This FAQ topic aims to address some of the misconceptions about User Account Control.

What is UAC?


User Account Control (UAC) is a technology in Windows Vista that attempts to address the problem that applications in Windows XP commonly run with Administrator rights. It is a common idea in computer security that an application should not have more permissions than it needs; that way, if something does go wrong, no serious damage can be caused. In previous versions of Windows, most users would run as Administrators, and as such, all applications ran with Administrator privileges. Because all applications ran with Administrator privileges, many applications were designed with the assumption that they would have these privileges. Running with lower privileges was possible, but very difficult.

With UAC, applications get limited permissions by default, even if the current user is a member of the Administrators group. If an application requires more permissions, it can be elevated with the user's consent.

How does it work?


A user account in Windows is represented by a token which contains the privileges the user has. When UAC detects a user is logging on with certain privileges, it creates a filtered token that removes those privileges, and links the original token to that filtered token. By default, processes are created with that filtered token, while an elevated application gets the original token (or, if the original user didn't have the privileges required, the user can provide credentials for another user account and a token for that user is created and used instead).

For more details, check this article from MSDN Magazine.
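
To see which of the two tokens a process actually holds, this added example (not part of the original FAQ) queries the Win32 `TokenElevationType` information class from PowerShell on Windows. The `UacDemo.Native` type name and the function name are made up for the example.

```powershell
# P/Invoke declaration for advapi32!GetTokenInformation (Windows only).
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-TokenElevationType {
    $TokenElevationType = 18   # value in the TOKEN_INFORMATION_CLASS enumeration
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token
    $value = 0
    $returned = 0
    $ok = [UacDemo.Native]::GetTokenInformation(
        $token, $TokenElevationType, [ref]$value, 4, [ref]$returned)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed with Win32 error $code"
    }
    # TOKEN_ELEVATION_TYPE values
    switch ($value) {
        1 { 'Default: no linked token (UAC off, or a standard user)' }
        2 { 'Full: the original, unfiltered token (elevated process)' }
        3 { 'Limited: the filtered token, linked to the original one' }
    }
}

Get-TokenElevationType

# Privileges present in this token; compare the count in a normal shell
# and in an elevated one to see what the filtering removed.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
'{0} privileges in this token' -f @($privs).Count
```

Run it once from a normal PowerShell window and once from an elevated one: an administrator with UAC enabled sees `Limited` in the first and `Full` in the second.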

When is an application elevated?


Elevation is controlled through a manifest, which is usually embedded in the executable. The manifest indicates whether a process wants to run "asInvoker" (using the filtered token), "highestAvailable" (as many privileges as the original token has), or "requireAdministrator" (needs an administrator token; if the logged-in user doesn't have these privileges, the user is asked for different credentials).

If an application doesn't have a manifest, it will usually not be elevated. However, Vista contains heuristics to detect old applications that need elevated permissions (mainly old setup applications) and will elevate these applications even without a manifest.

Elevation can only occur when an application is launched. Once an application is running, it cannot elevate. If an application wishes to elevate only for a short time, it must start an external executable to perform the elevated task. If desired, an application can use the COM elevation moniker to create an out-of-process COM object with elevated permissions.
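
The following added example (not from the original FAQ) shows what the manifest entry looks like and how to find out which level an executable requests. It is a heuristic text scan rather than a PE resource parser; the sample manifest is constructed and the function names are made up for the example.

```powershell
# Constructed sample: the part of an application manifest that UAC reads.
$sampleManifest = @'
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

# What each level means, in the terms used above.
$meaning = @{
    asInvoker            = 'runs with the token of the process that starts it, no prompt'
    highestAvailable     = 'gets as many privileges as the original token has'
    requireAdministrator = 'needs an administrator token, or credentials for another account'
}

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Text)
    # Embedded manifests are normally stored as plain text, so the element can be
    # matched in the raw file content. Manifests stored as UTF-16 and external
    # .manifest files next to the executable are not covered by this scan.
    $pattern = '<(?:\w+:)?requestedExecutionLevel\b[^>]*\blevel\s*=\s*["''](\w+)["'']'
    $m = [regex]::Match($Text, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-FileExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    # ISO-8859-1 maps every byte to one character, so binary content survives decoding.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    Get-RequestedExecutionLevel $text
}

$level = Get-RequestedExecutionLevel $sampleManifest
'{0}: {1}' -f $level, $meaning[$level]

# Inventory of real files (Windows): which executables declare a level, and which one.
# Get-ChildItem $env:ProgramFiles -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
#   ForEach-Object { [pscustomobject]@{ File = $_.FullName; Level = Get-FileExecutionLevel $_.FullName } }
```

A file that returns nothing has no embedded level the scan can see, which is the case where Vista's heuristics for old applications decide instead.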

Will UAC solve the Dancing Bunnies problem?


In a nutshell, the Dancing Bunnies problem is the issue that users will click yes to anything if they believe the software they are running is useful (or otherwise desired), and will thus allow even the worst malware to elevate.

UAC will not solve this problem. It puts up another hurdle, but in the end, if the user wants to see the dancing bunnies, an extra "continue" button isn't going to stop them. Moreover, many users will get bored of the UAC dialogs and just allow everything without even reading the dialog.

Solving this problem is not the main point of UAC.

Okay, so what is the main point?


As stated above, the main point is to make applications run with as few privileges as possible. Many applications, such as Outlook, Internet Explorer, Firefox, or your favourite game, don't require administrator privileges. With UAC enabled, they won't get them. There are no prompts here; UAC won't ask you anything if an application isn't elevated.

This means that if a vulnerability is found in Outlook - and an exploit is created for this vulnerability - this exploit can't trash your system because Outlook isn't running with Administrator rights. Internet Explorer, which runs as a "low integrity" process (so-called protected mode), has even fewer rights so the exploit can do almost nothing at all!

Isn't that cool? UAC is protecting you most when you're not seeing any dialogs!

The dialogs work as a warning; a sign to say: "I'm going to turn the protection off now" rather than asking for your permission to do something. And because they are so visible, one benefit is that application designers will design their applications to avoid the UAC dialog, which in turn means their applications are less of a threat should they contain a vulnerability.

I still don't like UAC. Can I turn it off?


That is, of course, your right. I will ask you to give it some more time. UAC's main drawback is that you see it most just after you get Vista: when you're setting everything up. Once you've finished installing all your applications you'll find you see it a lot less. UAC tends to become less of an annoyance over time.

If you do want to turn it off: instead of turning UAC off completely, you can just disable the prompts. This way, applications that don't need elevated rights still don't get them; but you won't get prompted anymore when they do. Turning off UAC in the conventional way removes this protection, and leaves you considerably more vulnerable.

How to do this is described in this blog post by Tim Sneath.
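
To check which of these configurations a machine is in, this added example (not taken from the FAQ or the linked blog post) reads the `EnableLUA` and `ConsentPromptBehaviorAdmin` policy values and reports the result. The function name and the sample rows are constructed for illustration.

```powershell
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    # $Policy: any object or hashtable exposing EnableLUA and ConsentPromptBehaviorAdmin.
    param([Parameter(Mandatory)]$Policy)
    if ($Policy.EnableLUA -eq 0) {
        # UAC switched off completely: the protection described above is gone.
        return 'UAC off: no filtered token, administrators run everything with full rights'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        # "Elevate without prompting": only applications that ask for elevation get it.
        return 'Prompts off: filtered token by default, elevation requests granted silently'
    }
    'UAC on: filtered token by default, elevation requires a prompt'
}

# Constructed sample values, so the logic can be followed without touching a registry.
# ConsentPromptBehaviorAdmin = 2 (prompt for consent) is the Vista default.
$samples = @(
    @{ Label = 'Vista default';    EnableLUA = 1; ConsentPromptBehaviorAdmin = 2 }
    @{ Label = 'prompts disabled'; EnableLUA = 1; ConsentPromptBehaviorAdmin = 0 }
    @{ Label = 'UAC turned off';   EnableLUA = 0; ConsentPromptBehaviorAdmin = 2 }
)
foreach ($s in $samples) {
    '{0,-17} {1}' -f $s.Label, (Get-UacPosture $s)
}

# Read-only check of the live machine (Windows).
if (Test-Path $key) {
    '{0,-17} {1}' -f 'this machine', (Get-UacPosture (Get-ItemProperty -Path $key))
}
```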