Reducing Elevation Prompts in RC1


First, let me introduce myself, my name is Steve Hiskey, and I am the Lead Program Manager for User Account Control in the Windows Security Core group.  Although there are many groups at Microsoft that are contributing to UAC, the Windows Security Core group has primary ownership.  We own the feature and take the heat if something is wrong.


 


One of the primary goals of the UAC effort is that the user should see a reduction in UAC elevation prompts over time.  We expected that the user would see a bunch of elevation prompts when they are first setting up the system, but that the prompt frequency would dramatically reduce over time, usually after the first few days, and after that they would only appear for infrequent events such as adding new software.


 


However, as many of you have witnessed, there are a LOT of UAC elevation prompts in Feb CTP and still more than we would like in Beta 2.  Therefore, I would like to take a moment and discuss the issue and give some details on what we are going to combat the problem. 


 


I get asked a series of standard questions when I deal with this problem, so let’s take that format:


 


Question 1:  Why does Windows ask me for permission when I JUST double clicked on the executable or clicked on the shielded object?


 


The issue here is extensibility of Windows.  Windows prides itself it on being pluggable and extendable.  For example, to facilitate the accessibility extensions, Windows needs to be able to send keystrokes on the user’s behalf so that a Windows user can talk to an input device and have that  be translated into keystrokes that drive a dialog or type an email message.  This also allows interesting and useful scenarios such as “show me how” buttons inside help dialogs.


 


However, that means that malware, running as a Standard User, can download an administrative application, and send keystrokes through Windows to simulate the user invoking the application.  As a result, Windows cannot tell if YOU launched the application or if malware launched the application.


 


The hope here is that the user won’t need to launch many administrative applications.  If we fix every “runtime” issue where an application is asking for administrative privileges without a real need and leave elevation to JUST adding applications to the machine or doing impactful changes, it should not happen too often. 


 


Once that is true, we can then move to educating the users to know that “good” elevations are ones that they initiated and “bad” elevations are ones that suddenly appear without their explicit action.  We want the users to think “if an elevation dialog appears while I am reading my email, and I didn’t perform any action that would require elevation, always cancel those dialogs.”


 


Question 2:  How come I cannot mark OS binaries to silently elevate?  Why do I have to keep consenting to elevate things like Windows Update?


 


The problem with marking Windows binaries to “silently elevate” is that we feel it will lead to “worms” or self propagating malware.  If, for example, the user marks MMC.exe (the Microsoft Management Console) as “silent elevate” so that the device setup dialogs don’t prompt for elevation, malware running as Standard User would be able to use that setting to launch MMC with a set of command line parameters that accomplish tasks that we don’t want to happen silently, such as adding a new admin account to the system.  As another example, if you mark Format.com as a “silent elevator,” malware can then do a format of the OS drive.


 


The rationale for people wanting to mark OS components to silently elevate is based on the belief that the elevation dialog is being presented too often for OS components.  We will discuss how we are going to reduce these elevations later in this blog.


 


Question 3:  How is my Parentally Controlled child supposed to elevate every day to run Anti-Virus and Spyware cleaners?


 


Answer:  They are not supposed to.  Anti-virus applications designed for Windows Vista should be services that are installed by an administrator and run automatically even when a user is not logged on.  Ideally, anti-virus applications even include file-system extensions (filter drivers) that can watch every write to the file system, no matter who is logged on.


 


In fact, there should be ZERO elevations as part of the login operation.  We are working hard with ISVs (both inside Microsoft and external) to make this happen.


 


The Plan


 


That being said, we still have work to do.  There are simply too many elevations. So  let’s take some time to discuss what changes the Windows Vista team is putting in place.


 


1)       Make changes in the OS to create safe scenarios for the Standard User to accomplish tasks that used require an elevation prompt.


2)      Apply application compatibility fixes (“shims”) for the applications that need help running as Standard User.


3)      Work with ISVs to update the applications that can’t be shimmed and to design the future applications so that the next generation run well as Standard User.


 






Changes in the OS


 


To continue improving the OS to reduce the elevation prompts, we are working from Beta 2 to RC1 to add new functionality to allow the Standard User to perform actions that used to require elevation. 



For example, in RC1, the Standard User will be able to “go get and install all critical updates” without elevating.  The Admin and the Standard User could “install updates and shutdown” in Beta 2, but they were not allowed to “get them now” without an elevation prompt.  We didn’t open up the Windows Update Service to be generically “driven” by a Standard User application to do this.  For example, there will still be an elevation dialog to remove an update or to “take update #1 and #3, but not update #2.”  New code was added to allow the service to be called by a Standard User to “install all critical updates.”  Malware calling this entry point in the service can “make the system safer” but cannot roll back updates etc.


 


We are also going through the OS and modifying functionality to take a “non elevating default”.  For example in the case of the “Public vs Private” network choice, the default choice will become “Public“ to save an elevation.


 


In RC1, we are going through the OS point by point on each elevation to make a determination if the elevation is a “bad” elevation where we think the Standard User can safely accomplish the task.  You should see significant improvement in RC1 in the number of elevations that you see.


 






“Shim” the applications


 


Note a “Shim” is a set of rules and code that can be applied to a specific application or a group of applications.  An example shim would be “when the app foo.exe asks for the Windows version, tell it what it wants to hear, ‘Windows XP,’ so that the app continues to work past its broken version check.”


 


Some applications, such as a popular web-camera application and Microsoft Messenger Auto Update application, were elevating every time the user logged on.  We have shimmed these applications to work as Standard User in Beta 2. 


 


We have a VERY high percentage of successfully shimming applications to run well as Standard User.  We just have to know about them.  Tell us about them by replying to this blog and by using Windows Vista Beta 2 on your PC. We have instrumentation in place that tells us anonymously what is causing prompts to appear for users. We look at this data every week so we know the most important issues to work on.


 


We are also working hard on a generic “shotgun” shim that can be run by the end user and will hopefully fix a large percentage of applications.  We will blog more on this in the coming weeks.


 






Work with ISVs


 


We are attempting to reach as many ISVs as part of Beta 2 as possible.  We have written developer guidance, provided a tool to debug applications on XP and Windows Vista and are starting an outreach program that will help ISVs and Enterprise customers debug their applications with a traveling lab. 


 


Here are some links to get you started if you are an ISV or if you have a favorite ISV that you want to send them to:


 


·         Link to the Standard User Analysis tool blog


·         Windows Vista Readiness Labs at TechEd 06


·         UAC developer white paper


 


Conclusion


 


Reducing the number of elevation prompts that a user sees is our primary job from now until RC1.  We know that it is causing frustration (and bad press articles) are we are working to turn that around.   We have to make a good experience, even for people that don’t understand why they are safer with the prompts.  It would not be helpful to security if people turned off UAC because they found it too annoying.


 


We hope that the reality will become:  


1.       You rarely see an elevation prompt.  


2.       You understand that if you see an elevation prompt, it is because you just asked the system to run setup on something


3.       You understand that if you did NOT initiate the action that caused the elevation prompt, that you should cancel the elevation.


4.       You understand that signed apps are better than unsigned apps because they give you more information about the reason for the elevation.


 


The home user may see prompts during their initial setup as they reload their applications, but after that, they should only see OS elevation prompts when they do something that changes the system… such as changing Parental Control settings etc.


 


Don’t give up on the feature yet!


 


We are working to change the way EVERYBODY runs Windows.  As we move towards RC1, we are dealing with the number of elevation prompts as our Job #1.  Help us out by playing with the Beta 2, and tell us about your elevations by adding comments to this blog so that we can make them go away.


 


 


Call to Action


 


Install Beta 2!  Give us feedback in the blog comments to this blog!


 


·         Tell us about the applications you are using that elevate every time you use them.  I am not talking about admin applications here such as your disk-maintenance tools.  But if your favorite photo editor elevates every time you use it, we want to know so we can shim it to work as Standard User or, failing that, we will work with the ISV to get the application fixed.


 


·         Tell us about applications that elevate every time you log in.  We need to fix or remove every one of these scenarios.


 


·         Tell us about your most annoying OS elevations that you wish would go away.


 


 


Thanks,


 


Steve


Comments (143)

  1. zzz says:

    How confident one can be that these "shims" that enable legacy code to run without elevations will not increase the risk of malware creeping through through a popular shimmed app?

