User Account Control

User Account Control "Windows Security" alerts in Windows 11 in light mode. From top to bottom: blocked app, app with unknown publisher, app with a known/trusted publisher.

User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista [1] and Windows Server 2008 operating systems, with a more relaxed [2] version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware is kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.


UAC uses Mandatory Integrity Control to isolate running processes with different privileges. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, User Interface Privilege Isolation, is used in conjunction with User Account Control to isolate these processes from each other. [3] One prominent use of this is Internet Explorer 7's "Protected Mode". [4]

Operating systems on mainframes and on servers have differentiated between superusers and userland for decades. This had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings.

Early Microsoft home operating systems (such as MS-DOS, Windows 95–98 and Windows Me) had no concept of different user accounts on the same machine. Subsequent versions of Windows and Microsoft applications encouraged the use of non-administrator user logons, yet some applications continued to require administrator rights. Microsoft does not certify applications as Windows-compliant if they require administrator privileges; such applications may not use the Windows-compliant logo on their packaging.

Behavior in Windows versions

Tasks that trigger a UAC prompt

Tasks that require administrator privileges trigger a UAC prompt (if UAC is enabled); they are typically marked by a security shield icon with the four colours of the Windows logo (in Vista and Windows Server 2008) or with two yellow and two blue panels (Windows 7, Windows Server 2008 R2 and later). In the case of executable files, the icon carries a security shield overlay. The following tasks require administrator privileges: [9] [10]

Common tasks, such as changing the time zone, do not require administrator privileges [11] (although changing the system time itself does, since the system time is relied on by security protocols such as Kerberos). A number of tasks that required administrator privileges in earlier versions of Windows, such as installing critical Windows updates, no longer require them in Vista. [12] Any program can be run as administrator by right-clicking its icon and clicking "Run as administrator"; the exception is Windows Installer and Windows Update packages (MSI, MSP and MSU), which have no such menu entry because, by their nature, they prompt for elevation themselves when administrator rights are required. Should this fail, the workaround is to run a Command Prompt as administrator and launch the package from there.

Features

User Account Control asks for consent or credentials on the Secure Desktop, where the entire screen is temporarily dimmed, Windows Aero is disabled, and only the authorization window is shown at full brightness, so that only the elevation user interface (UI) is presented. Normal applications cannot interact with the Secure Desktop. This helps prevent spoofing, such as overlaying different text or graphics on top of the elevation request, or moving the mouse pointer so that it clicks the confirmation button when that is not what the user intended. [13] If an administrative activity comes from a minimized application, the Secure Desktop request is also minimized so as to prevent focus from being lost. It is possible to disable the Secure Desktop, though this is inadvisable from a security perspective. [14]

In earlier versions of Windows, applications written with the assumption that the user would be running with administrator privileges experienced problems when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM). [5] UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user's profile. For example, if an application attempts to write to a file such as "C:\Program Files\appname\settings.ini" in a directory to which the user does not have write permission, the write is redirected to "C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\settings.ini". The redirection is only provided for non-elevated 32-bit applications, and only if they do not include a manifest that requests specific privileges. [15]

There are a number of configurable UAC settings. It is possible to: [16]

Command Prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user can discern which instances are running with elevated privileges. [18]
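The PowerShell script below is an added example, not part of the original article or of any Microsoft documentation. It reads the registry values that back the configurable UAC settings described above and then lists what File and Registry Virtualization has redirected into the current user's VirtualStore. The key path and value names are the documented UAC policy values; which values the script flags as weak is this example's own baseline, not a Microsoft requirement.

```powershell
# Added example: audit the UAC policy values behind the configurable settings
# and show what File and Registry Virtualization has redirected for this user.
# Key path and value names are the documented UAC policy values; the "Weak"
# lists are this example's own baseline, not a Microsoft requirement.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $uacKey -ErrorAction Stop

# Value name, what it controls, and which stored values this audit flags.
$checks = @(
    @{ Name = 'EnableLUA';                   Meaning = 'UAC / Admin Approval Mode enabled';                                      Weak = @(0) },
    @{ Name = 'ConsentPromptBehaviorAdmin';  Meaning = 'Admin prompt (0 = elevate silently; 5 = default, consent for non-Windows binaries only)'; Weak = @(0) },
    @{ Name = 'ConsentPromptBehaviorUser';   Meaning = 'Standard-user prompt (0 = deny; 1 or 3 = ask for credentials)';          Weak = @() },
    @{ Name = 'PromptOnSecureDesktop';       Meaning = 'Show prompts on the Secure Desktop';                                     Weak = @(0) },
    @{ Name = 'EnableVirtualization';        Meaning = 'File and Registry Virtualization for legacy applications';               Weak = @(0) },
    @{ Name = 'EnableInstallerDetection';    Meaning = 'Heuristic installer detection';                                          Weak = @() },
    @{ Name = 'EnableSecureUIAPaths';        Meaning = 'UIAccess applications only from secure locations';                       Weak = @(0) },
    @{ Name = 'ValidateAdminCodeSignatures'; Meaning = 'Elevate only executables with a valid signature';                        Weak = @() },
    @{ Name = 'FilterAdministratorToken';    Meaning = 'Built-in Administrator also gets a filtered token';                      Weak = @() }
)

$report = foreach ($c in $checks) {
    $value = $policy.($c.Name)                      # $null when the value is absent (default applies)
    $shown = if ($null -eq $value) { '(not set)' } else { $value }
    [pscustomobject]@{
        Setting = $c.Name
        Value   = $shown
        Weak    = ($null -ne $value -and $c.Weak -contains $value)
        Meaning = $c.Meaning
    }
}
$report | Format-Table -AutoSize

if ($report | Where-Object Weak) {
    Write-Warning 'One or more UAC settings are weaker than this baseline.'
}

# Virtualization leaves redirected writes under the per-user VirtualStore;
# every file here is a legacy program that tried to write to a protected location.
$store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (Test-Path $store) {
    Get-ChildItem -Path $store -Recurse -File |
        Select-Object FullName, Length, LastWriteTime
}
```

The policy key is readable from a non-elevated prompt, so the audit itself needs no elevation. A ConsentPromptBehaviorAdmin of 0 with EnableLUA still set to 1 is the case worth looking for in practice: UAC appears enabled, yet every elevation request for an administrator succeeds silently.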

A distinction is made between elevation requests from a signed executable and from an unsigned executable, and for the former, whether the publisher is Windows itself ('Windows Vista'). The colour, icon, and wording of the prompts differ in each case; for example, they attempt to convey a greater sense of warning if the executable is unsigned. [19]

Internet Explorer 7's "Protected Mode" feature uses UAC to run with a 'low' integrity level (a Standard user token has an integrity level of 'medium'; an elevated (Administrator) token has an integrity level of 'high'). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC. [7] [20] Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system. [21]

Requesting elevation

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and, since Vista, the requested security context:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation. [22] In both highestAvailable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.

An executable marked "requireAdministrator" in its manifest cannot be started from a non-elevated process using CreateProcess(); the call fails with ERROR_ELEVATION_REQUIRED (740). ShellExecute() or ShellExecuteEx() must be used instead. If an HWND is not supplied, the consent dialog appears as a blinking item in the taskbar rather than in the foreground.

Inspecting an executable's manifest to determine if it requires elevation is not recommended, as elevation may be required for other reasons (setup executables, application compatibility). However, it is possible to programmatically detect if an executable will require elevation by using CreateProcess() and setting the dwCreationFlags parameter to CREATE_SUSPENDED. If elevation is required, then ERROR_ELEVATION_REQUIRED will be returned. [23] If elevation is not required, a success return code will be returned at which point one can use TerminateProcess() on the newly created, suspended process. This will not allow one to detect that an executable requires elevation if one is already executing in an elevated process, however.

A new process with elevated privileges can be spawned from within a .NET application using the "runas" verb. An example using C#:

System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.StartInfo.FileName = "C:\\Windows\\system32\\notepad.exe";
proc.StartInfo.Verb = "runas";          // Elevate the application
proc.StartInfo.UseShellExecute = true;  // the verb is handled by the shell, so ShellExecute must be used
try {
    proc.Start();
} catch (System.ComponentModel.Win32Exception) {
    // Thrown when the user declines the UAC prompt (ERROR_CANCELLED, 1223)
}

In a native Win32 application the same "runas" verb can be added to a ShellExecute() or ShellExecuteEx() call: [7]

// Returns a value <= 32 on failure; GetLastError() is ERROR_CANCELLED (1223) when the user declines the prompt.
ShellExecute(hwnd, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);
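The same "runas" verb from PowerShell, as an added example that is not part of the original article: the script reports whether the caller is already elevated and at which integrity level its token runs, then launches Notepad elevated and handles the user declining the prompt. The function names are this example's own; Start-Process -Verb RunAs is PowerShell's form of the shell verb used in the C# and Win32 snippets above.

```powershell
# Added example (not from the article): elevation from PowerShell via the same
# "runas" shell verb, plus the two checks a script usually wants first.
function Test-IsElevated {
    # True when the Administrators group is enabled in the current token, i.e. the
    # process was started elevated (or UAC is off for this account).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IntegrityLevel {
    # The token's integrity level is exposed as a "Mandatory Label" group;
    # whoami /groups prints it as e.g. "Mandatory Label\Medium Mandatory Level".
    $match = whoami /groups |
        Select-String 'Mandatory Label\\(\w+) Mandatory Level' |
        Select-Object -First 1
    if ($match) { $match.Matches[0].Groups[1].Value } else { 'Unknown' }
}

function Start-Elevated {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList
    )
    # -Verb RunAs goes through ShellExecuteEx, so the UAC prompt appears and the
    # child process receives the elevated token. -ArgumentList rejects an empty
    # array, hence the conditional splat.
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; PassThru = $true; Wait = $true }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    try {
        $proc = Start-Process @params
        return $proc.ExitCode
    }
    catch {
        # Declining the prompt fails the launch with Win32 ERROR_CANCELLED (1223);
        # Start-Process surfaces that as an InvalidOperationException.
        Write-Warning "Elevation failed or was declined: $($_.Exception.Message)"
        return $null
    }
}

"Elevated: $(Test-IsElevated)  Integrity level: $(Get-IntegrityLevel)"
if (-not (Test-IsElevated)) {
    $exit = Start-Elevated -FilePath "$env:SystemRoot\notepad.exe"
    if ($null -ne $exit) { "notepad.exe ran elevated and exited with code $exit" }
}
```

Run from a normal prompt the first line reports "Elevated: False  Integrity level: Medium" for an administrator in Admin Approval Mode; from an already elevated window it reports High and the launch proceeds without a prompt, because the parent token is already elevated.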

In the absence of a specific directive stating what privileges the application requests, UAC will apply heuristics, to determine whether or not the application needs administrator privileges. For example, if UAC detects that the application is a setup program, from clues such as the filename, versioning fields, or the presence of certain sequences of bytes within the executable, in the absence of a manifest it will assume that the application needs administrator privileges. [24]

Security

UAC is a convenience feature; it neither introduces a security boundary nor prevents execution of malware. [25] [26] [27] [28]

Leo Davidson discovered that Microsoft weakened UAC in Windows 7 by exempting about 70 Windows programs from displaying a UAC prompt, and presented a proof of concept for a privilege escalation. [29]

Stefan Kanthak presented a proof of concept for a privilege escalation via UAC's installer detection and IExpress installers. [30]

Stefan Kanthak presented another proof of concept for arbitrary code execution as well as privilege escalation via UAC's auto-elevation and binary planting. [31]
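The exemption that these proofs of concept build on is auto-elevation: under the default UAC level an executable elevates without a prompt for administrators when it is Windows-signed, lives in a secure location such as System32, and declares autoElevate in its manifest. [26] The PowerShell script below is an added example, not from the cited research, that inventories such executables on the local machine. It scans each file for the manifest flag, which is stored as UTF-8 text in an RT_MANIFEST resource, and reports the Authenticode signer beside each hit; the Sysinternals command "sigcheck -m" prints the full manifest for confirmation.

```powershell
# Added example (not from the cited research): list executables whose embedded
# manifest declares <autoElevate>true</autoElevate>. A hit is an auto-elevation
# candidate only if it is also Windows-signed and in a secure location [26],
# which is why the signature status and signer are shown next to each path.
# Run from 64-bit PowerShell: a 32-bit process sees System32 redirected to SysWOW64.
$pattern = [regex]'<autoElevate>\s*true\s*</autoElevate>'
$roots   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { Test-Path $_ }

$hits = foreach ($root in $roots) {
    foreach ($exe in Get-ChildItem -Path $root -Filter *.exe -File -ErrorAction SilentlyContinue) {
        # The manifest tags are ASCII, so an ASCII decode of the raw bytes is enough
        # to find them; no resource parsing is needed for an inventory.
        $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($exe.FullName))
        if ($pattern.IsMatch($text)) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path      = $exe.FullName
                Signature = $sig.Status          # Valid for genuine Windows binaries
                Signer    = $signer              # expected to name Microsoft Windows
            }
        }
    }
}

$hits | Sort-Object Path | Format-Table -AutoSize
"{0} auto-elevating executables found" -f @($hits).Count
```

A match is an inventory entry, not a finding: whether a given auto-elevating executable can be abused depends on what it does with input an unprivileged process can influence (the code injection Davidson describes, or the binary planting in Kanthak's second proof of concept), which this scan does not assess. Setting ConsentPromptBehaviorAdmin to 2 ("always prompt") removes the exemption for all of them at the cost of more prompts.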

Criticism

There have been complaints that UAC notifications slow down various tasks on the computer such as the initial installation of software onto Windows Vista. [32] It is possible to turn off UAC while installing software, and re-enable it at a later time. [33] However, this is not recommended since, as File & Registry Virtualization is only active when UAC is turned on, user settings and configuration files may be installed to a different place (a system directory rather than a user-specific directory) if UAC is switched off than they would be otherwise. [14] Also Internet Explorer 7's "Protected Mode", whereby the browser runs in a sandbox with lower privileges than the standard user, relies on UAC; and will not function if UAC is disabled. [20]

Yankee Group analyst Andrew Jaquith said, six months before Vista was released, that "while the new security system shows promise, it is far too chatty and annoying." [34] By the time Windows Vista was released in November 2006, Microsoft had drastically reduced the number of operating system tasks that triggered UAC prompts, and added file and registry virtualization to reduce the number of legacy applications that triggered UAC prompts. [5] However, David Cross, a product unit manager at Microsoft, stated during the RSA Conference 2008 that UAC was in fact designed to "annoy users," and force independent software vendors to make their programs more secure so that UAC prompts would not be triggered. [35] Software written for Windows XP, and many peripherals, would no longer work in Windows Vista or 7 due to the extensive changes made in the introduction of UAC. The compatibility options were also insufficient. In response to these criticisms, Microsoft altered UAC activity in Windows 7. For example, by default users are not prompted to confirm many actions initiated with the mouse and keyboard alone such as operating Control Panel applets.

In a controversial article, New York Times Gadgetwise writer Paul Boutin said "Turn off Vista's overly protective User Account Control. Those pop-ups are like having your mother hover over your shoulder while you work." [36] Computerworld journalist Preston Gralla described the NYT article as "...one of the worst pieces of technical advice ever issued." [37]


References

  1. "What is User Account Control?". Microsoft. January 2015. Retrieved 2015-07-28.
  2. Thurrott, Paul. "Windows 7 Feature Focus: User Account Control" (archived 2014-05-04 at the Wayback Machine). An overview of UAC in Windows 7.
  3. "The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)". The Windows Vista and Windows Server 2008 Developer Story Series. Microsoft. April 2007. Retrieved 2007-10-08.
  4. Silbey, Marc; Brundrett, Peter (January 2006). "Understanding and Working in Protected Mode Internet Explorer". Microsoft. Retrieved 2007-12-08.
  5. Torre, Charles (March 5, 2007). "UAC – What. How. Why" (video). Retrieved 2007-12-08.
  6. Howard, Michael; LeBlanc, David (2010). Writing Secure Code for Windows Vista. O'Reilly Media. ISBN 9780735649316. Retrieved 2013-08-06. "UAC started life as the Limited User Account (LUA), then was renamed to User Account Protection (UAP), and finally we got UAC."
  7. Kerr, Kenny (September 29, 2006). "Windows Vista for Developers – Part 4 – User Account Control". Retrieved 2007-03-15.
  8. "Registry Tweaks to Customize User Account Control (UAC) Options in Windows Vista and Later". AskVG. 16 March 2008.
  9. Bott, Ed (2007-02-02). "What triggers User Account Control prompts?". Archived from the original on 2015-09-27.
  10. "Living with and benefiting from User Account Control". Microsoft. 2014-12-09.
  11. Allchin, Jim (2007-01-23). "Security Features vs. Convenience". Windows Vista Team Blog. Microsoft.
  12. "User Account Control Overview". TechNet. Microsoft.
  13. "User Account Control Prompts on the Secure Desktop". UACBlog. Microsoft. 4 May 2006.
  14. Bott, Ed (2 February 2007). "Why you need to be discriminating with those Vista tips". Ed Bott's Windows Expertise.
  15. "Determine How to Fix Applications That Are Not Windows 7 Compliant". TechNet. Microsoft. Retrieved 2013-09-09.
  16. "Chapter 2: Defend Against Malware". Windows Vista Security Guide. Microsoft. November 8, 2006.
  17. "User Account Control: Virtualize file and registry write failures to per-user locations".
  18. "Administrator Marking for Command Prompt". UACBlog. Microsoft. 1 August 2006.
  19. "Accessible UAC Prompts". Windows Vista Blog. Microsoft. Archived from the original on 2008-01-27. Retrieved 2008-02-13.
  20. Russinovich, Mark (June 2007). "Inside Windows Vista User Account Control". TechNet Magazine. Microsoft.
  21. Friedman, Mike (10 February 2006). "Protected Mode in Vista IE7". IEBlog. Microsoft.
  22. Carlisle, Mike (10 March 2007). "Making Your Application UAC Aware". The Code Project.
  23. Zhang, Junfeng (18 October 2006). "Programmatically determine if an application requires elevation in Windows Vista". Junfeng Zhang's Windows Programming Notes. Microsoft.
  24. "Understanding and Configuring User Account Control in Windows Vista". TechNet. Microsoft. Retrieved 2007-07-05.
  25. "Disabling User Account Control (UAC) on Windows Server". Microsoft Support Knowledge Base. Microsoft. Retrieved 2015-08-17.
  26. Russinovich, Mark. "Inside Windows 7 User Account Control". Microsoft. Retrieved 2015-08-25.
  27. Johansson, Jesper. "The Long-Term Impact of User Account Control". Microsoft. Retrieved 2015-08-25.
  28. Russinovich, Mark. "Inside Windows Vista User Account Control". Microsoft. Retrieved 2015-08-25.
  29. Davidson, Leo. "Windows 7 UAC whitelist: Code-injection Issue – Anti-Competitive API – Security Theatre". Retrieved 2015-08-25.
  30. Kanthak, Stefan. "Defense in depth – the Microsoft way (part 11): privilege escalation for dummies". Full Disclosure (mailing list). Retrieved 2015-08-17.
  31. Kanthak, Stefan. "Defense in depth – the Microsoft way (part 31): UAC is for binary planting". Full Disclosure (mailing list). Retrieved 2015-08-25.
  32. Trapani, Gina (31 January 2007). "Geek to Live: Windows Vista upgrade power tips". Lifehacker.
  33. "Disable UAC in Vista". YouTube. Archived from the original on 2021-12-22.
  34. Evers, Joris (2006-05-07). "Report: Vista to hit anti-spyware, firewall markets". ZDNet. CBS Interactive. Archived from the original on 2006-12-10. Retrieved 2007-01-21.
  35. Espiner, Tom (11 April 2008). "Microsoft: Vista feature designed to 'annoy users'". CNET. CBS Interactive.
  36. Boutin, Paul (14 May 2009). "How to Wring a Bit More Speed From Vista". New York Times – Gadgetwise. Retrieved 2015-01-04.
  37. Gralla, Preston (2009-05-14). "New York Times blooper: Throw away your anti-virus software". Computerworld. Retrieved 2022-10-04.