guidance on the control user account (UAC)

By | 10.12.2018



Manual control user account (UAC)

UAC (User Account Control), is probably the most unappreciated and maybe even most hated by many feature that debuted in Vista and became part of all subsequent versions of Windows. For the most part the flow of hatred, which spills out onto the User Account Control, I think undeserved, because the function has a real benefit. I totally agree that sometimes the user account control (hereinafter simply UAC) can be quite irritating, but he was introduced in Windows for a specific purpose. No, not to interfere with the users, and to facilitate a smooth transition from a standard (limited) account to the administrator account.

In this article, I’ll tell you what UAC is, how it works, why it is needed and how to configure it. I have no intention to give you instructions, why you should use UAC and only inform about what you lose by disabling this feature.

A little background and information about accounts

As you should know, Windows works with so-called accounts. They are of two types: administrator and standard (limited).

The administrator account gives the user full access to all functions of the operating system, i.e. the user can do whatever he wants. The standard user account offers lower rights, but because he was allowed only a few things. This is usually all that only affects the current user. Example: change Wallpaper on your desktop mouse settings, change sound schemes, etc. In General, everything that concerns a specific user and not systemwide, available in standard accounts. For everything that can affect the system as a whole, need administrator access.

One of the tasks assigned to these accounts, is to protect against malicious code. The General idea here expressed to normal operation the user has performed under a limited user account and switched to the administrator account only when required by the action. Paradoxically, but malware get the same level of rights the user has performed the login.

In Windows 2000 and Windows XP perform actions as administrator implemented is not flexible enough, and therefore work under a limited user account was not very convenient. One way to execute the admin action on these versions of the system looks like this: output from the restricted account (or rapid switching, if you have used Windows XP) -> login admin -> action -> exit from the accounts of the administrator (or quick switch, if you have used Windows XP) -> return to the restricted account.

Another option is to use the context menu and selecting «Run as different user», which opens a window where you must specify the correct administrator account and password to run the file as administrator. This is a quick method of switching from one accounts to another, but not applicable to any situation requiring administrative privileges. Another problem with this method is that the administrator account must have a password, otherwise the command will fail.

That’s why Windows Vista introduced User Account Control in Windows 7 has been brought almost to perfection.

What is UAC

UAC is a feature in Windows Vista, 7, 8, 8.1 and 10, which aims to make the transition from a restricted environment in the admin as smooth and hassle-free, eliminating the need to run the file with administrator rights manually, or switch between accounts. In addition, UAC is an extra layer of protection that requires almost no effort from the user, but can prevent serious damage.

How does UAC

When the user logs in to your account, Windows creates a so-called user access token that contains specific information about this account and mainly the various security identifiers that the operating system uses to control access to this account. In other words, this token is a kind of personal document (passport, for example). This applies to all versions of Windows based on the NT kernel: NT, 2000, XP, Vista, 7, 8 and 10.

When a user is a standard user account (limited), creates a standard user token with limited rights. When a user logs in to the admin account created called administrator token with full access. Logical.

However, in Windows Vista, 7, 8 and 10, if UAC is enabled and a user logs on to the administrator account, Windows creates two token’. The administrator remains in the background, and the standard used to start Explorer.exe. That is Explorer.exe runs with restricted rights. All started after this processes are the subprocesses Explorer.exe inherited reduced privileges of the basic process. If a process requires administrator rights, he requests the admin token, and Windows in turn asks the user’s permission to grant the process this token in the form of a special dialog box.

This dialog box contains the so-called secure desktop (secure desktop), access to which has only the operating system. It looks as dark the actual desktop and only contains the confirmation window as an administrator and perhaps the language bar (if you activated more than one language).

If the user does not agree and click No, Windows will refuse to process in the admin token’E. And if you agree select «Yes», the operating system will give the process the necessary privileges, namely, the administrator token.

If the process is already running with lower rights, it will be restarted with these elevated user (administrator). The process can not be «downgraded» or «upgraded» directly. After the process was launched with one token’nom, he will not be able to obtain other rights until, yet again, will not start with new rights. As example, the task Manager, which always run with limited rights. If you click «Show processes from all users» Task Manager is closed and started again, but with administrator rights.

If you use the standard account, the UAC asks you to specify a specific admin account and enter password:

Руководство по контролю учетных записей пользователей (UAC)

How UAC protects the user

By itself, the UAC does not provide special protection. It just eases the transition from a restricted environment such administrator. So a more correct formulation of the question, therefore, is that as a limited account prevents the user. Under restricted profile user processes cannot access certain system areas:

  • the primary partition;
  • the user folders of other users in the Users folder;
  • the Program Files folder;
  • the Windows folder and all its subfolders;
  • sections other accounts in the system registry
  • the HKEY_LOCAL_MACHINE key in the system registry.

