Set UAC level from VB, Python, registry or GPO

You can disable or enable UAC in Windows from the registry by setting the value below to 0 or 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Setting it to 0 is the equivalent of dragging the bar down to “Never Notify” in User Account Control Settings (C:\Windows\System32\UserAccountControlSettings.exe). If you later set this registry value back to 1, UAC returns to the level that was previously configured.

How do I set the level of UAC from registry?

It remembers what was previously configured because the level of UAC is dictated by multiple keys, not just “EnableLUA”.

Different combinations of values for the keys below achieve different levels of UAC:

ConsentPromptBehaviorAdmin
ConsentPromptBehaviorUser
EnableInstallerDetection
EnableLUA
EnableVirtualization
PromptOnSecureDesktop
ValidateAdminCodeSignatures
FilterAdministratorToken

To achieve Never notify == “Level 1”, set the previously mentioned EnableLUA key to 0.

To achieve Notify me only when apps try to make changes to my computer (do not dim my desktop) == “Level 2”, set the registry keys as the following:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

To achieve Notify me only when apps try to make changes to my computer (default) == “Level 3”, set the registry keys as the following:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

To achieve Always notify == “Level 4”, set the registry keys as the following:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

A reboot is needed for the changes to take effect.
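The level listings above can be checked from a script. This added example (not one of the author's scripts) parses a .reg export of the Policies\System key and reports which of the four levels it matches; the function names and the sample export are constructed for illustration, and read_live_values assumes Python's standard winreg module on Windows.

```python
import re

# Constructed sample: a .reg export holding the page's "Level 2" values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"EnableLUA"=dword:00000001
"PromptOnSecureDesktop"=dword:00000000
'''

# Only these two values differ between the page's Level 2-4 listings.
# (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) -> level
LEVELS = {(5, 0): 2, (5, 1): 3, (2, 1): 4}
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text):
    """Return {value_name: int} for every dword line in a .reg export."""
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line.strip())
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values

def uac_level(values):
    """Return the page's level number (1-4), or None if nothing matches."""
    if values.get("EnableLUA") == 0:
        return 1  # "Never notify": the other values are ignored
    if values.get("EnableLUA") != 1:
        return None  # missing or unexpected EnableLUA: report, do not guess
    pair = (values.get("ConsentPromptBehaviorAdmin"),
            values.get("PromptOnSecureDesktop"))
    return LEVELS.get(pair)

def read_live_values():
    """Windows only: read the same three values from the local registry."""
    import winreg  # standard library, present only on Windows
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for name in ("EnableLUA", "ConsentPromptBehaviorAdmin",
                     "PromptOnSecureDesktop"):
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set on this machine
    return found

if __name__ == "__main__":
    print("sample export matches level", uac_level(parse_reg_dwords(SAMPLE_EXPORT)))
```

A result of 1, or of None, on a client that is expected to be at the default is worth logging for the audit trail.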

If you want to know more about all the possible values of each registry key mentioned above, Microsoft have an MSDN page for that.

Why edit the registry when you can set group policies?

Some reasons why you may want to set registry keys rather than a GPO:

  • You can script it and implement additional checks for greater control
  • You can log output for an audit trail on each client it runs on
  • It may be easier if the OU structure is a mess and you don’t want to apply the setting to all domain clients
  • You are a local admin and want to modify your UAC level without using the GUI, for whatever reason

Altering these values in the registry does not prohibit future alterations in the GUI from C:\Windows\System32\UserAccountControlSettings.exe or gpedit.msc. This was tried and tested on domain-joined Windows 7 Enterprise, so I suggest you test before deploying too.

More information about the group policy settings of UAC can be found here on a TechNet page, which also includes some more info about the registry settings of these policies.

Example scripts

Click here to see them all on GitHub

The example VB script modifies UAC in the registry back to the default “Level 3” if it is disabled, i.e. “Never notify”. It also wouldn’t be me if I didn’t write something in Python; it is the same as the VB script in that it sets UAC back to “Level 3” if it is disabled.

Alternatively, you can create a simple .reg file that runs with a double click. The one below sets the registry back to the default “Level 3” regardless of UAC’s current state.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableVirtualization"=dword:00000001
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000
"FilterAdministratorToken"=dword:00000000

The GPO location is Security Settings\Local Policies\Security Options\Local Security Policy. If you fancy seeing something like this for PowerShell, read more here.
