Skip to main content

How to Disable/Enable the UAC (User Account Control) in Batch Script

User Account Control (UAC) is a fundamental security feature in Windows that helps prevent unauthorized changes to your computer. It's the prompt that appears asking for permission when a program tries to perform an action that requires administrative privileges. While disabling UAC is strongly discouraged for security reasons, it is sometimes a necessary evil for specific, automated tasks, such as running legacy installers or certain administrative scripts that fail with UAC enabled.

This guide will teach you how to enable and disable UAC from a batch script by modifying the Windows Registry. You will learn the critical registry keys involved, the absolute requirement of a system reboot, and the significant security risks you are taking by disabling it.

CRITICAL SECURITY WARNING

Disabling UAC is a significant security risk. It should never be done on a permanent basis. Without UAC, all programs run with full administrative privileges by default. This means:

  • Malware and viruses can install themselves silently without asking for your permission.
  • Accidental changes to the system can be made without any warning.
  • You are removing one of the most effective layers of defense against malicious software.

This action should only be performed temporarily in a controlled environment for a specific, necessary task, and UAC should be re-enabled immediately afterward.

The Core Method: Modifying the Registry with REG ADD

UAC's settings are stored in the Windows Registry. The REG ADD command is the standard way to modify these keys from a batch script.

danger

This operation requires the script to be run with full administrative privileges.

The key we need to modify is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

The Registry Keys Explained

There are several values under this key that control UAC, but the most important one is EnableLUA.

  • EnableLUA: Limited User Account. This is the master switch for UAC.
    • Value 1: UAC is Enabled (Default and Secure).
    • Value 0: UAC is Disabled.
  • ConsentPromptBehaviorAdmin: Controls the behavior of the prompt for administrators. 0 disables the prompt, but this is less secure than just leaving UAC enabled.
  • PromptOnSecureDesktop: Controls whether the prompt appears on a separate, dimmed "secure desktop." 1 is the secure default.

For a complete disable, setting EnableLUA to 0 is all that is required.

Script to Disable UAC

This script sets the EnableLUA registry value to 0, effectively disabling User Account Control.

@ECHO OFF
REM This script MUST be run as an Administrator.

ECHO --- Disabling User Account Control (UAC) ---
ECHO WARNING: This is a major security risk. A reboot is required.
ECHO.

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

ECHO.
ECHO [SUCCESS] UAC has been disabled in the registry.
ECHO You MUST reboot your computer for this change to take effect.
PAUSE
  • /v EnableLUA: The Value name to modify.
  • /t REG_DWORD: The data Type.
  • /d 0: The Data to set (0 for disabled).
  • /f: Forces the overwrite without prompting.

Script to Enable UAC (Restore Security)

This is the most important script. After you have completed the task that required UAC to be off, you must run this to restore your system's security.

@ECHO OFF
REM This script MUST be run as an Administrator.

ECHO --- Enabling User Account Control (UAC) ---
ECHO Restoring system security settings. A reboot is required.
ECHO.

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f

ECHO.
ECHO [SUCCESS] UAC has been enabled in the registry.
ECHO You MUST reboot your computer for this change to take effect.
PAUSE

Common Pitfalls and How to Solve Them

Problem: The Script is Not Run as Administrator

If you try to modify the HKEY_LOCAL_MACHINE registry hive from a standard command prompt, the operation will fail.

Example of error:

ERROR: Access is denied.

Solution: You must run the script with elevated privileges. Right-click your .bat file or cmd.exe and select "Run as administrator."

Problem: The Change Doesn't Take Effect Immediately

This is the most common point of confusion. You run the script, but the UAC prompts still appear.

Solution: A system reboot is absolutely required for any changes to the EnableLUA registry value to be loaded by the operating system. There is no workaround for this. Your script must inform the user that a restart is necessary.

Practical Example: A Fully Automated Temporary Disablement Script

This advanced script shows a responsible way to handle this process. It automates the entire cycle: disable UAC, schedule a reboot, have a second script automatically run after reboot to perform the task, and then have that script re-enable UAC and schedule the final reboot.

Step1_Disable_UAC.bat
@ECHO OFF
REM Run as Admin.
ECHO Disabling UAC and scheduling a reboot in 60 seconds...
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

REM Set the next script to run automatically once after logon.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v DoMyTask /t REG_SZ /d "C:\MyScripts\Step2_DoWork.bat" /f

shutdown /r /t 60 /c "Rebooting to apply UAC changes..."
Step2_DoWork.bat
@ECHO OFF
REM This script runs automatically after the reboot.
ECHO UAC is now disabled. Running the legacy installer...
REM (Run your legacy installer or other commands here)

ECHO Work is done. Re-enabling UAC and scheduling final reboot...
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f

REM Clean up the RunOnce key.
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v DoMyTask /f

shutdown /r /t 60 /c "Rebooting to restore security settings..."

Conclusion

Disabling UAC is a powerful but dangerous action that should only be performed when absolutely necessary.

Key takeaways:

  • The only way to programmatically disable UAC is by modifying the EnableLUA value in the Windows Registry using the REG ADD command.
  • This action always requires administrator privileges.
  • A system reboot is mandatory for the change to take effect.
  • Disabling UAC poses a major security risk, and it should be re-enabled as soon as the specific task is complete.

Table of Contents