    Can the shotgun-shim be applied without elevation?…

  2. zzz – The shims Steve is referring to don’t allow an app to do administrative things.  The example he gave is about telling the buggy app what it wants to hear.  Another type of shim that will be used a lot is file and registry virtualization – where file/reg operations are silently redirected, from the system-wide locations the app is trying to access, to a per-user virtualized store.  Malware can still try to do bad things, but:  1) It can’t modify the way the OS runs; and 2) It can’t affect other users on the computer.

    We fully expect that malware will adapt to the new realities, and take lower-privilege contexts into account.  However, malware running with normal user privileges will be *far* easier to detect and remove than malware that has full admin rights.  One prime example is that it will not be able to install kernel-mode rootkits.

  3. Not to be nitpicky, but you might want to edit this entry to be more readable… the text size is way too small to be read on the "Normal" text size setting in IE.

  4. Dileepa P says:

    Why is Windows so complicated? I mean, when Unix/Linux can so very easily handle admin/user accounts, why can’t Windows implement something that works as easily.

    (I don’t use Linux every day. I use Windows and I like using it, I like the applications, the games and everything about it – except Windows Vista)

  5. Gabriel Michaud says:

    Visual Basic 6 requires elevation to work properly. At first I tried to check the "Run as administrator" checkbox, but the elevation prompt was so annoying that I disabled UAC.

    The elevation prompt was also takin 2-3 seconds to display, and causing my screen to flicker.

  6. Josh says:

    Robert…you are always nitpicky.. 😛

  7. Deleting Desktop shortcuts stored in the Public folder requires too many confirmation dialog boxes, one of which is an elevation prompt.  Perhaps applications should just avoid creating Desktop shortcuts in the Public folder.  I also don’t think I should have to elevate to set a "user" environment variable but because of the location of the UI to do this, I have to elevate.  I have a Task Manager shortcut in my "Startup" group.  That causes an elevation prompt at logon which sucks.  It could be because I like to see processes from all users.

  8. UAC says:

    We fixed deleting Desktop Icons in the current RC1 builds.  Unfortunately, the Beta 2 build still has the (many) step user experience.  It is an interesting dilemma on how ISVs should write their installers to place icons though.  The advantage to putting the icon on the all-users desktop is that any NEW user will also get the icon.  We (windows) need to add some sort of “hide” technology to have it both ways… and we haven’t done that yet.

    TaskMgr now defaults to a non-elevated version … and has a button on it to ‘show all users’ which requires elevation.  We hope that handles most of the issues people have as they look to TaskMgr to tell them why they are out of memory etc.

    I will check into the “Set” operation… but allowing a Standard User to modify the environment for all users or all apps is dangerous.  My guess is that it is where it is for a good reason.

    Steve

  9. zzz says:

    pseudo#:

    if user isin administrators then have installers place new start menu icons in all users start menu

    else

    have installers place icons only in the current user menu

  10. Keeron says:

    Interesting explanation of the changes (and some of the reasonings behind the prompts). Could your future posts reflect some of the decisions made on certain prompts? (like the example you gave of executing an exe). That should give ISVs and developers a good idea if certain (similar) actions in their case needs to be elevated.

  11. Gaurav Sinha says:

    1. When an application install finishes and places icons on the desktop, dont prompt if the user tries to delete those icons.

    2. This is vague but cant apps be open "read-only"? That way if I open mmc.exe or sysdm.cpl and only want to look at existing settings w/o changing any then there is no prompt. If I do decide to change then I could either ‘Run as administrator’ or do say ‘elev sysdm.cpl’ which would then prompt me.

    3. Why does refreshing system rating require elevation prompt?

    4. Under performance issues I had 4 items listed that was causing windows to start slowly. Looking at any of them required elevation. The info. only lists driver/startup program details and has no admin action item associated with it.

    5. If I want to change ‘User Variables’ under advanced in sysdm.cpl I have to first elevate.

    6. Windows Defender ‘scan for spyware and other ….’ link on control panel require elevation. I am assuming automated scans dont require consent but user initiated scans do? Thats ood.

    7. ipconfig release/renew should be allowed. If I am using DHCP then that is going to happen anyway later. Let the user be able to do it too with no elevation.

    8. Is it possible to have the shield icon as part of the title bar (or somewhere on the window) so that it reminds me that the current app. is launched eleveated? Lot of times I start a program and eventually forget if I started it elevated or not.

  12. Ben Townsley says:

    Not 100% sure if it is just myself not knowing how to configure Vista properly or not, however I get asked quite frequently to elevate to delete things from the desktop. For example, when I first installed, I changed the file settings so that it shows all files (including hidden). When I did that, it displayed two copies of the desktop.ini files. So i attempted to delete them, and found that I required administrator access to do that (which i thought i had, being in the administrators group), and then i had to elevate to delete from my accounts desktop.

    There has been a heap of others, including problems accessing registry but I’m sure these will be resolved in time.

    Thanks!

  13. PatriotB says:

    The ability for standard users to do a Windows Update is a bit worrisome.  In a home environment, do you really want your kids to be able to perform an update?  I think that "allow standard users to do windows update" should be *disabled* by default; let admins (parents) explicitly say that standard users can update.  Maybe, after the user elevates Update for the first time, ask them if they want to open this up for all users in the future.

    (For the various business SKUs, this should definitely be off by default.)

    My comments above are about standard user.  Maybe, make it so that standard users can’t do it without elevating, but members of the administrators group (i.e. protected admins) *can*.

  14. PatriotB says:

    I agree with Gaurav’s remark #8, there should be a visual way to know that a given window is elevated.  I know, it’s spoofable, but all it tells you is you should be *more* careful with that window.  Unfortunately it is probably too late in the development cycle for such a big change.

  15. PatriotB says:

    Expanding on Gaurav’s remark #2… read-only mode would be great for many of these uses.  This is what was wrong with the Clock for so long: it assumed you wanted to change the time instead of view a calendar.

    The MMC approach is like using a hammer on a pushpin: elevating the entire MMC shell instead of elevating individual actions within it.  Though, if you were doing a bunch of administrative work in MMC, you wouldn’t want to have to keep elevating little things here and there.  (Of course, in that case if you know you’re going to be doing a lot of administrative stuff, you could’ve manually run it elevated from the start.)

  16. PatriotB:  Re Windows Update – what risk do you see with a Standard User (e.g., the kids) being able to install the current set of critical updates without asking for help?

  17. Nidonocu says:

    I must say I like this feature though any and all reductions in unneeded prompts is a must and thank you for working on it.

    The one major app I have to keep running elevated myself because it has issues running as standard is Photoshop CS2. It always has trouble accessing preference files after the first load without privileges.

    Also for general compatibility, I’ve noticed the vitalization of program files for preferences is working great in say mIRC, but for some reason it fails with HydraIRC. From what I can work out, vitalization is writing the compatibility files but then HydraIRC is making some sort of read request to original ones which vitalization isn’t catching.

    For general ideas, I like the idea of marking elevated applications and services.

    Another problem I’ve seen is opening say notepad to open a file stored in a administration area such as Program Files and then trying to save it. There’s no easy way currently to open a file in an elevated version of an application. You have to open the app elevated, then File > Open the file you want to edit. (Drag drop from Explorer to application seems to crash Explorer). Could open with elevated application be added as an option to the Open With… dialog?

  18. Mike says:

    ipconfig /flushdns currently requires elevation.  That’s really quite an irritating one for what is surely a very low risk operation.  It’s made worse by the fact that it’s command-line based, so you don’t even get the UAC prompt and just get told that you need to elevate.  So you need to fire up a new elevated cmd window just to continue.  thanks

  19. Bob says:

    When logged in as an administrator, the default elevation setting is to request confirmation but not require a password, no? Since malware can imitate user input, for any reasonably sophisticated malicious program isn’t this functionally identical to having no prompt?

  20. Tim says:

    Why on earth would any sane person knowingly allow a computer program to impersonate themselves or others? An app that can type into an e-mail application and send the as if I had sent it? Can you say spamming that is totally out of control? If someone gains access to a computer and places code that does this, is the spam blocker now supposed to be able to discern human typing versus machine typing? I can see the AV software prompt now:: "I’m sorry, your typing interval is too regular therefore please retype the last paragragh so that I know you are a real person."

    I now have the best reason in the world to dodge Windows Vista. Security in it is worse than XP.

