The UAC Arms Race Has Begun


I figured this day would come, and to be honest, I’m a little bit surprised it took as long as it did for me to run into this in the wild. But this week, I finally came across an installer that somebody had devised which would check to see if UAC was turned on, and if so, it would fail out, and not install.

Actually, it was even worse than that. It would speak condescendingly to the user, informing them that UAC was turning on, so clearly the user must be some sort of an idiot. I mean, the readme file (which we all know everyone reads thoroughly multiple times before running an installer making sure they digest every last bit of it) clearly explains how to turn UAC off, how could they have missed that, or worse, ignored their sage advice?

Then the installer exited.

So, I took a peek to see how the application was performing this check. A little bit of time with Process Monitor was all it took – the application was looking at HKLMsoftwaremicrosoftwindowscurrentversionpoliciessystemenablelua. Aha – a registry key! That makes things easier.

So, I shimmed up the application using VirtualRegistry. Now, we don’t have a command line argument for VirtualRegistry that says “lie about UAC” so I had to invent my own using ADDREDIRECT(HKLMsoftwaremicrosoftwindowscurrentversionpoliciessystem^HKLMsoftwarelieaboutlua), create this key, add the DWORD value enablelua, and set the value to 0. Now, the application thinks UAC is off, and we can go on from there to fix the LUA bugs that the developer punted on fixing.

Now, here’s what I don’t get. If the application really needs to have admin rights, checking for UAC being turned off is a really silly way to get that. While it doesn’t make sense for most organizations to run as a standard user with UAC turned off, there are some who do. This check could lead you in completely the wrong direction. If you really need admin rights, then manifest as requireAdministrator. (Note that I can still go back and shim with RunAsInvoker to override your manifest, and then fix your LUA bugs myself, but at least you’re checking the right thing then.)

There are, of course, other ways to check to see if UAC is enabled which would have made my job harder. I won’t point them out, because that’ll just make my job harder if somebody chooses to do that, and the obvious one has some of the same issues as this approach. All I can ask is this: if you’re going to punt on fixing bugs, at least don’t block me from fixing them for you. In this case, they didn’t (though it looks like they tried) – and I figured I would share how to get around this in case others run into it.

So, the arms race has begun. Together, we can get applications running as a standard user. Because that’s what our mutual customers want. But if you fight me, I’ll just get trickier! :-)

Comments (9)

  1. Tyler says:

    Wow.  What app was this?  This is absurd!

  2. cjacks says:

    I’m trying to find somebody to track down the ISV and figure out if we can help them out so they don’t have to do this. I don’t really care for naming names and singling people out – plenty of apps still do some kind of strange things, including ours, so it would be somewhat unfair of me to do so.

  3. Friday says:

    I won’t fight you. I will give you all my money and let you tell me what to do.

  4. Cris Mooney says:

    Great to hear you perceive yourself to be in a battle against those of us who are blessed enough to be allowed to develop tools that run on your esteemed platform.

    Perhaps as I just touched upon in your old thread "http://tinyurl.com/37bjnw", if you guys were not so damn heavy handed with your clandestine rules and convoluted implementations, everyone else would not have to be working so hard to find a way to get legitimate things to run under the watch of such a powerful Vista (paradox intended).

    I mean, maybe the rest of us could do business, really accomplish things, if you and your UAC and TrustedInstaller and whatever else would just be straight forward and help us – not make our lives a living hell. Or, maybe that is not your purpose in selling an operating system… maybe you have another goal?

    As pompous as I am, you guys are multitudes more pompous and you will drive significant numbers of us all away in short order.

    Cris Mooney

  5. Let’s be as honest as one can be on an MSDN blog; who actually likes the UAC?

    I’m not defending the ISV that made this mistake, nor Chris Jackson for asserting that there is some kind of war between the OS manufacturer and the third party software developers.

    However, let’s get one thing straight: The UAC is a complete PITA. In my experience, so many users disable it (and those that don’t know how, complain as loud as they can). Since UAC is so hated why shouldn’t software developers work towards the reality of their customer base (those with UAC off), rather than what Microsoft dictate?

    This brings up a further point:

    It’s possible the ISV simply isn’t trained or might just be starting out (who was it, btw?). Microsoft should help by providing much more guidance on software standards and make it easier for ISV’s to get in line with the "expected" way of doing things. Simple documents should be available (if they are, I can’t find them) for installer requirements, control layout (I have found one such document for XP), what to do and what not to do when failing, error handling and message (msgbox) design…

    Excellent blog, by the way – you’re added to my RSS :)

  6. cjacks says:

    Hi Mike,

    You can totally be honest here. I won’t delete a comment unless it’s obscene or spam.

    And the "arms race" wasn’t referring to a war between the developer and Microsoft, but specifically between the developer and the guy who is trying to get the code working in one customer’s environment (I just happened to be that guy). I never determined what that customer wanted, I am just there to help them get the software they want working in the environment that they want, and the developer happened to be working against me. They were the ones trying to enforce an environment the customer didn’t want – we never had a vote in the matter! And this time around, the customer won – that’s what I like.

    UAC is not a dictate from us – it was a demand from our customers. Make the platform more secure, but keep it convenient. Try running as a standard user on Windows XP. You’ll find it challenging, and then you start picking up tools like Aaron Margosis’ MakeMeAdmin. And UAC is essentially a more convenient implementation of the idea of MakeMeAdmin – we just made it easier. But it is just a baby step. But we’re not dictating anything – we’re trying to keep security high, compatibility high, and convenience high. Those goals are frequently very contradictory. Did we get the balance perfect? Probably not, but we do the best we can.

