When you’re login to an admin account and initiate an action that requires administrative rights (elevation of privilege), the UAC will ask for consent (instead of the username and password.) You select either Yes (“Permit”) or No (“Deny”) in the consent dialog. This operation will happen on the secure desktop. However, Windows binaries will be allowed to perform an operation that requires elevation without consent or credentials. This is the default behavior for admin-approval mode in Windows.
You may wonder how to configure UAC to always ask for the username and password when executing an action requiring administrative rights on admin accounts. This article tells you how to do that. The instructions apply to Windows Vista through Windows 11.
Make UAC Always ask for a Password on Admin Accounts
You can use the Local Security Policy editor to change the UAC admin approval mode setting for Windows Professional Edition and higher. On Windows Home Editions, follow the registry method.
Option 1: Using the Security Policy editor
- Right-click Start, and click Run.
- Type
secpol.mscand hit Enter. This opens the Local Security Policy editor. - Expand Security Settings → Local Policies → Security Options
- Double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
- Select one of the following options, and click OK.
Prompt for credentials on the secure desktop (or) Prompt for credentials
This ensures that the UAC dialog always asks for admin credentials when executing an action (from an admin account) that requires an elevation of privilege.
Option 2: Using the Registry Editor
- Launch the Registry Editor (
regedit.exe) - Go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Double-click
ConsentPromptBehaviorAdminand set its data to 5.Here is the list of possible data forConsentPromptBehaviorAdmin0 → Elevate without prompting 1 → Prompt for credentials on the secure desktop 2 → Prompt for consent on the secure desktop 3 → Prompt for credentials 4 → Prompt for consent 5 → Prompt for consent for non-Windows binaries (Windows default)
Difference between the settings #1 & #3:
0x00000001: This option prompts the Consent Admin to enter his or her user name and password (or another valid admin) when an operation requires elevation of privilege. This operation occurs on the secure desktop.0x00000003: This option prompts the Consent Admin to enter his or her user name and password (or that of another valid admin) when an operation requires elevation of privilege.
(Note: To revert to the Windows default setting, set it to
0x00000005. See also UAC asks for password even if logged in as administrator, which is the opposite of this article.) - Exit the Registry Editor.
Windows will now ask for the password of your admin account (instead of the consent) when running a program elevated.
One small request: If you liked this post, please share this?
One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