  21. Don Dumitru says:

    As far as how apps should install desktop icons for all users, this is what I propose:

    Assume the app install is running elevated.

    If the user requests the app to be installed only for that user, the desktop icon should be placed in that user’s desktop directory.

    If the user requests the app to be installed for ALL users, then the install app should enumerate all of the existing users and place the desktop icon in each user’s desktop directory.  The install app should also place the desktop icon in the "Default User" desktop directory, so that it will be copied to the desktop directory of any new users.

    On uninstall, the app should do the inverse:  If it was installed for ALL users, it should enmerate the users and remove itself from all of their desktops, as well from the "Default User".

    Isn’t that the right way to make this work?

  22. zzz says:

    Automatic updates should be on by default and only allow a person logged on as full Administrator to change that.

    BTW.

    Half the time trying to enter this page from Slashdot, Community Server gives an error.

    Doesn’t CS scale or is there a problem with MSDN blogs?

  23. Twon says:

    "An app that can type into an e-mail application and send the as if I had sent it? Can you say spamming that is totally out of control?"

    Can you say "speech-to-text for accessibility"? Keep on raging against that machine, though.

  24. John Coleman says:

    I just turn that useless crap off.  What’s the problem?  People don’t know they can do that???

  25. Bob says:

    Re: Thursday, June 01, 2006 5:18 PM by User Account Control Team

    Please consider whether the "all users" desktop and start menu could stay as they are.

    An additional "new users" desktop and start menu could then be created and ISVs encouraged to use them (or them used by default).

    On creation of a new user, the contents of "new users" is then copied.

    For example, if a short cut to Outlook was on the desktop, some users may want to delete it, other users may want to rename it, or move it, or change the parameters…

    This would keep "adding" the items by default – but allow all properties to be changed – not just being hidden.

  26. FooBar says:

    Why is it that everytime you steal a feature from OSX, you twist it in such a way that it loses most of its benifits. If your going to try to make windows look like OSX, at least just steal the features straight up, your "improvements" just wreck things.

  27. Michael says:

    Easy solution (or perhaps not, depending on how Windows is implemented internally.)  A program should not have privileges to run unless I allow it to run.  As Administrator, I should be able to set a white list of programs that I want to allow (on a per user or per machine basis).  That doesn’t mean authorizing every DLL like you have to now on XP.  It means that I get a list of apps on the machine, and I check a checkbox if I want that app to be able to be run by a non-administrative user.  Adding an app requires authorization.  Malware can’t run if it isn’t on the whitelist.  In other words, Vista should not have to ask every time for every program.  It should only allow authorized programs to run, and only allow authorized users to install new programs.  (See MacOS X Tiger’s Parental Controls for a great example of how this works.)  

    I would *never* want a user to be able to run Windows Update without me authorizing it (and yes, I should be able to check a box to allow users to do this.)  I need to know how my systems are configured, and I don’t want users to install something that I haven’t authorized.

    A regular user should be able to write to their own home directory, but not to the rest of the system.  Implementing that will greatly limit the impact of most malware.

    Also, it would be great if programs (even those run by regular users) were not permitted to write to certain user directories without being whitelisted by the user.  For example, Skype likes to place at least 5 different "My <something>" directories inside my Documents directory.  Many other programs do this too (Acrobat, for example), even though there is no reason for it.  Programs should be able to write to a program specific location for their configuration data, and should only be able to write to user whitelisted locations for anything else.  Implementing this would prevent most malware from damaging most user files, since the user would have to permit programs to write to specific locations.  (Whitelisting should be a switch you only have to set once, and that you can turn off, on a per user and per program basis.)  It would also prevent poorly behaved, but legitimate, programs such as Skype from littering a user’s Documents directory with unwanted files and folders.

  28. Picky says:

    FooBar, this feature did not come with OS X, it came with Unix, which OS X is based upon (BSD).

  29. Blobby says:

    <i>Install Beta 2!  Give us feedback in the blog comments to this blog!</i>

    Beta 2 is still not available to the public, only to IT professionals and developers. It would be awesome to have a real public beta for everyone like linux distros do, and of course, the beta should be free of charge and use.

  30. Logan Greenlee says:

    Ultimately it seems that the reason for this UAC prompt is that you want the user to understand that: <i>"if you did NOT initiate the action that caused the elevation prompt, that you should cancel the elevation. "</i>

    Or you could look at the problem this way: UAC’s purpose is to help the user distingish if the actions being taken are as a result of their actions, or as a result of a malicious program impersonating them.

    So my question is this, why is there no way to differentiate the <i>type</i> of input? At a most basic level, a chain of actions or events should have a root cause associated with them. If a user is responsible for actions then HAL input would be the root cause, where as a program would have a different cause.

    It would make prompts for deleting things like the desktop shortcuts a non-issue. The OS knows that the user is taking the action.

    I’ve not spent a whole lot of time thinking about the issue but it seems at first brush that the underlying problem is that the OS does not know the source of the command, and ultimately the OS cannot trust *any* input, so it must question everything. Build a chain of trust and part of this issue is solved.

  31. EdB says:

    UAC Should not pop up if I’m running as an admininstrator, only on a user account. If I log on as root in linux, the assumption is made that I did it for a reason. If I log in as non-privledged, then I need to use SU/UAC to give admin credentials.

    It’s nonsense that while I’m logged in as administrator, a prompt tells me I need administrative access.. Guess what?? I have it so leave me alone.

  32. Scottie says:

    Re:  Why does Windows ask me for permission when I JUST double clicked on the executable or clicked on the shielded object?

    …why couldn’t the source of the event that caused the application to start be tracked; e.g. if the application was started by a user clicking a mouse that is directly attached to the local machine, consider it a trusted source and just run the app; if it comes from a remote source, then pop up the dialog?

  33. Dyna says:

    Ok, couple of interesting ideas. Firstly, the problem with whitelisting applications blindly is that sooner or later malware will figure out how to impersonate an application that everybody will have whitelisted after a few months (mmc). The fix would be to implement a kernel level crc checking mechanism on software added to the whitelist. All reputable software manufacturers should provide crc information for all their products anyway. Another idea for people that complain about the "on/off" feeling of admin powers, would simply be to have more than one level of administrator. Why not? Have a top level "!Admin" account that can do anything without elevation, but only when logged in locally, not priveleges that can be accessed from a network logon or any other "not sitting at the keyboard" connection. Prevent people from using a super elevated account all the time? Disable direct x in it. Or, place several items on the screen related to system control that cannot be removed. Also, during a logon like this, perhaps network traffic is also restricted. *shrug* I dunno, I have faith that Vista, all in all, when it’s done, shouldn’t be that bad. There will most likely be elevation prompts here and there, but the point is you can’t have your cake and eat it too. You can’t sit at the helm of the most targeted and attacked OS ever conceived, then complain about security, then complain when they implement elevation prompts.

  34. Dr-Dyna says:

    Ok, couple of interesting ideas. Firstly, the problem with whitelisting applications blindly is that sooner or later malware will figure out how to impersonate an application that everybody will have whitelisted after a few months (mmc). The fix would be to implement a kernel level crc checking mechanism on software added to the whitelist. All reputable software manufacturers should provide crc information for all their products anyway. Another idea for people that complain about the "on/off" feeling of admin powers, would simply be to have more than one level of administrator. Why not? Have a top level "!Admin" account that can do anything without elevation, but only when logged in locally, not priveleges that can be accessed from a network logon or any other "not sitting at the keyboard" connection. Prevent people from using a super elevated account all the time? Disable direct x in it. Or, place several items on the screen related to system control that cannot be removed. Also, during a logon like this, perhaps network traffic is also restricted. *shrug* I dunno, I have faith that Vista, all in all, when it’s done, shouldn’t be that bad. There will most likely be elevation prompts here and there, but the point is you can’t have your cake and eat it too. You can’t sit at the helm of the most targeted and attacked OS ever conceived, then complain about security, then complain when they implement elevation prompts.

  35. CZA says:

    Hi,

     I recently came to know UAP was extended to apply to Network based communication. It also adds in some new requirements like machines in same domain can successfully communicate but others cannot.

     I am looking for more info on this design/strategy and any limitations it causes.

     Any workarounds on solutions would be great.

  36. Giles Robertson says:

    Firstly, great for working on keeping the feature in and enabled. It should help with a lot of issues.

