They knew damn well back then that stuff like silent elevation was a disaster waiting to happen (and like we see with the rundll32/code injection bugs in win7, it happened)
Look what the Vista devs wrote in 2007:
FAQ: Why can’t I bypass the UAC prompt?
The designers of Windows Vista's User Account Control expressly decided not to incorporate functionality like setuid/suid or sudo found in Unix and Unix-like OSes such as Mac OS X. I think they made the right decision.
Pre-approving code to run with elevated permissions without going through an elevation prompt, as described in the bulleted scenarios above, seems at first glance to be both useful and convenient. However, the negatives far outweigh those benefits. In particular:
- The "standard user by default" vision would become impossible and ultimately never happen;
- Elevation of privilege (EoP) would be trivial – any compromise could lead to full system compromise.
If it were possible to mark an application to run with silently-elevated privileges, what would become of all those apps out there with LUA bugs? Answer: they'd all be marked to silently elevate. How would future software for Windows be written? Answer: To silently elevate. Nobody would actually fix their apps, and end-user applications will continue to require and run with full administrative permissions unnecessarily.
"Well, so what? We're only talking about applications I approved!" OK, let's say that's true, but how do you ensure that a malicious user cannot use the application for purposes other than those for which it was intended? And at least as important – how do you ensure that malware that has infected the user's session cannot drive a setuid application programmatically to take over the system? Ensuring strict behavioral boundaries for complex software running with elevated privileges is (at best) incredibly difficult. And ensuring that it is free of exploitable design and implementation bugs is far beyond the capabilities of software engineering today. The complexity and risk compounds when you consider how many apps have extensibility points that load code that you or your IT admin may not be aware of, or that can load code or consume data from user-writable areas with minimal if any validation.
OK, this was mostly about third-party software, but still - much of it applies to Windows components as well.
Here is the best part again:
Pre-approving code to run with elevated permissions without going through an elevation prompt, as described in the bulleted scenarios above, seems at first glance to be both useful and convenient. However, the negatives far outweigh those benefits
So, rundll32 and other Windows components shouldn't be pre-approved either! The Vista devs understood this well. Either they got a completely new team for Win 7 or the devs are constrained by marketing. ("Win 7 needs to be less annoying!")
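For anyone who wants to check where their own machine stands on this, the following PowerShell is an added example (not from the post, and not Microsoft's code): it reads the documented UAC policy values that decide whether administrators get elevation without a prompt, reports what they mean, and offers the "Always notify" setting that removes the silent path for Windows components too. The function names are my own; the registry key, value names and their meanings are the documented ones.

```powershell
# Added example: audit the UAC policy values behind silent elevation and
# show the "Always notify" mitigation. Function names are hypothetical.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (for Admin Approval Mode users)
$AdminPromptMeaning = @{
    0 = 'Elevate without prompting (silent elevation for everything)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}

function Get-UacElevationPolicy {
    # Returns the effective policy; a missing value means the OS default applies.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $behavior  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $behavior
        PromptOnSecureDesktop      = $secure
        Meaning                    = $AdminPromptMeaning[$behavior]
        # UAC off, or some class of binaries elevates with no prompt at all
        SilentElevationPossible    = ($enableLua -eq 0) -or ($behavior -in 0, 5)
        # A prompt shown on the normal desktop can be driven by code in the user's session
        PromptOnInsecureDesktop    = ($secure -eq 0) -or ($behavior -in 3, 4)
    }
}

function Set-UacAlwaysNotify {
    # Mitigation: prompt for consent on the secure desktop for every elevation.
    # Needs an elevated shell; -WhatIf shows the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
        Write-Warning 'Sign out or reboot for the new UAC policy to take effect.'
    }
}

$policy = Get-UacElevationPolicy
$policy | Format-List
if ($policy.SilentElevationPossible) {
    Write-Warning 'Silent elevation is possible with this policy; review with: Set-UacAlwaysNotify -WhatIf'
}
```

On a stock Windows 7 box the audit reports value 5, which is exactly the "Windows binaries are pre-approved" behaviour the post complains about; setting 2 restores the Vista-style prompt for everything. The values are policy, so on a domain machine Group Policy will overwrite a local change.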