Windows 2008 user account control

User Account Control (UAC) helps prevent unauthorized changes to a computer by prompting for consent or for an administrator's password. When a user with elevated privileges logs on to Windows 7 or Windows Server 2008, two access tokens are issued: a full access token and a filtered standard user access token. The filtering process removes the administrative privileges and disables the administrative group Security Identifiers (SIDs), resulting in a filtered standard user access token. The standard user token is then used to start the Windows desktop (explorer.exe) and all subsequent child processes. Consequently, all applications run with the standard user token by default, and only an administrator who has given consent at the prompt can run a specific application with the full access token. These internal processes happen in Windows 7 and Windows Server 2008 to provide extra security, so that you can be sure of what you are doing before a change is applied to the operating system.

When you log on to a computer in an Active Directory infrastructure, it verifies your roles, privileges and authority with the Microsoft Active Directory RID master and provides you with the pre-defined attributes assigned in Active Directory and Group Policy Objects, for example Domain Admins, Schema Admins, Enterprise Admins, Account Operators, Administrators, Power Users, Domain Users, Users, Cert Publishers and many more. If you log on to a standalone computer, Windows 7 and Windows Server 2008 still check the local account policies to determine whether you are a power user, an administrator or a user.

The credential prompt (asking for a username and password) and the consent prompt (allowing or disallowing the user to perform a task) are the two components of UAC. Even if you are a member of Domain Admins or Administrators, you will be asked for your consent to perform tasks such as changing the date and time, modifying the registry, running an application or carrying out any OS-related task. A standard user cannot complete an installation task in Windows 7 and Windows Server 2008 unless an account in the Administrators group authorises it.

Running the registry editor from an elevated command prompt

Start menu > Run > type: runas /user:domain\username cmd.exe

Provide the password when asked.

In the new Command Prompt window that opens, type regedit.exe.

Respond to the UAC elevation prompt.

UAC Group Policy Settings

Microsoft supports management of UAC through Group Policy Objects (GPOs). The settings are found under Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Benefits of UAC

Stops malware from adding scheduled tasks

Stops spam sites and spyware from running installers

Stops malware from running commands and scripts

Provides a local Windows Firewall layer to protect Windows systems even when a top-level firewall such as ISA or Squid is in place

Prevents inappropriate applications from running as a standard user

Prevents modification of registry keys

If you still do not like UAC, you can disable it completely from Control Panel > User Accounts > UAC > untick UAC > OK > restart.

To disable from the registry

Go to Start menu > Run > type regedit.exe

Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Create a DWORD named LocalAccountTokenFilterPolicy with a value of 1 and reboot the computer. Note that this value governs UAC token filtering for local accounts that connect over the network; it does not turn off the local elevation prompt, which is controlled by the EnableLUA value in the same key, so setting it to 1 weakens remote security without removing the prompt.


Windows Server 2008 – UAC (User Account Control)

The mission of this page is to explain the purpose of Windows Server 2008’s ‘Continue’ pop-up dialog box.  I will also show you how to disable this UAC (User Account Control) box.

Whenever you need to configure a Windows Server 2008 setting, even if you are logged on as the administrator, you need elevated privileges.  This is by design, and part of the fierce security initiative in Windows Server 2008.  Before you can complete any administrative task, the User Account Control manager pops up with a ‘Continue’ message.

Topics for User Account Control in Windows Server 2008

  • How to Disable UAC (User Account Control)
  • Windows 8 Disable UAC
  • Registry Hack to control User Account Control
  • Example of User Account Control (UAC)
  • Evolution of Windows Server 2008 User Account Control
  • CMD Prompt – Run as Administrator
  • Disable UAC Windows Server 2012


How to Disable User Account Control (UAC)

If you feel a little guilty when you disable the UAC – join the club.  Many techies:
a) Get rid of the nagging ‘Continue’ pop-up message box.
b) Feel shamefaced at turning off this Windows Server 2008 security feature.
c) Sometime later, they realize that the UAC is necessary for security, and turn it back on.

Microsoft’s introduction of UAC reminds me of the government’s introduction of seat belts in the 1970s.  Both were unpopular at first, but eventually the majority see the advantages of safety over ease-of-use.

As someone who hated the UAC at first, I can say that now I have turned it back on, firstly, it’s not THAT irritating, secondly it sends a subliminal message ‘Guy work securely’.  Thirdly, as an unexpected bonus the delay, or pause, that UAC introduces makes me think more about the action I am about to take. – No bad thing!

  • Local Policy – Elevate without prompting
  • Run all administrators in Admin Approval Mode
  • Registry Hack – ConsentPromptBehaviorAdmin
  • How to Activate the Hidden Windows Server 2008 Administrator Account

Local Policy – Elevate without prompting

For computers that have joined a domain, ‘Elevate without prompting’ is the best Local Policy method for disabling the UAC pop-up.  For Windows Server 2008 Home Editions, or any Windows Server 2008 not joined to a domain, see below.

Stage 1) Preliminary task:

Our first task is simply to launch the Local Security Policy snap-in.  You have the choice of two methods:

Method A)  Begin by clicking on Windows Server 2008’s Start button, then type secpol.msc in the Start Search dialog box.  Note: you must include the .msc extension.  See more on Secpol

Method B)  The goal is to display Windows Server 2008’s Administrative Tools.  Firstly, right-click the Taskbar, select Properties.  Next navigate this path: Start Menu, Customize, Advanced; scroll to the bottom and find System Administration Tools, place the radio button next to ‘Display on the All Programs menu’.

Stage 2) Configure the Security Options

  1. Open the Local Security Policy. (See Method A or B above)
  2. Expand the Local Policies folder, see the screenshot opposite.
  3. Drill down to the Security Options folder.
  4. Scroll down, and locate the family of settings beginning with ‘User Account Control’.
  5. Focus on: User Account Control: Behaviour of the elevation prompt for administrators.  Double click and set to: Elevate without prompting.  Check the screenshot below.
  6. Restart your Windows Server 2008 computer.
  7. When the computer restarts, try to configure a task that needs UAC.  For example, change the computer’s display name.  Press the Windows Key + Pause / Break.  Select the ‘Change Settings’ shield.
  8. UAC should now be turned off, thus you should not see the ‘Continue’ box.

Run all administrators in Admin Approval Mode

There is an alternative, if inferior, method of turning off UAC, that is by disabling the Local Policy, Security Option: ‘Run all administrators in Admin Approval Mode’.  Double click and set to ‘Disabled’.  Unlike the Elevate without prompting technique, this method turns off UAC and compromises security.  My advice is to leave this setting as Enabled, and focus on the above setting:
User Account Control: Behaviour of the elevation prompt for administrators.


Other User Account Control (UAC) Settings

As you can see in the above screenshot, there are more server policies for the UAC.  However, they are less important and control specialist situations, for example, installing applications.

User Account Control: Detect application installations and prompt for elevation.  For home users, the default is Enabled, meaning home users get a UAC dialog box.   However, for domain users this UAC is disabled so that installation can proceed silently.

There are similar UAC Policy settings for Users rather than Administrators.

Only elevate UIAccess applications that are installed in secure locations

The idea behind this policy is that Windows Server 2008 will only give UIAccess privileges and user rights to executables that are launched from %ProgramFiles% or %windir%.  The permissions are set on these directories to ensure that the executable is not user-modifiable (which would otherwise allow elevation of privilege).

Registry Change to User Account Control

Group Policy settings ultimately work by changing registry settings.  It follows that you could edit the registry directly rather than configure through the Local Policy GUI.  When you are learning, and if there is a GUI, that is always the best place to start.  However, there may be occasions when you need to go to the registry, for example to create a .Reg file.  If you would like to examine the key UAC registry settings, then see more about ConsentPromptBehavior here.

One of the underlying computer dilemmas is productivity versus security.  If Microsoft make UAC too difficult, then administrators will investigate registry hacks that make their jobs easier, even if easier means a less secure environment.  On my test network I move the imaginary productivity-versus-security slider towards ease of use, whereas for customers I move the same slider over to more secure settings.
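As an added example (not the author's code, and not a Microsoft tool), the PowerShell audit below reads the registry values that the Local Security Policy settings discussed here, and the configurable UAC settings listed later on this page, write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and flags the ones that weaken the elevation prompt. The value names are the documented Windows policy values; which settings count as weak is this example's own baseline.

```powershell
# Added example: audit the UAC policy values behind the Security Options GUI.
# The "Ok" scriptblocks encode this example's own baseline, not a Microsoft one.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @(
    @{ Name = 'EnableLUA'
       Desc = 'Run all administrators in Admin Approval Mode (0 turns UAC off)'
       Ok   = { param($v) $v -eq 1 } },
    @{ Name = 'ConsentPromptBehaviorAdmin'
       Desc = 'Elevation prompt for administrators (0 = elevate without prompting)'
       Ok   = { param($v) $v -ne 0 } },
    @{ Name = 'PromptOnSecureDesktop'
       Desc = 'Show the prompt on the Secure Desktop (0 permits UI spoofing)'
       Ok   = { param($v) $v -eq 1 } },
    @{ Name = 'EnableVirtualization'
       Desc = 'File and registry virtualization for legacy applications'
       Ok   = { param($v) $v -eq 1 } },
    @{ Name = 'LocalAccountTokenFilterPolicy'
       Desc = 'Remote UAC filtering for local accounts (1 = filtering disabled)'
       Ok   = { param($v) $v -eq 0 } }
)

function Get-UacAudit {
    # Read the key once; a value that is absent has never been set by policy or
    # by the GUI, so it is reported as absent rather than guessed.
    $props = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    foreach ($c in $checks) {
        $entry = $props.PSObject.Properties[$c.Name]
        if ($null -eq $entry) {
            $display = '(absent)'
            $secure  = $null
        } else {
            $display = [int]$entry.Value
            $secure  = & $c.Ok $display
        }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $display
            Secure  = $secure
            Meaning = $c.Desc
        }
    }
}

# Print the report with the weakest (False) and unknown (absent) settings first.
Get-UacAudit | Sort-Object Secure | Format-Table -AutoSize
```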

CMD Prompt – Run as Administrator

My problem occurred when I wanted to run the command: ipconfig /release.  What I received was this error message:

‘The requested operation requires elevation’.

Fortunately, the solution was easy; as you can see from the screen shot to the right, just right-click the Command Prompt and select Run as administrator from the shortcut menu.  As a result I was allowed to run ipconfig /release.  There was no irritating: ‘The requested operation requires elevation’.

An Even Better Solution – Tick Advanced Box

When you have found a good move in chess or bridge, always look for a better one.  Applying this principle to the CMD prompt:

  1. Right-click the command prompt icon, Properties
  2. Select the Shortcut (tab)
  3. Click on Advanced (button)
  4. Tick: Run as administrator

Overview of UAC

Windows Server 2008’s User Account Control (UAC) enables you to wear two ‘hats’.  Firstly, when you log on as an administrator, you can run applications such as Outlook, but in the context of an ordinary user.  Secondly, whenever you need to put on your Administrator’s hat, UAC prompts you for the necessary rights; all you have to do is click ‘Continue’ and receive permission to complete that one task.

An Example of User Account Control (UAC)

Let us consider this situation: you need to install a driver, and Windows Server 2008 presents you with a dialog box.  After reading the UAC menu, you click ‘Continue’ and thus receive elevated rights for the duration of the task.  The key concept is that you don’t have to log off and log on again as an administrator.  Instead Windows Server 2008 just switches tokens, performs the named task, and then returns you to normal user status.

As an example of UAC in action, let us assume that you wish to check the new System Restore settings.  You launch the System Icon, (Windows Key and Pause / Break) then you click on ‘System Protection’ and up pops a Windows Security box – even if you are the Administrator.  To gain the elevated rights needed to complete your mission, just click the ‘Continue’ button.  See screen shot below.

A good habit to cultivate is always to check that the program specified in the central band, is the program you intended; in this case, ‘Change Computer Settings’.  Beware that if you are connected to the internet, then sites may have rogue programs that mimic this menu and trick you into installing Spyware.

Microsoft’s New Security Philosophy

UAC is a central plank in Microsoft’s new security fortress.  As with so much of Windows Server 2008, Microsoft has redesigned what an ordinary user, or a base-level user, can do.  Surprisingly, some security settings have been loosened; if a task does not pose a security threat then Windows Server 2008 lets an ordinary user perform that task.  For example, in Windows Server 2008 users can now alter the keyboard or mouse settings or adjust the Power Settings.  As a consequence, this increases the range of activities for a user, reduces the number of tasks that require administrative rights, and consequently reduces the need to display the UAC ‘Continue’ dialog box.  Naturally, if you feel that certain users are getting too much power, then you can clip their wings with Group Policies, which have now increased from 1,500 in XP to 3,000 in Windows Server 2008.

Incidentally, Microsoft use this User Accounts Control system to underpin the Parental Controls on the Home editions of Windows Server 2008.


How User Account Control (UAC) works

If you are familiar with the concept of Kerberos in Windows Server 2003, you may already know that once a user logs on successfully, the operating system supplies them with a security token.  That token carries their privileges and group membership.  The whole idea is that the user does not have to keep typing in their password every time they need to open a file or print.

User Account Control extends this idea by supplying what some call a split token and others call two tokens.  Whatever the semantics, the idea is that to perform jobs such as checking their email or updating their spreadsheets, the Administrator relies on the lesser token, the one with minimal rights.  Suppose that same user account now needs to carry out a higher-level administrative task, for example changing a DNS record or amending a DHCP scope option; at this point they need to switch to the other, full token, known as Administrator Approval Mode.  Thanks to User Account Control, a menu appears with a shield symbol, the user clicks ‘Continue’ and the job is done, with no need to log off as a user and then log on as the administrator.

User Account Control – Under the Covers

  1. Imagine a user launching a snap-in from the MMC.  The Windows Server 2008 shell calls CreateProcess, which then queries the application to see whether it requires elevated privileges.

  2. If the application does not require elevated privilege, the process is created through NtCreateProcess – end of story.  However, let us assume that the snap-in requires elevated privilege; in this instance CreateProcess returns an error to ShellExecute.

  3. Next, ShellExecute calls the Application Information Service (AIS), which initiates an elevated launch.  AIS then prompts the user for a password through the Consent User Interface.

  4. ShellExecute now tries again, but this time uses the full token to launch the application on the client’s Windows Server 2008 machine.
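The split token described in the two sections above, as an added example that is not part of the original page: a PowerShell function that reports which half of the token the current process holds. It parses whoami.exe /groups and matches on well-known SIDs (Administrators S-1-5-32-544, integrity labels S-1-16-*) rather than display names, so it works regardless of the system language.

```powershell
# Added example: tell the filtered (standard) half of an administrator's split
# token apart from the full elevated token, using only whoami.exe output.
function Get-TokenElevationState {
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv

    # Integrity label of the token: S-1-16-12288 High, S-1-16-8192 Medium, S-1-16-4096 Low.
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    # BUILTIN\Administrators. On the filtered token the SID is still present but
    # whoami shows it with the "used for deny only" attribute, and the label is Medium.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    if ($admins -and $label.SID -eq 'S-1-16-12288') {
        $state = 'Full token: elevated administrator (or UAC turned off via EnableLUA)'
    } elseif ($admins) {
        $state = 'Filtered token: Administrators member running in Admin Approval Mode'
    } else {
        $state = 'Standard user: no Administrators membership in this token'
    }

    [pscustomobject]@{
        User            = (whoami.exe)
        IntegrityLevel  = $label.'Group Name'
        AdminsInToken   = [bool]$admins
        AdminsAttribute = $admins.Attributes
        State           = $state
    }
}

# Run it from a normal PowerShell window and again from one started with
# "Run as administrator" to see the same account switch tokens.
Get-TokenElevationState | Format-List
```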


Evolution of Windows Server 2008 User Account Control

In earlier Beta 1 builds of Windows Server 2008, UAC was called UAP (User Account Protection).  More than just a mere change of acronym, this indicates that UAC is part of a larger security area, which Microsoft are rapidly evolving.  Following feedback from beta testers, Microsoft fine-tuned the balance between high security and ease-of-use for the UAC.

Microsoft’s press releases tell us that User Account Control is a development of least-privilege user access, or LUA.  My view is that User Account Control has grown out of the ‘Run as..’ feature of Windows Server 2003 or the ‘Switch User’ feature of XP.  I have to say that at least on training courses, RunAs was one of the least liked features of Windows Server 2003.

Even when we ignored ‘Run as…’ on those training courses, we had this feeling of being naughty boys and not taking security seriously.  User Account Control makes it easier to develop good habits and work securely.  UAC is like opening a locked drawer using a plastic card kept in your top pocket, compared with ‘Run as…’, which is like walking over to the filing cabinet and finding the correct key for your drawer.  In summary, User Account Control automatically gives you the best of both worlds: rely on a basic token for routine tasks and reserve the administrative token for special security responsibilities.

Surprise, I discovered that certain tasks still need the ‘Run as…’ technique, for instance releasing and renewing an IP address. This is how it works.

Summary of User Account Control (UAC)

User Account Control (UAC) is a central plank in Microsoft’s security platform for Windows Server 2008. This page gives you strategies for controlling this service.  One theme that runs through UAC is that Microsoft are still fine-tuning the places where you can configure the settings, there have been significant changes from Beta 1 –>  Beta 2 –> RC1 –> Windows Server 2008 Final Release.




From Wikipedia, the free encyclopedia

User Account Control «Windows Security» alerts in Windows 11 in light mode. From top to bottom: blocked app, app with unknown publisher, app with a known/trusted publisher.

User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft’s Windows Vista[1] and Windows Server 2008 operating systems, with a more relaxed[2] version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware is kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.

UAC uses Mandatory Integrity Control to isolate running processes with different privileges. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, User Interface Privilege Isolation, is used in conjunction with User Account Control to isolate these processes from each other.[3] One prominent use of this is Internet Explorer 7’s «Protected Mode».[4]

Operating systems on mainframes and on servers have differentiated between superusers and userland for decades. This had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings.

Early Microsoft home operating-systems (such as MS-DOS and Windows 9x) did not have a concept of different user-accounts on the same machine. Subsequent versions of Windows and Microsoft applications encouraged the use of non-administrator user-logons, yet some applications continued to require administrator rights. Microsoft does not certify applications as Windows-compliant if they require administrator privileges; such applications may not use the Windows-compliant logo with their packaging.

Behavior in Windows versions


  • Windows 1.0–3.11 and Windows 9x: all applications had privileges equivalent to the operating system;
  • All versions of Windows NT up to, and including, Windows XP and Windows Server 2003: introduced multiple user-accounts, but in practice most users continued to function as an administrator for their normal operations. Further, some applications would require that the user be an administrator for some or all of their functions to work.[5]
  • Windows Vista and Windows Server 2008: Microsoft developed Vista security firstly from the Limited User Account (LUA), then renamed the concept to User Account Protection (UAP) before finally shipping User Account Control (UAC).[6] Introduced in Windows Vista, User Account Control (UAC) offers an approach to encourage «super-user when necessary». The key to UAC lies in its ability to elevate privileges without changing the user context (user «Bob» is still user «Bob»). As always, it is difficult to introduce new security features without breaking compatibility with existing applications.
    • When someone logs into Vista as a standard user, the system sets up a logon session and assigns a token containing only the most basic privileges. In this way, the new logon session cannot make changes that would affect the entire system.
    • When a person logs in as a user with membership in the Administrators group, the system assigns two separate tokens: the first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive.
      • User applications, including the Windows Shell, then start with the restricted token, resulting in a reduced-privilege environment – even when running under an Administrator account.
      • When an application requests higher privileges or when a user selects a «Run as administrator» option, UAC will prompt standard users to enter the credentials of an Administrator account and prompt Administrators for confirmation and, if consent is given, continue or start the process using an unrestricted token.[7]
  • Windows 7 and Windows Server 2008 R2: Microsoft included a user interface to change User Account Control settings, and introduced one new notification mode: the default setting. By default, UAC does not prompt for consent when users make changes to Windows settings that require elevated permission through programs stored in %SystemRoot% and digitally signed by Microsoft. Programs that require permission to run still trigger a prompt. Other User Account Control settings that can be changed through the new UI could have been accessed through the registry in Windows Vista.[8]
  • Windows 8/8.1 and Windows Server 2012/R2: add a design change. When UAC is triggered, all applications and the taskbar are hidden when the desktop is dimmed.
  • Windows 10 and Windows Server 2016-2022: early versions have the same layout as Windows 8 and 8.1. The Anniversary Update (including Windows Server 2016, which is based on said update) adds a more modern look, along with support for dark mode. Also, Windows 10 adds support for Windows Hello in the User Account Control dialog box.
  • Windows 11 and Windows Server 2025: has mostly the same layout as in later versions of Windows 10, but with visual changes that match the rest of the operating system’s new look and feel.

Tasks that trigger a UAC prompt


Tasks that require administrator privileges will trigger a UAC prompt (if UAC is enabled); they are typically marked by a security shield icon with the 4 colors of the Windows logo (in Vista and Windows Server 2008) or with two panels yellow and two blue (Windows 7, Windows Server 2008 R2 and later). In the case of executable files, the icon will have a security shield overlay. The following tasks require administrator privileges:[9][10]

  • Running an Application as an Administrator
  • Changes to system-wide settings
  • Changes to files in folders that standard users don’t have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases)
  • Changes to an access control list (ACL), commonly referred to as file or folder permissions
  • Installing and uninstalling applications outside of:
    • The %USERPROFILE% (e.g. C:\Users\{logged in user}) folder and its sub-folders.
      • Most of the time this is in %APPDATA%. (e.g. C:\Users\{logged in user}\AppData), by default, this is a hidden folder.
        • Chrome’s and Firefox’s installers ask for admin rights during install; if granted, Chrome installs in the Program Files folder and is usable by all users, and if denied, Chrome installs in the %APPDATA% folder instead and is usable only by the current user.
    • The Microsoft Store.
    • The folder of the installer and its sub-folders.
      • Steam installs its games in the /steamapps/ sub-folder, thus not prompting UAC. Some games require prerequisites to be installed, which may prompt UAC.
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account name or type
  • Turning on Guest account (Windows 7 to 8.1)
  • Turning on network discovery, file and printer sharing, Public folder sharing, turning off password protected sharing or turning on media streaming
  • Configuring Parental Controls (in Windows 7) or Family Safety (Windows 8.1)
  • Running Task Scheduler
  • Backing up and restoring folders and files
  • Merging and deleting network locations
  • Turning on or cleaning logging in Remote Access Preferences
  • Running Color Calibration
  • Changing remote, system protection or advanced system settings
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
  • Running Disk Defragmenter, System Restore or Windows Easy Transfer (Windows 7 to 8.1)
  • Running Registry Editor
  • Running the Windows Experience Index assessment
  • Troubleshoot audio recording and playing, hardware / devices and power use
  • Change power settings, turning off Windows features, uninstall, change or repair a program
  • Change date and time and synchronizing with an Internet time server
  • Installing and uninstalling display languages
  • Change Ease of Access administrative settings

Common tasks, such as changing the time zone, do not require administrator privileges[11] (although changing the system time itself does, since the system time is commonly used in security protocols such as Kerberos). A number of tasks that required administrator privileges in earlier versions of Windows, such as installing critical Windows updates, no longer require administrator privileges in Vista.[12] Any program can be run as administrator by right-clicking its icon and clicking «Run as administrator», except MSI or MSU packages: because of their nature, a prompt is usually shown automatically if administrator rights are required. Should this fail, the only workaround is to run a Command Prompt as an administrator and launch the MSI or MSP package from there.

User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is temporarily dimmed, Windows Aero disabled, and only the authorization window at full brightness, to present only the elevation user interface (UI). Normal applications cannot interact with the Secure Desktop. This helps prevent spoofing, such as overlaying different text or graphics on top of the elevation request, or tweaking the mouse pointer to click the confirmation button when that’s not what the user intended.[13] If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost. It is possible to disable Secure Desktop, though this is inadvisable from a security perspective.[14]

In earlier versions of Windows, Applications written with the assumption that the user will be running with administrator privileges experienced problems when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM).[5] UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user’s profile. For example, if an application attempts to write to a directory such as «C:\Program Files\appname\settings.ini» to which the user does not have write permission, the write will be redirected to «C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\settings.ini». The redirection feature is only provided for non-elevated 32-bit applications, and only if they do not include a manifest that requests specific privileges.[15]

There are a number of configurable UAC settings. It is possible to:[16]

  • Require administrators to re-enter their password for heightened security,
  • Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security;
  • Disable only file and registry virtualization[17]
  • Disable Admin Approval Mode (UAC prompts for administrators) entirely; note that, while this disables the UAC confirmation dialogs, it does not disable Windows’ built-in LUA feature, which means that users, even those marked as administrators, are still limited users with no true administrative access.

Command Prompt windows that are running elevated will prefix the title of the window with the word «Administrator», so that a user can discern which instances are running with elevated privileges.[18]

A distinction is made between elevation requests from a signed executable and an unsigned executable; and if the former, whether the publisher is ‘Windows Vista’. The color, icon, and wording of the prompts are different in each case; for example, attempting to convey a greater sense of warning if the executable is unsigned than if not.[19]

Internet Explorer 7’s «Protected Mode» feature uses UAC to run with a ‘low’ integrity level (a Standard user token has an integrity level of ‘medium’; an elevated (Administrator) token has an integrity level of ‘high’). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC.[7][20] Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system.[21]

Requesting elevation


A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Setting the level attribute for requestedExecutionLevel to «asInvoker» will make the application run with the token that started it, «highestAvailable» will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and «requireAdministrator» will require elevation.[22] In both highestAvailable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.

An executable that is marked as «requireAdministrator» in its manifest cannot be started from a non-elevated process using CreateProcess(). Instead, ERROR_ELEVATION_REQUIRED will be returned. ShellExecute() or ShellExecuteEx() must be used instead. If an HWND is not supplied, then the dialog will show up as a blinking item in the taskbar.

Inspecting an executable’s manifest to determine if it requires elevation is not recommended, as elevation may be required for other reasons (setup executables, application compatibility). However, it is possible to programmatically detect if an executable will require elevation by using CreateProcess() and setting the dwCreationFlags parameter to CREATE_SUSPENDED. If elevation is required, then ERROR_ELEVATION_REQUIRED will be returned.[23] If elevation is not required, a success return code will be returned at which point one can use TerminateProcess() on the newly created, suspended process. This will not allow one to detect that an executable requires elevation if one is already executing in an elevated process, however.

A new process with elevated privileges can be spawned from within a .NET application using the «runas» verb. An example using C#:

System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.StartInfo.FileName = "C:\\Windows\\system32\\notepad.exe";
proc.StartInfo.Verb = "runas"; // Elevate the application
proc.StartInfo.UseShellExecute = true;
proc.Start();

In a native Win32 application the same «runas» verb can be added to a ShellExecute() or ShellExecuteEx() call:[7]

ShellExecute(hwnd, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);

In the absence of a specific directive stating what privileges the application requests, UAC applies heuristics to determine whether or not the application needs administrator privileges. For example, if UAC detects that the application is a setup program, from clues such as the filename, versioning fields, or the presence of certain sequences of bytes within the executable, it will assume in the absence of a manifest that the application needs administrator privileges.[24]
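The manifest levels described above and the no-manifest fallback can be checked offline. The following Python is an added example, not code from the original page or from Microsoft: it extracts requestedExecutionLevel from a manifest (any trustInfo namespace), predicts the prompt and token a launch from a non-elevated process will get, and, when there is no manifest, stands in for the installer-detection heuristic with a filename keyword check. The sample manifest is constructed, the function names are the author's own, and the keyword list and the default prompt behaviours (consent for administrators, credentials for standard users) are assumptions that Group Policy can change.

```python
"""Parse an application manifest and predict how UAC treats the launch (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample manifest, same shape as the one shown in the text.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Filename keywords used as a stand-in for UAC's installer detection when an
# executable has no manifest (assumed for illustration; the real heuristic also
# inspects version resources and byte patterns inside the executable).
INSTALLER_KEYWORDS = ("install", "setup", "update")


def _local_name(tag):
    """Drop the XML namespace so manifests using asm.v2 or asm.v3 parse alike."""
    return tag.rsplit("}", 1)[-1]


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from a manifest, or (None, False) if it has none."""
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    for elem in root.iter():
        if _local_name(elem.tag) == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in VALID_LEVELS:
                raise ValueError("unknown requestedExecutionLevel: %r" % level)
            ui_access = elem.get("uiAccess", "false").lower() == "true"
            return level, ui_access
    return None, False


def looks_like_installer(exe_name):
    """Simplified stand-in for UAC's installer-detection heuristic (assumed)."""
    stem = exe_name.lower()
    return any(word in stem for word in INSTALLER_KEYWORDS)


def predict_launch(level, caller_is_admin, exe_name=""):
    """Predict (prompt, token) for a launch from a non-elevated process.

    prompt is "none", "consent" or "credential"; token is "caller",
    "standard" or "elevated".  Assumes the default prompt behaviours
    (consent for administrators in Admin Approval Mode, credentials for
    standard users); Group Policy can change both.
    """
    if level is None:
        # No manifest: UAC falls back to heuristics such as the filename.
        level = "requireAdministrator" if looks_like_installer(exe_name) else "asInvoker"
    if level == "asInvoker":
        return "none", "caller"            # runs with whatever token started it
    if level == "highestAvailable":
        # Administrators are asked to elevate; standard users just run reduced.
        return ("consent", "elevated") if caller_is_admin else ("none", "standard")
    # requireAdministrator: elevation is mandatory for everyone.
    return ("consent", "elevated") if caller_is_admin else ("credential", "elevated")


if __name__ == "__main__":
    level, ui = requested_execution_level(SAMPLE_MANIFEST)
    for is_admin in (True, False):
        print(level, "admin" if is_admin else "standard", predict_launch(level, is_admin))
```

Because the parser matches on the element's local name, it accepts the asm.v2 manifest shown above and the asm.v3 form used by later toolchains alike; an unknown level raises rather than being silently treated as asInvoker.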

UAC is a convenience feature; it neither introduces a security boundary nor prevents execution of malware.[25][26][27][28]

Leo Davidson discovered that Microsoft weakened UAC in Windows 7 through exemption of about 70 Windows programs from displaying a UAC prompt and presented a proof of concept for a privilege escalation.[29]

Stefan Kanthak presented a proof of concept for a privilege escalation via UAC’s installer detection and IExpress installers.[30]

Stefan Kanthak presented another proof of concept for arbitrary code execution as well as privilege escalation via UAC’s auto-elevation and binary planting.[31]

There have been complaints that UAC notifications slow down various tasks on the computer such as the initial installation of software onto Windows Vista.[32] It is possible to turn off UAC while installing software and re-enable it at a later time.[33] However, this is not recommended: File & Registry Virtualization is only active while UAC is turned on, so user settings and configuration files may be installed to a different place (a system directory rather than a user-specific directory) than they would be otherwise.[14] Also, Internet Explorer 7’s «Protected Mode», whereby the browser runs in a sandbox with lower privileges than the standard user, relies on UAC and will not function if UAC is disabled.[20]

Yankee Group analyst Andrew Jaquith said, six months before Vista was released, that «while the new security system shows promise, it is far too chatty and annoying.»[34] By the time Windows Vista was released in November 2006, Microsoft had drastically reduced the number of operating system tasks that triggered UAC prompts, and added file and registry virtualization to reduce the number of legacy applications that triggered UAC prompts.[5] However, David Cross, a product unit manager at Microsoft, stated during the RSA Conference 2008 that UAC was in fact designed to «annoy users,» and force independent software vendors to make their programs more secure so that UAC prompts would not be triggered.[35] Software written for Windows XP, and many peripherals, would no longer work in Windows Vista or 7 due to the extensive changes made in the introduction of UAC. The compatibility options were also insufficient. In response to these criticisms, Microsoft altered UAC activity in Windows 7. For example, by default users are not prompted to confirm many actions initiated with the mouse and keyboard alone such as operating Control Panel applets.

In a controversial article, New York Times Gadgetwise writer Paul Boutin said «Turn off Vista’s overly protective User Account Control. Those pop-ups are like having your mother hover over your shoulder while you work.»[36] Computerworld journalist Preston Gralla described the NYT article as «…one of the worst pieces of technical advice ever issued.»[37]

  • Comparison of privilege authorization features
  • Features new to Windows Vista
  • Polkit
  • runas
  • Secure attention key (SAK)
  • Security and safety features new to Windows Vista
  • sudo – A similar feature in UNIX-like operating systems
  1. ^ «What is User Account Control?». Microsoft. January 2015. Retrieved 2015-07-28.
  2. ^ Windows 7 Feature Focus: User Account Control Archived 2014-05-04 at the Wayback Machine, An overview of UAC in Windows 7 by Paul Thurott
  3. ^ «The Windows Vista and Windows Server 2008 Developer Story: Windows Vista Application Development Requirements for User Account Control (UAC)». The Windows Vista and Windows Server 2008 Developer Story Series. Microsoft. April 2007. Retrieved 2007-10-08.
  4. ^ Marc Silbey, Peter Brundrett (January 2006). «Understanding and Working in Protected Mode Internet Explorer». Microsoft. Retrieved 2007-12-08.
  5. ^ a b c Torre, Charles (March 5, 2007). «UAC – What. How. Why» (video). Retrieved 2007-12-08.
  6. ^ Howard, Michael; LeBlanc, David (2010). Writing Secure Code for Windows Vista. O’Reilly Media, Inc. ISBN 9780735649316. Retrieved 2013-08-06. UAC started life as the Limited User Account (LUA), then was renamed to User Account Protection (UAP), and finally we got UAC.
  7. ^ a b c Kerr, Kenny (September 29, 2006). «Windows Vista for Developers – Part 4 – User Account Control». Retrieved 2007-03-15.
  8. ^ «Registry Tweaks to Customize User Account Control (UAC) Options in Windows Vista and Later — AskVG». 16 March 2008.
  9. ^ Bott, Ed (2007-02-02). «What triggers User Account Control prompts?». Archived from the original on 2015-09-27.
  10. ^ «Living with and benefiting from User Account Control». Microsoft. 2014-12-09.
  11. ^ Allchin, Jim (2007-01-23). «Security Features vs. Convenience». Windows Vista Team Blog. Microsoft.
  12. ^ «User Account Control Overview». TechNet. Microsoft.
  13. ^ «User Account Control Prompts on the Secure Desktop». UACBlog. Microsoft. 4 May 2006.
  14. ^ a b Bott, Ed (2 February 2007). «Why you need to be discriminating with those Vista tips». Ed Bott’s Windows Expertise.
  15. ^ «Determine How to Fix Applications That Are Not Windows 7 Compliant». TechNet. Microsoft. 12 September 2012. Retrieved 2013-09-09.
  16. ^ «Chapter 2: Defend Against Malware». Windows Vista Security Guide. Microsoft. November 8, 2006.
  17. ^ User Account Control: Virtualize file and registry write failures to per-user locations
  18. ^ «Administrator Marking for Command Prompt». UACBlog. Microsoft. 1 August 2006.
  19. ^ «Accessible UAC Prompts». Windows Vista Blog. Microsoft. Archived from the original on 2008-01-27. Retrieved 2008-02-13.
  20. ^ a b Russinovich, Mark (June 2007). «Inside Windows Vista User Account Control». TechNet Magazine. Microsoft.
  21. ^ Friedman, Mike (10 February 2006). «Protected Mode in Vista IE7». IEBlog. Microsoft.
  22. ^ Carlisle, Mike (10 March 2007). «Making Your Application UAC Aware». The Code Project.
  23. ^ Zhang, Junfeng (18 October 2006). «Programmatically determine if an application requires elevation in Windows Vista». Junfeng Zhang’s Windows Programming Notes. Microsoft.
  24. ^ «Understanding and Configuring User Account Control in Windows Vista». TechNet. Microsoft. Retrieved 2007-07-05.
  25. ^ «Disabling User Account Control (UAC) on Windows Server». Microsoft Support Knowledge Base. Microsoft. Retrieved 2015-08-17.
  26. ^ Russinovich, Mark. «Inside Windows 7 User Account Control». Microsoft. Retrieved 2015-08-25.
  27. ^ Johansson, Jesper. «The Long-Term Impact of User Account Control». Microsoft. Retrieved 2015-08-25.
  28. ^ Russinovich, Mark. «Inside Windows Vista User Account Control». Microsoft. Retrieved 2015-08-25.
  29. ^ Davidson, Leo. «Windows 7 UAC whitelist: – Code-injection Issue – Anti-Competitive API – Security Theatre». Retrieved 2015-08-25.
  30. ^ Kanthak, Stefan. «Defense in depth – the Microsoft way (part 11): privilege escalation for dummies». Full disclosure (mailing list). Retrieved 2015-08-17.
  31. ^ Kanthak, Stefan. «Defense in depth – the Microsoft way (part 31): UAC is for binary planting». Full disclosure (mailing list). Retrieved 2015-08-25.
  32. ^ Trapani, Gina (31 January 2007). «Geek to Live: Windows Vista upgrade power tips». Lifehacker. Archived from the original on 14 September 2011. Retrieved 15 April 2007.
  33. ^ «Disable UAC in Vista». YouTube. Archived from the original on 2021-12-22.
  34. ^ Evers, Joris (2006-05-07). «Report: Vista to hit anti-spyware, firewall markets». ZDNet. CBS Interactive. Archived from the original on 2006-12-10. Retrieved 2007-01-21.
  35. ^ Espiner, Tom (11 April 2008). «Microsoft: Vista feature designed to ‘annoy users’». CNET. CBS Interactive.
  36. ^ Boutin, Paul (14 May 2009). «How to Wring a Bit More Speed From Vista». New York Times – Gadgetwise. Retrieved 2015-01-04.
  37. ^ Gralla, Preston (2009-05-14). «New York Times blooper: Throw away your anti-virus software». Computerworld. Retrieved 2022-10-04.
  • Turning UAC On or Off in Windows 7
  • Documentation about UAC for Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
  • UAC Understanding and Configuring More Information at Microsoft Technet
  • Development Requirements for User Account Control Compatibility More information at Microsoft Developer Network
  • UAC Team Blog

2. User Account Control

User Account Control (UAC) is one of the most important security-related technologies in Windows Vista and Windows Server 2008. UAC provides control over the level of privilege that a user or administrator has when routinely using the computer. UAC forces the privilege level to be a standard user until elevated privileges (typically administrative) are required.

Two different scenarios are important to understand when using UAC. First, when a user is logged on with administrative privileges, the level of privilege is a standard user until a task needs to be run that requires elevation. When elevated privileges are required, a dialog box asks the user whether he or she wants to continue to run the application or task with elevated privileges, as shown in Figure 1.

Figure 1. UAC prompts a user logged on with administrative privileges before running an application or task that requires administrative privileges.

This is an excellent security measure, because any application requiring elevated privileges will be denied processing until approved. This is important, because many viruses and malware require elevated privileges to run.

The second scenario is when a standard user is logged on and attempts to run an application that requires elevated privileges. In this case, the user is prompted, but not with the same prompt given to the user logged on with administrative privileges. Instead, the user is prompted with the dialog box shown in Figure 2.

Figure 2. UAC prompts a user who is logged on with standard privileges with a dialog box asking for administrative credentials.

UAC also has many control settings that allow you to alter how applications and tasks that require administrative privileges are handled. Table 2 summarizes the settings available for controlling UAC in a GPO.

Table 2. UAC Settings

Full Policy Name | Computer or User
Enumerate administrator accounts on elevation | Computer
Require trusted path for credential entry | Computer
Detect application failures caused by deprecated Windows DLLs or COM objects | Computer
Detect application install failures | Computer
Detect application installers that need to be run as administrator | Computer
Detect applications unable to launch installers under UAC | Computer
Notify blocked drivers | Computer
User Account Control: Admin Approval Mode for the Built-in Administrator account | Computer
User Account Control: Allow UI Access applications to prompt for elevation without using the secure desktop | Computer
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Computer
User Account Control: Behavior of the elevation prompt for standard users | Computer


More Info

Table 2 summarizes the majority of the UAC settings that can be configured in a GPO. The policy name is listed in the table. If you are having trouble finding a policy within the GPME, you can download and refer to the spreadsheet WindowsServerGroupPolicy Settings.xls from the Microsoft Download Center at http://www.microsoft.com/Downloads/.

User Account Control is another feature introduced with Microsoft Windows Vista and Windows Server 2008. With it, even administrators use an access token that carries only standard user privileges; whenever elevated privileges are required, the computer displays a prompt for consent, and the user clicks Yes to continue. This configuration makes Windows Server 2008 considerably more secure, but it can be annoying for administrators in small to medium-sized organizations. Such administrators may want to disable the feature. The full process involves Group Policy editing, but Windows Server 2008 also offers a single-click option to enable or disable User Account Control. To use it as an administrator, follow the steps below:

1. Log on to Windows Server 2008 with an account that holds administrator rights.
2. Click the Start button and, from the menu, open Control Panel.
3. In the window that opens, click User Accounts.
4. On the page that opens, click the Turn User Account Control on or off link.
5. In the window that appears, clear the Use User Account Control (UAC) to help protect your computer checkbox and click OK.
6. In the box that appears, click Restart Now to restart the computer and allow the change to take effect.
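Whether the checkbox above has been cleared, and how the Table 2 prompt policies are set, can be verified from the policy values that back those settings rather than by clicking through the dialogs. The following Python is an added example, not code from the original page or from Microsoft: it decodes a snapshot of the UAC policy values (or, on Windows, reads them live) and lists settings that weaken the protection. The registry key and value names are the documented Windows policy locations, not taken from the page; the function names and the two sample snapshots are constructed for this example.

```python
"""Audit the policy values behind the UAC settings (added example)."""
import sys

# Documented Windows policy key holding the UAC values (not taken from the page).
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

VALUE_NAMES = (
    "EnableLUA",                   # the Control Panel "Use User Account Control" checkbox
    "ConsentPromptBehaviorAdmin",  # Behavior of the elevation prompt for administrators
    "ConsentPromptBehaviorUser",   # Behavior of the elevation prompt for standard users
    "PromptOnSecureDesktop",       # switch to the secure desktop when prompting
    "FilterAdministratorToken",    # Admin Approval Mode for the built-in Administrator
    "EnableInstallerDetection",    # detect installers that need to run as administrator
)

ADMIN_PROMPT = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

USER_PROMPT = {
    0: "automatically deny elevation requests",
    1: "prompt for credentials on the secure desktop",
    3: "prompt for credentials",
}

# Constructed snapshots: a hardened host and one where UAC was switched off.
HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "ConsentPromptBehaviorUser": 1,
            "PromptOnSecureDesktop": 1, "FilterAdministratorToken": 1,
            "EnableInstallerDetection": 1}
UAC_OFF = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}


def read_uac_values():
    """Read the live values on Windows; elsewhere return {} so a snapshot is assessed instead."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_POLICY_KEY) as key:
        for name in VALUE_NAMES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not set: the built-in default applies
    return values


def assess_uac(values):
    """Decode the prompt behaviours and list settings that weaken UAC.

    Missing values are treated as their Windows defaults (assumed here):
    EnableLUA=1, PromptOnSecureDesktop=1, FilterAdministratorToken=0,
    EnableInstallerDetection=1.
    """
    findings = []
    enabled = values.get("EnableLUA", 1) == 1
    if not enabled:
        findings.append("EnableLUA=0: UAC is off, so Admin Approval Mode, installer detection, "
                        "file/registry virtualization and IE Protected Mode are all off")
    admin = values.get("ConsentPromptBehaviorAdmin")
    if admin == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    if values.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are not isolated on the secure desktop")
    if values.get("FilterAdministratorToken", 0) == 0:
        findings.append("FilterAdministratorToken=0: built-in Administrator is exempt "
                        "from Admin Approval Mode")
    if values.get("EnableInstallerDetection", 1) == 0:
        findings.append("EnableInstallerDetection=0: installer detection heuristic is off")
    return {
        "enabled": enabled,
        "admin_prompt": ADMIN_PROMPT.get(admin, "default"),
        "user_prompt": USER_PROMPT.get(values.get("ConsentPromptBehaviorUser"), "default"),
        "findings": findings,
    }


if __name__ == "__main__":
    live = read_uac_values()
    for label, snapshot in (("live", live), ("hardened", HARDENED), ("uac_off", UAC_OFF)):
        if snapshot:
            print(label, assess_uac(snapshot))
```

Run on a Windows host the script reports the live state; elsewhere it assesses the constructed snapshots, which is also how a captured registry export from an incident can be checked offline.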