    Secondly, on a more philosophical/design level, while "elevation requests when user hasn’t obviously triggered = bad" makes sense, I’d be worried if the average user was told/encouraged to believe/acclimatised towards believing that elevetion requests during certain tasks/on user action are always good. That could make it too easy for malicious insertion during commonly elevated tasks – it does some of the social engineering for the attacker.

  37. ::CORY:: says:

    I have a computer for my mother to use on her own that I come to weekly and update/fix.

    When she starts using Vista, she sill not understand what the word "app" means on these prompts and she will barely understand "application".

    Basic users are also VERY prone to just clicking on anything that popups to just get it out of the way without reading this. In fact I doubt they read (let alone comprehend) 1% of the text that’s displayed.

    That’s my biggest issue with UAC, even if it only comes up when ABSOLUTELY necessary, the user will not understand why it was necessary (even if told to just rely on the fact that we will only show you when necessary). If they cant assign a danger sense to it, then they will ignore it as an annoyance and glance at it and learn the quickest way to get around the thing to get back to what they were doing without comprehending what they just did.

    While I like the concept of interjecting a step between a request and a system change, I dont think the majority of users will be served by this method.

  38. microbe says:

    : As another example, if you mark Format.com as a “silent elevator,” malware can then do a format of the OS drive.

    Marking "silent elevator" should require administrative privilege, so what’s the problem?

    Unix has this for years, that is called "setuid root". This is extremely useful.

    Also, it’s very easy to have a knob to allow all signed applications to do silent privilege. Much cleaner than developing hacky shims.

    Obvious things to think about.

  39. Andrew says:

    One major annoyance with me is that I have a second partition (hard drive) for where all my pictures and data are, and when I do a clean install of Vista and try to fix those pictures in Photo Gallery, it tells me that the pictures are read-only. I know this is related to UAC because when I turn UAC off, the pictures can be fixed.

    This is a major annoyance for many people…

    Thanks.

    (And yes, I’m a beta tester and I’ve bugged this to no avail.)

  40. Gack!  Vista isn’t going to be any more secure than previous versions of Windows.  At 1 bug per 1000, you have 60,000 bugs with half of them potential security holes and there is no possibility of reducing the bug count in any significant way.

    The problem is that you want every part of the OS to be Network aware.  There is no way to do that without maximizing absurdity and minimizing utility and security.  

    Put ALL network access in an impermiable sandbox so that anything that happens there STAYS there.  If and only if the user attempts to move something from the sandbox to the rest of the system, bound, tie, gag, prohibit, and otherwise restrict the action.

    The sandbox could be a jungle and could cause no harm.  The rest of the system could be used with safety at ANY rights level.  

    Gasp!  You mean I could actually USE my computer again?  I could even get real work done?  Yes, but don’t worry, it won’t happen.  If it did, Microsoft could not sell sell the damned .NET, C#, Software as service, Borg consumes all crap.  

    Oh well.  One can wish.

  41. thomas leeq says:

    I have UAC turned off. It is just too painful in the current implementaion. For example, I travel a lot and I need to change time zones – I resent having to just click "yes" each time I want to do something. No doubt there is some security guru rockstar at MS that can tell me why this is a dangerous thing – but to me it’s not.

    The curent implemtation is just over sensitive. It goes off far too much – and this has two effects. For users like me – it sucks when the screen goes black for a second etc. On my 3rd Vista B2 install, it was the first thng I turned off, even before instgalling AV software.

    For normal users it just teaches them to click "yes" – so that when REAL malware gets to their system they just click yes.

    Sicne the default install of Vista has an admin account with no password, most users are just going to get used to jsut click "yes". Which if you really think about it just about totally defeats the whole object. All in all, while UAC is a great idea, the current implementation fails (much like Native Structured Storage).

    Finally, the blog post suggests that Windows can’t tell the difference between me doubleclicking some app, control panel applet, etc from malware spoofing my clicks. That just says the Fundamentals in Longhorn are not right because Vista SHOULD be able to tell the difference.

    Noiw if MS wants me to turn this on, or to recommend it to most of my clients, the impelementation needs a lot of work. Given the  problems of application compatibility I just can’t run B2 in anger – it’s not ready.

    You need to make improvements in RC1, and then ensure there is time for feedback. Right now, you seem to have one more chance and we get whatever you come up with even if it’s still as lame as today. I hope it won’t be, but I really do think on this you are going to need to take more time.

    Either that, or just pull it till you can get it right. It’s current implementation is simply not ready for prime time.

  42. CostasZ says:

    When software installed it should digitally signed either by a trusted source like MSFT or the user themselves. Any OS resource should only be allowed if the source is code that is trusted. Any malware won’t be trusted so it won’t have access to those resources no matter what. Why wasn’t this avenue of securing the OS pursued?

  43. Jan Ilacqua says:

    This is really great news! It is very good to know that your team is listening, and understands the level of overkill that has been created by the current system, and the serious potential for actually allowing a malware attack due to Users merely clicking out of frustration or laxity to continue on.

    I think your plan is a good place to start, to build a system that will be both "User Friendly" and provide the kind of security you are after.

    I will be happy to assist with feedback, as I am sure many others will as well, and look forward to seeing the improvements in this area in the future builds.

    Thank you. 🙂

    Jan 🙂    

  44. Is Microsoft reinventing the wheel with Windows Vista?

    I mean, we have filesystems, policy controls etc etc that can be used to control on who runs what.

    The Unix world has done this for years..

  45. Mr Registry says:

    Ok, a little on topic…the registry needs work.  How about eliminating the hive for non system data or each app gets a hive that’s mapped in for keys only it needs and writes to! You know, back to the individual ini file, only transparent to the app.  Shared keys, like type registration stuff that the system needs, are linked to the app that created them.  You know… I install app A, I uninstall app A, app A leaves all its type info and private data laying around, system deletes the apps hive and ALL registry info created by it.

  46. As a user and an administrator, I want a "5-minute override" that will let the currently running application not prompt me for 5 minutes.

    As an administrator, I want the option of logging some or all elevations, whether approved by a prompt, approved by a previous 5-minute-allow prompt as outlined above, or bypassed by another means such as a shim, to the screen/pop-up, the local system or security logs, to a local or remote monitoring application, and/or to a destination on the local network.  The bottom line:  I want an audit trail and a means to directly or by way of a 3rd-party application spot suspicious user- or malware-initiated activity on my network quickly.

    Off-topic:

    For myself, I’d rather have a more secure but more annoying OS than a less secure and less annoying one any day.  For my less-sophisticated users, that isn’t necessarily true:  a more-annoying user interface may lead to "alert fatigue" and the user may not notice a real threat.

  47. Jim Keogh says:

    Why on earth would any sane person knowingly allow a computer program to impersonate themselves or others? That’s a good question that Tim poses. My gut feeling is that MS and other software mfg want more control of MY and YOUR computer without us knowing it. It wouldn’t surprise me if elements of the Vista allow MS to search your computer for bogus copies of MS software and software from other companies without us knowing it. MS could sell this service to other companies (i.e. music industry, publishing industry with e-books). And how about marketing companies want to know your buying habits. Remember that the OS has unrestricted to your drives – and the Internet. This becomes a serious concern as more home users become hard wired to the Internet 24/7 with fixed IPs. Think about it. Why would a home user need all this sophistication? And forget about worrying about a family member (i.e. kids) updating windows. Most family members who are online have their own PC – $700 is all it cost and no one has to fight for a turn on the Internet.

  48. stan says:

    thats just stupid… if you cant tell if its the user who is typing and doing things than *FIX IT* dont make one more work around… thats silly.

    And after that, do like we do.. if you want to make an admin job, log in as root (or just ask for the root password to run that program with root privileges). If you dont do it, you will get no permission.

    By the way, your files are only yours, and if you get a virus, it wont be able to touch anyones files (even the OSs files since youre not root)… so in the worst case senario, just delete the user and it´s files and you will have no more virus.

  49. Michael says:

    On CRCs for whitelists: CRCs generate non-unique values.  It is easy to create two binaries that will generate the same CRC.  This would need to be done with a one way cryptographic hash.  (See Tripwire.)

