Why Does It Take So Long to See the UAC Prompt Sometimes? (Diagnosing Slow UAC Prompts)

I wanted to elevate a response to one of the comments on an earlier post to the status of a full post, so it’s hopefully a bit more discoverable.

The author writes:

“I would’t mind dismissing Yet Another Popup, if it would have the decency to pop up already.  UAC takes for-freaking-ever to ask my permission to do something I just told the computer to do.  If it happened right away, it would be no biggie, but I frequently have to wait 20, 30, 40 seconds (sometimes way, way longer–about 30 minutes for a game download and install once) before the UAC prompt on the secure desktop.  This is why I want to turn the damn thing off–because of its horrible performance!  And it’s all well and good to blame this on ill-behaved apps, but who owns UAC?  That’s right, Windows.  I suspect for most users UAC is just another reason why Vista comes across as one of the clunkiest Windows releases ever.”

And yes, Jason, you have a very fair point – that user experience sucks, and I hate user experiences that suck! Let’s discuss.

First, we need to determine where exactly the problem occurs, because there are two possibilities. The first is that we’re having trouble transitioning to the secure desktop. Given the current implementation, this is generally caused by limitations in the graphics card drivers to support this transition. If you end up staring at a black screen for a while, then this is likely the culprit. Unfortunately, there isn’t much to do about this. One option is to get a new graphics card. (Easier said than done, right?) The other is to turn off switching to the secure desktop for elevation prompts, which has a couple of issues. First, it’s somewhat less secure (a malicious application could disguise the dialog by painting something in front of it, and since the boundary of a window message is the desktop any potential loopholes could be exploited to auto-elevate – let’s just say we did the secure desktop thing on purpose). Second, we disable this via group policy, but home SKUs don’t have group policy editing included, which means you end up resorting to an obscure registry hack (also easier said than done, right?). So, I’m really kind of hoping you don’t fall into this bucket.

The far more common bucket would be the case where everyone would be impacted with a given exe – and there is something the developers could do about this (and you can too, if you throw a shim at it). So let’s discuss this one, and we will continue to try to push the software ecosystem in this direction to resolve it through policy rather than technology.

When we need to authorize a request for elevation, we look at the binary to see if it is signed. There is a difference in the UAC prompt if the application is signed – instead of being kind of orange and scary, it’s greyish and more neutral. But the fact that it’s signed means we have to verify the signature. And herein lies the problem.

Clearly signatures are a good thing, particularly for huge downloads from arbitrary sites. So we don’t discourage signing – quite the opposite! But say you have a 10GB setup.exe that gets prompted for elevation due to GenericInstaller (which tries to ferret out setups by looking for heuristic evidence). That means we have to touch the entire 10GB file to verify that the binary has not been modified since it was signed – and that’s a lot of disk I/O (and the reason you wait for the elevation prompt). If you are running such a huge file repeatedly, you can skip over the signature check by applying the NoSignatureCheck shim using Compatibility Administrator – this will eliminate your wait. But, if you’re only running it once, it may be worth it to you to actually perform the check.

What could the developer do? They could manifest the self-extracting setup.exe to request asInvoker. The unpacker could then launch a small application that does the setup, which is signed but small enough that the validation doesn’t take long. So, instead of waiting to validate the entire self-extracting package (when you may not even need all of it) you only wait to validate the actual setup, which clearly you’d want to manifest as requireAdministrator if you are doing a per-machine installation.

If you are noticing one particular source of exes that take a long time to pop up, my guess is they are elevating the outside package and doing a complete signature check over the entire setup package. Let us know if we need to evangelize to one particular group of folks. Is there any one source where you see this happening more frequently than other times? For this is an instance where we, as a platform, have made it possible to be either high performance or low performance. We rely on third party developers to take the high-performance path, but we don’t always reach everyone to tell them how. However, we can’t remove the low-performance path, so we have to continue to extend our outreach. Clearly, we still have work to do.

As for your 30-minute experience – we have no clue. We’d have to debug that one.

Comments (8)

  1. Guru says:

    Nice information…(any way i turned off the UAC!! ) 🙁

  2. Guru says:

    1 more information, akind of Joke,

    My brother started using Vista (as he bought a new laptop)…within a week, i got his feedback…He said Vista is Cool (from the graphics user interface point) & since he isnt using any older programs almost all his programs ran well (he mostly users outlook, excel (2007) & winzip, IE & rare Windows media player.

