This post has had a few false starts. It’s a tough topic to cover, as it’s a
very controversial subject for most people still. Hopefully we can enlighten
some people along the way.
From a high level perspective, the UAC was developed to protect the user without necessarily
removing administrative privileges. Any change to the system required a second
validation. On older versions of Windows, an application running with administrative
credentials could change any setting on the box. Viruses and malware became
rampant because of this openness, given that the average user had administrative credentials.
Most average users balked at the idea of having a limited user account, so Microsoft
came up with an alternative for the new OS, Vista – a second form of validation.
You told the computer you wanted to make a change, it asked “are you sure?”
Logically it makes sense. Consider an instance where a devious application wanted
to change some setting, and because Windows wanted to verify it’s ok to make this
change it asked “are you sure?” If you responded no, the change didn’t happen.
Simple enough. However, here we start running into issues. There are three
perspectives to look at.
First, the end user. Simple changes to basic settings required validation.
This annoyed most of them, if not all of them. They didn’t care why it was asking,
they just wanted to delete shortcuts from their start menu. Their reaction:
turn off UAC. Bad idea, but security loses when it comes to usability in the
case of the end user.
Second, the irate IT Pro/Developer. Most people working in IT make changes to
system settings constantly. Given that, the UAC would be seen many times in
a day and it would, for lack of a better word, piss that person off. They didn’t
care what security it provided, it was a “stupid-useless-design” that shouldn’t have
been created. Their reaction: turn off UAC. Once again security loses
when it comes to usability.
Third, the knowledgeable IT Pro/Developer. Not a lot of people fell into this
category. However, these tended to be the same type of people who fit into the Lazy
Admin category as well. When managed properly UAC wasn’t all that annoying
because it wasn’t seen all that often. Set-it-and-forget-it and you don’t ever
see the prompt. If you created the system image properly, you don’t have to
constantly keep changing settings. It’s a simple enough idea.
Application compatibility is a pain. Most applications didn’t understand the
UAC, so they weren’t running with a validation and generally broke when they tried
to do things they really shouldn’t be doing in the first place. These are things
like manipulating registry keys that don’t belong to them, writing to system folders,
reading data from low-level system API’s etc. This was reason #1 for disabling
With the general availability of Windows 7 in about 2.5 hours from now, it seems like
a good time to discuss certain changes to UAC in the latest version of Windows.
The biggest of course being when Windows decides to check for validation.
Windows 7 introduces two new levels of the UAC. In Vista there was Validate
Everything or Off. Windows 7 added “Do Not Notify Me When I Make Changes to
Windows Settings”. This comes into effect when the user makes a change to a
Windows setting like display resolution. Windows is smart enough to realize
it’s the user making the change, and allows it. It’s second additional level
is the same as the first, except it doesn’t hide the desktop.
Now we get into some fun questions.
How does Window’s know to not show the prompt? It’s fairly straightforward.
All Window’s executables that were released as part of the OS are signed with a certificate.
All executables signed with this certificate are allowed to run if user started.
This is only true for Window’s settings though. You cannot implement this with
3rd party applications. There is no auto-allow list.
How does Window’s know it’s a user starting the application? Lots of applications
can mimic mouse movements or keyboard commands, but they occur at a higher application
level than an actual mouse move. Input devices like mice and keyboards have
an extremely low level driver, and only commands coming from these drivers are interpreted
as user input. You cannot spoof these commands.
Can you spoof mouse/keyboard input to accept the UAC request? No. The
UAC prompt is created in a separate Windows desktop. Other well known desktops
include the Locked screen, login screen, and the Cardspace admin application.
No application can cross these desktops, so an application running in your personal
desktop cannot push commands into the UAC desktop.
Mark Russinovich has an excellent article in TechNet
Magazine that goes into more detail about changes to the UAC. Hopefully
this post at least covered all sides of the UAC debate.