    The best way to do it (probably too late for Vista) would be to distribute the entire program, including all DLLs, inside a package such as a JAR file or a directory, the contents of which are all signed, with the signatures contained in a manifest and the manifest signed as well.  This would also greatly simplify software distribution and installation and removal, eliminate much of the registry, and improve security.  (Example: See OS X.)

    The user should not sign the application, since the user does not (in most cases) have the ability to verify its origin.  Microsoft shouldn’t either, since that would prevent software from being patched, and would prevent developers from recompiling their software.  The user can be presented with a list of checkboxes next to the icon for their program, and a program location.  When the icon is checked, the program is hashed.  Windows would then hash the program again against a list of accepted hashes and would only run programs on that hash list.  

    I agree that Windows needs to provide *useful* feedback as to what a program is, and what it is trying to do.  Example, SVCHOST.dll is trying to access the network provides me with no useful information.  "Firefox is trying to listen for connections on Port 137, which is normally used only for connections between Windows hosts, and not by applications" is useful information.

    MacOS X asks you to authenticate when you need to make a change to a certain component of a system (example: network settings.)  You click a lock icon, and enter your username and password.  You can then change things as much as you want until you click the lock again or close the Network System Preference.  You only have to do this once per set of changes, not once for everything that might need to be done.  This is required even if you are administrator.

  50. I’ve been using Beta 2 for more then a week now and in order to fully understand it I’ve installed it on the 3 machines I use the most. In my personal opinion the dialog boxes frustrate me less and less the more I use the OS. They seem to just become a part of the greater machine. This is (I hope) more users will start to feel as time goes on. Some users (those who flame first) don’t understand that while installing software it’s 50% MSFT’s new UAC and 50% bad software written for Vista (all 2 of them). So along with "teaching" users that when you want something changed you must approve it, you must teach software venders to abide by the rules of the land. (no writing to sensitive kernel areas) While this will definately be rough waters for both users and software vendors it will lead to a much better OS foundation. Now this all doesn’t matter since once you install/remove software your productivity shouldn’t be effected with dialogs to delete a shortcut.

  51. ryanb says:

    The dialogues shouldn’t really have anything to do with it becoming "more secure".  The problem was every user had full admin access to everything, and that all the apps all-tied together, used the same libraries, and had root access themselves.<p>

    The average joe user doesn’t need to be able to install some app that runs services at boot-time.  If he wants to install some word processor, he should be able to do that in some user available folder.  If he wants to install some active-x control, and isn’t an admin, he should be able to install it in his local space in a place that doesn’t affect the system as a whole with minimul fuss.<p>

    I realize that this could have the effect on a single user machine of being the same as it is now, just at the user level.  First that would be a lot easier to clean up.  Create new user, copy files you want, delete old user.  Even the most horrid over-run problem solved.  Make starting a process at boot-time, or user log-in time a pain in the arse.  That way you know the user really wants it.  It seems this is the area most abused.  Without boot-time access most of the worms/virii would become impotent anyway.<p>

    Dialoging common actions, in user space, will have the effect of getting everyone to just ignore the dialogues.  Then a serious problem in the system space might be occuring, and we will all be accustmed to clicking "ok".<p>Think "Are you sure you want to install to C:Program Filesxcmd.exe" vs "Are you sure you want to install to C:Windowscmd.exe".  I bet most wouldn’t catch something subtle like that (just an example).  One should generate a dialogue, one should not.<p>

    For compatability create something like Altiris Software Virtualization tool.  It can pretend to let your old software do whatever it wants.  When in fact it is just doing these things in a virtual user space.  Then I tell windows to zap this program, not ask the program to delete itself (this is also heavily abused).  Windows has been tracking everything this program has been doing, shuts down all it’s processes, and sucks EVERY file and folder back out that the orginial install and it’s children put in.<p>

    I think the whole concept that you can protect users from themselves is flawed.  Users are going to do dumb things.  No matter how many dialogue boxes you throw up little jimmy is going to install Kazaa and all the spyware it comes with.  Letting him click "ok" to suddenly give everything the run of the system is just stupid.  Make it so dumb things means they break their account, not the system.

  52. Marc Chung says:

    Hi Steve, thanks for the good explanation.  One question.

    "Once that is true, we can then move to educating the users to know that “good” elevations are ones that they initiated and “bad” elevations are ones that suddenly appear without their explicit action.  We want the users to think “if an elevation dialog appears while I am reading my email, and I didn’t perform any action that would require elevation, always cancel those dialogs.”"

    What happens if the malware detects a user elevated request (a "good" elevation) and immediately pops up the elevation dialog that really requests elevation for an "evil" action?  

  53. Barry Burns says:

    The problem seems to be that the administrative tools were designed from the ground up with the assumption that all users have admin rights.

    UNIX, for instance uses the SUID bit to determine if a program should run as its owner or the user executing it; programs that are designed to run set-UID take this into account and examine the "effective" and "actual" uid/gid to determine the   current user (and thus permission to carry out task XYZ). It seems that the Windows admin tools need to be redesigned to work properly in an environment like this.

    As for people worrying about people sending heaps of spam via the sendkeys APIs… you are morons. This functionality has existed since the beginning of Windows; Google WM_CHAR and WM_KEYDOWN to see what I’m talking about. That’s just how the GUI works; the OS passes messages to apps when events happen, and apps can post those same messages to other apps. This is a feature, not a bug.

  54. Why don’t you guys do something about the All Users folder?

    The reason why people (and I running XP as a non-admin) have trouble deleting an icon from the desktop is because the icon is placed in the All Users profile.

    So why not instead synchronize the %USERPROFILE% dir with %ALLUSERSPROFILE% partially when something is changed inside the ALLUSERSPROFILE? When a new icon is added to ALLUSERSPROFILE/Desktop copy it to all users, but then remember to which users you’ve copied it and don’t ever do it again.

    Dejan

  55. spaglia says:

    You must be very careful as too many prompts will cause users to simply click them all ‘yes’ out of frustration which defeats their purpose. If I may be blunt this seems to be an asinine way to solve the problem.

  56. SJP says:

    re: "As a result, Windows cannot tell if YOU launched the application or if malware launched the application."

    Give me a break. So instead of all this insanity perhaps we should let Windows know how the application was launched? We can’t tell if keys were pressed on the keyboard or a mouse button was clicked? Are these not hardware events?

  57. Muj Beg says:

     You probably considered this already, but I was wondering about the following scenario:

     What if only trusted drivers and/or app are allowed to inject UI events in the Windows queue. For example, say signed HID drivers are allowed by default. The user is allowed to assign trustany other driver they wish.

     Other than that, any untrusted app would require a previlidge escalation to inject UI events.

     Just wondering why this scenario is not workable?

  58. Ben Hanson says:

    What is the recommended way to copy files to %systemroot%system32 from the command line?  Is there a ‘sudo’ or ‘su’ equivalent?  I can’t do runas /user:administrator because the script involved copies files from a network share to %systemroot%system32.  I’d be happy to put the files somewhere else, but %systemroot%system32 is the only path that I know is ALWAYS in the PATH variable.

  59. ~Jean-Marc~ says:

    Hi,

    I think your UAC feature need a second way to work…

    I didn’t read all the comments and i don’t know if already suggested :

    What about an "UAC helper" sitting in the task bar and allow to temporary elevate all the user’s action ?

    In my mind, a green icon says : you’re in user mode, and a red icon says : you’re in admin mode and reminds you every (user set a timing… says 15 minutes by default ?) X minutes…

    I think it’s better because user often perform admin tasks in "group" ("i want to update my drivers", or "i want to install some programs", or "i want to install my new printer and his programs" or "i want to delete some files" (doh…)), not once at a time.

    hummm ? Who says "sudo reversed" ?  😉

    .

  60. Brian says:

    Wouldn’t it be easier to just authenticate keystrokes and clicks on the computer’s side rather than through user interaction? I doubt it’s beyond Microsoft’s ingenuity to just mark "virtual keystrokes" as such and prevent false "real keystrokes" by making some kind of encrypted keystroke protocol…

  61. Imran says:

    I would like that, in Windows Live Messenger, when the safetly scanner scans the pc,i should be

    not be prompted by it , to elevate privelages.

    yeah pls fix that.

  62. Mcrosoft BOB says:

    THe Biggest Agrevation users have on a PC is too many popups that prevent them from working.