Any process (or malicious code) without administrator rights cannot get deep into the system without having access to the necessary folders and registry keys and therefore can not cause serious damage to the system.

UAC can interfere with older programs that are not officially compatible with Vista/7/8/10

Don’t have to. When UAC is enabled, and also enabled virtualization. Some older and/or just carelessly written programs do not use the correct folder to store its files (settings, logs, etc.). Correct folders are folders in the AppData directory, which are in each account and each program can create a folder to store there anything.

Some programs try to store their files in Program Files and/or Windows. If you run the program with administrator rights, it won’t be a problem. However, if the program runs with restricted permissions – it will not be able to make changes to the files/folders in Program Files and/or Windows. The operating system simply will not allow it.

In order to prevent problems with such programs, Windows offers a virtualization of the folders and registry keys that the programs with restricted rights do not have access in principle. When such a program tries to create a file in the protected folder, the operating system redirects it to a special VirtualStore folder, which is located in X:UsersAppDataLocal (where X: is the system partition, usually C:). Ie, my program is all right. She is not faced with obstacles and believes that creates files/folders exactly where he wants. VirtualStore usually contains sub-folders Program Files and Windows. Here is a screenshot of the Program Files in my VirtualStore folder:

Руководство по контролю учетных записей пользователей (UAC)

But what is in the SopCast folder, for example:

Руководство по контролю учетных записей пользователей (UAC)

Ie if UAC was stopped, or the program always run with administrator rights, the files/folders would have been created in the C:Program FilesSopCast. In Windows XP, these files and folders would have been created without any problem, because all programs have administrator rights by default.

This, of course, should not be seen by developers as a permanent solution. The duty of every author is to create a fully compatible with current operating systems software.

The dialog UAC

You may have noticed that there are only three different dialog box, UAC. Here we will discuss those in Windows 7, 8.x and 10. Vista dialogs are slightly different, but we won’t dwell on them.

The first type of window has a dark blue stripe at the top and an icon in the form of a shield in the upper left corner, which is divided into 2 blue and 2 yellow sections. This window appears when confirmation is required for a process with a digital signature that belongs to the operating system – i.e. Windows binaries. Talk about them below.

Руководство по контролю учетных записей пользователей (UAC)

The second type of window also with dark blue ribbon, but the shield icon is completely blue with a question mark. This window appears when confirmation is required for a process with a digital signature, but the process/file is not in the operating system.

Руководство по контролю учетных записей пользователей (UAC)

The third window is decorated by an orange band, the shield is also orange, but with an exclamation point. This dialog appears when confirmation is required for a process without a digital signature.

Руководство по контролю учетных записей пользователей (UAC)

The UAC settings

Settings (modes) UAC is located in control Panel -> System and security -> Change settings user account control. There are only 4:

Руководство по контролю учетных записей пользователей (UAC)

Always notify – the highest level. This mode is equivalent to the method of operation UAC in Windows Vista. In this mode, the system always requires confirmation of the rights of the administrator, regardless of the process and what it requires.

The second level is used by default in Windows 7, 8.x and 10. In this mode, Windows does not display the UAC window when it comes to the so-called Windows binaries. I.e. if the file/process that requires administrator rights, meets the following 3 conditions, the operating system will give it to them automatically, without confirmation from the user:

  • file has a built-in or in a separate file the manifest (. manifest) that points to the automatic elevation;
  • the file is in the Windows folder (or any of its subfolders);
  • the file is signed with a valid digital signature Windows.

The third mode is the same as the second (previous), but with the difference that when it is not used by the secure desktop. That is, the screen is not dimmed and the UAC dialog box appears like any other. Microsoft does not recommend this option, and why – I will explain later.

Do not notify me – the fourth and last level. Practically, this means disabling UAC.

It is appropriate to make two comments:

  • a digital signature refers specifically to the Windows operating system. I say this because there are files that have been digitally signed by Microsoft. These are two separate signatures, with UAC recognizes only the digital signature of Windows, as it acts as proof that the file not only from Microsoft, but is part of the operating system.
  • not all Windows files have a manifest to auto-elevate. There are files that deliberately deprived of this. For example, regedit.exe and cmd.exe. It is clear that the second deprived automatically improve, because it is very often used to start other processes, but as already mentioned – each new process inherits the rights of the process that launched it. This means that everyone could use the command line to seamlessly run any processes with administrator rights. Fortunately, Microsoft are not fools.

