User Account Control, also known as UAC, was designed to reduce vulnerability by requiring confirmation when system settings are being changed. Some people hate it, some don’t mind it. But most understand it’s intent.
In any case, when deploying servers, it’s key to know what state the UAC settings are in, so that we can script accordingly. Normally, I just set the registry value to whatever I need it to be, using a one-liner such as:
To disable UAC:
Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0 |
To enable UAC:
Set-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 1 |
UAC changes how a token is assembled when you log on. If we’re making changes to this, remember that a reboot is required before the new setting takes effect.
But what if we just need to programatically peek at what UAC is set to, so that we can act accordingly? Well, this handy little function should help:
1 |
function Get-UACStatus { |
2 |
<# |
3 |
.SYNOPSIS |
4 |
Gets the current status of User Account Control (UAC) on a computer. |
5 |
6 |
.DESCRIPTION |
7 |
Gets the current status of User Account Control (UAC) on a computer. $true indicates UAC is enabled, $false that it is disabled. |
8 |
9 |
.NOTES |
10 |
Version : 1.0 |
11 |
Rights Required : Local admin on server |
12 |
: ExecutionPolicy of RemoteSigned or Unrestricted |
13 |
Author(s) : Pat Richard (pat@innervation.com) |
14 |
Dedicated Post : http://www.ehloworld.com/1026 |
15 |
Disclaimer : You running this script means you won't blame me if this breaks your stuff. |
16 |
17 |
.EXAMPLE |
18 |
Get-UACStatus |
19 |
20 |
Description |
21 |
----------- |
22 |
Returns the status of UAC for the local computer. $true if UAC is enabled, $false if disabled. |
23 |
24 |
.EXAMPLE |
25 |
Get-UACStatus -Computer [computer name] |
26 |
27 |
Description |
28 |
----------- |
29 |
Returns the status of UAC for the computer specified via -Computer. $true if UAC is enabled, $false if disabled. |
30 |
31 |
.LINK |
33 |
34 |
.INPUTS |
35 |
None. You cannot pipe objects to this script. |
36 |
37 |
#Requires -Version 2.0 |
38 |
#> |
39 |
40 |
[cmdletBinding(SupportsShouldProcess = $true)] |
41 |
param( |
42 |
[parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $false)] |
43 |
[string]$Computer |
44 |
) |
45 |
[string]$RegistryValue = "EnableLUA" |
46 |
[string]$RegistryPath = "Software\Microsoft\Windows\CurrentVersion\Policies\System" |
47 |
[bool]$UACStatus = $false |
48 |
$OpenRegistry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$Computer) |
49 |
$Subkey = $OpenRegistry.OpenSubKey($RegistryPath,$false) |
50 |
$Subkey.ToString() | Out-Null |
51 |
$UACStatus = ($Subkey.GetValue($RegistryValue) -eq 1) |
52 |
write-host $Subkey.GetValue($RegistryValue) |
53 |
return $UACStatus |
54 |
} # end function Get-UACStatus |
You can call it via
Get-UACStatus |
to see the status for the local machine, and
Get-UACStatus -Computer [computer name] |
to see the status of a remote machine. Full help is available via
Get-Help Get-UACStatus |
And if we need a little function to deal with enabling or disabling, for building into deployment scripts, we have this one, which includes functionality for rebooting:
1 |
function Set-UACStatus { |
2 |
<# |
3 |
.SYNOPSIS |
4 |
Enables or disables User Account Control (UAC) on a computer. |
5 |
6 |
.DESCRIPTION |
7 |
Enables or disables User Account Control (UAC) on a computer. |
8 |
9 |
.NOTES |
10 |
Version : 1.0 |
11 |
Rights Required : Local admin on server |
12 |
: ExecutionPolicy of RemoteSigned or Unrestricted |
13 |
Author(s) : Pat Richard (pat@innervation.com) |
14 |
Dedicated Post : http://www.ehloworld.com/1026 |
15 |
Disclaimer : You running this script means you won't blame me if this breaks your stuff. |
16 |
17 |
.EXAMPLE |
18 |
Set-UACStatus -Enabled [$true|$false] |
19 |
20 |
Description |
21 |
----------- |
22 |
Enables or disables UAC for the local computer. |
23 |
24 |
.EXAMPLE |
25 |
Set-UACStatus -Computer [computer name] -Enabled [$true|$false] |
26 |
27 |
Description |
28 |
----------- |
29 |
Enables or disables UAC for the computer specified via -Computer. |
30 |
31 |
.LINK |
33 |
34 |
.INPUTS |
35 |
None. You cannot pipe objects to this script. |
36 |
37 |
#Requires -Version 2.0 |
38 |
#> |
39 |
40 |
param( |
41 |
[cmdletbinding()] |
42 |
[parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $false)] |
43 |
[string]$Computer = $env:ComputerName, |
44 |
[parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $true)] |
45 |
[bool]$enabled |
46 |
) |
47 |
[string]$RegistryValue = "EnableLUA" |
48 |
[string]$RegistryPath = "Software\Microsoft\Windows\CurrentVersion\Policies\System" |
49 |
$OpenRegistry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,$Computer) |
50 |
$Subkey = $OpenRegistry.OpenSubKey($RegistryPath,$true) |
51 |
$Subkey.ToString() | Out-Null |
52 |
if ($enabled -eq $true){ |
53 |
$Subkey.SetValue($RegistryValue, 1) |
54 |
}else{ |
55 |
$Subkey.SetValue($RegistryValue, 0) |
56 |
} |
57 |
$UACStatus = $Subkey.GetValue($RegistryValue) |
58 |
$UACStatus |
59 |
$Restart = Read-Host "`nSetting this requires a reboot of $Computer. Would you like to reboot $Computer [y/n]?" |
60 |
if ($Restart -eq "y"){ |
61 |
Restart-Computer $Computer -force |
62 |
Write-Host "Rebooting $Computer" |
63 |
}else{ |
64 |
Write-Host "Please restart $Computer when convenient" |
65 |
} |
66 |
} # end function Set-UACStatus |
Call it via
Set-UACStatus -Computer [computer name] -Enabled [$true|$false] |
And, like Get-UACStatus, full help is available via
Get-Help Set-UACStatus |