ManipUni said:
AndyC said:
*snip*

But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

Yes, sure, processes can be poisoned but only if they escalate AFTER the initial execution. If you dump them to an admin session right from the initial launch it would be impossible for an application within another session to poison them.

My point is that if Microsoft wants to turn UAC into a security boundary then they have to leave UAC in place in the meantime in order to get application developers used to writing code that either runs in User or Admin scopes.

ManipUni said:
But why can't UAC be made to push processes into a different session? Isn't that the ideal anyway? Everyone is a user and only processes get to run as admin?

I'm not suggesting you couldn't build a system where everyone is a user and elevation presents a security boundary that does something a bit like fast-user switching but in a more seamless fashion. Of course there'd be lots of additional protection needed to ensure such apps remained truly isolated (it would need to go beyond, for example, UIPI).

However, that is not what UAC does. It's not trivial to reach that point, especially when too many apps still don't truly understand Standard User behavior. That would be a long-term goal perhaps. Right now we need UAC to do the best it possibly can and to continue pushing application developers into having to do things "the right way".