Why Does It Take So Long to See the UAC Prompt Sometimes? (Diagnosing Slow UAC Prompts)

I wanted to elevate a response to one of the comments on an earlier post to the status of a full post, so it's hopefully a bit more discoverable.

The author writes:

"I wouldn't mind dismissing Yet Another Popup, if it would have the decency to pop up already.  UAC takes for-freaking-ever to ask my permission to do something I just told the computer to do.  If it happened right away, it would be no biggie, but I frequently have to wait 20, 30, 40 seconds (sometimes way, way longer--about 30 minutes for a game download and install once) before the UAC prompt on the secure desktop.  This is why I want to turn the damn thing off--because of its horrible performance!  And it's all well and good to blame this on ill-behaved apps, but who owns UAC?  That's right, Windows.  I suspect for most users UAC is just another reason why Vista comes across as one of the clunkiest Windows releases ever."

And yes, Jason, you have a very fair point - that user experience sucks, and I hate user experiences that suck! Let's discuss.

First, we need to determine where exactly the problem occurs, because there are two possibilities. The first is that we're having trouble transitioning to the secure desktop. Given the current implementation, this is generally caused by limitations in how well the graphics card drivers support this transition. If you end up staring at a black screen for a while, then this is likely the culprit. Unfortunately, there isn't much to do about this. One option is to get a new graphics card. (Easier said than done, right?) The other is to turn off switching to the secure desktop for elevation prompts, which has a couple of issues. First, it's somewhat less secure (a malicious application could disguise the dialog by painting something in front of it, and since the boundary of a window message is the desktop, any potential loopholes could be exploited to auto-elevate - let's just say we did the secure desktop thing on purpose). Second, we disable this via group policy, but home SKUs don't have group policy editing included, which means you end up resorting to an obscure registry hack (also easier said than done, right?). So, I'm really kind of hoping you don't fall into this bucket.

The far more common bucket is the case where everyone is impacted by a given exe - and there is something the developers could do about this (and you can too, if you throw a shim at it). So let's discuss this one, and we will continue to try to push the software ecosystem in this direction to resolve it through policy rather than technology.

When we need to authorize a request for elevation, we look at the binary to see if it is signed. There is a difference in the UAC prompt if the application is signed - instead of being kind of orange and scary, it's greyish and more neutral. But the fact that it's signed means we have to verify the signature. And herein lies the problem.

Clearly signatures are a good thing, particularly for huge downloads from arbitrary sites. So we don't discourage signing - quite the opposite! But say you have a 10GB setup.exe that gets prompted for elevation due to GenericInstaller (which tries to ferret out setups by looking for heuristic evidence). That means we have to touch the entire 10GB file to verify that the binary has not been modified since it was signed - and that's a lot of disk I/O (and the reason you wait for the elevation prompt). If you are running such a huge file repeatedly, you can skip over the signature check by applying the NoSignatureCheck shim using Compatibility Administrator - this will eliminate your wait. But, if you're only running it once, it may be worth it to you to actually perform the check.

What could the developer do? They could manifest the self-extracting setup.exe to request asInvoker. The unpacker could then launch a small application that does the setup, which is signed but small enough that the validation doesn't take long. So, instead of waiting to validate the entire self-extracting package (when you may not even need all of it) you only wait to validate the actual setup, which clearly you'd want to manifest as requireAdministrator if you are doing a per-machine installation.
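The split described above, sketched as the two application manifests (an added example, not from the original post; the file names `setup.exe` and `install-core.exe` are hypothetical):

```xml
<!-- Manifest embedded in the large self-extracting setup.exe (hypothetical name).
     asInvoker: the package itself never asks for elevation, so the
     elevation-time signature check is not run over the whole file.
     Declaring a level explicitly also means the setup-detection heuristic
     (GenericInstaller in the post) no longer decides for this exe. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

<!-- Manifest embedded in the small, signed install-core.exe (hypothetical name)
     that the unpacker launches. requireAdministrator: this is the only binary
     that triggers the UAC prompt, so only its signature is validated before
     the prompt appears. Appropriate for a per-machine installation. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```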

If you are noticing one particular source of exes that take a long time to pop up, my guess is they are elevating the outside package and doing a complete signature check over the entire setup package. Let us know if we need to evangelize to one particular group of folks. Is there any one source where you see this happening more frequently than other times? This is an instance where we, as a platform, have made it possible to be either high performance or low performance. We rely on third party developers to take the high-performance path, but we don't always reach everyone to tell them how. However, we can't remove the low-performance path, so we have to continue to extend our outreach. Clearly, we still have work to do.

As for your 30-minute experience - we have no clue. We'd have to debug that one.

Comments (11)

  1. Guru says:

    Nice information…(anyway I turned off the UAC!! ) 🙁

  2. Guru says:

    1 more information, a kind of joke,

    My brother started using Vista (as he bought a new laptop)…within a week, I got his feedback…He said Vista is cool (from the graphics user interface point) & since he isn't using any older programs almost all his programs ran well (he mostly uses Outlook, Excel (2007) & WinZip, IE & rarely Windows Media Player).

    He asked me whether Microsoft inbuilt an antivirus software! (seeing the UAC dialogs!!)..and my answer was MS gave you Antispyware & Firewall..but the dialog you see isn't an antivirus dialog, it's called UAC & it just informs & warns you about the action you are going to take which may or may not access your system core.

    Can't MS do a little more innovation of the UAC? (I think they will…let's wait!!)

  3. Ari Pernick says:


    1)  If validation takes more than a certain minimal amount of time, you need to display some UI. A user should be able to abort the verification and go to an "unvalidated" state.

    2) Any file size over a threshold should skip validation and go to an unverified UI display.

    3) Poor User experience that can be tracked by the OS (such as this installer issue) should get bucketed and reported back through WER.

  4. shadowwolf says:

    This explanation is very helpful.

    It would be cool if there was some simple way to resolve the delays when installing MSI packages.  It seems like sometimes you can wait up to 1 minute with the progress bar doing nothing while the UAC prompt kicks off.  There are times where I’ve waited longer for the UAC prompt than the remainder of the installation took.

    The whole digital signature thing is not really ready for the prime time.  Things like having to validate the integrity of 500+MB files is just not realistic.

    The only nice thing is that UAC prompts are fairly rare and entirely controllable. 🙂

  5. Jason Spicer says:

    Chris, thanks for the detailed explanation (and for taking the time).

    You pretty much nailed my 30 minute UAC scenario.  I purchased Heroes of Might and Magic V online via Windows Marketplace (very cool–no waiting for UPS and no packaging to recycle!) and downloaded it over a cable modem.  It was a 5G (or so) install.  UAC and the secure desktop didn’t show up until 30 minutes (OK, it might have only been 25) into the process.  I’m not sure if it would have timed out if I hadn’t been sitting there, but I was shocked to be prompted by UAC so very, very long after initiating the action that led to the prompt.  I thought something had gone wrong, or that maybe some virus was trying to launch an unrelated process.

    There has to be a smoother way for UAC to deal with ill-behaved apps that want to do a signature check over a 5G file.  From a user experience standpoint, I have no idea that this is going on under the covers (and there is zero UI to tell me that anything other than the download/install is proceeding normally), and anyhow, why shouldn’t I be able to fire and forget a setup?  I know I launched it.  If there are security implications, why can’t the OS ask me right away if I really approve it, and cache my response for the app when it finally gets around to asking later?  I don’t really understand the underpinnings of UAC, but computers are all about making my life easier, not making me wait an indeterminate amount of time to authorize something I already authorized.  If this would mean more UAC prompts (because you couldn’t predict which ones might not really need elevation), I’d be OK with that as long as it meant instant responsiveness.

    As it is, I feel like this isn’t a big advance over filling out forms in triplicate with carbon paper.  "Press hard.  You are making three copies."

  6. Mike says:

    Well, I think I know why it takes 30 minutes for that UAC prompt to appear. Recently I was running a ~150 mbytes setup from an external USB harddisk. For that exe size it takes a bit for the UAC prompt to come up but nothing annoying.

    However what bugged me was that there was heavy disk access on both the USB drive and the internal harddisk so I took a look with Sysinternal’s procmon and I found out that the exe file first gets copied to Windows’s temp directory and then the digital signature is computed from that copy.

    So if this copying happens for a 5GB file it can account for a part of those 25-30 minutes.

    Another issue is that it seems that reading the copied file is done in noncached mode so it hits the disk again so in the end you have 1 write and 2 read operations for a 5 GB file… that’s going to take a bit :). (Anyway a 5GB file won’t fit into the cache so cached or noncache IO won’t make any difference).

    Yet another possible issue is that it looks like the buffer size used for all IO operations is 8192. I remember doing some experiments and it looks to me that a 32k buffer size would be better but I may be wrong. My experiments used sync IO and this code may as well be using async IO which may have a different performance behavior.

    So the main question would be why does it need to copy the file? Maybe some security "optimization" (like to prevent someone from modifying the file after the signature (or only a part of the signature) has been computed)?

  7. Dallin Dyer says:

    Thanks for the information.  It always seems like a battle to find the right amount of security and still make a UI experience painless for the customer.  One thing on my end is that the screen stays black for a very long time (you sort of mentioned this, but I have a new nvidia graphics card). My guess is that once the dialog box is confirmed it is pinning my CPU and the other processes are semi-starving for awhile.  Usually when the screen eventually comes back the install is either half way done, or it is now waiting for input which allowed the "screen-switching process" to execute.

  8. cjacks says:

    If you have a delay in switching back, that’s almost always due to bad drivers. Are you running the latest?

  9. Duggeek says:

    Well, don’t turn UAC off, that’s just poor judgment. For all the times you click ‘yes’, you’ll be thankful when it unexpectedly appears and you have to answer ‘no’. It only takes one time for it all to be worth it. (unless you prefer a malware-infested system)

    As for the UX on this, I am one of the many who suffer this. Amidst all the postulating, there’s one part where we can all agree; it takes too long for something to show-up. I mean, just *something* to show up. So here’s my take; while UAC and the kernel mode sentries are shuffling about after a WIP probes the app-space, how about a placeholder? Y’know… just something to say, “A program is requesting system-level changes, and I’ll ask you about it shortly.”

    Even if it is 20-40 seconds for the complete UAC prompt to trigger, at least it acknowledges that UAC is working on it. That’s what UX is about! Otherwise, we’re sitting there wondering if something has gone wrong. (causing user-initiated cancellations and power-user interrupt actions, all with potentially loads more problems down the road) Users are often too embarrassed to talk about their system-interrupt actions, unless they’re bragging about them. One small improvement to the UX with UAC and many problems will simply stop happening… just watch.

    tl;dr — we don’t need to make UAC itself faster, but UAC does need to alert the user with something more immediate. (e.g., under 4 sec) …perhaps we can do something in the notify tray here?

  10. Timothy says:

    Good article. Doesn’t fix the problem, though.
    Whenever I go to download from a source that I personally trust, I just open the UAC control panel and disable it until I’m done downloading. Sometimes I forget to turn it back on. Honestly, it irritates me a lot that I have to do this in the first place. We need less hand-holding, and more control over the content that we paid for.
    *Before* checking the entire program for modification, UAC should prompt the user with an option to skip the check altogether. That way, I can skip checking for sources that I trust, and allow checking for all other sources. Having to disable it manually and then re-enable it afterwards is poor design.

    Side note: I don’t believe that checking the program is the issue. I run an extremely fast M.2 SSD, and while I’m waiting for UAC to pop up, there is almost no activity on the drive. Manually disabling UAC has always fixed the problem, so it’s not an issue with hardware or downloaded content.

  11. Ian Gardner says:

    Thank you so much, with your help I was able to troubleshoot my way through this being a frequent problem while waiting on the UAC prompt to load. It actually turned a moment in my user experience from “This is absolutely awful” to “Wow, what a pleasant learning experience that was”.