    With UAC, windows now comes with its own built in "ad-bot"

    UAC will be a failure, and is nothing more than an annoying person going "are you sure you want to do that?" over and over again

    AXE THIS

  63. doug says:

    many people here have mentioned features in os x that they like (1 file instead of a complicated folder for an app, 1-time user prompting for authentication, the lock buttons), as well as *ix (sudo-esque commands and more control over the command line).  the way i see it – windows is windows; it’s not os x, and it’s not linux, even though you can make it look and feel like either with enough effort.

    the way i see it, microsoft programmers are always going to see it their way – the "let’s build on what we already have" school of thought, vs. the "scrap it and let’s start anew with what we’ve learned."  microsoft did this waaaaay back for win95.  they ditched the outdated program manager that always crashed and came up with a great idea…11 years ago.  unfortunately, microsoft has spent too much time screwing around trying to build on code they already have that they haven’t thought about redoing some things.  technology has changed, things have improved, and for windows, security flaws are endless.

    what i’m saying is i’m not talking a multi-million line re-programming extravaganza, but rebuild some components.  windows, whether it likes to admit it or not, is still an 8-bit os, with 16-bit capability built on top of it, and 32-bit capability built on top of that.  i remember hearing about early builds, when it was longhorn, and them saying you’d need huge memory cards to do the visual effects, and a lot of computers today can’t handle all of it.  i have a g4 with 32mb of video memory and it runs effortlessly.  rebuild something and make it work efficiently, not using 8x the memory to do something that shouldn’t have taken that much in the first place.

    i think it’s time to not only fix features, but really think – what the hell do we want?  microsoft has a good mind to be creative, and i think they should use it.  and while they’re at it, find some awesome, creative way to kill the freaking registry.

  64. To David Richardson:

    There *IS* an audit trail for UAC.  We added a field "elevation type" to the process creation event (event ID 4688 in the security log).  You can use the auditpol.exe tool to turn on this feature, and then look in the security log.

    auditpol.exe /set /subcategory:"Process Creation" /success:enable

    Whenever a process is created, we will generate an audit record in the security log and record the elevation type.

    Elevation type will be a numeric code: 1, 2, or 3.

    Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

    Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

    Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

    Eric

  65. AC says:

    With felxibility you get complexity. Look at Unix, you have the concept of everything is a file. You give files permissions based on owner, group, and other and you’re done. Sure you don’t have the flexible ACLs but at least you got a secure and usable OS. This whole permissions thing seems like the worst mess possible. I have a feeling you will give up and just turn it off after users bitch and bitch about it.

  66. JD says:

    Does anyone have the slightest clue what Tim and Jim are talking about? Rabid nonsense.

    The main issue I have is the wording of the dialogs. Make it extremely simple:

    – Accessing the Internet

    – Exposing this Computer to the Internet

    – Changing Computer Settings

    – Running a Program

    You focus should be on reducing social engineering problems due to ignoring prompts.

    I also worry that your approach is wrong – "after a few days or weeks the prompts will become less frequent" – this is horrible; you’re saying that you’ll piss the user off before making it usable, this makes sure that it will be turned off or ignored.

    Whitelists may be bad, but the OEM preinstall should be onfigrable for the apps on the machine when it is bought, or this will be reviled.  (If I don’t trust the OEM, I can reinstall Vista from scratch)

    Hope this was at least slightly contructive.

  67. AcidTonic says:

    I dont know about everyone else whos been following this "feature" but UAC seems more like a patch over a more critical security hole than security itself.  The automation APIs (input stuff mostly) need to sit behind a security module which will flag events as system generated as opposed to user generated.

    When launching programs for example if the event was flagged as originating from the user then the system "knows" that I just launched it, If not, prompt.

    It seems as though the problem is in the chain of events.  API controlled input is sent to the system too early in the chain, and then the system is implementing ugly hacks to figure out the original source.

    As for priv escalation I believe the dialog boxes need to go…. The past has shown that the ie activeX dialogs did lots of good.  Users will get so sick of it they either A: disable UAV or B: click yes to anything.  The OS needs to be more secure for things to be secure…. There’s no patch for human stupidity

    -AcidTonic-

  68. Charles Choi says:

    To everybody working on UAC: keep up the good work on trying to enforce a sane security policy in Vista as opposed to practically none before. For sure, UAC is breaking apps and habits which were bad to begin with; all this complaining about dialogs is Karmic payback for MS not putting a sensible policy in NT to begin with. I imagine your group is under a lot of pressure to make allowances; please RESIST them. Such comprimises really do comprimise the system, but I’m preaching to the choir by now.

  69. Patrick says:

    In response to stan’s comment: "And after that, do like we do.. if you want to make an admin job, log in as root (or just ask for the root password to run that program with root privileges). If you dont do it, you will get no permission."

    If you log in as a regular user, this is exactly what happens.  If you launch something requiring admin privileges, you have the ability to either provide the credentials, or cancel.  

    You can also mark -any- program to "Run as administrator" in compatibility properties, and you are presented with the same dialog to provide admin credentials.

    I always run as non-admin, and only elevate when needed, and this is a much easier task on Vista than XP. The UAC prompt makes the process seamless.

  70. Jon says:

    Wow — is this how developers at Microsoft get feedback?  Through blogs?  Steve, asking users for feedback through a blog is dangerous because, in general, only the most computer savvy are reading blogs and using Beta software, such as Vista.  The audience of this blog is going to provide limited insight given the breadth of customers that will eventually use Vista.  Sometimes I wish developers at Microsoft would let market research guide their decisions; rather, than a blog post answered by techies.  

  71. Kurt says:

    Why not ask confirmation when an application tries to send UI events to other windows?  Programs that do this legitimately aren’t that common, are they?

  72. Craig [TheQuestor] says:

    <RANT>

    UAP has been turned off an on so many times on this machine that I just gave up on it and turned it off.

    We BTs are NOT your normal user as an average. I am not my grandmother who clicks on "Cancel" on a popup instead of the red X. I "KNOW" know to break my machine and subsequently fix it. I do it for a living [well not the "my machine" part] and have done it now for about 21 years. From my point of view UAP [and if I haven’t been killfiled by "everyone" on the Beta newsgroups, you have seen my large distaste for UAP in its current form as of Beta2.] is well a GREAT and much NEEDED idea that is horribly implemented but is going to cause me and my field technicians so much grief that I am having nightmares already.

    Even after disabling UAP there are parts of the OS that as ROOT I am not able to get to with jumping through about 6000 hurdles.  This is bad, Even OSX has a super user account.

    Now after reading this blog entry I am feeling a little better about not turning it off by default on every PC I work on and sell over the next 4 or 5 years.

    To get rid of most of the pop ups every program written for XP and before that needs Admin access has to be rewritten. This is both good and bad, because it will take months and years to get all 75 Gazillion programs to be “shimmed” and in most cases this will never happen as the company has neither the need nor inclination to do this. I mean why should they? It is just 1 pop up box.

    My 2nd biggest gripe which is almost getting worse then the 1st is the fact that Unless turned off on the local security policy, when ever a elevation box pops up, it tosses my 2 other screen for a loop. Shutting on and off and that is adding a TON of extra wear to them. It got so bad that I just replaced the 2 19” CRTs with 19 Wide Flats. They don’t turn on and off like my CRT’s but they do go blank.

    The UAP guys REALLY need to get with more of the other teams such as the people working on Multi-Mon, which has taken a huge step BACK in Vista.

    </RANT>

  73. OBKenobi says:

    It sounds to me like the real problem is that Vista can’t distinguish between real mouseclicks/key presses and virtual ones sent by software. If it could tell the difference, then there would be no need for these elevation prompts to come up repeatedly when the user deliberately initiated the action. Stop treating us like monkeys, MS!

    I can tell you right now, that if UACs behavior doesn’t improve radically, no one is going to willingly use it.

    Trying to patch up every instance, for every piece of software and situation is going to be a neverending process. If you don’t fix the core behavior, you’ll never get it to work properly. Is MS going to have a UAC team shimming and patching for the rest of Vista’s existence? And if shimming is possible, what’s to stop malware developers from exploiting this?

  74. Hi

    I’m actually looking at a demo of UAC and I’m really hangry about it (sorry W. Moses, nothing against you).

    1 – For the first time in the history of OS, I can’t predict if I can do something by looking at the ACLs if I can open a file, run a programm or editing a registry key !

