Program Compatibility
Some
legacy applications will not run on Windows Vista because of some
compatibility problems. Starting with Windows XP, Windows includes a
Program Compatibility Wizard to configure Windows to run a program under
an older Windows environment. For example, if you have a program that
will run under only Windows 9x, you can configure Windows to run that
program under the Windows 95 environment. This means that when Windows
XP is running this application, it will pretend to be a Windows 95
system. The wizard also allows you to try different settings, such as
switching the display to 256 colors and the screen resolution to 640x480
pixels.
To start the
Program Compatibility Wizard, right-click the executable file that you
are using to start the program, select Properties, and select the
Compatibility tab. Enable the Run This Program in Compatibility Mode
option and select the appropriate operating system environment.
An application that is
made to be 100 percent compatible with Windows Vista is designed to work
with UAC to keep the system secure by requesting privilege elevation as
necessary. If you have an older application that requires
administrative permissions to run, you can use the Application
Compatibility tab to select the Run This Program as an Administrator
option, which will allow the application to use the UAC system to
request privilege escalation. This setting applies only to the account
of the currently logged-on user, and no other users are affected by it.
You can only configure this option if you have administrator privileges.
If you need to have an application run as an administrator for all
users, you can use the Show Settings for All Users option on the
Application Compatibility tab.
Controlling UAC
UAC can be enabled or
disabled for any individual user account. If you disable UAC for a user
account, you lose the additional security protections UAC offers and put
the computer at risk. To enable or disable UAC for a particular user
account, follow these steps:
1. | In the Control Panel, click User Accounts.
|
2. | On the User Accounts page, click the Turn User Account Control On or Off link.
|
3. | You
can now enable or disable UAC for the currently logged-on user account.
Disable UAC by clearing the Use User Account Control (UAC) to Help
Protect Your Computer check box. Enable UAC by selecting the Use User
Account Control (UAC) to Help Protect Your Computer check box.
|
4. | Click OK.
|
5. | When prompted to restart the computer, click Restart Now or Restart Later, as appropriate, for the changes to take effect.
|
Besides enabling or
disabling UAC, you can control the behavior of the UAC by using local or
group policies. Local policies are managed from each local computer,
whereas group policies are managed as part of Active Directory. Table 1 shows the settings found in local and group policies.
Table 1. UAC Policy Settings Available in the Policy Editor Snap-In
| Policy | Security Settings |
|---|
| Admin Approval Mode for the Built-In Administrator Account | Enabled |
| | Disabled (Default) |
| Behavior of the Elevation Prompt for Administrators in Admin Approval Mode | Elevate without prompting Prompt for credentials Prompt for consent (Default) |
| Behavior of the Elevation Prompt for Standard Users | Automatically deny elevation requests Prompt for credentials (Default) |
| Detect Application Installations and Prompt for Elevation | Enabled (Default) |
| | Disabled |
| Only Elevate Executables That Are Signed and Validated | Enabled |
| | Disabled (Default) |
| Only Elevate UIAccess Applications That Are Installed in Secure Applications | Enabled (Default) |
| | Disabled |
| Run All Administrators in Admin Approval Mode | Enabled (Default) |
| | Disabled |
| Switch to the Secure Desktop When Prompting for Elevation | Enabled (Default) |
| | Disabled |
| Virtualize File and Registry Write Failures to Per-User Locations | Enabled (Default) |
| | Disabled |
To change the behavior of the UAC message for administrators in Admin Approval mode, follow these steps:
1. | Click Start, All Programs, Accessories, Run. Then, enter secpol.msc in the Open box and click OK.
|
2. | If UAC is currently configured in Admin Approval mode, the UAC message will appear. Click Continue.
|
3. | From the Local Security Policy tree, click Local Policies, and then double-click Security Options.
|
4. | Scroll down and double-click User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode.
|
5. | From the drop-down menu, select one of the following settings:
- Elevate without Prompting.
In this case, applications that have been marked as administrator
applications, and applications detected as setup applications, will
automatically run with the full administrator access token. All other
applications will automatically run with the standard user token.
- Prompt for Credentials.
In this case, to give consent for an application to run with the full
administrator access token, the user must enter administrator
credentials. This setting supports compliance with Common Criteria or
corporate policies.
- Prompt for Consent. This is the default setting.
|
6. | Click Apply.
|
To change the UAC message behavior for standard users, follow these steps:
1. | Click Start, All Programs, Accessories, Run. Then, enter secpol.msc in the Open text box and click OK.
|
2. | If UAC is currently configured to prompt for administrator credentials, the UAC message will appear. Click Continue.
|
3. | From the Local Security Policy tree, click Local Policies, and then double-click Security Options (see Figure 1).
|
4. | Scroll down and double-click User Account Control: Behavior of the Elevation Prompt for Standard Users.
|
5. | From the drop-down menu, select one of the following settings:
- Automatically Deny Elevation Requests.
In this case, administrator applications will not be able to run. The
user should see an error message from the application that indicates a
policy has prevented the application from running.
- Prompt for Credentials.
This is the default setting. In this case, for an application to run
with the full administrator access token, the user must enter
administrator credentials.
|
6. | Click Apply.
|
