and their labels\r\nIn this example, the parental control and user accounts control panel items require elevation.\r\nWhen UAC is partially enabled or turned off completely, the UAC shield is still displayed to indicate that\r\nthe task involves system-level changes and therefore requires elevation, even if the user might not see\r\nElevation UI. Always displaying the UAC shield for tasks that require elevation keeps the UI simple and\r\npredictable.\r\n2. Elevation. For Protected Administrators, the task requests consent using the Consent UI. For Standard\r\nusers, the task requests administrator credentials using the Credential UI.\r\nscreen shot of two types of elevation\r\nThese examples show the Credential UI and the Consent UI.\r\n3. Separate elevated process. Internally, a new elevated process is created to perform the task.\r\n4. Revert to least privilege. If necessary, revert to least privilege to complete any steps that don't require\r\nelevation.\r\nNote that tasks don't \"remember\" elevated states. For example, if the user navigates back and forth over an\r\nelevation entry point in a wizard, the user must elevate each time.\r\nUsage patterns\r\nUser Account Control has several usage patterns (in order of preference):\r\n1. Work for Standard users. Design the feature for all users by limiting its scope to the current user. By\r\nlimiting settings to the current user (as opposed to system-wide), you eliminate the need for an Elevation\r\nUI entirely, and enable users to complete the task.\r\nIncorrect:\r\nscreen shot of message: you do not have privilege\r\nIn this example, Windows XP users had to have administrative privileges to view or change the current\r\ntime zone.\r\nCorrect:\r\nscreen shot of date and time dialog box\r\nIn this example, the time zone feature was redesigned in Windows 7 and Windows Vista to work for all\r\nusers.\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 3 of 8\n\n2. Have separate UI elements for Standard users and administrators. Clearly separate Standard user tasks\r\nfrom administrative tasks. Give all users access to useful read-only information. Clearly identify\r\nadministrative tasks with the UAC shield.\r\ngraphic of uac shield showing elevation required\r\nIn this example, the System control panel item shows its state to all users, but changing the system-wide\r\nsettings requires elevation.\r\n3. Allow Standard users to attempt task, and to elevate on failure. If Standard users can view the\r\ninformation and are able to make some changes without elevation, allow them to access the UI and have\r\nthem elevate only if the task fails. This approach is suitable when Standard users have limited access, such\r\nas with properties of their own files in Windows Explorer. It is also suitable for settings on Control Panel\r\nhybrid hub pages.\r\nscreen shot of access is denied message\r\nIn this example, the user attempted to change program file properties but didn't have sufficient privileges.\r\nThe user can elevate and try again.\r\n4. Work for administrators only. Use this approach only for administrator features and programs! If a\r\nfeature is intended only for administrators (and has no navigation paths or useful read-only information for\r\nStandard users), you can prompt for administrator credentials at the entry point before showing any UI.\r\nUse this approach for lengthy wizards and page flows when all paths require administrative privileges.\r\nIf the entire program is for administrators only, mark it to prompt for administrator credentials in order to\r\nlaunch. Windows displays such program icons with the UAC shield overlay.\r\nscreen shot of windows logo and uac shield overlay\r\nIn this example, the program requires administrative privileges to launch.\r\nGuidelines\r\nUAC shield icon\r\nDisplay controls with the UAC shield to indicate that the task requires immediate elevation when\r\nUAC is fully enabled, even if UAC isn't currently fully enabled. If all paths of a wizard and page flow\r\nrequire elevation, display the UAC shield at the task's entry point. Proper use of the UAC shield helps users\r\npredict when elevation is required.\r\nIf your program supports multiple versions of Windows, display the UAC shield if at least one\r\nversion requires elevation. Because Windows XP never requires elevation, consider removing the UAC\r\nshields for Windows XP if you can do so consistently and without harming performance.\r\nDon't display the UAC shield for tasks that don't require elevation in most contexts. Because this\r\napproach will sometimes be misleading, the preferred approach is to use a properly shielded contextual\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 4 of 8\n\ncommand instead.\r\nscreen shot of photo files in windows explorer\r\nBecause the New folder command requires elevation only when used in system folders, it is displayed\r\nwithout a UAC shield.\r\nThe UAC shield can be displayed on the following controls:\r\nCommand buttons:\r\nscreen shot of command button with uac shield icon\r\nA command button that requires immediate elevation.\r\nCommand links:\r\nscreen shot of command link with uac shield icon\r\nA command link that requires immediate elevation.\r\nLinks:\r\nscreen shot of change account link with uac shield\r\nA link that requires immediate elevation.\r\nMenus:\r\nscreen shot of menu with uac shield\r\nA drop-down menu that requires immediate elevation.\r\nBecause tasks don't remember elevated states, don't change the UAC shield to reflect state.\r\nDisplay the UAC shield even if User Account Control has been turned off or the user is using the\r\nBuilt-in Administrator account. Consistently displaying the UAC shield is easier to program, and\r\nprovides users with information about the nature of the task.\r\nElevation\r\nWhenever possible, design tasks to be performed by Standard users without elevation. Give all users\r\naccess to useful read-only information.\r\nElevate on a per task basis, not on a per setting basis. Don't mix Standard user settings with\r\nadministrative settings in a single page or dialog box. For example, if Standard users can change some but\r\nnot all settings, split those settings out as a separate UI surface.