    2 – For the first time I can’t guess if I’m administrator of the machine by looking at membership. Why calling a group administrators if it’s not. What will be consequences for people who setup / maintain / troubleshot ?

    3 – As far as I know UAC block program it know not function so for exemple :

    REGEDIT is blocked (even if we wanted to consult !!!)

    REG.EXE in a command prompt is not blocked

    So no impact on spy / viruses which uses their own path.

    Basically that show that Microsoft is just making an interface for hidding things and for rejecting responsability : "you have been infected, huhu you removed UAC, that’s why !!!"

    So basically I’ll sugest continue my efforts to train people (and me) :

    1 – to set :

    [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem]

    to

    "EnableLUA"=dword:00000000

    (that’s disable UAC which is just useless and anoying)

    2 – set ACLs correctly (on files and registry)

    3 – users and admins must use users level accounts and RUNAS for needs.

    Laurent Gébeau [MVP]

    (actually at an EMEA Vista event in Amsterdam)

    laurent.gebeau.at.toutwindows.com

  75. PatriotB says:

    Ok, there have been lots of comments about "distinguishing" between human-originated commands, and malware-originated commands.  How would you propose there be a difference?

    When it comes down to it, launching an executable is done via the CreateProcess API.  Are you guys proposing that CreateProcess somehow looks all the way up the callstack until it finds "oh, the root of this is some Input function"?  What if the app doesn’t call CreateProcess from the same thread as the input came in on?  E.g. Thread A gets some input, and sends a message to Thread B to launch a process.  What do you do in this situation?

    As a side note, I think a lot of what people would "ideally" want, would have been possible if NGSCB (Palladium) would have been implemented.  But there was such an outcry from people about this, that MS decided not to go forward with it.  You can’t have it both ways.

  76. PatriotB says:

    "Wow — is this how developers at Microsoft get feedback?  Through blogs?  Steve, asking users for feedback through a blog is dangerous because, in general, only the most computer savvy are reading blogs and using Beta software, such as Vista."

    Blogs is probably the last place that any "real" feedback comes from.  Consider all of these other sources of feedback:

    – Technology Adoption Program (TAP) participants

    – Corporate clients

    – Thousands of beta testers

    – Usability labs/inperson studies

    – Feedback from third party ISV’s

    – Feedback from OEMs

    I’d say feedback left on blogs is, while accepted, hardly the place where decision-making feedback comes from.  You’re right in that blog readers are not a typical representation of a product’s audience.  Microsoft has other ways of getting a real feel for how the product works across a wide spectrum of users.

  77. PatriotB says:

    "windows, whether it likes to admit it or not, is still an 8-bit os, with 16-bit capability built on top of it, and 32-bit capability built on top of that"

    Ok, I don’t know why I’m bothering trying to respond to this, but here goes…

    NT was developed as a 32-bit OS from the start.  Period.  No 16-bit code in it, and certainly no 8-bit code.

    Actually, at its core, all of NT is "bitness-agnostic", meaning that depending on compiler switches, you can build for either 32-bit x86, 64-bit x64, or 64-bit Itanium.  And I’ve read on other blog posts that one of the requirements for code to get into Longhorn was that it had to be compileable to any of these three platforms.

    So get educated.

    And a last bit about the registry… Why do so many people have a problem with it?  It’s a heirarchical database of values.  Much like a file system is a hierarchical database of files.  So if your proposal is that instead of a registry database, we have a slew of individual files: it’s just as easy (or, difficult) for a file system to get corrupted as it is for the registry to get corrupted.  (Talking NT here, not 9x.)

  78. Sandy G says:

    I just removed a hundred fonts. It took an hour and eleventyseven volumes of cusswords at that blasted black plague.

    I am SO frustrated that I will probably use Arial 10 for everything forever.

  79. McoreD says:

    I like the Limited User idea. In fact I am running Windows under a LUA since 2005 August and have developed strategies to easily overcome problems that arise while not running the computer as an  Administrator.

    http://wmwiki.com/wiki/index.php?title=Limited_User

    Windows XP already has this facility. In Vista, I hope this to be extended.  Vista should not ask the Administrator user/password for more than once per operation.

    In Windows XP under a LUA, if you type control userpasswords2 in Run, then Windows prompts for Administrator user/password.  

    http://img84.imageshack.us/img84/4526/xpuapcontroluserpasswords27xf.png

    When installing a new hardware devices, Windows XP nicely does the same thing.

    http://img84.imageshack.us/img84/1338/xpuapaddnewhardware9rb.png

    Just like above, in Vista, under LUA, it should be:

    1. User tries to access Device Manager, Windows asks  for administrator username/password, Device Manager is opened.  After Device Manage is closed, Administrator access should be terminated.

    2. User tries to change time zone, Windows asks  for administrator username/password, user changes time zone. After Time Zone dialog box is closed, Administrator access should be terminated.

    3. User tried to access Administrator user profile. Windows asks for administrator username/password. User gets into Administrator user profile. After user closes the explorer window, the Administrator access should be terminated.

    4. User tries to delete a shortcut created by Administrator. Windows asks for administrator username/password. User deletes the shortcut.

    5. User tries to delete a shortcut created by herself. User deletes it without any prompts from Windows.

    Vista follows this behaviour in Beta 2 and I am quite pleased. In short, the UAP behaviour in Vista should work identically to how Mac OS X does it, and enhancing it by providing support for user case #4 above.

  80. If we speak about Windows security, many people will tell you that Windows is unsecure operating system….

  81. David Hopwood says:

    It’s pretty silly to keep using accessibility as an excuse for not fixing the vulnerabilities due to malware sending keystrokes, reading the screen contents, etc.

    The vast majority of apps are not accessibility tools. So allowing all apps to send keystrokes, and continually bothering the user just in case a piece of malware did this, is a clear failure to observe least privilege/authority.

    Instead, the apps that actually need to be able to send keystrokes, read the screen, etc. (accessibility tools, macro players, automated GUI testing tools, and screen grabbers) should be marked, so that only they can do those things.

  82. anonymous says:

    @PatriotB

    "Ok, there have been lots of comments about "distinguishing" between human-originated commands, and malware-originated commands.  How would you propose there be a difference? "

    The difference is the app that calls CreateProcess().

    If Explorer calls CreateProcess(), that’s a fair bit different than if some arbitrary process calls CreateProcess() no? IHMO, Explorer (as the desktop shell) should only ever call CreateProcess() in response to some direct user input. As David Hopwood says above, accessibility is no reason to not be able to tell whether the user input came from me moving my mouse or some piece of malware generating mouse movements and (trying to) feed them to Explorer.

    Explorer is my shell. It should have the power to do anything that I can do as a user. It should ONLY do stuff that I tell it to do. It shouldn’t be able to be fooled by some other application — it should only respond to my actual input. As such, the stuff it launches could be treated differently to the processes launched by other applications.

    Let’s get off topic here a bit:

    Explorer (ideally, although Windows can’t support this sort of thing easily) should grant to the applications it launches (on my behalf) some subset of my authority. For example, if I launch Word, it should grant to Word the authority to read my global templates but not to access the network.

    Polaris (from HP research) implements this sort of thing on top of Windows. Plash is a similar project but for Linux/Unix.

    To really do this effectively, you need to bundle up designation and authorisation at the OS level. Capability-based operating systems (such as EROS, Coyotos and CapROS) are good examples. If you’re interested, here’s a good writeup http://usablesecurity.com/2006/05/18/vista-security/

    on how bundling designation and authority could provide a better solution than the UAC dialogs etc. that we’re discussing here.

  83. Micah Brodsky says:

    I think blaming the lack of an unforgeable input path to Explorer is missing the point.

    More fundamental than needing trusted input is having a privileged, protected shell. If the shell has the ability to grant privilege, then it itself must be privileged. Authenticated user commands do no good if malware can just attach a debugger or call WriteProcessMemory and mess with the shell’s execution state to trick it into invoking privileges. A privileged shell not necessarily good idea, however. Shells are big, complicated, extensible, and highly environment-dependent. Explorer is a particularly bad example, supporting zillions of legacy in-process extensions (e.g. right click to WinZip, browse pocket PC contents, etc.), capable of embedding the entire web browser, and, I suspect, frequently abused by applications via IPC. Even with a cleaner, more self-contained shell, the vulnerability exposure due to state shared under this mechanism would be staggering — consider how much of a nightmare writing secure SetUID programs on Unix has proven to be.