Why is it important to use secure desktop

The secure desktop prevents any possible interference and interference from other processes. As mentioned above, it is the only operating system and it only accepts basic commands from the user, i.e. pressing the «Yes» or «No».

If you do not use secure desktop, an attacker can simulate the UAC window to mislead you to open a malicious file with administrator rights.

When you need administrator rights? When a UAC window?

In General, there are three cases in which the UAC prompt the user:

  • when you change the system (not user) settings, although in reality this applies only to the maximum level UAC;
  • when you install or uninstall the software/drivers;
  • when the application/process requires administrator privileges to make changes to system files/folders or registry keys.

Why is it important not to disable UAC

Control user accounts provides a high level of protection, and in return requires almost nothing. That is, the efficiency of UAC is very high. I don’t understand why he annoys people. In daily work, the average user sees a UAC window 1-2 times a day. Maybe even 0. It is so much?

The average user rarely changes the parameters of the system, and when changes, UAC doesn’t bother with questions, if you are running with the default settings.

The average user does not install the drivers and programs every day. All drivers and most programs are installed once after Windows installation. That is a major percentage of UAC prompts. After that, UAC intervenes only when upgrading, but new versions of programs come out, not every day, not to mention the drivers. Moreover, many do not update any software or drivers, which further reduces the issues of UAC.

Very few programs need administrator rights to perform their jobs. It is basically a Defragmenter, tools for cleaning and optimization programs for some diagnostics (AIDA64, HWMonitor, SpeedFan etc.) and system settings (Process Explorer and Autoruns, for example, but only if you want to do something specific – for example, to disable the driver/service, or launched from Windows program). And all this programs who either can’t use at all or rarely. All frequently used applications work with UAC completely normal and don’t ask any questions:

  • multimedia players (audio and/or video);
  • converters are video/audio;
  • a program for processing images/video/audio;
  • program to capture desktop screenshots or videos on it;
  • program for viewing images;
  • web browsers;
  • file downloaders (download managers and P2P clients-networking);
  • FTP clients;
  • messengers or programs for voice/video communication;
  • program for recording discs;
  • archivers;
  • text editors;
  • PDF readers;
  • virtual machine;
  • etc.

Even install Windows updates will not trip the UAC window.

There are people who are willing to sacrifice 1-2 or more minutes a day to «optimize» the system by some poorly written programs that don’t do anything useful, but are not willing to spend a few seconds a day to answer UAC prompts.

Statements like «I’m an advanced user and know how to defend yourself» is not enough, because no one is immune and the outcome of certain situations does not always depend on the user. Moreover, people make mistakes, it happens.

Let me give you an example: suppose you are using a program that has a vulnerability, and one day you were on a site that uses this vulnerability. If UAC is enabled and the program runs with limited privileges, an attacker will not be able to make a lot of troubles. Otherwise, the damage can be enormous.

And this is just one of many examples.

Run application with Windows administrator rights

I admit that perhaps there are users who turn off UAC just to be able to run the program with Windows with administrator rights. The usual way is impossible, because the UAC cannot send a request to the user until, until will not be loaded Desk. However, there is a way you can leave UAC enabled. Here it is:

  • open the task Scheduler;
  • click Create task;
  • in field Name , enter anything in its discretion, and in the lower part of the window, enable the option Run with highest rights;
  • navigate to Triggers and click Create;
  • in the drop-down menu on the top select At log on; if you want to create a task for a specific user, select the User, and then click switch user; enter user name and confirm by pressing OK;
  • go to the tab Actions and click Create;
  • click Browse, specify the appropriate application and confirm your choice;
  • go to tab Conditions and uncheck the option to Run only when powered from the mains;
  • in the tab Settings uncheck the option to Stop the task if it runs longer;
  • confirm by pressing OK.

Ready. The task is added, so that now the app will load automatically with administrator rights. Here, however, there is one small catch: all these tasks are executed with a priority lower than normal – below normal (below normal). If it suits you, it’s all right. If not, then you have to work a little more:

  • start the task Scheduler, if you have closed it;
  • select the task scheduler Library;
  • select your task, click Export , and then save it in the format .xml;
  • open your .xml file in a text editor;
  • find the section 7, which must be at the end of the file and modify the seven (7) between the opening and closing tags for the five (5);
  • save the file;
  • in task Scheduler again, select your task, click Delete and confirm deletion;
  • now click Import task, specify the saved file and click OK.

That’s about it. Use UAC or not is up to you, but it is very important to know what you lose when you disable this feature, and to be aware of the risks. Thank you for your attention!




Добавить комментарий

Ваш e-mail не будет опубликован. Обязательные поля помечены *