\r\nIncorrect:\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 5 of 8\n\nscreen shot of date and time settings dialog box\r\nIn this example, Standard user settings are incorrectly mixed with administrative settings.\r\nCorrect:\r\nscreen shot of same dialog box without uac shields\r\nIn this example, the settings for changing the date and time are in a separate dialog box, available only to\r\nadministrators. The time zone settings are available to Standard users, and are not mixed with\r\nadministrative settings.\r\nDon't consider the need to elevate when determining if a control should be displayed or disabled.\r\nThis is because:\r\nIn unmanaged environments, assume that Standard users could elevate by asking an administrator.\r\nDisabling controls that require elevation would prevent users from having administrators elevate.\r\nIn managed environments, assume that Standard users can't elevate at all. Removing controls that\r\nrequire elevation would prevent users from knowing when to stop looking.\r\nTo eliminate unnecessary elevation:\r\nIf a task might require elevation, elevate as late as possible. If a task needs a confirmation,\r\ndisplay the elevation UI only after the user has confirmed. If a task always requires elevation,\r\nelevate at its entry point.\r\nOnce elevated, stay elevated until elevated privileges are no longer necessary. Users shouldn't\r\nhave to elevate multiple times to perform a single task.\r\nIf users must elevate to make a change but choose not to make any changes, leave the positive\r\ncommit buttons enabled but handle the commit as a cancel. Doing so eliminates users having to\r\nelevate just to close a window.\r\nIncorrect:\r\nscreen shot of window with only one button active\r\nIn this example, the Save Changes button is disabled to avoid an unnecessary elevation, but\r\nbecomes enabled when users change the selection. However, the disabled commit button makes it\r\nlook like users really don't have a choice.\r\nDon't display an error message when tasks fail because users chose not to elevate. Assume that users\r\nintentionally chose not to proceed, so they won't regard this situation as an error.\r\nIncorrect:\r\nscreen shot of message: fabrikam restore can't run\r\nIn this example, Fabrikam Restore incorrectly gives an error message when the user decides to not elevate.\r\nDon't display warnings to explain that users might need to elevate their privileges to perform tasks.\r\nLet users discover this fact on their own.\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 6 of 8\n\nDisplay the UAC shield and elevation UI based on the following table:\r\nElevation UI\r\nIf the user provides an account that isn't valid (name or password) or doesn't have administrator\r\nprivileges, just redisplay the Credential UI. Don't display an error message.\r\nIf the user cancels the Credential UI, return the user back to the original UI. Don't display an error\r\nmessage.\r\nIf User Account Control has been turned off and a Standard user attempts to perform a task that requires\r\nelevation, provide an error message that states \"This task requires administrator privileges. To perform this\r\ntask, you must log on using an administrator account.\"\r\nscreen shot of task requires privileges message\r\nIn this example, User Account Control has been turned off so an error message explains that the user must use an\r\nadministrator account.\r\nWizards\r\nDon't elevate multiple times. Once a wizard is elevated, it should stay elevated.\r\nIf the task is performed within the wizard, put a UAC shield on the Commit page's \"Next\" button (which\r\nshould be given a more specific label). When the user commits:\r\nIf the next page is a Progress page, advance to that page and modally display the elevation UI. After\r\nsuccessful elevation, perform the task.\r\nIf the next page is a Completion page, advance to that page (but temporarily replace its contents\r\nwith \"Waiting for permission...\") and modally display the elevation UI. After successful elevation,\r\nperform the task, and then display the Completion page contents.\r\nIf the user cancels the elevation UI, return to the Commit page. Doing so allows the user to try\r\nagain.\r\nIf the task is performed after the wizard completes, put a UAC shield on the Commit page's \"Finish\" button\r\n(which should be given a more specific label). When the user commits:\r\nRemain on the Commit page and modally display the elevation UI. After successful elevation, close\r\nthe wizard.\r\nIf the user cancels the elevation UI, return to the Commit page. Doing so allows the user to try\r\nagain.\r\nFor lengthy wizards intended only for administrators, you can prompt for administrator credentials at the\r\nentry point before showing any UI.\r\nText\r\nDon't use an ellipsis just because a command requires elevation. The need to elevate is indicated with\r\nthe UAC shield.\r\nDocumentation\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 7 of 8\n\nWhen referring to User Account Control:\r\nRefer to the feature as User Account Control (on first mention) or UAC (on subsequent mention), not\r\nLeast-privileged User Account or LUA.\r\nRefer to non-administrators as Standard users.\r\nRefer to built-in computer administrators as Built-in administrators.\r\nIn user documentation:\r\nRefer to the act of giving consent to perform an administrative task as giving permission.\r\nIn programming and other technical documentation:\r\nRefer to the act of giving consent to perform an administrative task as elevation.\r\nIn the context of UAC, refer to administrators as Protected administrators when not elevated, and Elevated\r\nadministrators after elevation.\r\nRefer to the dialog box used to enter passwords as the Credential UI. Refer to the dialog box used to give\r\nconsent as the Consent UI. Refer to both generally as Elevation UI.\r\nSource: https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nhttps://msdn.microsoft.com/library/windows/desktop/dn742497.aspx\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx"
	],
	"report_names": [
		"dn742497.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08e6790b5d6d5f38d6e061eca6ff5a70108b83a3.pdf",
		"text": "https://archive.orkl.eu/08e6790b5d6d5f38d6e061eca6ff5a70108b83a3.txt",
		"img": "https://archive.orkl.eu/08e6790b5d6d5f38d6e061eca6ff5a70108b83a3.jpg"
	}
}