User Account Control

From Wikipedia, the free encyclopedia

UAC confirmation dialog
UAC credentials dialog
Operating system commands or actions that require administrator rights (and thus will trigger UAC) are marked with a security shield

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista operating system. It aims to improve the experience of using Windows as a standard user.


Overview

Versions of Windows released before Windows XP and targeted at the consumer audience, such as Windows 95, 98 and ME, were all operating systems where the user had super user rights despite multi-user capabilities. Windows XP, on the other hand, was a multi-user operating system based on Windows NT. This allowed for different user levels and permissions.

However, in Windows XP the first user created when installing the operating system is given administrative privileges by default. As such, most users would use this account for everyday use. This ensured that all software, including malware, also ran with administrator privileges, giving it full access to the operating system.

Unfortunately, most legacy applications and even new applications were or are not designed to work without full administrator privileges.[1] Running these as a standard user or even as a power user could lead to errors or strange behavior. As such, it was often normal practice to give users full Administrator access when running normally.

With Windows Vista, actions that can affect the security and stability of the operating system require the input of an administrator name and password before they are executed. If the user is an administrator, no password is needed; instead, a dialog is shown with the choices to allow or deny the action.

When logging into Windows Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group, however, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token, resulting in a reduced-privilege environment even under an Administrator account. When an application requests elevation or is run as administrator, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.[2]

User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is blacked out and temporarily disabled and only the authorization window remains lit, so that only the elevation UI is presented. This is to prevent spoofing of the UI or the mouse by the application requesting elevation.[3] If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost.

In Windows Vista, common tasks, such as changing the time zone, do not require administrator privileges.[4] UAC also provides file and registry virtualization to allow poorly designed applications to run as a standard user.

Additionally, command prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user may discern which command prompts are running with elevated privileges.[5]

There are a number of configurable UAC settings. It is possible to:[6]

  • Require administrators to re-enter their password for heightened security
  • Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security
  • Disable Admin Approval Mode (UAC prompts for administrators) entirely

It has been accepted that having UAC enabled at all times can help secure the operating system, especially when browsing web sites that may pose a potential security threat. However, there have been complaints that UAC notifications slow down various tasks on the computer, such as the initial installation of software onto Windows Vista. It is therefore possible to turn off this feature while installing risk-free software, preferably while not connected to the internet, and then to re-enable UAC afterwards.[7]

Requesting elevation

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
    <v3:security>
      <v3:requestedPrivileges>
        <v3:requestedExecutionLevel level="highestAvailable" />
      </v3:requestedPrivileges>
    </v3:security>
  </v3:trustInfo>
</assembly>

Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation.[8] In both highestAvailable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.
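The following Python sketch is an added example, not code from the original article or from Microsoft. It audits a manifest for the execution level it requests and maps that level to the behaviour described above under default UAC settings. It assumes the manifest XML has already been extracted from the executable; the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# (administrator, standard user) outcome per level under default UAC settings,
# following the description in the text above.
OUTCOMES = {
    "asInvoker": ("no prompt, caller's token", "no prompt, caller's token"),
    "highestAvailable": ("consent prompt", "no prompt, reduced privileges"),
    "requireAdministrator": ("consent prompt", "credentials prompt"),
}

def requested_level(manifest: bytes):
    """Return the declared level, or None when no requestedExecutionLevel exists."""
    root = ET.fromstring(manifest)  # raises ET.ParseError on malformed XML
    for elem in root.iter():
        # Tags arrive as '{namespace}local'; match on the local name so that
        # prefixed (v3:) and default-namespace manifests are both handled.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None

def audit(manifest: bytes, is_admin: bool) -> str:
    """Describe what launching a program with this manifest leads to."""
    try:
        level = requested_level(manifest)
    except ET.ParseError:
        return "malformed manifest"
    if level is None:
        return "no execution level declared"
    if level not in OUTCOMES:
        # Catches misspellings such as 'highestAvailiable'.
        return f"unrecognized level {level!r}"
    return OUTCOMES[level][0 if is_admin else 1]

# Constructed samples; PAGE_STYLE mirrors the manifest shown above.
PAGE_STYLE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
    <v3:security><v3:requestedPrivileges>
      <v3:requestedExecutionLevel level="highestAvailable" />
    </v3:requestedPrivileges></v3:security>
  </v3:trustInfo>
</assembly>"""
MISSPELLED = PAGE_STYLE.replace(b"highestAvailable", b"highestAvailiable")
NO_LEVEL = b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'

if __name__ == "__main__":
    for name, doc in [("page", PAGE_STYLE), ("typo", MISSPELLED), ("none", NO_LEVEL)]:
        print(name, "| admin:", audit(doc, True), "| standard:", audit(doc, False))
```
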

To spawn a new process with elevated privileges from within a .NET application, the "runas" verb can be used. An example using C++/CLI:

System::Diagnostics::Process^ proc = gcnew System::Diagnostics::Process();
proc->StartInfo->FileName = "C:\\Windows\\system32\\notepad.exe";
proc->StartInfo->Verb = "runas"; // Elevate the application
proc->Start();

In a native Win32 application the same "runas" verb can be added to a ShellExecute() call.[2]

::ShellExecute(0, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);

References

  1. Charles (2007-03-05). UAC - What. How. Why. (video). Retrieved on March 23, 2007.
  2. Kenny Kerr (2006-09-29). Windows Vista for Developers – Part 4 – User Account Control. Retrieved on March 15, 2007.
  3. User Account Control Prompts on the Secure Desktop. UACBlog. MSDN Blogs (2006-05-03). Retrieved on February 25, 2007.
  4. Allchin, Jim (2007-01-23). Security Features vs. Convenience. Windows Vista Team Blog. Microsoft. Retrieved on March 4, 2007.
  5. Administrator Marking for Command Prompt. UACBlog. MSDN Blogs (2006-08-01). Retrieved on August 7, 2006.
  6. Chapter 2: Defend Against Malware. Windows Vista Security Guide. Microsoft (2006-11-08). Retrieved on March 15, 2007.
  7. Disabling the UAC feature (2007-03-10). Retrieved on March 10, 2007.
  8. Mike Carlisle (2007-03-10). Making Your Application UAC Aware. The Code Project. Retrieved on March 15, 2007.
