UAC Feedback and Follow-Up


When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature or mess up because we were blogging poorly about a well-designed feature. To some it appears as though with the topic of UAC we’ve managed to do both. Our dialog is at that point where many do not feel listened to and also many feel various viewpoints are not well-informed. That’s not the dialog we set out to have and we’re going to do our best to improve.

This post is an attempt to get both the blog right and the feature right. We don’t like where we are in terms of how folks are feeling and we don’t feel good – Windows 7 is too much fun and folks are having too much fun for us to be having the dialog we’re having. We hope this post allows us to get back to having fun!

To start we’ll just show representative comments from the spectrum of feedback. We’ll then talk about the changes we’re making and also make sure we’re all on the same page regarding how we move forward. In terms of comments we’ve heard the following:

@sroussey says:

You have 95% of the people out there think you got it wrong, even if they are the ones that got it wrong. The problem is that they are the ones that buy and recommend your product. So do you give them a false sense of increased security by implementing the change (not unlike security by obscurity) and making them happy, or do you just fortify the real security boundaries?

And @Thack says:

Jon,

Thanks for sharing your thoughts.  I understand your points.

Now, I want to add my voice to the call for one very simple change:

Treat the UAC prompting level as a special case, such that ANY change to it, whether from the user or a program, generates a UAC prompt, regardless of the type of account the user has, and regardless of the current prompting level.

That is all we are asking.  No other changes.  Leave the default level as it is, and keep UAC as it is.  We’re just talking about the very specific case of CHANGES to the UAC prompting level.

It will NOT be a big nuisance – most people only ever change the UAC level once (if at all).

Despite your assurances, I REALLY WANT TO KNOW if anything tries to alter the UAC prompting level. 

The fact that nobody has yet demonstrated how the putative malware can get into your machine is NO argument.  Somebody WILL get past those other boundaries eventually.

Even if you aren’t convinced by my argument, then the PR argument must be a no-brainer for Microsoft.

PLEASE, Jon, it’s just a small change that will gain a LOT of user confidence and a LOT of good PR.

Thack

With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we’ll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

@mdaria510 says:

Sometimes, inconsistency with your own ideals is a good thing. Make an exception, if only to put people’s fears to rest.

That sums up where we are heading. The first change was a bug fix and we actually have a couple of others similar to that—this is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we’re seeing. This “inconsistency” in the model is exactly the path we’re taking. The way we’re going to think about this is that the UAC setting is something like a password, and to change your password you need to enter your old password.

The feedback is that UAC is special, because changing it without elevation could silently disable future warnings, and so changing the UAC setting will require an elevation. To the points in the comments, we also don’t want to create a sense or expectation of security that is not there—you should still not download code and run it unless you trust the source. HTML, EXE, VBS, BAT, CMD and more are all code and all have the potential to alter the environment (user settings, user files) running as a standard user or an administrator. We’re focused on helping people make sure that code doesn’t get on the machine without consent and many third party tools can help more as well. We want people to be comfortable with the new UAC control and the new default setting, so we’ll make the changes outlined above as the feedback has been clear.

While we’re discussing this we want to make sure we’re all on the same page going forward in terms of how we will evaluate the security of Windows 7. Aside from the UAC setting, the discussions of vulnerability in the Windows 7 Beta have each started with getting code on the machine, which the mechanisms of Windows have prevented in the cases shown. We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step—if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else. We will treat very seriously the ability to get code on a machine and run without consent. As Jon’s post highlighted briefly, the work in Windows 7 is about the increased protections in place to secure your PC from acquiring and running code without your consent, and of course we continue to make sure Windows code is secure against both tampering with and circumventing the protections in the system.

We want to reiterate the security of the system overall. Windows 7 is SD3+C and is designed to be more secure than Vista—that’s our priority. None of us want to have Windows 7 be perceived as being less secure than Vista in any way, because our design point is to make sure it is more secure than Windows Vista, by default.

We said we thought we were bound to make a mistake in the process of designing and blogging about Windows 7. We want to continue the dialog and hopefully everyone recognizes that engineering, perhaps especially engineering Windows 7, is sometimes going to be a lively discussion with a broad spectrum of viewpoints expressed. We don’t want the discussion to stop being so lively or the viewpoints to stop being expressed, but we do want the chance to learn and to be honest about what we learned and hope for the same in return. This blog has almost been like building an extra product for us, and we’re having a fantastic experience. Let’s all get back to work and to the dialog about Engineering Windows 7. And of course most importantly, we will continue to hear all points of view and share our point of view and work together to deliver a Windows 7 product that we can all feel good about.

–Jon and Steven
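
As an added example (not from the original post and not Microsoft's code), one way to notice the case the post describes, a UAC setting lowered so that later warnings are silenced, is to compare snapshots of the UAC policy values. The registry value names, their meanings and their mapping to the four slider positions are assumptions not stated in the post, and the two snapshots are constructed.

```python
"""Added example: flag a lowered UAC prompt level between two policy snapshots."""
import sys

# Assumption (not from the post): the UAC slider is stored as DWORD values
# under this HKEY_LOCAL_MACHINE key.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Values assumed when an entry is absent from a snapshot.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Slider positions ordered from least to most prompting.
LEVELS = (
    "Never notify (UAC off or silent elevation)",
    "Notify on program changes, desktop not dimmed",
    "Notify on program changes (default)",
    "Always notify",
)

# Constructed snapshots: the default level, then a silently lowered one.
SAMPLE_BEFORE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
SAMPLE_AFTER = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}


def slider_rank(policy):
    """Map a policy snapshot (dict of DWORD values) to an index into LEVELS."""
    p = {**DEFAULTS, **policy}
    if p["EnableLUA"] == 0 or p["ConsentPromptBehaviorAdmin"] == 0:
        return 0
    if p["ConsentPromptBehaviorAdmin"] == 5:
        # 5 = consent prompt only for changes made by non-Windows programs.
        return 2 if p["PromptOnSecureDesktop"] == 1 else 1
    # 1-4 = credential or consent prompt on every elevation request.
    return 3


def compare_snapshots(before, after):
    """Report which values changed and whether the prompting level dropped."""
    changed = {}
    for name in VALUE_NAMES:
        old, new = before.get(name), after.get(name)
        if old != new:
            changed[name] = (old, new)
    old_rank, new_rank = slider_rank(before), slider_rank(after)
    return {
        "changed": changed,
        "old_level": LEVELS[old_rank],
        "new_level": LEVELS[new_rank],
        "lowered": new_rank < old_rank,
    }


def read_live_policy():
    """Read the current values from the registry (Windows only, read access)."""
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name in VALUE_NAMES:
            try:
                policy[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # entry absent: slider_rank falls back to DEFAULTS
    return policy


if __name__ == "__main__":
    report = compare_snapshots(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("constructed samples:", report)
    if sys.platform == "win32":
        live = read_live_policy()
        print("this machine:", LEVELS[slider_rank(live)], live)
```

Run on a schedule against a stored baseline, `compare_snapshots` gives a record of a level change that does not depend on the prompt itself having been shown.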

Comments (198)

  1. sushovande says:

    Thank you very much. This is awesome!

  2. conhopper says:

    Thanks for this, Steven and Jon. I took the liberty of blockquoting you guys directly.

  3. LifeOnTitan says:

    Thank you. This is a _great_ example of listening to customers, reacting to their concerns and finally providing what they need. In fact, this is just par for the course for what the Windows team is delivering with Windows 7: A sophisticated general purpose OS that suits the needs of a great many people and one that has been designed, from the very beginning, with their feedback front and center. Outstanding work, Windows team! Thank you.

    Charles

    Channel 9

  4. mech9t8 says:

    Sounds good.

    You definitely need to work on your communication about these though.  The exploits relied on the UAC page not being elevated – the critical part was the SendKeys, not the lack of UAC message; clear communication about the bug rather than long explanations about "this is by design" would’ve done a lot to defuse this situation.

    I would also suggest a change of mindset in terms of the idea that "once an app gets code running on the machine, it’s game over".  People shouldn’t have to give an installer full access to their system just to try out a new browser, media player, or photography app.  Yes, if it’s an app running with the user’s permissions, it’ll be able to destroy the user’s data; but it shouldn’t be able to render the machine unusable or access other people’s files on the machine.  

    The concept of "partially trusted" code is hardly a new one.  Will there be vulnerabilities that permit unprivileged processes to elevate?  Of course.  Those are bugs, and should be fixed like any other security issue.

    Google Chrome is an excellent example of an app installation which doesn’t require full admin permissions.  I would suggest you should be encouraging these scenarios and figuring out how to make them more secure.  It would be awesome if an app could be installed without being granted full control to a system (as per Google Chrome/ClickOnce) *and* have its binaries be secure against tampering by other non-elevated apps (as Program Files-installed apps are).

    Thanks for listening…

  5. Corrine says:

    Thank you not only for listening but also for the awesome communication.  

  6. Mikael3 says:

    John and Steven,

    I think nobody here expects that you make design decisions in realtime based on feedback in this blog. In fact it even makes me feel a little uneasy.

    This sounds paradoxical but especially with security you want somebody on the other side, who knows, what she is doing and does not give in to user demand too easily.

    Also if people knew about the sendkey fix in the making, the discussion here would probably have been far more relaxed.

    What I would like to hear now is a clear technical statement what kind of security I get from the UAC as it is in vista versus using a standard user account versus using the windows 7 default UAC settings.

    Are you planning to protect other dialogs in windows 7 from simulated user input?

    Regarding telemetry to measure system security: The point here is to realize that malware to exploit the new UAC settings has to be written first and this is likely to happen only, when windows 7 becomes mainstream.

  7. ncgloy says:

    I am blown away (pleasantly surprised) that you’re making this change.

    I feel that this topic would really benefit from an in-depth interview on Channel9.  Ideally you’d have someone like Mark Russinovich playing devil’s advocate and asking you tough questions. There are 2 issues that I would ideally like to see discussed:

    1. I thought the whole point of UAC is to limit the damage that malware can do if it somehow gets to run.  So it seems besides the point to argue that malware can’t really get into the computer without the user’s consent.  If you are so sure that malware cannot possibly get into a Windows7 machine, then why bother having UAC at all ?

    2. Before this latest change in UAC behavior, the following scenario was thought to be possible:

    * user has configured UAC to "Notify only when…"

    * malware somehow gets to run

    * malware can use some kind of trick to change UAC settings without the user finding out

    * malware can do whatever it wants

    Was that scenario possible ? And if so, did that render the "Notify only when…" setting useless ?  If not, why not ?

    Thanks !

  8. jaips says:

    wow jon and steve, i’m blown away by how gracious you have been in the discussion!

    Also thank you for changing UAC settings to now require elevation. that was all i was after (and i bet many others) However regarding your quote; "That was already in the works before this discussion", it’s a pity this wasn’t communicated earlier

  9. niclas.lindgren says:

    Hello Steven and Jon!

    First of all I would just like to add that this blog has been fantastic so far and it feels as if Microsoft is opening up in a way never "felt" before. Now don’t get me wrong, I know Microsoft has always been listening, the problem before has been that it hasn’t really been visible to the general customer that you are actually listening. Everyone part of any program (be it connect, OEM or other channels) know this, because they get responses to their questions. Here, for the first time, you can combat the blogosphere and give your view before it is too late. And I think you do a really good job (and many others at Microsoft strengthen this view of openness, like Mark Russinovich, Larry Osterman, Scott Guthrie, Tim Sneath etc etc).

    I expect you to make mistakes, what counts is how you recover from them, that is how we all learn, if you are not failing you are not trying hard enough.

    I would say that one big strength in being a good communicator is when you set aside prestige, see the facts, and handle a heated conversation the way you just did.

    Secondly I wouldn’t mind the possibility of tagging certain system changes as "always prompt no matter what the current elevation is", and UAC level be one of those. I do understand that UAC prompt isn’t the first line of defense. Apart from being all that it is, to me it is also a glorified notifier that can make me aware of what programs are trying to do. Because even if I trust a program source, even from notable large companies such as Sun and Adobe, they sometimes tend to change things in their installers that I don’t particularly agree with. To be able to be notified of such changes even when the setup program is elevated would make me feel more in control and less reliant on monitoring tools.

    I can’t resist to mention this as well. For setups it would also be very handy with a complete diff log on the system, all changes made by a setup process to the system. Sysinternals tools give you this, but inbox tools that always captures would be very nice. It would also help the community give feedback to program developers to start placing their files in a xcopy manner.

    Keep up the great work and make Windows 7 all that it can be!

    Cheers,

    Niclas

  10. LifeOnTitan says:

    @ncgloy:

    That’s a great idea! :)

    C

  11. Manosdoc says:

    UAC should be set to Always Notify. Protect us from System Changes. I was thrilled in a bad way to find Windows 7 left by default that option to a lower level…

    That’s the purpose of UAC.

    I don’t see anyone complaining on Other OS about Credential Mechanism.

    Do you really want to please Whining XP users at all ? I bet not !

    Keep Up the excellent Work there !

  12. Thack says:

    Absolutely delighted!  Thank you for listening, and I genuinely do believe that the changes you’ve outlined are the right way forward.  Furthermore, you’ve been more than gracious in all this.

    Technical and security aspects aside, you’ve just done one hell of a good thing for Microsoft’s PR.

    And don’t worry, I don’t think any of your audience are about to get complacent about security as a result of this change to UAC prompting.

    Finally, I just want to say that W7 is shaping up to be one hell of a good product.  Congratulations are due to all you guys ‘n’ gals.

  13. Thack says:

    I just wanted to discuss this quotation a little further:

    "We have also heard of security concerns that involve multiple steps to demonstrate a potential exploit. It is important to look at the first step—if the first step is “first get code running on the machine” then nothing after that is material, whether it is changing settings or anything else."

    Isn’t it slightly naive to say "nothing after that is material"?  There’s an implied assumption that ALL you need to worry about is that first step.

    But wouldn’t it be fair to say that, even with your very best efforts, one day some malware might come along that DOES overcome that first step.  In that case you want it to face another barrier, and another.

    So I think it’s kinda risky to dismiss those scenarios which begin "first get code running on the machine".  They are not silly scenarios, or contrived.  They are simply saying "If the first barrier has fallen, how well do the remaining barriers work?".

    And I think it is legitimate to explore those scenarios, even though they OUGHT not to arise, and you’ve designed against them.

    Just my thoughts!  :-)

  14. p_rynhart says:

    Hi Jon and Steven,

    I’m pleased to see that the changes you describe are being made.

    While I appreciate that UAC is not a security boundary, it is still (IMHO) too easy to elevate an arbitrary binary in Windows 7 with the default UAC settings.  Consider the following example:

    1. A user is a member of an administrator’s group and is using Windows 7 with the default UAC settings.

    2. Click Start. In the search box enter "taskmgr" to open Task Manager using a standard user token (i.e. without administrative rights).

    3. Click the Processes tab.

    4. Click "Show processes from all users". Task Manager will elevate without triggering a UAC prompt.

    5. Click the File Menu and Select "New Task (Run…)"

    6. Place a tick in "Create this task with administrative privileges". Enter the name of an arbitrary executable (trusted or untrusted) to be executed on the system with full administrative rights.

    7. The binary will be launched with full administrative rights. No UAC prompts will be invoked.

    I would like to see a UAC prompt added at some point in the above chain to prevent this scenario.  Just because UAC is not a security boundary does not necessarily mean that the trivial cases such as this (and the UAC "SendKeys" case that has recently been fixed) should be overlooked.

    Regards,

    Patrick

  15. sroussey@network54.com says:

    @ncgloy: The real way scenario is:

    * user has configured UAC to "Notify only when…"

    * malware somehow gets to run and malware can do whatever it wants

    However, in reality, malware often does install new malware based on commands as part of a botnet, and these new items could have been silently installed later with the way Win7 beta is now. The change noted in this blog will help prevent that. But only for certain scenarios. But I’m all for roadblocks, even those that are not completely effective.

    Anyhow, until all software is managed code and the UAC knows and Windows can enforce sandbox parameters for an app install, we have to deal with these ways to manage black box software.

    Kudos on handling a big business item, and a minor technical one. Nothing worse than someone with a little bit of knowledge making prognostications, than one with a bullhorn and a mob at his feet.

  16. enzol says:

    The fix of running on higher integrity level for the UAC applet should be extended to all other processes that are part of the whitelist and as such don’t require elevation.

    In this way it wouldn’t be possible to replicate a similar attack through TaskManager, MMC.exe, etc.

  17. a688 says:

    @p_rynhart

    What scenario would they be preventing? Allowing an elevated program to do things that elevated programs are allowed to do?

  18. p_rynhart says:

    @a688

    If a third party installer is downloaded to the desktop and launched then UAC will kick in and prompt for elevation on the secure desktop.  Yet, this can all be circumvented within 30 seconds by starting up Task Manager.

    This doesn’t seem right to me (particularly when UAC is set to require a password along with "Notify me when programs try to make changes to my computer").

    Regards,

    Patrick

  19. yngdiego says:

    On my W7 beta 1 machine I have no option in the task manager create new task window to elevate its rights.

    But I agree if there’s a series of steps which a program running with UAC on could elevate to admin rights without prompting from UAC, it needs to be eliminated.

  20. p_rynhart says:

    Could someone please explain to me why regedit.exe requires elevation under the default UAC settings whereas taskmgr.exe does not ?

    It seems to me that neither are directly related to "Windows Settings" (which is the text associated with the UAC slider).

    taskmgr.exe concerns terminating processes, starting/stopping services, etc.  "Windows Settings" (in my view) concerns changes to font dpi, adding/removing programs etc.

    In my opinion, taskmgr.exe should require elevation the moment that a shield icon is pressed in this application (with the default UAC settings).

    On the contrary, why does UAC force me to use a full administrative token to invoke regedit ?  What if I only wanted to make changes to HKCU ?  I should be able to open this application using my "standard user" token.

    Things seem very inconsistent.

    Regards,

    Patrick

  21. alamfour says:

    Oh, finally we were starting to worry that you weren’t listening.

    My thoughts exactly expressed here

    http://community.winsupersite.com/blogs/paul/archive/2009/02/05/microsoft-backtracks-on-windows-7-uac-pretends-it-was-all-part-of-the-plan.aspx

  22. niclas.lindgren says:

    p_rynhart:

    If a third party installer is downloaded to the desktop and launched then UAC will kick in and prompt for elevation on the secure desktop.  Yet, this can all be circumvented within 30 seconds by starting up Task Manager.

    ——–

    Care to elaborate further what you mean. I don’t see how it can be circumvented by starting the task manager. One way or the other you need to be elevated. If the taskmanager is elevated it cannot be touched by the non elevated installer (which it will be, but without a prompt).

    Try this and you will see that your non elevated app cannot touch it any longer

    ```vbscript
    Set WshShell = WScript.CreateObject("WScript.Shell")
    ' Ctrl+Esc opens the Start menu
    WshShell.SendKeys("^{ESC}")
    WScript.Sleep(1000)
    ' Type "taskmgr" and press Enter to launch Task Manager
    WshShell.SendKeys("taskmgr")
    WshShell.SendKeys("{ENTER}")
    WScript.Sleep(2000)
    WshShell.SendKeys("{TAB}")
    WshShell.SendKeys("{TAB}")
    ' Alt+S, then wait one second
    WshShell.SendKeys("%s")
    WScript.Sleep(1000)
    ' Alt+F followed by Enter
    WshShell.SendKeys("%f")
    WshShell.SendKeys("{ENTER}")
    ```

  23. niclas.lindgren says:

    p_rynhart:

    On the contrary, why does UAC force me to use a full administrative token to invoke regedit ?  What if I only wanted to make changes to HKCU ?  I should be able to open this application using my "standard user" token.

    ——–

    Use reg, PowerShell or any other command line tool.

    But I agree that it would be nice if they rewrote regedit to be aware of different ACLs. Then again it is a lot of work for no real day to day benefit. I would rather have them work on other more useful features. Especially since there are other ways.

    All in all, I wish they would instead remove the entire registry and push every app to a xcopy solution.

  24. hitman721 says:

    Steven and Jon,

    THANK YOU! I’m glad you guys are listening. You just ensured that I will be purchasing at least two copies of Windows 7 Professional with an Ultimate upgrade.

    Thanks for listening to the bloggers, testers, and concerned users. This is why I’m a Windows user. You’d never get this kind of open and honest discourse from Apple. Thanks guys.

  25. TheChucklesStart says:

    Thank you very much for making those changes based on user input, even though you disagree with them.  That is almost worth more than the value of the change, IMO.

    I would like to point out, that with full UAC enabled, Windows Explorer still likes to prompt twice before changes to protected files or folders are made.  This double prompt also sometimes changes security settings when accessing someone else’s files.  I would like some way of running an explorer process with admin permissions (right now it seems to lower its privileges when you run it as administrator).  I also would not mind if you made a distinction in the title of an elevated explorer window so it is easier to remember to close it.

    Since Taskmgr.exe was brought up, it would be nice if this was also a high integrity process.  It would also be nice if it could be marked as page-last process.

    Thanks,

    Charles

  26. p_rynhart says:

    @niclas.lindgren and Charles

    Niclas is correct.  After taskmgr.exe is relaunched with a full administrative token it becomes a high integrity process.  Thank you for your script Niclas.

    However, it still seems inconsistent to me that regedit.exe should involve a UAC dialog whereas taskmgr.exe (when using an administrative token) should not.

    Regards,

    Patrick

  27. rdamiani says:

    My main issue with UAC is not the prompts (though they can be annoying) it’s the behavior changes that occur without any prompts to elevate. i.e. some (possibly) bad stuff I’m asked to confirm first, other (possibly) bad stuff is just forbidden.

  28. ababiec says:

    p_rynhart – I use taskmgr daily whereas I might need to use regedit once a month. I don’t have much issue with needing a UAC prompt to run that program.

    Plus, regedit.exe can execute a dangerous .reg file via a parameter where taskmgr takes no parameters (that I’m aware)

  29. p_rynhart says:

    @ababiec

    Surely frequency of use shouldn’t be the sole determiner as to whether an application should trigger a UAC prompt.

    Regards,

    Patrick

  30. WindowsFanboy says:

    Google Reader doesn’t show this post. Your RSS feeds must not be being updated properly.

  31. blargsoup says:

    The UAC in the Windows 7 beta is very nice, and the default settings are quite pleasant!

    I would be interested if you could do a write-up on Windows Defender development.  The last comparison reviews I’ve seen about it were a couple of years ago, and it was shown to be not as effective as some other antimalware products at that time.  I wonder if there is any telemetry to share in this regard.

  32. domenico says:

    Great !

    Microsoft is listening 😀

  33. moocna@hotmail.com says:

    I was also hoping that Microsoft would provide a way of installing software as a local user, or perhaps a sort of forced emulation (redirecting the install to C:\Users\CurrentUser\AppData\Local\VirtualStore\Program Files), or wherever is deemed necessary.

    Part of this is simply providing functionality that existed under XP (installing WinRAR to non-C:\Program Files was possible as a standard user) and part of this is to provide additional protection. Sometimes I’m not sure I trust an installer enough to give it administrative privileges, but enough to take the chance that it may trash my personal account. I would like to be able to test out a program before taking the plunge.

  34. p_rynhart says:

    @MrDiSante and Mech9t8

    Yes – I couldn’t agree more with your comments.  

    Currently, UAC *forces* users to continue with an administrative token for installers (and other applications such as regedit.exe for that matter).

    The UAC dialogs should have an advanced section (or similar) that allows a user to deny access to the administrative token, but to continue with the Standard User token.

    Currently, you *have* to continue with an administrative token or not at all.  (Unlike on Windows XP where you could choose to install software from an admin account or a limited user account and obtain an admin or limited token respectively.)

    Regards,

    Patrick

  35. Hino Musouka says:

    I was very disappointed with previous blog entry, due to which I was made to think that I, the consumer of the product, am wrong. However, this one resurrects some faith in your promise of ‘great experience’.

    Do know it is highly appreciated. I understand you can’t listen to everyone every time you hear a complaint, but this special time I’m quite proud of your announcement.

    Keep going like this and we really may enjoy Windows 7. (Now awaiting RC with fixed UAC)

  36. BasP says:

    Great news, especially after yesterday’s extremely disappointing blogpost. Was that part of the underpromise, overdeliver campaign? 😛

  37. E-ponto says:

    I wrote strong words in the other post, but you need to consider that all systems have a hole, and this hole is the Social Engineering that modify the behavior of the drive between the chair and the keyboard.

    Finally we have light. Congratulations, now UAC will be protected and Feedbacks on Connect have a solution. UAC protects itself against not authorized changes is a very good idea.

  38. PedroAsani says:

    UAC is just one of several problems, so whilst it’s great that one is getting sorted, what about, say, SKUs?

    Stop, Stop, Stop banging out different versions. It is unnecessary, and may cause more problems than it’s worth.

    Ultimate should be the only version released. It has all the features. But make each of these features an optional install.

    Don’t want/need Aero, Bitlocker? Don’t install them. Six months down the line, you decide you need Bitlocker after all (work told you to have it or you can’t telecommute anymore) just click on the Add/Remove Windows Components (or the 7 equivalent).

    Either something is integral to the OS, which means it should be in all the versions you release, or it is an optional feature. And options should be the choice of the user. 3.11 didn’t have Home, Pro, Office, Enterprise, Guava and Cranberry, Chicken Bacon Ranch and Barbeque flavours. It was Windows, and it was better for it.

  39. andycadley says:

    Excellent news, good to see that you are listening to feedback! Windows 7 is shaping up to be awesome and it would have been a shame to let something like this tarnish it.

  40. GuillaumeM says:

    You shouldn’t do that… almost everybody is missing the point.

    UAC is not here to protect you from malware, it’s just saying this code requires admin privileges, you can have a more or less aggressive prompt.

    The setting we are talking about allows system modifications without prompt and allows users as code to do those changes. This is not an issue! If you want a prompt on every modification just adjust your UAC setting.

    By doing this change, you let everybody think "UAC is here to protect us from *bad* code that try to get elevated rights". Now geeks are happy to say : "there is a vulnerability, I can change settings, run a service, whatever and this way I dont have an UAC prompt". Of course… you have chosen to!

    If you want to protect yourself against malware go buying an antivirus/antispyware. Moreover, a malware doesn’t need admin privileges to spam, get information about you, to listen your keyboard and send it over internet.

  41. pakizito says:

    I enjoyed this post very much, it gives me the impression that engineers at microsoft really are good because a good eng. really is open minded and result driven with no problem with what route was taken to achieve the goal.

    Congrats for all the great work.

    I had an idea that i don’t know if it’s implementable or doable to the global users. I think windows should not let users, or should advice users, not to work or use windows with admin privileges, so what i thought was, why should, at the end of installation, let you create a normal non-privileged user, this should be the default profile of users, and create an administrator user with the users login as password for that admin user (this is to avoid an attacker to know the default admin pass), this password could be changed later on or even at installation, but imagine this, i create a user like i do today, no password accs should be advised as not secure mode of windows, and the admin user will be the user needed to install stuff or alter anything in windows, like uac, the thing is, i think that two users as a default installation is much more secure than it is today. The uac is the remedy for this subject, but if you really have two users and run every change with the admin user, then plenty of virus and attacks were avoided. But this is like UAC, but with two different users, and if the programs need to install, this should be with the admin pass, this is bad for all users, but once and for all if information is so important as is getting today, this should be the default, ppl need to know that with no admin user, the system is vulnerable, so i hope this could lead to a great change of thought about security… This idea has to be user-friendlier, like uac is now…

    Maybe this is just more complex and stupid, but hope to see what ppl thinks about this…

    Thanks.

  42. LCARS says:

    Thank you very much for listening to the community. It seems that you have fixed both the technical issues AND the perception issues. Both are equally important in the end.

    My only suggestion would be that you should actively monitor for upcoming issues like this and nip them in the bud more quickly next time. You let this UAC incident build for a couple of weeks before you made any statements or addressed it. This gave the issue time to be widely reported, theorized upon, misunderstood, bashed, etc.

    Many of the popular news blogs and sites enjoy view count increases from bashing Microsoft. They will eagerly report anything slightly negative very quickly. These negative stories will be placed on the "front page" in big bold text. However, when the issue they reported negatively is resolved, they might report it as a minor story buried somewhere in the middle of their other stories. As a result, many people who read these news sites will see the negative press but may not hear that the issue reported has been fixed. This fosters negative perception and other PR issues.

    Actively monitoring for upcoming issues and issuing a statement ASAP will help prevent negative perception from forming BEFORE it becomes widespread.

    Your products are great! Windows Vista was and is a great product! Its biggest issue is negative popular perception. Windows 7 is even more fantastic than Vista is. However, Microsoft needs better PR to combat the negative press of an Apple infatuated media and the word of mouth that ensues from the people who subscribe to them.

  43. wtroost says:

    Cheers for listening!  And from my partial understanding, a good change.

    Just writing to comment on:

    > if the first step is “first get code running
    > on the machine” then nothing after that is
    > material

    That’s a stunning disconnect from reality.  There are shades of gray from virus to malware to good program.  Many, many computers run stuff that’s at least partly malware! Think real player or IE addons.

    These programs will not go as far as to generate UAC prompts, but they would silently turn off UAC. So with the prompt you’ll make them behave better.

  44. teoh.hanhui says:

    @p_rynhart

    A good example of an installer that does not require Administrator privileges to run is the Firefox installer. It seems more like a problem in the way the installers work rather than UAC’s fault.

    However, it would be nice if programs could be forced to run with a Standard token (at the user’s own risk of the program not functioning as expected, of course).

    ——

    @GuillaumeM

    I think the UAC serves the purpose of asking for user consent when non-trivial changes are being made (or might be made). UAC does indeed "protect" by making you think twice before taking critical actions.

    ——

    If a non-elevated program can use a non-elevated whitelisted program to get itself elevated:

    http://www.withinwindows.com/2009/02/04/windows-7-auto-elevation-mistake-lets-malware-elevate-freely-easily/

    It needs to be fixed.

  45. LinuxGuyInRI says:

    There is a reason why every other operating system uses a UNIX permission structure – it’s because UNIX is truly secure by design.

    Perhaps Microsoft should think about that as they redesign the security wheel for the millionth time.

    Microsoft, do what you do best for once; copy someone else’s design.

    Your users won’t even notice the difference:

    http://www.zdnet.com.au/insight/software/soa/Is-it-Windows-7-or-KDE-4-/0,139023769,339294810,00.htm

  46. Jaquez says:

    Second post ever: if it’s important enough to post about, it’s important enough to say thank you!

    Some will point to this as an example of how you guys are finally listening.  In fact, this is an example of how you all have been listening for years and we appreciate it and it shows.

    It is also an example of you talking, though.  Without that, we would not know that you were listening.  You always said you were and of course you were but no one can see it unless you show it.  For that I also thank you.

    I am running the Beta but I can’t wait for RTM so the rest of my family can enjoy the benefits as well.

  47. Thack says:

    >>

    Microsoft, do what you do best for once; copy someone else’s design.

    <<

    We shouldn’t think the folks at Microsoft are fools, or talk to them like they are.

    When Microsoft realised they had to seriously revamp Windows to make it secure, they looked at a vast range of options, including making it work much like Unix.  

    However, they were SEVERELY constrained by the need to maintain backward compatibility.  No other OS in history has such an enormous ecosystem of assorted software (and hardware) to support.

    The NT security model, which was pretty good and was designed in from the beginning by Dave Cutler, had never properly been enforced by Microsoft.  Thus there was a truly vast amount of software out there which completely ignored the security guidelines.

    Obviously Microsoft could (and probably would have preferred) to redo Windows security from the ground up, possibly like the Unix model.  But to do so would nobble vast swathes of software out in the field, and piss off tens of millions of users.

    So they’ve had to engineer a somewhat more complicated solution, which may not be as simple and elegant as Unix security, but which has demonstrably worked well.  And it continues to be improved.

    All the while, the impact on old, non-compliant software has been remarkably limited and manageable.

    Although I fully agree that Microsoft painted themselves into this corner, I think they’ve done a pretty impressive job of sorting it out.

    Let’s give the guys a break.

  48. domenico says:

    David Of Michelangelo

    It is said that when the work was nearly completed, the gonfalonier of the Repubblica Fiorentina, Piero Soderini, went to Michelangelo to admire the statue. After observing it at length with interest, he turned to the teacher, saying that in his opinion the nose of David was too big. Michelangelo then seized a handful of powdered marble and a chisel with which to pretend to correct the alleged error. Slowly, a little at a time, he dropped the powder from his hand, then asked the opinion of the gonfalonier, who, satisfied, finally declared its perfection.

  49. marypcb says:

    That’s my question about programmatically changing UAC and protecting the UAC setting answered perfectly 😉 It *is* inconsistent and having UAC changes always require elevation may not in truth offer any more protection, but I think you’re right to see it as a change worth making. Having the UAC control panel as a high integrity process makes a lot of sense; perhaps you could share your thinking around which (if any) other elements are in high integrity processes, to help people understand what’s a security boundary and what’s making the user aware?

    @Patrick It would be bad practice for Microsoft to change the resources given to a program on request; giving a standard token when an admin token was requested would lead to a lot of unexpected behaviour. How would you troubleshoot that? Would you believe that the program was at fault or that Windows was? Would the user remember a week later that they had told Windows to deny the admin token (if you could phrase it in a way that would be intelligible to every user)? UAC has pushed software developers to running with standard accounts and tokens because users have complained about elevation. I run with UAC set to warn and I see far fewer elevations – not because of changes in Windows but because of changes in software.

    @wtroost It’s my understanding that a high proportion of UAC prompts are from IE addons – because that’s where a lot of malware attacks.

  50. LinuxGuyInRI says:

    @Thack

    Microsoft’s software for better or worse (mostly worse) runs on 85% of consumer and business computers. There is no room for the half-ass security techniques they have used over the years. The numerous breaches resulting in the compromise of consumer private data should be all the motivation Microsoft needs to make the hard choices and do a redesign. Microsoft constantly uses their monopoly (remember convicted monopolists) to maintain their dominance on the desktop. They can just as easily use it to force software developers to redesign their applications to continue to run on the Microsoft platform. If software companies continue to want their software to run on 85% of the computers out there, they will do the required work. Such a change would result in much needed economic stimulus as well from all the programmers required to make the changes and all the new consultants needed to help technology customers with the change. It’s not as big of a deal as you make it out to be. Apple was able to make the change twice with little to no recourse. The same would be true for Microsoft. And Microsoft now has the advantage of virtualization technology almost being ubiquitous. Apple had to do it without this technology. No more excuses for Microsoft are allowed; not in this day and age of technology.

  51. bananaman says:

    Great news.  It is unfortunate they didn’t reveal the plan earlier (if indeed it’s been in the works for a while) since it would have avoided some of this.  I think the blog posts could be a bit more up-front and use a few less buzzwords, delivering answers to important questions instead of sounding like a lecture.  However great blog overall 😀

    @ PedroAsani

    For the same reason chip-makers underclock and core-cripple chips to sell "lower end" products (even though manufacture cost is the same).  If Microsoft had only one OS product, selling it for the price of a Home edition, they miss out on the extra dollars of those willing to pay more.  That said, a simpler structure would be far better, particularly the starter/basic versions should be axed.  If Professional is truly a superset of Home, then Pro and Ultimate could also be combined.  In short, I agree with you in principle, but eliminating all but one sku would be a bad business decision.

  52. er3s says:

    I just had a thought, instead of just requiring the user to click "Continue", why not force them to enter their password.  I know I’ve been victim to just clicking "Continue" because I wasn’t paying attention.  Requiring a user to enter their password really makes them think before they do something.  What I find is also weird, if you have UAC set above default, buttons that would normally require a consent, still have the shield on them even though they don’t produce a prompt.

  53. tryon says:

    I’m glad to hear you’ve decided to change your mind on this issue.

    Let’s about some new features (some we haven’t heard from for months like WARP) now :) !

  54. p_rynhart says:

    @marypcb

    > It would be bad practice for Microsoft to change
    > the resources given to a program on request;
    > giving a standard token when an admin token was
    > requested would lead to a lot of unexpected
    > behaviour.

    I was not referring to applications/installers specifically marked with "requireAdministrator" in their manifest – but to setup programs (e.g.) that Windows 7/Vista assumes require full administrative privileges.

    Surely some mechanism should be available for a user-based install? I don’t see this as being any different to the "Protect my Computer and data from unauthorized program activity" option which is available in the Windows XP runas dialog.  Note that in the case of XP, the trust level is even lower (i.e. a constrained token as opposed to a Standard User token).

    Regards,

    Patrick

  55. marypcb says:

    @What I find is also weird, if you have UAC set above default, buttons that would normally require a consent, still have the shield on them even though they don’t produce a prompt.

    That’s because the button is telling you that what you do will cause the dialog to elevate when you select it, even though you have chosen to hide the elevation process.

  56. PatriotB says:

    This change, while an improvement, is still not enough.  NOTHING should be able to silently elevate EVER.  Because you have NO reliable way of knowing it is originating from the user!

    "Aside from the UAC setting, the discussion of the vulnerability aspects of the Windows 7 Beta  have each started with getting code on the machine, which the mechanisms of Windows have prevented in the cases shown."

    Here’s an EASY way to get code running on the machine which Win7’s defenses will have no control over: Say you install a third party product such as a browser which runs at medium IL.  Then, some remote code execution vulnerability is found in the browser.  You go to a site that takes advantage of this exploit to run arbitrary code.  This arbitrary code does all the SendKeys/etc that it wants and elevates all over the place.

    You even allude to this by having the UAC setting say that it should be used by people who only visit familiar websites.  

    You’ll NEVER find all the "safe" vs "unsafe" apps which should allow elevation, because the app itself isn’t what has power to do danger, it’s the user’s *administrative token*.

    Windows 7 is NOT secure out of the box if it ships with the setting at anything LESS than Always Notify.  The fact that the first account is always an administrator is even more troubling, especially since your own telemetry shows that most machines only have one account.

    I’m as big a Microsoft fan as they come, but this is a HUGE mistake.  I cannot believe that all the smart security minds at Microsoft (Crispin Cowan, Adam Shostack, Michael Howard) would give their okay on this.
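
To check which prompting level a machine is actually at, the following is an added example, not part of PatriotB's comment and not Microsoft's code. It maps the UAC policy values under the `Policies\System` registry key to the slider positions the thread argues about and flags configurations that allow elevation without a prompt; the function name `Get-UacLevel` and the sample rows are constructed for illustration.

```powershell
# Added example: classify the UAC prompting level from its policy values.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Names of the ConsentPromptBehaviorAdmin options as shown in Local Security Policy.
$ConsentOptions = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacLevel {
    # $Policy: hashtable or object carrying EnableLUA, ConsentPromptBehaviorAdmin
    # and PromptOnSecureDesktop (hypothetical helper, named for this example).
    param([Parameter(Mandatory)] $Policy)

    # A missing value means the level cannot be decided from these inputs alone.
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $Policy.$name) {
            return [pscustomobject]@{
                Slider = 'Unknown'; AdminBehavior = "$name is not set"; SilentElevation = $null
            }
        }
    }

    if ([int]$Policy.EnableLUA -eq 0) {
        # With UAC off, administrators run with their full token all the time.
        return [pscustomobject]@{
            Slider = 'UAC off'; AdminBehavior = 'EnableLUA = 0'; SilentElevation = $true
        }
    }

    $consent = [int]$Policy.ConsentPromptBehaviorAdmin
    $secure  = ([int]$Policy.PromptOnSecureDesktop -eq 1)

    if (-not $ConsentOptions.ContainsKey($consent)) {
        return [pscustomobject]@{
            Slider = 'Unknown'; AdminBehavior = "Unrecognized value $consent"; SilentElevation = $null
        }
    }

    # Only four combinations correspond to positions of the control panel slider.
    $slider = if ($consent -eq 2 -and $secure) {
        'Always notify'
    } elseif ($consent -eq 5 -and $secure) {
        'Default (notify only when programs try to make changes)'
    } elseif ($consent -eq 5) {
        'Default, desktop not dimmed'
    } elseif ($consent -eq 0) {
        'Never notify'
    } else {
        'Custom (set by policy, not a slider position)'
    }

    [pscustomobject]@{
        Slider          = $slider
        AdminBehavior   = $ConsentOptions[$consent]
        # 0 grants every request silently; 5 lets Windows binaries elevate silently.
        SilentElevation = ($consent -eq 0 -or $consent -eq 5)
    }
}

# Constructed sample inputs (not taken from any real machine).
$samples = @(
    @{ Name = 'Vista-style';    EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
    @{ Name = 'Win7 default';   EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    @{ Name = 'Never notify';   EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
    @{ Name = 'Incomplete key'; EnableLUA = 1; ConsentPromptBehaviorAdmin = 5 }
)

$samples | ForEach-Object {
    $r = Get-UacLevel -Policy $_
    [pscustomobject]@{ Sample = $_.Name; Slider = $r.Slider; SilentElevation = $r.SilentElevation }
} | Format-Table -AutoSize

# On a Windows host, report the live configuration as well.
if ($env:OS -eq 'Windows_NT') {
    Get-UacLevel -Policy (Get-ItemProperty -Path $UacPolicyKey -ErrorAction Stop) | Format-List
}
```

A fleet baseline that wants the Vista behaviour would alert on any host where `SilentElevation` is not `False`.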

  57. Mikael3 says:

    @PatriotB

    Exactly. You are only listening to the feedback you want to hear, Microsoft.

    Btw., do the contributors to this blog get their free copy of Windows 7 for help designing your product? :-)

  58. Mikael3 says:

    What you really should have done is leave the basic concept of UAC as it is and tweak the details of UAC to avoid double prompts, avoid prompts for uncritical changes like changing DIP and avoid prompts, before an actual change is made.

  59. marcinw says:

    well, I’m looking into all opinions and have few comments:

    Windows 7 developers have to make some compromises. But the truth is, that UAC will do only, that normal non technical users will understand less, what is going on. I will repeat some other words about build 7000:

    1. no easy info for user, that something is working with admin privileges (no different window color or title with "(admin account)" or something like that)

    2. Task Manager should display info about all processes by default (when run without admin privileges, it will naturally not display everything about some of them – like currently Process Explorer from SysInternals)

    3. default tools should work with non admin privileges – like chkdsk, which in such situation should be able at least to show some info about partition

    Currently Microsoft will be maybe less interested in making more deep changes, but imagine such situation:

    1. startup files, kernel, some drivers, etc. are working in admin ring.

    2. whatever you try to run installer for some runtimes (like .Net) or antivirus, it must be signed and user is always asked by something like UAC to run it.

    3. when you run application (installer or executable), it runs in own sandbox (with some virtual system directories in real subdirectory of Program Files containing files and libraries). it doesn’t have access to system directory or other apps, it can share only some Registry keys with other (for example responsible for registering some extensions). When application try to add driver to driver database, user is always asked by something like UAC.

    4. when you want to increase privileges of application, you are always asked by something like UAC to run it.

    5. when you do some actions (changing time), you are always asked to do it.

    6. admins are allowed to block these few actions (adding new drivers to driver codebase, setting time, etc.). additionally it will be possible to allow/block users run non installed software (not run from virtual sandboxes)

    When are profits ?

    you will be able to install for example many different versions of IE, applications can be easy uninstalled, there will be less questions from various antiviruses (for example: do you want application X to read Y key ?), no need of using WinSxS, etc.

    Additionally user should have ability of setting some network access to concrete processes and should have clear info, what servers can his system connect to (when is making updates for example)

    Current solution is going to nowhere and that’s why can’t give any real additional security than Windows XP. Non technical users will have problems with understanding it, technical users can configure old system, that it will have (almost) the same functionality + security for daily usage.

    Compatibility is very important, but making prosthesis will make only, that it will be more difficult to fix situation in the future. Making good roots will help much more… for customers. Imagine, that Microsoft will do secure system at last. It will be difficult to sell next version. I don’t want to believe, that this is reason, but…

  60. marcinw says:

    and some other word about security in build 7000: Microsoft seems to be removing some other things, which could help especially technical users to see, that something is wrong in system. I speak about ability of displaying icons for each network card near clock (with animation, when data is transferred).

    Very useful and could notify very fast, that something is transferred, when user doesn’t do anything. Such details should be returned… Without them even the best UAC will be incomplete.

  61. Leo Davidson says:

    I agree with this change, however you’ve still done nothing about the RunDll32.exe exploit, and yesterday I proved that there’s a code-injection exploit where any unelevated process can elevate itself silently (even if RunDll32.exe is fixed).

    I also really don’t buy your logic.

    If, as you seem to be saying, it doesn’t matter if an exploit is only possible from code already running (unelevated) on the box, then why do we have UAC prompts for anything at all?

    If we implicitly trust all running code, and if we aren’t supposed to care that all running code can elevate itself silently via the backdoor, then why don’t we simply allow all running code to elevate silently via the proper route, without a UAC prompt?

    In other words ditch the new mode and make the default the setting (that was already an option in Vista) where UAC is enabled but all elevation requests from all applications are granted without a prompt.

    That would be less secure than what we have now by default in Win 7, if you’re going to leave the trivially-exploitable backdoors open, and it would mean that users don’t have to be bothered by prompts from well-behaved software that doesn’t exploit the backdoors.

    Either silent elevation is important or it isn’t.

    – If it is important then you shouldn’t be dismissing the other two exploits.

    – If it isn’t important then you should be getting rid of all UAC prompts and allowing silent elevation everywhere without making prompting the user for no purpose (beyond security theatre) and without making things resort to backdoors.

    Information on the code-injection exploit that I found is here:

    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

  62. GoodBytes says:

    Thank you for listening.

    Now one last major issue which is on the UI:

    – When a window or program is maximized, borders and superbar stay transparent. This causes a problem when a user has a changing background, bright background, or an animated one. Because it is distracting, and feels like Windows wants the user attention, but it does not. I think it would be best to either set Vista behavior or at least have an option to change the behavior from Win7 to Vista.

  63. adaviel says:

    "UNIX is truly secure by design" ? Bull. It’s another academic OS that did at least have multiuser capability baked in. One all-powerful account which, if hacked, gives you the keys to all kingdoms ? Come on. A truly secure system would be more like VMS with an ACL for everything; the operators can install new drivers but not add accounts, the auditors can read logs but not write them etc. etc.

    Microsoft is going in the right direction with some of the system file permissions – administrator is not omnipotent. So is Linux with SELinux etc., but we’re not there yet.

  64. Mikael3 says:

    @Leo

    Very good work.

    They already admitted it in their earlier blog by saying that UAC is not a security feature. The new UAC level is only the imitation of a security feature created for marketing purposes.

    With a little irony you could say they created it with the ingenious plan in mind to make users demand for the stronger UAC settings.

  65. niclas.lindgren says:

    LinuxGuyInRI :

    There is a reason why every other operating system uses a UNIX permission structure – it’s because UNIX is truly secure by design.

    Perhaps Microsoft should think about that as they redesign the security wheel for the millionth time.

    Microsoft, do what you do best for once; copy someone else’s design.

    Your users won’t even notice the difference:

    http://www.zdnet.com.au/insight/software/soa/Is-it-Windows-7-or-KDE-4-/0,139023769,339294810,00.htm

    —————

    You should really look into how the security in the NT kernel works. Once you do that you will realize the Unix permission structure is vastly inferior to the NT model. I would even go so far to say the opposite, in standard unix there is one root and one root only. In Windows you have ACL/DACLs. That way you can specify on _each_ kernel object what should be allowed and by who and what shouldn’t. This cannot be done in Unix. Unix permission scheme is simple, the only thing making unix more "secure" is that it enforced people early on _not_ to run their apps under root.

    However malware doesn’t need to be root to gather private data from your computer, and it is as easily done on a unix box as a Windows box. On a Windows box you are more free to set up your environment and tailor it to minimize the damage of a possible breach.

    Either way, I encourage you to read up on it.

  66. adaviel says:

    One other thing I’d like to see – the install process say "now create a standard account for day-to-day use".

    There’s nothing to tell a naive home user to use the account manager.

    Using a nonprivileged account is effective against zero-day malware, and free.

    It is also a good defense against accidental damage by other users, such as children, and is I believe a prerequisite for parental controls to work. With all the work that Microsoft has put into the UAC and virtualization, there is no reason not to use a standard account by default.

  67. p_rynhart says:

    @niclas

    I found myself agreeing with most of your post, except for:

    > On a windows box you are more free to set up your
    > environment and tailor it to minimize the damage
    > of a possible breach.

    With UAC on Vista and Windows 7, there are some scenarios where the OS forces you to use an admin token.  On Windows XP and Linux, the power user is able to decide whether an installer or an executable should have root/admin access to the system.

    Regards,

    Patrick

  68. Synced says:

    I am really inspired by this w7 engineering blog.

    I am a mobility developer on major mobile platforms and a strong advocate of many Microsoft technologies and in the last year or two I have had strong opinions on the strategies of the company.

    I’m not trying to toot my own horn here but this blog has really inspired me and makes me think the day "you are listening" has finally come.

    I’m going to try to take part more in commenting on w7 engineering articles, as well as posting my overall thoughts on strategies going forward.

    I really want to see what I call Microsoft 2.0 emerge in a time that it is being attacked and challenged on all fronts.

    The answer to me is very clear, the challenge however is very tough and I want to make my ideas, opinions and thoughts public.

    Thanks for inspiring me in this blog seeing your dedication to opening channels to the community.

    I also would love to see a ui/usability blog for w7 because as much as people are talking about the new taskbar, I am disappointed in the lack of innovation in the last 10 years in UI for Windows.

    We are in a touch screen generation, with multiple monitors and UMPC/MID’s and windows UI does not scale / adapt well let alone expose much flexibility.

    w7 engineering seems to be nailing down performance.

    However even with the latest technologies, why is it an iPhone can finger scroll a web page better than w7 & IE8 on a quad core desktop machine?

    I sometimes feel there is some lack of vision of where Windows usage is going in the future.

    For myself mobility is the next big boom, although I am biased of course since I work in the industry but Windows does not set itself up as an innovator here.

    Recently Microsoft has been a reactor to trends, not a maker of trends.

    I really want to see this change. Many things are clear to me what needs to be done.

    Sorry for the lengthy text. Strategy is a passion for me and I don’t want to see a repeat of the last 8 years.

    For example, everything I see shows Windows based MID, UMPC, Desktop, Notebook, multi touch devices having the same basic desktop.

    The iPhone is a perfect example that usability and UI has to be tailored to its use.

    Simply slapping a taskbar and desktop with a start menu on a MID is not going to be acceptable.

    The OS itself is solid. It’s time for a change in how users use Windows.

    I hope to comment on the under the hood engineering on this blog and write my various thoughts at my blog since I don’t know where else to drum up ideas, comments and feedback that maybe some day can be visible:

    http://strategyblog.nureality.ca

  69. cybershawngates says:

    Um, Guys, we have a SERIOUS problem with windows 7 – can we focus on the BLUESCREEN issue with tdx.sys?  A lot of us are running windows 7 without antivirus!!! HELP??!!!

  70. Aaron Friel says:

    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    Microsoft, please read that site. You need to come up with a fix for this in order to call UAC secure. Unelevated processes are still capable of doing anything.

  71. cranialsurge says:

    A perspective offered first as a suggestion to improve had then to take on the role of being a dogmatic approach to make engineering understand that the true intentions of releasing a product that harbors an ecosystem as vast and immaculate as Windows is not always to dictate a technical accuracy. It is in essence a die hard effort at preserving the good will and pristine faith that close to 90% of the tech savvy world vests in to Microsoft. I am privileged both as a technologist and as a consumer to have patronized Microsoft for over a decade now.

  72. hexaae says:

    Why don’t you simply solve this misunderstanding with UAC’s newbies improving communication?

    IMHO, a rolling video that explains UAC and its settings in depth would solve the problem, using a 2 level terminology: one for expert users talking about admin rights etc., and one for newbies (so both will be pleased).

    Would be so simple…

  73. hexaae says:

    PS

    This video obviously should be played during Win7 installation..

  74. marcinw says:

    > w7 engineering seems to be nailing
    > down performance.
    > However even with the latest technologies,
    > why is it an iPhone can finger scroll
    > a web page better than w7 & IE8 on
    > a quad core desktop machine?
    > I sometimes feel there is some lack
    > of vision of where Windows usage
    > is going in the future.

    Once again: Microsoft has got product, which is old, but quite good estimated (XP). Development on it is stopped and we have Vista (Windows 6.x). It’s very often criticized. Microsoft decides to continue Vista instead of moving good Vista things into older better code (XP). Seven is improved in many things, but still worse than XP (yes, in opinion from many people it’s worse and numbers confirm it). Why ?

    I was thinking and probably found one of answers: it’s part of MS strategy. See http://www.pcpro.co.uk/news/245859/qa-microsoft-defends-return-to-drm.html MS opened new shop with music, where prices are higher than in concurrent shops and where there is used DRM (concurrent shops don’t have it).

    Other possibility: in Windows 3.11 era, Windows 98 SE era there were managers, who were able to force architecture changes (from 3.11 to 9x, from 9x to XP based on NT). Currently managers are afraid of any change. Shared Registry or other so criticized things ? It will be, because we want to… It isn’t possible to continue strategy, which was good 10 years ago. Market is different, people are more educated,…

  75. Mikael3 says:

    Read Mark Russinovich’s take on this. It explains a lot of Microsoft’s thinking.

    http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

    The key statement is, that UAC (as in Vista) is not a security feature, but just a convenience. I think this is tech speak for the UAC being not perfect in the sense that certain attack vectors can not be excluded by design. And he explains the possible gaps in detail. From Mark’s point of view everybody who wants real security should go with a standard user and even use no elevation.

    Maybe I am wrong, but I thought and I still think that UAC as it is in Vista gives me some security and is in fact a good compromise between security and convenience for a home user. But I think, that the new UAC level in Windows 7 does give close to zero security over switching UAC off completely.

    But then after reading the article above it is clear to me: The new UAC level is not for the user, for him it is as good as switching off UAC completely. The purpose of the new UAC level is to give home users the convenience of XP back while still forcing Windows programmers to write programs, which can be run as a standard user. And from this point of view it might even meet its purpose.

    But to get this message out is of course an immense communication task.

  76. marcinw says:

    > Read Mark Russinovich’s take on this.
    > It explains a lot of Microsoft’s thinking.

    […]

    > The key statement is, that UAC
    > (as in Vista) is not a security feature,
    > but just a convenience

    exactly ! and this is the problem. One of main Seven 7 advertised features will be UAC (changes) – MS can’t advertise (too many) other security features, because don’t have them.

    Technical people are speaking about it and sometimes only about it – real problems are not discussed.

    Non technical people will think, that it will resolve everything, many of them will stay on default level and will be more vulnerable. Systems will be more "secure", not more secure.

    We need to speak about it – when people will know about it, maybe will decide to move to more safe systems (or even stay with XP, which after years has got closed many gaps) and maybe it will force MS to start real work on improving this architecture. At least I hope so…

  77. Mikael3 says:

    @marcinw

    I think this is not about architecture. They had all the architectural pieces together even before Vista and with Vista’s UAC also third-party programs got ready for it.

    This is about being afraid about losing home users by forcing too much inconvenience upon them.

    The windows 7 UAC default level is a business decision.

  78. locolorenzo says:

    UAC as it stood in Vista was just annoying! UAC when it is set to the previous levels of Windows 7 was just about the same!

    You have it right in the Windows 7 Beta, but it’s a fantastic idea to elevate UAC to the requirement of an Administrative Password to modify settings.

    It’s great to see that you are listening and it’s too bad that the fun of using this OS has gone this way but you can’t please everyone!

  79. marcinw says:

    @Mikael3,

    Everywhere I read about Seven, I hear about "great" UAC. This is a prosthesis, but I’m sure that it will be very much advertised as an important security feature when Seven starts shipping (and many people will forget about the explanations from Mark). This is wrong.

    Windows needs some changes. No more excuses.

  80. teoh.hanhui says:

    @Mikael3

    I think using "Notify only when…" as the default in Windows 7 is understandable. The point is doing so should not present more loopholes for circumvention than exist in Windows Vista. If that happens Windows 7’s UAC at the default level is not only perceived as "less secure", but is inherently less secure than Vista’s UAC by design.

  81. JBClark says:

    It’s a bit off-topic but are there any plans to prevent these kinds of USB stick viruses in 7?

    http://www.symantec.com/enterprise/security_response/weblog/upload/2007/10/CW_moretibf.jpeg

    You can’t really see it in that image, but the prompt looks really confusing even in Vista: the icon and wording are the same ("Open folder to view files" or somesuch). In XP it was even worse since they could make the legit "Open" and "Explore" options disabled, making it very hard to access the stick without infection. In any case even in Vista double-clicking it in "Computer" means game over.

    Every stick I come across is infected, even from machines with antivirus (people disable the antivirus because otherwise they can’t open the stick in Explorer!). Something must be done about this. I’d suggest completely ignoring "autorun.inf" files in USB drives, and make executables and such display the same prompt you get with downloaded ones (this one: http://blogs.msdn.com/blogfiles/e7/WindowsLiveWriter/UpdateonUAC_140FD/clip_image004_2.jpg or similar).

    This might be a bit extreme and there are some legit uses, but I think it’s 99.99% vs 0.01% – literally. In any case the user could run the software manually with just one prompt if he really wishes to.

  82. Mikael3 says:

    @teoh.hanhui

    Yes, you are right. When they make this new windows 7 default level work with the same level of security as the Vista level, it would be great.

    But when I read the stuff that Leo Davidson has posted in the link above, I doubt it. I am not deep into it, but to distinguish reliably between what the user wants to do and what a program wants to do seems impossible to me. It will be good enough to detect malware, which is not explicitly attacking windows 7 and it will also of course be good enough to force programmers of normal programs to work well in standard user mode. But let’s see, if Microsoft can pull this off.

  83. marcinw says:

    @Mikael3,

    We have thousands of spam emails, because protocols weren’t protected against it. We need to use antivirus software in Windows (sometimes using a lot of CPU and RAM), because MS was forcing some solutions over the years.

    Wrong architecture solutions make problems.

    Windows needs some changes. MS started to make them, but for example creating UAC and some changes in IE (Per-Site ActiveX) is only a partial return to some things already discovered… Partial, and something more is required.

  84. dotnet@sivill.com says:

    Brilliant decision, thanks for listening.

    Siv

  85. Synced says:

    My next blog I am going to be covering how I think Windows 7 and all other Windows should have Live Mesh built in. Instead of having Zune Sync, ActiveSync, My Phone etc.

    Along the lines about my post about finger scrolling.

    Windows needs to start innovating on experiences, and standard uses for developers.

    For example some apps have finger scrolling, but nobody does the scrolling and animation properly anywhere near that the iPhone does.

    This stuff along with gesture recognition (swipes, etc which do exist somewhat in WPF) need to all be standardized so they all work very well in every app that decides to leverage them.

    Instead we have everyone writing their own animation and finger scrolling detection etc and no useful UI for users.

    I just saw a job posting about Windows in the open source division and how to combat open source with netbooks, mobile devices etc in mind.

    Seriously to compete, simply provide superior experiences that cannot be beat.

    Apple has the so called Apple tax. How do they get away with it? Superior experiences.

    Open source has comparable usability to Windows because Windows is still very much the same as it always has.

    Innovate and seamlessly integrate devices, services and software at a pace the unorganized open source realm cannot keep up with. That is the solution.

    w7 has the footprint more so of XP than Vista. But the UI is very unusable on a 7" UMPC with your finger.

    Think about that in 4 years on a 4-5" MID. We are back to the Windows Mobile way of thinking where a stylus is required because things are too difficult to navigate. Does Microsoft think w7 actually has a chance on MID’s? Performance wise I think the engineering team has done a great job at slimming it down for the most part where it needs to be considering Atom processor innovation going forward.

    However nothing in the OS shows me it is touch friendly or mobility friendly. There are touch capabilities yes, but it’s almost done to the point it’s just for demo purposes or marketing.

    There’s no consistency in the OS UI or touch wise for mobility to pass.

    Also Windows needs the CellCore technology from Windows Mobile if it really wants a chance at mobility.

    Seriously think to yourself for a moment. Where do you think Intel Atom is going to be in 4 years? How small are devices going to be?

    Cram the Windows 7 desktop on that thought and use your finger to operate your mobile PC.

    I work in mobility and one good test we like to think about for UI’s is, could you operate it well as you walk down a flight of stairs?

    That’s what mobility is about. Sometimes your eyes go off the device, and you may still be scrolling or interacting, your aim may not be too accurate because you’re walking down stairs or you’re in a crowd etc.

    It’s time to look at standard Windows UI’s in general as well for revision.

    Ever look at the Services manager or the Computer Manager etc? They never ever remember the sizes you make the window previously. They never remember how you set the grid last time.

    They look very NT4ish.

    Can we not have nice looking UI’s in these quite common interfaces? These have only received minor changes over the last many years.

    As a developer I was a big defender of Vista because I loved a ton of the work that was going on under the hood. I am a big fan of them. Even the breaking changes. It is my responsibility as a developer to follow the rules. Security is good. Writing poorly written apps then blaming UAC for breaking my app is not acceptable in my opinion.

    Windows 7 goes further. I love what’s under the hood.

    UI and usability and mobility though needs a real team to manage all of this across the board. The OS, Internet Explorer, everything.

    Since Vista we have a nice rendering engine. Let’s use it.

    Sorry for the lengthy comments. I am very passionate as you can see. I would like to be a part of the solution not the problem.

    Rather than just trying to "keep up" with usability and sleekness, I think Windows can innovate and wow.

    Like I said before. Even using WPF which is a modern toolkit rendered via the GPU why can’t it finger scroll? Why can’t it render 200 items scrolling smoothly if an iPhone can? They are nowhere near the same hardware capabilities.

    I use WPF and love it, I love XAML and the vector capabilities with .NET but when I develop for iPhone I just drop a tableview and I never worry about rendering performance. It just includes the finger usability which is SPOT on and renders smooth as silk.

    The same things should occur for UMPC, MID’s etc.

    If Microsoft ever wonders why Linux and such are competing in the netbook and why UMPC and MID’s haven’t "taken off like hot cakes" it’s pretty simple. Simply slapping Windows on a small device does not = hot sexy device.

    The OS is fine. The experience however is ugly. How many times does one have to realize this? The Stylus experience = fail.

    We want Windows in our mobile lives. We want powerful devices. Windows is powerful. We need great usability however in small form factors.

    Ever use any version of IE including IE8 with finger scrolling? Brutal. Choppy, slow, doesn’t feel natural.

    I could go on and on.

    Windows on the desktop needs refinement, Windows for mobility needs a new way of thinking. A mobility way of thinking.

  86. SamYeager says:

    "Ever look at the Services manager or the Computer Manager etc? They never ever remember the sizes you make the window previously. They never remember how you set the grid last time."

    @Synced – This is so true! I think the problem may be more the MS delivered MMC consoles rather than MMC per se. I’ve noticed in the past (Win 2003) that if I add a console into a new MMC then it remembers my settings. However I shouldn’t need to do that in the first place.

  87. dennes says:

    Hi,

    The changes solve one of the problems, but the bug explained here: http://www.withinwindows.com/2009/02/04/windows-7-auto-elevation-mistake-lets-malware-elevate-freely-easily/ hasn’t been solved yet.

    The point is: this bug didn’t work in Windows Vista. This makes UAC in Windows 7 less secure than Windows Vista.

    All the solutions to prevent malicious code from getting into the computer don’t solve the problem. The user will allow code to run if he was told that’s a good program. In Windows Vista, UAC could block the program if it started to do something wrong (I know I’m simplifying this), but in Windows 7, as demonstrated in the link above, the program can bypass UAC.

    Neither of the two changes for RC solves this problem; I would like to know how this problem will be solved.

    Thank you,

    Dennes

    dennes@bufaloinfo.com.br

  88. marcinw says:

    @Synced,

    I agree with you in large part. But not entirely: not only interface experiences are required, but also some others.

    (based on various people experiences) When:

    * after uninstalling some software I still can see some libraries and Registry entries from it

    * installed program X can change silently settings from program Y

    * antivirus software is asking me for approval on changing some Registry keys (it’s good, because it’s protecting me against changing some system things, but wrong because I don’t have to know something about these settings)

    * I can’t do the same things in Seven which were possible in XP (like displaying animated icon for my Ethernet card near clock)

    * I get 100% CPU usage in Seven during opening Explorer

    * I can’t set up clear, where my system is connecting to during updating (servers + port)

    * system doesn’t allow me for installing few versions of the same application (IE for example)

    * I can’t reformat my HDD as I want during system install, because I received Recovery DVD

    * I can’t delete from system unnecessary default parts

    * in Seven I can set up less precise some options (see ClearType tweaker)

    * I can’t precisely set up, that for example application X shouldn’t use network interface Z or application X can’t use more than 30% of CPU

    * I don’t understand meaning of more and more system services

    * my NTFS is hiding some data (alternative streams) and 0 bytes big file (in Explorer) can have many MB for example

    * I need to make more clicks in Seven than in XP (for example in Task Manager I have to click additionally "show processes from all users", although it can show them even when run from limited account; I need to make many clicks, when I want to disable my ethernet card)

    my experiences are wrong. And I don’t blame developers for it only. Architecture. This is key. System should be "self-protected" against problems.

    I proposed some easy to implement solutions (for example sandboxing), nobody is interested in it. 3rd party solutions are better and better (I like it – Linux and other are very nice now), the best win32 implementation is more and more bloated and more and more "discussed", not improved. This is wrong.

  89. Eghost says:

    What I would like to see is choice, that simple. If I want to be a true administrator that’s my choice. This was a major problem with Vista and continues to plague Windows 7, Microsoft wants to control everything, security, the UI. Why does Microsoft feel as though people are incapable of making their own decisions? There is nothing wrong with UAC if that’s what you want, but there is also nothing wrong with being able to run as a full administrator without any interference from the UAC if that’s my choice. Stop being a Military dictatorship, or believing that only Microsoft is Omnipotent, you don’t need to make decisions for everyone, some of us would truly like to make the decisions for ourselves…

  90. graham.lv says:

    "… When we started the “E7” blog we were both excited and also a bit uneasy. The excitement is obvious. The unease is because at some point we knew we would mess up. We weren’t sure if we would mess up because we were blogging about a poorly designed feature  …"

    What you have poorly designed is how to get the whole bloody thing to work!  There’s no way to activate it for the beta – I had one day left and it will not activate online – nor will any of your phone no.’s work.

    So, I had to search for how to re-arm it for another 30 days and doing that was reported as SUCCESSFUL by windows but has only given me another 3 days…

    So, it will go into cringe mode in 3 days instead of tomorrow – yay

    IT’S ANOTHER STINKER!  

    I wonder what Apple is like…

  91. kudraw says:

    @Eghost:

    Using an administrator account today would be like swimming in a tank full of piranhas.

    Malware and other viruses can break the system.

    I’ve used Vista from its launch, without the need of any real-time anti-virus.

    Linux uses limited-privilege accounts too.

    I hope that Microsoft fully dismisses the use of an Administrator account at default settings.

  92. solaris says:

    I read some articles from Paul Thurrott lately where he criticizes how Microsoft deals with Windows 7 Feedback.

    quotes:

    "Beta testers can simply provide bug reports feedback that will largely be ignored. Again and again, I’ve been contacted by people on the Windows 7 technical beta with examples of bug reports that have been closed by Microsoft because the features work exactly as they intend." (about the public beta)

    "Microsoft has tested Windows 7 in secret, not allowing its tech beta participants, reviewers, and others via the public beta to actually impact the final product in any meaningful way." (about the UAC conversation).

    well, I don’t claim that he is necessarily correct. But if there aren’t any significant changes in RC, I guess it will at least look like he’s right. In my opinion the Beta is great, for a beta and compared to Vista, but it isn’t final just a good base. Major changes from Beta to RC would be great for marketing and bring a feeling of progress and innovation.

  93. Eghost says:

    @kudraw

    Ahh my friend, some people like swimming with piranhas. I’d use Linux if I wanted to, besides with every variant of Linux that I know of you can be full administrator if you choose to be, it’s an option. Besides they can’t break the system if you don’t let them in, granted not everyone can do that, I’m not worried about it. Here’s a suggestion for Microsoft, add another SKU to the lineup, Windows 7 for power users, I have the control I want. Again stop believing that only Microsoft is Omnipotent. I don’t need the Microsoft deities looking out for me. Like it or not, this was a problem in the betas of Vista, Microsoft wants total dominance, they should stop. If you want the soft warm fuzzy blanket, that’s fine. I don’t care for it. Why? Because I’m just as much of a control freak as Microsoft, if I mess up my system so be it, I’ll rebuild it in a few hours. It’s not that difficult for me. Are they going to change? Absolutely not, they ignored this in all the years of the betas of Vista, they’re ignoring it now. Why? Because Microsoft, for all its postulating, has not really changed since the early incarnations of Vista, they know better, they are Omnipotent, they are the Microsoft Deities, so shall be written, so shall it be done….

  94. mhildreth says:

    I think this is great. Thanks for listening, taking action, and communicating openly about it. I don’t think you need to apologize. I think that the discussion that was the result of your previous UAC posts is EXACTLY what blogging about the Windows 7 development was intended to do – communicate, listen, and incorporate feedback. Keep up the good work!

  95. yngdiego says:

    While I’m glad MS fixed this one problem with W7 UAC, how about the run32dll issue raised on several blogs including:

    http://arstechnica.com/microsoft/news/2009/02/the-curious-tale-of-windows-7s-uac.ars

    Even with the announced W7 UAC changes, it still seems very trivial to bypass all UAC protection in the default mode.

  96. hitman721 says:

    LinuxGuyInRI,

    Considering the trojan infections on Leopard recently, I think you’ll come to the conclusion that no OS, no matter how well designed, is bulletproof. Every OS is going to have its strengths and weaknesses as far as security is concerned. Yes, Microsoft is having to leave a lot of compatibility in Windows. Eventually, there will be a redesign. However, I would argue that specific redesign should happen when Windows fully transitions to 64 bit only version of Windows.

    This would be the most logical time to throw out all the backwards compatibility, while using a more secure model. A big time announcement and longer design period so that nobody has any excuse.

    However, if you look at many Linux variants, according to the National Vulnerability Database, even Ubuntu Linux has more vulnerabilities than Windows Vista and XP. This isn’t my opinion, but based upon data collected by the U.S. Computer Emergency Response Team (CERT) and National Institute of Standards and Technology (NIST).

    http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

  97. murtaza110 says:

    OT: in addition to an issue mentioned by marcinw above (explorer process taking up 100% CPU while loading), i’ve also noted 100% CPU usage while just scrolling through a list of files/folders in explorer. i have a freshly installed copy of win7b1 and a 2.66 GHz CPU with 1GB of RAM.

  98. hux says:

    Hallo Jon and Steven,

    As a big fan of the Windows NT OS line, it’s great to hear that you want to change the UAC settings dialog in the RC of W7. Thank you very much for this! :-)

    Unfortunately, I am still concerned about the issue explained on this site:

    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    As far as I know this flaw is based on the CreateRemoteThread() & Co APIs. You previously stated that you are going to fix the run32dll story but this flaw seems a bit harder to fix.

    I would really appreciate if you could explain to me if raising the integrity level (somewhere between medium and high) of all "auto-elevate"-applications could prevent this kind of "code injection" and if Microsoft is planning to do something like that. If not, what are your plans to face this attack?

    Regards,

    hux

  99. bananaman says:

    Re: popular consensus "it makes Windows 7 less secure than Windows Vista"

    I would counter that UAC is not security.  In Windows XP, if I chose to run as Administrator I’d never have to elevate anything.  It was my own responsibility to run as a standard user.

    Same goes for Vista/7, for security, use a standard account.  UAC is more for forcing software developers to make their software run as standard users, since even the Admins are running with a standard token most of the time.

    Microsoft should work harder to ensure people use a standard account; (ie, offer to create one during install).

    Granted, a "partly on" UAC is barely better than having it off, but fully-on it’s been proven to drive the layman user crazy.  I can’t blame Microsoft for toning it down, especially as it’s not a true security measure to begin with.  +1 to the idea of (optionally) asking for a password on elevation *nix style, people might take that more seriously.  (And require a Ctrl+Alt+Del)

  100. marcinw says:

    @hitman721,

    Nobody is expecting miracles from MS – everything created by people (can) have bugs.

    We can go and observe various reports about bugs in various systems, but please note 2 things – in systems with open source it is much easier to find bugs (with closed source, finding some is impossible without knowledge available to some people only), and in the report you cited there is no word about Debian or other distributions thought of as very secure. Because of this I would be careful when looking into such reports.

    When we return to Seven: there are various methods of making systems more secure without breaking compatibility. Microsoft has not even tried to use them and this is wrong.

    @bananaman,

    Such "half-way" solutions are not too good. Do you have for example info, what exactly (with details) is done on each level ?

    And like I said: UAC WILL BE advertised as very strong security feature. Many non-technical people CAN resign from additional protection because of it. And this is wrong.

    In my opinion the system should not have such a prosthesis. Real sandboxing should be done (very easy to implement and possible even before Seven Gold) or another form of virtualization – when some application does not work with it, a real admin password or approval should be asked for and windows from such an application should be clearly marked on the screen.

  101. pablomedok says:

    What’s wrong with syndication in this blog? It has stopped on ‘Windows 7 Energy Efficiency’ (both Atom and RSS 2.0)

    Please, fix it

  102. pablomedok says:

    What’s wrong with syndication in this blog? It has stopped on ‘Windows 7 Energy Efficiency’ (both Atom and RSS 2.0)

    Please, fix it

  103. hitman721 says:

    @marcinw,

    I totally agree with you. However, my point was to communicate that this illusion that OS-X and Linux flavors are any more secure than Windows is bullpuckey. Each one of them has flaws, many of which will not be known. Part of the reason is Linux still doesn’t have 1 percent of the world desktop market. It doesn’t make sense for virus writers to target Linux OSes. Therefore, Linux will not be as challenged as Windows gets challenged on a daily basis.

    Second, just because you’ve got more chefs in the kitchen, doesn’t mean you come up with a better stew. It’s great to have a large community. However, I’d argue that the huge number of people that know Windows and send in problems doesn’t mean it’s going to find everything. This is a very complex OS and new technologies are being added to it regularly. It’s not going to be possible to get anything near perfect.

    I think it’s important to note that most Windows Zero Day vulnerabilities are on average patched within 24 hours. That is the fastest for any OS on the planet. No distro of Linux and certainly not Apple is that quick. So I feel quite secure using Windows, because of all the steps necessary to secure Windows.

    So let’s be fair. Apple’s threats are evolving. Linux doesn’t get challenged as harshly. Windows simply because of the over 1 billion users becomes the most frequent target. However, challenges to OS-X and Linux will continue. The entire PC Industry has to be vigilant in the security arena.

  104. uecasm says:

    Prompting is good; forced elevation is not necessarily.

    A standard user should be able to switch between "prompt me for credentials" and "don’t prompt me and fail" with a simple confirmation prompt and without needing to elevate (for obvious reasons).

    The same applies to an admin user, except that they get the additional options "prompt me for confirmation" and "don’t prompt me and succeed", both of which should require both user confirmation and elevation in order to change.

    And this applies regardless of how it’s changed — tweaking the registry setting should either trip the confirmation or always fail.

    I also disagree with what you’re saying about security.  The whole point of UAC is to provide some small layer of protection against code running on the machine (and to retrain developers), so the steps after "get code running on the machine" *are* relevant.  If there is any way for an unelevated process to get itself elevated silently, then that’s a fatal security bug.

  105. Matteo Gazzoni says:

    I would like to repeat something that has already been said by some (including Microsoft itself), but that most people around seem to not understand:

    UAC is not a security feature per se: it is something that eases the use of a Standard User account, this, is a security feature or measure.

    Some may argue that using an account with admin privileges turns UAC into a security feature (I’m talking about the Admin Approval Mode) but this is only transitional, in sight of the ultimate goal: create the first user as a Standard User, reducing (or maybe totally deprecating) the use of an Admin account in most cases, at least, in the ones which regard only one user per machine (most home users).

    All the exploits posted are such as long as the account used has admin privileges (and UAC set to any other value than Notify All), which should not occur but for administration purposes (and, again, a home user should not have these purposes).

    I firmly believe that Microsoft and its security team have made a giant leap in regard of security with Vista; the Standard User has proved to work well, it should be now the Default.

    Note: UAC behaves differently, according to the type of the account being used: while an Admin account is more "secure" with UAC turned on (Admin Approval Mode, Notify All), the same cannot be said about a Standard User, which conversely is more "protected" with UAC turned off, utilizing the Fast User Switch for the tasks that require admin privileges. Hence, in the case of a Standard User, UAC is just a convenience, a shortcut for not to switch the user.
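The prompt behaviours that uecasm and Matteo Gazzoni describe in the two comments above correspond to registry policy values, so a defender can audit them and notice when they change. The following Python is an added example, not part of any comment and not Microsoft's code: it parses `reg query` text output for the `Policies\System` key, names the resulting level, and lists conditions that newly appear between two snapshots. The level names, finding codes and both snapshots are constructed for illustration, and missing values are assumed to take the Windows 7 defaults.

```python
import re

# Policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Assumption: a value missing from a snapshot takes the Windows 7 default below.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
            "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}
ADMIN_BEHAVIOR = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}
USER_BEHAVIOR = {
    0: "automatically deny elevation requests",
    1: "prompt for credentials on the secure desktop",
    3: "prompt for credentials",
}
_DWORD = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

# Constructed snapshots in the text format printed by `reg query`.
BASELINE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""
CHANGED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x3
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Return the four UAC policy values found in the text, defaults filled in."""
    values = dict(DEFAULTS)
    for line in text.splitlines():
        match = _DWORD.match(line)
        if match and match.group(1) in DEFAULTS:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def slider_level(v):
    """Name the slider position the values correspond to (names are constructed)."""
    if v["EnableLUA"] == 0:
        return "UAC disabled"
    admin, secure = v["ConsentPromptBehaviorAdmin"], v["PromptOnSecureDesktop"]
    if admin == 2 and secure == 1:
        return "Always notify"
    if admin == 5:
        return "Notify on program changes" + ("" if secure else " (no secure desktop)")
    if admin == 0:
        return "Never notify"
    return "Custom policy"


def findings(v):
    """List the conditions a reviewer would want to know about, as short codes."""
    if v["EnableLUA"] == 0:
        return ["uac-disabled"]
    out = []
    admin = v["ConsentPromptBehaviorAdmin"]
    if admin == 0:
        out.append("silent-admin-elevation")         # "don't prompt me and succeed"
    elif admin == 5:
        out.append("auto-elevate-windows-binaries")  # the Windows 7 default
    elif admin not in ADMIN_BEHAVIOR:
        out.append("unknown-admin-behavior")
    if v["PromptOnSecureDesktop"] == 0:
        out.append("no-secure-desktop")
    return out


def audit(text):
    """Summarise one snapshot: level, admin and standard-user behaviour, findings."""
    v = parse_reg_query(text)
    admin, user = v["ConsentPromptBehaviorAdmin"], v["ConsentPromptBehaviorUser"]
    return {
        "level": slider_level(v),
        "admin": ADMIN_BEHAVIOR.get(admin, "unrecognised value %d" % admin),
        "user": USER_BEHAVIOR.get(user, "unrecognised value %d" % user),
        "findings": findings(v),
    }


def weakened(before_text, after_text):
    """Findings present in the later snapshot that the earlier one did not have."""
    before = set(audit(before_text)["findings"])
    return [f for f in audit(after_text)["findings"] if f not in before]


if __name__ == "__main__":
    print(audit(BASELINE))
    print("newly present:", weakened(BASELINE, CHANGED))
```
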

  106. Leo Davidson says:

    @Matteo Gazzoni: If the only purpose of UAC with an admin account is to help software authors transition into using the UAC model, and we don’t want prompts (and/or the prompts offer no security benefit) then Microsoft could and should set UAC to "elevate without prompting" by default, instead of what they are doing now.

    Nothing is lost, functionally: That still forces programmers to write the same UAC-compliant code which segregates admin and non-admin work and which allows for standard user accounts to use over-the-shoulder elevation.

    Nothing is lost, in terms of security: Since people seem to be arguing that UAC isn’t a security feature and since the UAC prompts in Windows 7 are so easy to bypass anyway (as my code  seems to prove, unless things change, and despite trying to contact Microsoft they haven’t even asked me for details).

    What we have right now in Windows 7 is the worst of both worlds: Insecurity and Inconvenience.

    If the UAC prompt is trivial to bypass why should one be inflicted on people when they run Process Monitor or if they use Process Explorer instead of Task Manager, or Directory Opus instead of Windows Explorer?

    If getting rid of nagging UAC prompts for trusted/frequent actions/programs is a good idea then it’s a good idea for all software, not just the in-box binaries. Users should at least be able to "whitelist" programs they don’t wish to be prompted for, if that’s the goal.

  107. Matteo Gazzoni says:

    @Leo Davidson: Yes, "elevate without prompting" could and should be the default behaviour for an Admin account (provided that the first user created is not an Admin and that the system strongly drives the user to choose a Standard User). Alas, I think that it is too late for these changes.

    In the light of the facts, there are two main usage patterns that trigger UAC prompts:

    1. Software Installation

    2. System Configuration

    A whitelist for software installation is useless. A whitelist for system configuration could be deployed, but then the user would have this set of special permissions (the whitelist) that would extend his power (speaking of privileges :P) and the possibilities of a malicious software (yet it is still a matter of convenience vs. security).

  108. p_rynhart says:

    @Matteo Gazzoni

    > While an Admin account is more "secure" with
    > UAC turned on (Admin Approval Mode, Notify All),
    > the same cannot be said about a Standard User,
    > which conversely is more "protected" with UAC
    > turned off, utilizing the Fast User Switch for
    > the tasks that require admin privileges. Hence,
    > in the case of a Standard User, UAC is just a
    > convenience, a shortcut for not to switch the
    > user.

    i.e. What we had with Windows XP!

    IMHO, Microsoft went on an enormous tangent with UAC.  All they needed to do was to change the installer so that it set up all accounts as a Standard User along with an admin account (to install software via RunAs and/or fast user switching).

    Regards,

    Patrick

  109. Hairs says:

    I think the main point that concerns me in the following

    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

    website is this:

    UAC, as has been explained on this blog, is part of a strategy to try and force developers not to use elevated or admin code for no good reason.

    YET

    Microsoft themselves, faced with a choice between doing the hard work and creating a lazy workaround, chose to go the lazy route. Calc and MSpaint were redone for Windows 7, yet apparently it was too much work to make sure they didn’t expect admin privileges, so they were whitelisted.

    Lazy, lazy, lazy.

    I don’t see this getting fixed any time soon. The uproar over the initial UAC reports resulted in a resounding "Meh, it’s supposed to do that, whaddya gonna do?" Clearly, if the designers thought that whitelisting *all* MS apps and processes to elevate silently was appropriate, there’s no way that the decision makers are going to approve doing the hard work of actually rearchitecting which MS processes deserve elevation and which don’t at this late stage of the release cycle.

    This whole debacle has cast a light over this blog as being a fluff piece for marketing instead of a blog by engineers for engineers, which I think is a pity. If we start hearing some thoughts on *why* the Win7 team decided that they weren’t going to do the hard work in terms of reducing the exposure to elevated processes that they expected from 3rd party devs, then I’ll be interested in what’s going on here.

  110. bruiloft says:

    Thanks for clarifying that Hairs, especially for that link!

  111. RikDederly says:

    In regards to UAC, it seems there is no protection for an uninformed user. In fact, I don’t see how this will ever be built into any product. There will be some users that will disable the pop-up because they do not want to be bothered with it. To this point, I agree with Matteo that this is a choice between "convenience vs. security".

  112. graham.lv says:

    I just posted this over at :

    Top 5 Famous Computer Hackers: From Conficker to the First Computer Virus

    America’s Best-Known Hackers Who Unleashed Computer Chaos

    http://abcnews.go.com/Technology/comments?type=story&id=7230601

    ————————————

    "… driving security professionals crazy …"

    So, the Holy Grail for security professionals would be software that can backtrack through all the infected computers (millions?) and find the source PC.  The one that spread the virus/worm/malware in the first place and ID the ISP or place of insertion.

    Then secret service agents could creep up, shoot or arrest the criminals.  Because these people are the worst criminals of our age – they are scum lower than heroin dealers.

    ————————————–

    I’m not a programmer, but could you track back using the DATE on the infection?  Then the much harder which URL/network/PC did it come from – so you could go on to the next PC..

    It seems to me that hackers are immune from detection? No programmer can write a reverse program to track them down.

    So, basically, the world of the dream, a PC on every desktop, is a flawed illusion of continual and increasing network attacks – until civilization breaks down!

  113. mhonzell says:

    UAC is still missing the point:

    1. If I elect to "turn it off", install a few programs (Yes, even MS products) and then slap myself "what was I thinking" and "turn it back on", some of those installed programs will no longer function.

    2. If I turn it off, I want full access to my computer including the entire registry and all folders. It should not continue to work at "some" level that restricts my use of my computer.

    3. If I had an anti-virus program, or firewall program that asked me every time a file was scanned or attempted to transmit data if this file’s appearance or action is expected, I’d get rid of it in a heartbeat. I need the program to perform its "security" function without interrupting my real work.

    While UAC has somewhat accomplished its real purpose, (institutionalizing the standard "admin" user and making the user complain to programmers to stop their product from giving them prompts), it has failed at the most fundamental level of helping the user make valid security decisions and has corrupted any future use of this function.

  114. vovchara says:

    I turned UAC off. Because it has no "exclusions list" or "remember my choice" functions.

  115. Online Student Privacy says:

    One all-powerful account which, if hacked, gives you the keys to all kingdoms ? Come on. A truly secure system would be more like VMS with an ACL for everything; the operators can install new drivers but not add accounts, the auditors can read logs but not write them etc. etc.

  116. Educational Consultancy says:

    There will be some users that will disable the pop-up because they do not want to be bothered with it. To this point, I agree with Matteo that this is a choice between "convenience vs. security".

  117. GED Online says:

    if this file’s appearance or action is expected, I’d get rid of it in a heartbeat. I need the program to perform its "security" function without interrupting my real work.

  118. Financial Options says:

    full access to their system just to try out a new browser, media player, or photography app.  Yes, if its an app running with the user’s permissions, it’ll be able to destroy the user’s data; but it shouldn’t be able to render the machine unusable or access other people’s files on the machine.  

  119. Earn Diploma from Home says:

    Calc and MSpaint were redone for Windows 7, yet apparently it was too much work to make sure they didn’t expect admin privileges, so they were whitelisted.

  120. Lighting Fixtures says:

    I say that when you run an application (installer or executable), it runs in its own sandbox (with some virtual system directories in a real subdirectory of Program Files containing files and libraries). It doesn’t have access to the system directory or other apps; it can share only some Registry keys with others (for example, those responsible for registering some extensions). When an application tries to add a driver to the driver database, the user is always asked by something like UAC.

  121. GarryWert says:

    Windows needs to start innovating on experiences, and standard uses for developers.

    For example some apps have finger scrolling, but nobody does the scrolling and animation properly anywhere near that the iPhone does.

    This stuff along with gesture recognition (swipes, etc which do exist somewhat in WPF) need to all be standardized so they all work very well in every app that decides to leverage them.

  122. cheap concert tickets says:

    It is a clear thing and it states that the designers thought that whitelisting *all* MS apps and processes to elevate silently was appropriate, there’s no way that the decision makers are going to approve doing the hard work of actually rearchitecting which MS processes deserve elevation and which don’t at this late stage of the release cycle. Thanks for sharing.

  123. Luggage Sets says:

    It is a clear thing that states. I had an anti-virus program, or firewall program that asked me every time a file was scanned or attempted to transmit data if this file’s appearance or action is expected. Thanks for sharing.

    regards,

  124. Custom Thesis says:

    This was really a good one. It seems to me that hackers are immune from detection? No programmer can write a reverse program to track them down.

    So, basically, the world of the dream, a PC on every desktop, is a flawed illusion of continual and increasing network attacks – until civilization breaks down!

  126. Cover Letter Samples says:

    Really a good sharing. The setting we are talking about allow system modifications without prompt and allow users as code to do those changes. This is not an issue! If you want a prompt on every modification just adjust your UAC setting.

    By doing this change, you let everybody think UAC is here to protect us from *bad* code that try to get elevated rights. Now geeks are happy to say. Thanks for the post.

  127. GarryWert says:

    I think it’s important to note that most Windows Zero Day vulnerabilities are on average patched within 24 hours. That is the fastest for any OS on the planet. No distro of Linux and certainly not Apple is that quick. So I feel quite secure using Windows, because of all the steps necessary to secure Windows.

  128. Gotomeeting Promo Code says:

    I’m glad I found this page as it’s helped me get over a really frustrating issue. Thank you.

  129. GarryWert says:

    While UAC has somewhat accomplished its real purpose, (institutionalizing the standard "admin" user and making the user complain to programmers to stop their product from giving them prompts), it has failed at the most fundamental level of helping the user make valid security decisions and has corrupted any future use of this function.

  130. Luxury Yachts For Sale says:

    Yeah, I agree with the earlier comments, I think the majority of the negative sentiment seems to derive from poor communication to the public. Nevertheless, thanks for the feedback (although I only picked up on this fairly late in the day)

  131. gongoa says:

    Thank you for the wonderful conversation. I really enjoyed this.

  132. kinkon says:

    Nothing is lost, in terms of security: Since people seem to be arguing that UAC isn’t a security feature and since the UAC prompts in Windows 7 are so easy to bypass anyway (as my code  seems to prove, unless things change, and despite trying to contact Microsoft they haven’t even asked me for details).

  133. Gencsohbetci says:

    While UAC has somewhat accomplished its real purpose, (institutionalizing the standard "admin" user and making the user complain to programmers to stop their product from giving them prompts), it has failed at the most fundamental level of helping the user make valid security decisions and has corrupted any future use of this function.

  134. term paper says:

    I hope that IE7 will have more usability for users.

    IMHO sometimes, UAC wants too much from users in Vista.

    Waiting for Windows 7 release

  135. kathey says:

    Thanks for sharing your thoughts.  I understand your points.

  136. piter05 says:

    The exploits relied on the UAC page not being elevated – the critical part was the SendKeys, not the lack of UAC message; clear communication about the bug rather than long explanations about "this is by design" would’ve done a lot to defuse this situation.

  137. Akon23 says:

    This sounds paradoxical but especially with security you want somebody on the other side, who knows, what she is doing and does not give in to user demand too easily.

  138. sophie68 says:

    Windows 7 looks really good, nice to hear you’re working hard.

  139. annaspletcher says:

    I’m already using Windows 7 on my home PC. It’s great! Fast and beautiful! Great thanks to all developers!

  140. job sites says:

    it sounds like your hard work has paid off. I’m hearing very good reports and looking forward to trying out 7!

  141. job sites says:

    I’m impressed by the openness evident in this blog – the feedback is going to make Windows 7 much stronger. Good work guys!

  142. cash gifting says:

    yeah windows 7 is definitely working well for me

  143. cash gifting says:

    i haven’t had really any problems with it so far

  144. paul2me says:

    The amazing breadth of hardware supported for Windows and the broad spectrum of usage scenarios contributes to a vibrant ecosystem with many different goals – from just the basics to the highest frame rates on multiple monitors possible

  145. 招聘销售 says:

    The amazing breadth of hardware supported for Windows and the broad spectrum of usage scenarios contributes to a vibrant ecosystem with many different goals – from just the basics to the highest frame rates on multiple

  146. I’m already using Windows 7 on my home PC. It’s great! Fast and beautiful!

  147. I’m very glad to find your blog. You’re real professions in your area. Here I’ve found many useful articles useful for my essay writing service. I’m going to read your ideas regularly. Waiting for new information.

  148. 广告联盟 says:

    Like the above mentioned class,

  149. steroids buy says:

    I’m glad to hear you’ve decided to change your mind on this issue.

    Let’s about some new features (some we haven’t heard from for months like WARP) now :)

  150. Thanks for your great work. it is very useful for me to determine the link.

  151. jim cheng says:

    Thanks for your great work. it is very useful for me to determine the link.

  152. It’s true if people knew about the sendkey fix in the making, the discussion here would probably have been far more relaxed.

  153. Thanks for inspiring me in this blog seeing your dedication to opening channels to the community.

  154. Earthy Warrior says:

    You are applying for a sales position. What differentiates one sales person from another? Follow-up. Yes. Follow up. Try not to be pushy. Use words like "you" "your" "team" more than "I", "me" and "my". Best of luck!

  155. Garrison says:

    Windows 7 represents latest development of Windows philosophy and the system is fast and splendid indeed. However it is still difficult to operate under heavy virus conditions often present in modern Internet.

  156. UK Essays says:

    This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your

    articles, I guess I am not the only one having all the enjoyment here! keep up the good work.

  157. Websurfer says:

    I personally thank you guys for this update. Feels like I’m off to go to my new Win7. I wanna make this OS my ultimate tool.

  158. onlinegal says:

    We’re having issues with our msi-based push installer and UAC. As long as UAC is set to the default, the push installer can’t connect. I know this will work if the client computers are in a domain, but what about all the others? Is it possible that all software vendors with push installers are running into this problem?

    Thanks for doing this, guys!

  159. like "you" "your" "team" more than "I", "me" and "my". Best of luck!

  160. condiments such as mustard, mayonnaise, and ketchup.These condiments

  161. I would also suggest that a change of mindset in terms of the idea that "once an app gets code running on the machine, it’s game over".  People shouldn’t have to give an installer full access to their system just to try out a new browser, media player, or photography app.  Yes, if its an app running with the user’s permissions, it’ll be able to destroy the user’s data; but it shouldn’t be able to render the machine unusable or access other people’s files on the machine.  

  162. 中国求人 says:

    What you always need for employment and work is a Shanghai visa agency service (http://www.newfly-culture.com/chinavisa/).

  163. free essays says:

     IMHO it is quite interesting information. Simply saying i’m impressed. Thanks and good luck!

  164. condiments such as mustard, mayonnaise, and ketchup.These condiments

  165. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your

    articles, I guess I am not the only one having all the enjoyment here! keep up the good work.

  166. I know this will work if the client computers are in a domain, but what about all the others?

    Thanks.

  167. Since people seem to be arguing that UAC isn’t a security feature and since the UAC prompts in Windows 7 are so easy to bypass anyway .

    Great article!

  168. The settings we are talking about allow system modifications without prompt and allow users as code to do those changes. This is not an issue!

    Thanks for these info.

  169. Windows Explorer still likes to prompt twice before changes to protected files or folders are made.  This double prompt also sometimes changes security settings when accessing someone else’s files. Nice post!

  170. zhuzhiyan says:

    Thank you for the awesome link – it really goes into detail as to the features added and improving GDI performance because that was a major let down since Windows Vista which resulted in GDI being unaccelerated. With the acceleration hopefully it’ll mean greater snappiness. With that being said, however, it would be great if vendors invested some of their healthy profits into porting their applications from GDI/GDI+ to Direct2D and DirectWrite.

  171. Nursing says:

    The settings we are discussing about allow system modifications without prompt and allow users as code to do those changes. This is not an issue!

    Thanks for these info.

  172. smith says:

    You are SPOT ON!

    Thanks for sharing such a nice article,

    Really wonderful list of creative tactics. I especially like the approaches that are less technical and more behavioral. The models are great too; very understandable.

    By the way for more information on Ethical Hacking  check this link: http://www.eccouncil.org/certification/certified_ethical_hacker.aspx

  173. Really wonderful list of creative tactics. I especially like the approaches that are less technical and more behavioral. The models are great too; very understandable.

    By the way for more information on Ethical

  174. It’s a very helpful conversation, I really like it. Thanks for the tips.

  175. Really wonderful list of creative tactics. I especially like the approaches that are less technical and more behavioral. The models are great too; very understandable.

  176. I especially like the approaches that are less and more behavioral.

  177. epargne says:

    i am currently using windows 7 and i think it is faster than windows vista.

  178. 招聘销售 says:

    Many thanks for putting your list together. It’s very re

  179. i am currently using windows 7 and i think it

  180. average insurance cost says:

    It's really an informative posts. thanks a lot.

  181. cathy says:

    awesome.

  182. Marian says:

    Thank you so much for this one.

  183. ken says:

    wow, this is gonna be new knowledge about Windows, esp. Windows 7!

    I have been using it for more than a year.

  184. Criminal Defense Attorney Minneapolis says:

    I have some fun reading of this post and comments. I got knowledge and i try to think or analyze how far is Windows 7 from they others.

    Windows 7 is a newly released product of Microsoft. I am a user of that and I expect that there is a advantage and disadvantage of Windows 7. May be we can say there is wrong but I have lot of fun and excitement of these. And Engineering Windows 7 are now improving of these. And that's another excitement.

    thanks and more power…

  185. Barbarajolie says:

    Very impressive, thank you for posting!

    http://www.writers-write.co.uk

  186. Essay says:

    Thank you very much for this helpful article and the remarks.

    http://www.easyessayhelp.com

  187. Uk Essay help says:

    I found your blogs after read topic's related post now I feel my research is almost completed. Thanks to share this nice information.

    http://www.essaymojo.co.uk/

  188. nobody says:

    was it against the fair competition law if UAC is blocking auto-update of others vendors but not microsoft's product ???

  189. Fulfilment says:

    I believe that Britain's economy will grow in the next few years until 2014 due to the growth of the Pacific region. But my concern is the budget deficits, and the value of the Pound. In David we trust.

  190. Steve says:

    Hats off to Microsoft for delivering another great product.  Love it.  http://www.rvsforsale.co/  

  191. Tim says:

    When is Windows 8 coming out?  I am sure it will owe us again.

    http://www.truckingjobs.co/

  192. Ram says:

    Any new products in the pipeline for this year?

    http://www.boatsforsale.co/

  193. site analytic says:

    I recently came across your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading.

  194. I found your blogs after read topic's related post now I feel my research is almost completed. Thanks to share this nice information. says:

    I found your blogs after read topic's related post now I feel my research is almost completed. Thanks to share this nice information.

    archivenic.com/microsoft.com

  195. Dan says:

    The settings we are discussing about allow system modifications without prompt and allow users as code to do those changes. This is not an issue!

    Thanks for these info.

    http://www.mediatouch-online.de/suchmaschinenoptimierung

  196. Waed says:

    A leading Blue chip client of mine is currently looking for a Windows 7 Engineer for a 6 month rolling contract based in London. This is a great opportunity for a Windows 7 Engineer to join a leading financial client and to be involved in an exciting project.

    http://www.writingpearl.co.uk/cv-writing

  197. James Barber says:

    Interesting I really enjoyed your work it is too good.

    http://www.dissertationempire.co.uk