UAC security question


  1. Posts : 4,566
    Windows 10 Pro
       #1

    UAC security question


    Hello all, I have an interesting issue.

    So I prefer to have my UAC set to the highest setting, which is always notify.

    I noticed that sometimes when I check the setting, it will be at the default (not off) Level 2, notify when programs make changes to this pc on secure desktop.

    So I set it to the highest, click ok and reboot. It's still set to the highest setting and I go on my way. I check it several days (weeks even) later and UAC is on the default setting again.

    So I am curious, UAC at the highest setting is supposed to prompt whenever UAC settings are about to be changed, but this is not happening. It does when I initiate it, but not otherwise apparently.

    I know what you're thinking, and I am absolutely sure it's not malware. I don't know if it's an older program I have that's doing it or what. Still, it should not be able to.

    So questions:

    1.) What could be causing this?

    2.) Is there a way in group policy I could disable the UAC setting screen so it could not be changed? Or lock it down to the always notify option?

    I have searched the net and have not found any information on this.

    Thank you.

    1st image is what I want,

    2nd image is what happens after a few weeks.

    Event viewer shows nothing.
    Attached Thumbnails: uac-i-prefer.png, uac-changes-randomly.png


  2. Posts : 72,046
    64-bit Windows 11 Pro for Workstations
       #2

    Hello Andrew,

    Interesting. Is this all happening in the same user account?

    One possibility is a Windows Update resetting it back to default.


  3. Posts : 17,322
    Win 10 Pro x64
       #3

    Not sure why it's doing that, maybe this will help with what you want though,

    How do I change the behavior of User Account Control by using Group Policy?


  4. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #4

    Brink said:
    Hello Andrew,

    Interesting. Is this all happening in the same user account?

    One possibility is a Windows Update resetting it back to default.
    Yes it is, thanks for the response. My fiancée has her standard user account on this machine, I run as admin. I am almost always doing admin things (which is why I want UAC set to the highest, since I run as admin all the time). I have some group policy objects applied to her. But nothing involving UAC.

    derekimo said:
    Not sure why it's doing that, maybe this will help with what you want though,

    How do I change the behavior of User Account Control by using Group Policy?
    Thanks derekimo, I saw that but unfortunately it doesn't seem like any of the options there are what I need. It does not seem like there is any way to grey out the entire UAC settings box. Or force to the specific always on. There is a force on, but I believe that's for the default setting and I see no way to specify to always notify.

    I have the following software running on startup if this helps:

    Teamviewer
    Panda cloud AV
    Malwarebytes pro

    That's it.


    I am trying to remember if/when this started occurring. One of the reasons I notice it is because I go into task scheduler and services and management console a lot, so when my UAC settings are set to always notify, UAC prompts me. At the default it doesn't.

    SFC is good.

    I am starting to wonder if this started happening after I created her standard account....but at the same time I thought it was before that.....

    The good news is UAC is not being turned off, but it's just odd.


  5. Posts : 548
    Windows 7 Ultimate x64 SP1
       #5

    Have you checked the Event Viewer logs to see if Windows is documenting anything regarding the UAC setting changes? Windows is usually good on keeping track of system-wide changes.


  6. Posts : 10,485
    W7 Pro SP1 64bit
       #6

    This might help to ferret out the offending app...
    ...or maybe not :-(

    Let's start with the standard UAC states (e.g. states that can be set by the UAC slider).

    Using the numbers found in the Data column for the registry Value Names of interest, we get the following pattern. (edit: to be clear, I'm not suggesting that people change the UAC levels via the regedit. The screenshots of the registry via regedit were originally intended as info needed to modify the AutoIt script mentioned later on. The script can change the UAC back to some desired level, but it requires admin rights to do that - so that function was removed. The link just below this edit shows how best to change the UAC notification levels.)

    User Account Control - UAC - Change Notification Settings


    Always Notify is "211"
    UAC security question-1-always.png


    Default is "511"
    UAC security question-2-default.png


    Secure Desktop OFF is "510"
    UAC security question-3-secure-desktop-off.png


    Never Notify is "000"
    UAC security question-4-never.png




    The UAC slider is a live monitor of some changes, but you probably do not want to leave that open all of the time. Plus, you will not know when the change happened unless you are sitting right there when it changes. This AutoIt script should help with that. The script only reads the registry info. It does not make any changes.



    I used regedit to simulate whatever app is making this change to the UAC. Whatever app it is, it should require elevated privileges to be able to write to that area of the registry.

    Hopefully, the "Time of change" in the title of the AutoIt message box is self explanatory. Maybe the message box will be all that you need to see to know exactly what app caused the change. If you were away from the computer when the change happened, then the message box should be waiting for you when you get back - even if the computer went to sleep.

    If need be, armed with the "Time of change", you can look through the Windows Event logs and/or you can run LastActivityView - View the latest computer activity in Windows operating system and look back to the events near the "Time of change". (The download link is near the bottom of that webpage.)

    I show how to compile the script in the first video, but you do not need to do that. I would suggest putting that AU3 text file directly in the All users startup folder.



    You will need to install AutoIt to be able to make use of the text version of the script.

    If you don't want to install AutoIt, then use the compiled version that is attached to this post. (Virustotal scan for the compiled version). Two of those hits are because I compressed the EXE with UPX.

    You might notice in the first video that the first line of the script mentions an older version of AutoIt. I went ahead and tested the script with the newer version - so I removed that comment line from the script. The compiled version attached to this post was made using the older version of AutoIt for reasons that I'll not bore you with.

    I'll understand if you don't want to use the script at all - compiled or as text.


    I doubt that it is an infection, but you can never know (source):
    Nick Harbour's team completed the DEFCON race in just over six hours; the fastest team managed completion in about two-and-a-half-hours. Nick Harbour's team came out on top when the viruses were tested and all 10 of his modified viruses eluded virus detection.
    Last edited by UsernameIssues; 04 Mar 2014 at 20:28. Reason: added tutorial link for more info
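A read-only monitor in the spirit of the script described in post #6, written as an added PowerShell example (it is not UsernameIssues' AutoIt script). It assumes the three digits quoted in that post are the `ConsentPromptBehaviorAdmin`, `EnableLUA` and `PromptOnSecureDesktop` values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, in that order; the log path and function names are illustrative.

```powershell
# Added example: polls the UAC policy values and logs when they change.
# It only reads the registry, so it runs without elevation in any account.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$names = 'ConsentPromptBehaviorAdmin', 'EnableLUA', 'PromptOnSecureDesktop'  # assumed digit order
$log   = Join-Path $env:LOCALAPPDATA 'uac-watch.log'                         # hypothetical log path

# Slider states as quoted in the post above.
$levels = @{
    '211' = 'Always Notify'
    '511' = 'Default'
    '510' = 'Secure Desktop OFF'
    '000' = 'Never Notify'
}

function Get-UacPattern {
    # Join the three values into one string; '?' marks a value that is absent.
    $props = Get-ItemProperty -Path $key
    ($names | ForEach-Object {
        $v = $props.$_
        if ($null -eq $v) { '?' } else { $v }
    }) -join ''
}

function Get-UacLevelName([string]$Pattern) {
    # Anything outside the four slider states was set by policy or a direct registry write.
    if ($levels.ContainsKey($Pattern)) { $levels[$Pattern] } else { "non-slider state ($Pattern)" }
}

$last = Get-UacPattern
"{0:s}  start   {1} ({2})" -f (Get-Date), $last, (Get-UacLevelName $last) |
    Add-Content -Path $log

while ($true) {
    Start-Sleep -Seconds 5
    $now = Get-UacPattern
    if ($now -ne $last) {
        # The timestamp is the "Time of change" to match against the event logs.
        $line = "{0:s}  changed {1} ({2}) -> {3} ({4})" -f (Get-Date), $last,
                (Get-UacLevelName $last), $now, (Get-UacLevelName $now)
        Add-Content -Path $log -Value $line
        Write-Warning $line
        $last = $now
    }
}
```

Polling only gives the time of the change, accurate to the 5-second interval. To have Windows record which process wrote the value, enable the "Audit Registry" subcategory and add an audit entry (SACL) for "Set Value" on that key; writes then appear in the Security log as event 4657 with the process name.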


  7. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #7

    Brink said:
    One possibility is a Windows Update resetting it back to default.
    I would have said it is Windows Update too.....have you been able to check that?


  8. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #8

    Wow, thanks to everyone! :)

    I appreciate all the help here, especially UsernameIssues, thank you so much! I will start monitoring it with this and will see what happens. Thanks again!


  9. Posts : 10,485
    W7 Pro SP1 64bit
       #9

    You are welcome.

    I just realized that the first four screenshots are not needed in my post above. I originally wrote the script in a way that will set the UAC back to whatever you wanted. Those first 4 screenshots were part of my info on how to edit the script to have it automatically change the UAC back to the desired level.

    ...then I read where you have a non-admin user on this computer. Having the script set the UAC means that it must run with elevated privileges. So I abandoned that part of the script and stuck with the core function of monitoring.

    Let's hope that the script helps to find the offending app. My UAC stays at the highest level without any problem.


  10. Posts : 4,566
    Windows 10 Pro
    Thread Starter
       #10

    UsernameIssues said:
    ......Let's hope that the script helps to find the offending app. My UAC stays at the highest level without any problem.

    The fact that a program is able to do this without me being notified is what concerns me, it feels like a security hole.

    And thanks for the registry info. I am sure others as well as myself enjoyed it.

    Golden said:
    Brink said:
    One possibility is a Windows Update resetting it back to default.
    I would have said it is Windows Update too.....have you been able to check that?
    Yes I have checked, and I have not noticed it happening after that. But that's just it, I am not sure when it's happening. Thanks to UsernameIssues' script, that should hopefully pin the cause of it.
    Last edited by andrew129260; 28 Feb 2014 at 22:23.


 