Microsoft Wiki

This page uses Creative Commons Licensed content from Wikipedia (view authors).
Image: User Account Control "Windows Security" alerts in Windows 11. From top to bottom: blocked app, app with unknown publisher, app with a known/trusted publisher.

User Account Control (UAC) is a mandatory access control enforcement feature and security infrastructure included in modern versions of Microsoft Windows starting with the releases of the Windows Vista and Windows Server 2008 operating systems, with a more relaxed version being present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware is kept from compromising the operating system.

In other words, with UAC, a user may have administrator privileges, but an application that the user runs does not unless it is approved beforehand or the user explicitly authorizes it to have higher privileges.

UAC uses Mandatory Integrity Control to isolate running processes with different privileges. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology called User Interface Privilege Isolation is used in conjunction with User Account Control to isolate these processes from each other. One prominent use of this is Internet Explorer 7's "Protected Mode".

Operating systems on mainframes and on servers have differentiated between superusers and userland for decades. This had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings.

Early home operating systems by Microsoft (such as MS-DOS, Windows 95/98/Me) did not have a concept of different user accounts on the same machine. Subsequent versions of Windows and Microsoft applications encouraged the use of non-administrator user logons, yet some applications continued to require administrator rights. Microsoft does not certify applications as Windows-compliant if they require administrator privileges; such applications may not use the Windows-compliant logo with their packaging.

Overview

Before Windows XP was released, previous versions of Windows targeted at the consumer audience, such as Windows 95, Windows 98 and Windows Me, gave the user full rights despite the fact these operating systems had multi-user capabilities. Windows XP, on the other hand, was a multi-user operating system based on Windows NT. This allowed for different user levels and permissions.

However, in Windows XP, the first user created when installing the operating system is given administrative privileges by default. As such, most users would use this account for everyday use. This ensured that all software, including malware, also ran with administrator privileges, thereby giving it full access to the operating system.

Unfortunately, most legacy Windows applications and even new Windows applications were not designed to work without full administrator privileges. Running these as a standard user or even as a power user could lead to errors or strange behavior. As such, it was often normal practice to give users full administrator access when running normally.

In contrast to this, other operating systems, such as Linux and other UNIX-like systems, have always been designed for multiple users, with multiple security levels, and so applications have almost always been aware of and compliant with this system.

With Windows Vista, an attempt was made to embrace more of the Unix user security model, so that actions that can affect the security and stability of the operating system require the input of an administrator name and password before they are executed. If the user is an administrator, by default they are not asked to re-enter their password. Instead, a dialog is shown with the choices to allow or deny the action.

When logging into Windows Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group however, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or "Run as administrator" is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.

Actions that trigger User Account Control

Tasks that will trigger a UAC prompt (if UAC is enabled) are typically marked by a 4-color security shield symbol. These tasks include:[3]

  • Right-clicking an application's icon and clicking "Run as administrator"
  • Changes to files in %SystemRoot% or %ProgramFiles%
  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Configuring Parental Controls
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files

Common tasks, such as changing the time zone, do not require administrator privileges. In addition, a number of tasks that required administrator privileges in earlier versions of Windows, such as installing critical Windows updates, no longer do so in Vista.

Features

  • User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is darkened and temporarily disabled and only the authorization window remains active, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost. It is possible to disable Secure Desktop, though this is inadvisable from a security perspective.
  • Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM).[1] UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user’s profile. For example, if an application attempts to write to “C:\program files\appname\settings.ini” and the user doesn’t have permissions to write to that directory, the write will get redirected to “C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\.”
  • There are a number of configurable UAC settings. It is possible to:
    • Require administrators to re-enter their password for heightened security
    • Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security
    • Disable Admin Approval Mode (UAC prompts for administrators) entirely
  • Command prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user can discern which command prompts are running with elevated privileges.
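The split-token model and the configurable settings described above are backed by a handful of policy values in the registry. The following PowerShell script is an added example, not part of the original article: it reports whether the current shell holds the unrestricted token and flags UAC policy values that weaken the protections described (the registry value names are the standard Windows UAC policy values; the findings wording and the report layout are this example's own).

```powershell
# Added example: audit the local UAC policy values and the current token state.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin (Windows policy value, not from the article).
$ConsentMeaning = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}

function Test-IsElevated {
    # A member of Administrators runs with the restricted (filtered) token until
    # UAC consent is given, so IsInRole(Administrator) is $false in a normal shell.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicyReport {
    $p = Get-ItemProperty -Path $PolicyKey
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: Admin Approval Mode (UAC prompting) is disabled'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: prompts can be spoofed on the normal desktop'
    }
    if ($p.EnableVirtualization -ne 1) {
        $findings += 'EnableVirtualization is not 1: legacy apps writing to Program Files/HKLM will fail'
    }
    [pscustomobject]@{
        ShellIsElevated            = Test-IsElevated
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = "$($p.ConsentPromptBehaviorAdmin) ($($ConsentMeaning[$p.ConsentPromptBehaviorAdmin]))"
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        EnableVirtualization       = $p.EnableVirtualization
        Findings                   = $findings
    }
}

Get-UacPolicyReport | Format-List
```

Values 1 and 3 of ConsentPromptBehaviorAdmin correspond to the "require administrators to re-enter their password" setting; absent values are reported as empty rather than assumed.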

Requesting elevation

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
    <v3:security>
      <v3:requestedPrivileges>
        <v3:requestedExecutionLevel level="highestAvailable" />
      </v3:requestedPrivileges>
    </v3:security>
  </v3:trustInfo>
</assembly>

Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation. In both highestAvailable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.

A new process with elevated privileges can be spawned from within a .NET application using the "runas" verb. An example using C++/CLI:

System::Diagnostics::Process^ proc = gcnew System::Diagnostics::Process();
proc->StartInfo->FileName = "C:\\Windows\\system32\\notepad.exe";
proc->StartInfo->Verb = "runas"; // Elevate the application
proc->Start();

In a native Win32 application the same "runas" verb can be added to a ShellExecute() call.

ShellExecute(0, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);

In the absence of a specific directive stating what privileges the application requests, UAC will apply heuristics to determine whether or not the application needs administrator privileges. For example, if UAC detects that the application is a setup program, in the absence of a manifest it will assume that the application needs administrator privileges.
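To see which executables on a machine declare an execution level in their manifest (and which leave it to UAC's heuristics), the following PowerShell script is an added example, not part of the original article. It locates the embedded manifest by a text search over the raw file, which works because the manifest is stored as UTF-8 XML in the resource section; it is a heuristic, not a PE resource parser, and the attribute order it expects (level before uiAccess) is the one shown in the article's manifest.

```powershell
# Added example: report the requestedExecutionLevel declared by each executable.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # The manifest resource is plain UTF-8 XML, so decoding the whole file and
    # searching it is enough for a survey (invalid bytes become U+FFFD).
    $text = [System.Text.Encoding]::UTF8.GetString($bytes)
    $pattern = '<(?:\w+:)?requestedExecutionLevel\s+level\s*=\s*"(\w+)"' +
               '(?:\s+uiAccess\s*=\s*"(\w+)")?'
    $m = [regex]::Match($text, $pattern)

    [pscustomobject]@{
        File     = $Path
        # No manifest directive means UAC applies its installer heuristics.
        Level    = if ($m.Success) { $m.Groups[1].Value } else { '(none: heuristics apply)' }
        UiAccess = if ($m.Success -and $m.Groups[2].Success) { $m.Groups[2].Value } else { 'false' }
    }
}

# $Directory is a placeholder for the tree to survey.
$Directory = $env:ProgramFiles

Get-ChildItem -Path $Directory -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RequestedExecutionLevel -Path $_.FullName } |
    Where-Object { $_.Level -ne 'asInvoker' } |
    Format-Table -AutoSize
```

Executables reporting requireAdministrator or highestAvailable are the ones that will raise a UAC prompt on launch; those reporting "(none: heuristics apply)" are worth checking with a filename such as setup.exe or install.exe, since UAC may treat them as installers.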

Criticism

Many experts have called UAC "annoying" and "the worst product Microsoft has ever released". It is possible to turn off UAC, but this is strongly discouraged and could cause computer instability because of its connection with File & Registry Virtualization.

UAC, however, was received much worse by users of the Beta 2 release of Vista. This reaction led Microsoft to the "toning down" of UAC to a less intrusive level.

In response to this criticism, Microsoft lets users change the UAC notification level in Windows 7.
