One of the minor complaints about Windows Vista was the way the User Account Control notification system annoyed the heck out of some people. During the following few years of using the operating system, there were 3rd party applications available that could control how and when the User Account Control behaved. Now with the introduction of Windows 7, Microsoft has adapted a User Account Control system that any user can take advantage of to control how much of an annoyance you wish to put up with.
Over at the Microsoft site for Windows 7, they explain how to control UAC via the built in ‘slider’, which is described as:
The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC’smalware technologies looks and smells like a security feature: the consent prompt. Many people believed that the fact that software has to ask the user to grant it administrative rights means that they can prevent from gaining administrative rights. Besides the visual implication that a prompt is a gateway to administrative rights for just the operation it describes, the switch to a different desktop for the elevation dialog and the use of the Windows Integrity Mechanism, including User Interface Privilege Isolation (UIPI), seem to reinforce that belief.
As we’ve stated since before the launch of Windows Vista, the primary purpose of elevation is not security, though, it’s convenience: if users had to switch accounts to perform administrative operations, either by logging into or Fast User Switching to an administrative account, most users would switch once and not switch back. There would be no progress changing the environment that application developers design for. So what are the secure desktop and Windows Integrity Mechanism for?
The main reason for the switch to a different desktop for the prompt is that standard user software cannot “spoof” the elevation prompt, for example, by drawing on top of the publisher name on the dialog to fool a user into thinking that Microsoft or another software vendor is generating the prompt instead of them. The alternate desktop is called a “secure desktop,” because it’s owned by the system rather than the user, just like the desktop upon which the system displays the Windows logon dialog.
For us Vista users we are famaliar with the security windows that appears when we install, update, or take on another task in Windows Vista:
Here is what the new UAC control looks like in Windows 7:
Microsoft concludes the new benefits of UAC in Windows 7 with this statement:
To summarize, UAC is a set of technologies that has one overall goal: to make it possible for users to run as standard users. The combination of changes to Windows that enable standard users to perform more operations that previously required administrative rights, file and registry virtualization, and prompts all work together to realize this goal. The bottom line is that the default Windows 7 UAC mode makes a PA user’s experience smoother by reducing prompts, allows them to control what legitimate software can modify their system, and still accomplishes UAC’s goals of enabling more software to run without administrative rights and continuing to shift the software ecosystem to write software that works with standard user rights.
I personally like the new control of UAC in Windows 7 since it allows me to adjust my settings to the way I use my computer. What do you think?
Comments welcome.
The UAC would have been a good idea if it would remember what I allowed. I don’t mind telling the system that a program is making changes and it’s ok but why do I have to approve the same thing every time I use the program or reboot? I hope Windows 7 is a little smarter.
Have you switched to running as a standard user? Probably not because it’s still incredibly annoying compared to running as admin.
Standard user still isn’t the default account type, either.
So UAC doesn’t seem to be meeting its primary goal. (Or at least the goal MS are stating in what you quoted. The purpose(s) of UAC seem to vary depending on which argument MS are trying to win.) Maybe in Windows 8?
If MS want people running as standard user they need to improve the experience of that case. If they had actually done that then it would also have made UAC less of a hassle under admin accounts and they probably wouldn’t have needed to add the hack in Windows 7 which allows Windows executables (and thus anything else that really wants to, via injection) to bypass the UAC prompts.
Don’t get me wrong, though; I like Windows 7 overall. I just don’t think the changes to UAC make any sense. If it isn’t important whether or not programs can bypass admin UAC prompts then the user should have control over which programs are subject to them. OR, if it is important, they shouldn’t be so easy for programs to bypass. And if standard user is the holy grail then very little progress has been made there compared to Vista.
I’m also starting to wonder what the point of the (supposed!) move to standard user is when:
a) Any elevation to admin breaks the security boundary. i.e. Standard user is only a security boundary if you *never* use UAC. MS have said that UAC itself is not a security barrier/boundary that they can or will defend and that seems to apply to standard user as much as admin accounts. (You can piggyback/spoof UAC elevations from standard user, though you cannot bypass the prompts entirely like you now can with admin accounts under default Win7 settings.)
b) MS dismiss the UAC injection elevation stuff by asking what difference it makes whether or not malware has admin access. Indeed, malware can do a lot of damage without admin… but if we honestly don’t care about the additional damage it can do with admin rights then why are we so concerned about getting more people to use standard user who aren’t already using it perfectly well?
UAC is a great tool for developers to detect when they accidentally write code that requires admin rights. Forcing code to go via UAC definitely makes sense. I’m just starting to wonder what the point of the UAC *prompts* is, for admin users, if Microsoft don’t care about creating holes that let anything bypass them.
(Also wondering why the “elevate without prompting” option is only available via the Local Securtity Policy control panel and not the end-user-orientated UAC panel. That option lets you keep UAC on — for the really good stuff like protected mode IE — and still requires apps to use UAC to gain elevation, but removes the need for the user to click prompts.)
Mostly I’m annoyed that MS have created one rule for their code and another for everyone else’s.
Hi Leo,
Great points. Thanks for sharing your thoughts with us.
Regards, Ron
It sucks. I got malwarebytes installed on my computer and the damn message popups every time O_O why? I already said, yea allow it, but it keeps showing up.
You think they would smarter than that, windows 7. I can’t believe how dumb it is.