User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista operating system. It aims to improve the security of Windows by limiting applications to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware is kept from receiving the privileges necessary to wreak havoc on the operating system.
In other words, with UAC a user may have administrator privileges, but an application that that user runs does not unless it is approved beforehand or the user explicitly authorizes it to have higher privileges.
UAC will usually prompt the user for additional privileges automatically, but the user can also right-click a program and click "Run as administrator".
Before Windows XP was released, previous versions of Windows targeted at the consumer audience, such as Windows 95, Windows 98 and Windows Me, were all operating systems where the user had super user rights despite multi-user capabilities. Windows XP on the other hand was a multi-user operating system based on Windows NT. This allowed for different user levels and permissions.
However, in Windows XP the first user created when installing the operating system is given administrative privileges by default. As such, most users would use this account for everyday use. This ensured that all software, including malware, was also running with administrator privileges as well, thereby giving it full access to the operating system.
Unfortunately, most legacy Windows applications and even new Windows applications were or are not designed to work without full administrator privileges. Running these as a standard user or even as a power user could lead to errors or strange behavior. As such, it was often normal practice to give users full administrator access when running normally.
In contrast to this, other operating systems, such as Linux and other Unices have always been designed for multiple users, with multiple security levels, and so applications have almost always been aware of and compliant with this system.
With Windows Vista, an attempt has been made to embrace more of the Unix user security model, so that actions that can affect the security and stability of the operating system require the input of an administrator name and password before they are executed. If the user is an administrator, by default they are not asked to re-enter their password. Instead, a dialog is shown with the choices to allow or deny the action.
When logging into Windows Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group however, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or "Run as administrator" is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.
Actions that trigger User Account Control
Tasks that will trigger a UAC prompt (if UAC is enabled) are typically marked by a 4-color security shield symbol. These tasks include:
- Right-clicking an application's icon and clicking "Run as administrator"
- Changes to files in %SystemRoot% or %ProgramFiles%
- Installing and uninstalling applications
- Installing device drivers
- Installing ActiveX controls
- Changing settings for Windows Firewall
- Changing UAC settings
- Configuring Windows Update
- Adding or removing user accounts
- Changing a user’s account type
- Configuring Parental Controls
- Running Task Scheduler
- Restoring backed-up system files
- Viewing or changing another user’s folders and files
Common tasks, such as changing the time zone, do not require administrator privileges. In addition, a number of tasks that required administrator privileges in earlier versions of Windows, such as installing critical Windows updates, no longer do so in Vista.
- User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is blacked out and temporarily disabled and only the authorization window is enlightened, to present only the elevation UI. This is to prevent spoofing of the UI or the mouse by the application requesting elevation. If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost. It is possible to disable Secure Desktop, though this is inadvisable from a security perspective.
- Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts; often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM) UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user’s profile. For example, if an application attempts to write to “C:\program files\appname\settings.ini” and the user doesn’t have permissions to write to that directory, the write will get redirected to “C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\.”
- There are a number of configurable UAC settings. It is possible to:
- Require administrators to re-enter their password for heightened security
- Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security
- Disable Admin Approval Mode (UAC prompts for administrators) entirely
- Command prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user can discern which command prompts are running with elevated privileges.
A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3"> <v3:security> <v3:requestedPrivileges> <v3:requestedExecutionLevel level="highestAvailable" /> </v3:requestedPrivileges> </v3:security> </v3:trustInfo> </assembly>
Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation. In both highestAvailiable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.
A new process with elevated privileges can be spawned from within a .NET application using the "runas" verb. An example using C++/CLI: System::Diagnostics::Process^ proc = gcnew System::Diagnostics::Process(); proc->StartInfo->FileName = "C:\\Windows\\system32\\notepad.exe"; proc->StartInfo->Verb = "runas"; // Elevate the application proc->Start();
In a native Win32 application the same "runas" verb can be added to a ShellExecute() call.
ShellExecute(0, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);
In the absence of a specific directive stating what privileges the application requests, UAC will apply heuristics to determine whether or not the application needs administrator privileges. For example, if UAC detects that the application is a setup program, in the absence of a manifest it will assume that the application needs administrator privileges.
Many experts have called UAC "annoying" and "the worst product Microsoft has ever released". It is possible to turn off UAC, but this is highly unrecommended and could cause computer instability because of its connection with File & Registry Virtualization.
UAC, however, was received much worse by users of the Beta 2 release of Vista. This reaction led Microsoft to the "toning down" of UAC to a less intrusive level.
Due to a majority of criticism, Microsoft lets users change levels of UAC in Windows 7.