    I wouldn’t say that the reality is that customers have UAC turned off – see http://blogs.msdn.com/cjacks/archive/2008/02/22/what-percentage-of-consumers-have-uac-enabled-on-windows-vista.aspx.

    You can find developer best practices for UAC here: http://msdn2.microsoft.com/en-us/library/aa905330.aspx – if there are gaps that you’d like to see addressed, let us know and we’ll fix that!

    Thanks,

    Chris

  7. Cris Mooney says:

    While I do not contest your belief of the war you think you discuss here, you are simply confused an/or misled in your own war. While this is common of humanity, even some who dress in SWAT fatigues, it is not becoming of thinkers.

    The purpose of an OS should be to facilitate the relationship between users and developers. Your current "war" with developers is instigated by the User Access Control (UAC) implementation, which has aggravated simple "disputes". Another implementation of the UAC goals could have instigated peace talks. So, your war is misdirected. You are a pawn.

    Microsoft has shirked responsibly as a mediator, when they have even stronger obligations than just "any OS". Their obligation is greater because of their country wide power of having an end user OS monopoly, a resource as basic as oil these days, which is reasonably assured in the foreseeable future by an installed corporate base which was fueled by a fortuitous silicon revolution. However, as a capitalist (one who thinks), even I will admit a monopoly is not even sufficient sometimes – and UAC threatens to prove that.

    My point is that your battle should be with Microsoft, for providing you with simplistic nuclear weapons for you SWAT objectives instead of proper tools for resolving disputes (disputes their OS laid the ground for in the first place). Instead you allow them to promote your "dispute" to a "war" with heavy handed tactics, which conveniently direct away from themselves (to which you contribute). The truth is, they have not done their job, for which they are very, very, well paid. Instead, they have done the opposite of their job. You should start there, instead of idealizing that failure.

    But…it was my original impression that you (Chris) were part of the UAC team, and my comments were directed to you as such. I now believe that is not the case, despite your continued "we"  and "us" comments, and continued vehement defense of the current implementation.

    UAC fails in what was not a dictate, though perhaps a consensus from some customers (and a good idea as a goal). It neither meets the true goals to protect the platform, nor the requirements of convenience. As you note it was implemented in a baby step, and does not meet the balance requirements. This play on your words is intentional and my implications are accurate. The attempt should have stayed in development and QA, and only another attempt should have seen the light of day.

    And don’t give me this "we do the best we can" mamby pamby baby stuff. Microsoft has the money, power, and time of God. And witht hat power and position, it has a responsibly not to disrupt the world. If  can’t do it right, then don’t do it.

    As I fell to logging in as administrator to accomplish things in the past, so have I finally turned of UAC. Not because I did not like the "alerts", but because too many things did not work right even with the alerts (including Outlook). I am a user  with other things to do than fight the OS (like now help my brother figure out how to live under Vista).

    I will expound elsewhere on the details of the technical failures, when I find the right forum – and it may be on your of your logs since you keep defending this puppy in ramblings such as the one you site at "http://tinyurl.com/6xfg5m". Of course, I will try and temper my direct attack on you, since I do believe you are as much a victim as I am. Of course, I would welcome you directing me at a real source where an old man might share a few thoughts.

    While you continue to blur yourself by conveniently confusing your role at Microsoft with you being a "guy who is trying to get the code working in one customer’s environment" as is suits your current objectives, I continue to maintain both you and Microsoft  are at incorrectly waging a war against developers and implicitly the users of the tools that are developed. You may [both] do this innocently via ignorance, and claim users should take pity on you, but I think you are [both] obligated to expand your understanding.

    That is to say, I stand by my evaluation even in light of your comments.

    A bit calmer now that after two weeks I have disabled UAC (with full understanding of all implications),

    Cris Mooney (csm at my URL’s domain)

  8. Jon S Akhtar says:

    The biggest problem with UAC is that it basically requires you to redesign your entire application.

    If you read the 10 or so steps microsoft outlines, the steps read like "1) Redesign your application"

    Now, that’s well and good. I can do that, fine. But I am not the only application running, and if my app has to work with other apps who have not "redesigned their entire applicaitons", I have to not only support my app, but I have to support end users who don’t know how to use thier machines.

    That is where MS Failed. Expecting the application developers to provide the user guidance on OS issues. That was a 100% failure in logic.

    Here is what I finally had to post so that users of my application would "get the point"

    http://www.wowace.com/forums/index.php?topic=12103.0

    That right there pretty much sums it all up.

    Note: I am a big time MS supporter. I dont tell people to disable UAC. But, its pretty clear just from the picture in that link, that something is wrong.

  9. cjacks says:

    Hi Jon,

    The link you point to is a standard user issue, not a UAC issue. You’d have the exact same problem running on XP as a standard user.

    With UAC and Windows Vista, you can just manifest your application as requireAdministrator, and we’ll just elevate every time rather than failing or moving directories around or changing ACLs.

    From a quick glance, it looks as if you are trying to change binaries in WOW, which is a per machine install. So, you want to be admin, and you can just ask for it. UAC will elevate without giving standard users the ability to hork the app. Given what you’re trying to do, it shouldn’t require a redesign at all.

    Thanks,

    Chris