    He asked me whether Microsoft inbuilt an antivirus software! (seeing the UAC dialogs!!)..and my answer was MS gave you Antispyware & Firewall..but the dialog you see isnt a Antivirus dialog, its called UAC & it just informs & warns you about the action you are going to take which may or maynot access your system core.

    Cant MS do a little more innovation of the UAC? (i think they will…lets wait!!)

  3. Ari Pernick says:


    1)  If validation takes more then a certain minimal amounts of time, you need to display some UI. A user should be able to abort the verification and go to an "unvalidated" state.

    2) Any file size over a threshold should skip validation and go to an unverified UI display.

    3) Poor User experience that can be tracked by the OS (such as this installer issue) should get bucketed and reported back through WER.

  4. shadowwolf says:

    This explination is very helpful.  

    It would be cool if there was some simple way to resolve the delays when installing MSI packages.  It seems like sometimes you can wait up to 1 minute with the progress bar doing nothing while the UAC prompt kicks off.  There are times where I’ve waited longer for the UAC prompt than the remainder of the installation took.

    The whole digital signature thing is not really ready for the prime time.  Things like having to validate the integrity of 500+MB files is just not realistic.

    The only nice thing is that UAC prompts are fairly rare and entirely controllabe. 🙂

  5. Jason Spicer says:

    Chris, thanks for the detailed explanation (and for taking the time).

    You pretty much nailed my 30 minute UAC scenario.  I purchased Heroes of Might and Magic V online via Windows Marketplace (very cool–no waiting for UPS and no packaging to recycle!) and downloaded it over a cable modem.  It was a 5G (or so) install.  UAC and the secure desktop didn’t show up until 30 minutes (OK, it might have only been 25) into the process.  I’m not sure if it would have timed out if I hadn’t been sitting there, but I was shocked to be prompted by UAC so very, very long after initiating the action that led to the prompt.  I thought something had gone wrong, or that maybe some virus was trying to launch an unrelated process.

    There has to be a smoother way for UAC to deal with ill-behaved apps that want to do a signature check over a 5G file.  From a user experience standpoint, I have no idea that this is going on under the covers (and there is zero UI to tell me that anything other than the download/install is proceeding normally), and anyhow, why shouldn’t I be able to fire and forget a setup?  I know I launched it.  If there are security implications, why can’t the OS ask me right away if I really approve it, and cache my response for the app when it finally gets around to asking later?  I don’t really understand the underpinnings of UAC, but computers are all about making my life easier, not making me wait an indeterminate amount of time to authorize something I already authorized.  If this would mean more UAC prompts (because you couldn’t predict which ones might not really need elevation), I’d be OK with that as long as it meant instant responsiveness.

    As it is, I feel like this isn’t a big advance over filling out forms in triplicate with carbon paper.  "Press hard.  You are making three copies."

  6. Mike says:

    Well, I think I know why it takes 30 minutes for that UAC prompt to appear. Recently I was running a ~150 mbytes setup from an external USB harddisk. For that exe size it takes a bit for the UAC prompt to come up but nothing annoying.

    However what bugged me was that there was heavy disk access on both the USB drive and the internal harddisk so I took a look with Sysinternal’s procmon and I found out that the exe file first gets copied to Windows’s temp directory and then the digital signature is computed from that copy.

    So if this copying happens for a 5GB file it can account for a part of those 25-30 minutes.

    Another issue it that it seems that reading the copied file is done in noncached mode so it hits the disk again so in the end you have 1 write and 2 read operations for a 5 GB file… that’s going to take a bit :). (Anyway a 5GB file won’t fit into the cache so cached or noncache IO won’t make any difference).

    Yet another possible issue is that it looks like the buffer size used for all IO operations is 8192. I remember doing some experiments and it looks to me that a 32k buffer size would be better but I may be wrong. My experiments used sync IO and this code may as well be using async IO which may have a different performance behavior.

    So the main question would be why does it need to copy the file? Maybe some security "optimization" (like to prevent someone from modifying the file after the signature (or only a part of the signature) has been computed?

  7. Dallin Dyer says:

    Thanks for the information.  It always seems like a battle to find the right amount of security and still make a UI experience painless for the customer.  One thing on my end is that the screen stays black for a very long time (you sort of mentioned this, but I have a new nvidia graphics card). My guess is that once the dialog box is confirmed it is pinning my CPU and the other processes are semi-starving for awhile.  Usually when the screen eventually comes back the install is either half way done, or it is now waiting for input which allowed the "screen-switching process" to execute.

  8. If you have a delay in switching back, that’s almost always due to bad drivers. Are you running the latest?