    As much as I agree that "security by designation" leads to better practical security than "security by admonition", I think it has to be balanced against the technical security risks it introduces. In this particular case, the problems seem to be daunting.

    All that being said, I’m not really sure what UAC is trying to accomplish in terms of security for ordinary desktop users. Running with only user privileges, malware can still root applications, destroy data, spy on user behavior and keylog, render the system flakey and unusable, send spam, and propagate over network via application-level vulnerabilities and social engineering. It’s just easier to clean up afterward by trashing all your personal settings instead of trashing the installed software along with your personal settings and the installed software. (Am I missing something?)

    –Micah

  84. Hans Olsson says:

    I normally don’t run as administrator in XP, and I think that making it easier to run as non-administrator is good.

    My concern is that in order to install a program I basically has to give it almost full access to my machine, which means that it can install malware as well (or more innocently take over file-associations, add desktop short-cuts, and replace the firewall).

    The elevation prompt does not seem to give me any protection for this scenario, since I obviously intended to install something.

    As I see it there are two solutions for this:

    1. Having the ability to install programs as non-administrator (either with a special group such as Power User, or by modifying all installers to be able to perform a per-user install instead).

    I believe this would make sense for many programs (e.g. games for home-users), but as far as I understand this is not the way Vista is going.

    2. The elevation prompt will inform you exactly what areas of file system, registry, etc will be open for writing, and/or you could manually select this.

    [Or inform you specially if those parts already exists.]

    If this would too much of a change in the operating system, you might develop a shim that first virtualizes the areas, runs the install, and then copies those parts when the operation is complete.



    Obviously it is possible that I am missing some other solution to this problem.

    /Hans

  85. TK says:

    The dialog needs to have more information when asking me to approve an action. I dont have the exact text, but I got a dialog that wanted me to approve a "File Operation" or something similar. That text is hardly useful in determining whether or not approve the action. I would rather see something like "Delete File: c:some.file.txt".

    The other main improvement I would like to see would be always approve and always deny option. There will very likely be some UAC protected action that I (or an app) perform frequently that I will have to approve every time I do it. That will get old really fast. There are going to be areas where UAC and I disagree, and I want the power to tell UAC that its either always ok, or never ok.

    Yeah, I know malware will try and add itself to the list to always approve. However, its my computer, and if UAC cant be made to work with me, then it will wind up disabled. I think UAC can work, and provide a reasonable layer of security, but it absolutely has to bend to my will, not the other way around.

  86. John Pickett says:

    In response/addition to:  http://blogs.msdn.com/uac/archive/2006/06/01/613098.aspx#616651

    I can’t emphasize exactly how annoying it is to be prompted for elevating when launching Device Manager in beta 2.  I can certainly understand if the user tries to actually do something that would require admin, but should just viewing the hardware components require a boost?

    Many times I just want to check and see model/driver info about various devices or check that everything at least thinks it’s installed correctly by just opening Device Manager.  For read-only tasks like this, it’s quite bothersome to require an elevation.

    My 2 ¢

  87. Toni Pomar says:

    I have been preparing the MMORPG I am responsible for (www.prisonserver.com) to work correctly under LUA, and found a weird situation, that I already fixed in my installers and exes.

    If an old fasioned win32 exe, in my case the game client, is started under LUA everything is OK, no popups, no elevations, all right.

    If a Windows XP GUI based exe, in my case the game updater, is started under LUA, an elevations is requested, and sometimes when exiting the program the system complains that the program is not correctly installed.

    The FIX in this weird case is to update the XP MANIFEST used to enable Windows XP looks for controls and windows, by adding an entry to the manifest requesting NO elevation whatsoever (you know, the requestedExecutionLevel level="asInvoker" stuff).

    It seems that for LUA, a plain win32 exe is ok to run, but any exe with an XP manifest embedded is wrongfully considered as admin stuff, always requesting elevation.

    It doesn’t have much sense anyway 🙂

    Best regards.

  88. Adam Stritzel says:

    @Toni Pomar:

    Toni, you should read an earlier post to this blog, especially item #1:

    http://blogs.msdn.com/uac/archive/2006/01/13/512776.aspx

    What’s happening to your game updater is that Vista heuristically detects that it is an installer/updater, and thus requires elevation to launch it.

    You’re correct that manifesting your app with a requestedExecutionLevel is the right way to explicitly tell Vista whether elevation is required or not.  If your app has a manifest that specifies a requestedExecutionLevel, it won’t be subject to heuristic detection.  You can read here for more details:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

    (Note: Whether an app is "old fashioned win32" or "GUI" should not have any effect on the heuristic detection.)

    Now that you know /why/ you were getting the elevation prompt, I encourage you to be sure that "asInvoker" is really what you want for your game updater.  If, indeed, your game and updater really are limited-user aware and can perform updates without writing to protected areas like %ProgramFiles% or HKLM, then kudos to you for a job well done.  On the other hand, if your updater does write to those locations, then "RequireAdministrator" should be your choice.

    Best of luck.

    – Adam

  89. Sobakus says:

    @Adam Stritzel:

    In fact the game does a local user install instead of a system wide install, precisely because of win 2000/XP non-admin. You know, having to add to "Power Users" group everyone that must be able to play (ergo able to autoupdate) the game is not a kind solution for the average home user.

    About the heuristic detection, in fact the game client and the auto updater share all the network code (well, the game client is even more "ugly" in that than the updater), so seeing that the former has no problems with LUA and the other one has I did a simple test.

    1.- Removing the XP manifest from the updater, no problem, no elevation request.

    2.- Putting the XP manifest again, the elevation request is back (and so does the "shield" icon over the program icon).

    3.- Adding the "asInvoker" token everything is ok again, just like without any manifest (case 1).

    Did it with a couple of simple exes and the same happened.

    From my point of view it seems like "asInvoker" is the default setting for plain win32 exes, but when a manifest is detected inside the exe for some reason "RequireAdministrator" seems to be the default setting unless specified, as I did when added the "asInvoker" stuff in my game executables.

    Shouldn’t be "asInvoker" the default for any kind of program, with or without manifest? Is the manifest parser doing a mess with default values?

    This would remove tons of unneeded elevation requests.

    In fact, even the installer for the game now has a suitable manifest so everything is smoothly installed for the local user with no elevation at all. Elevation when running the installer meant that "program files" and stuff was pointing by default to the global "all users" START menu, instead of the local user START menu. That meant that when trying to delete the game icons when uninstalling, that didn’t provoke an elevation, the uninstaller ended up looking the wrong place (and having not enough privileges to delete the icons anyway).

    Best regards.

  90. Sobakus says:

    @Adam Stritzel:

    In fact the game does a local user install instead of a system wide install, precisely because of win 2000/XP non-admin. You know, having to add to "Power Users" group everyone that must be able to play (ergo able to autoupdate) the game is not a kind solution for the average home user.

    About the heuristic detection, in fact the game client and the auto updater share all the network code (well, the game client is even more "ugly" in that than the updater), so seeing that the former has no problems with LUA and the other one has I did a simple test.

    1.- Removing the XP manifest from the updater, no problem, no elevation request.

    2.- Putting the XP manifest again, the elevation request is back (and so does the "shield" icon over the program icon).

    3.- Adding the "asInvoker" token everything is ok again, just like without any manifest (case 1).

    Did it with a couple of simple exes and the same happened.

    From my point of view it seems like "asInvoker" is the default setting for plain win32 exes, but when a manifest is detected inside the exe for some reason "RequireAdministrator" seems to be the default setting unless specified, as I did when added the "asInvoker" stuff in my game executables.

    Shouldn’t be "asInvoker" the default for any kind of program, with or without manifest? Is the manifest parser doing a mess with default values?

    This would remove tons of unneeded elevation requests.

    In fact, even the installer for the game now has a suitable manifest so everything is smoothly installed for the local user with no elevation at all. Elevation when running the installer meant that "program files" and stuff was pointing by default to the global "all users" START menu, instead of the local user START menu. That meant that when trying to delete the game icons when uninstalling, that didn’t provoke an elevation, the uninstaller ended up looking the wrong place (and having not enough privileges to delete the icons anyway).

    Best regards.

  91. Nidonocu says:

    Following further testing and use of Beta 2, I would like to make a further few comments about the dialog design. In particular, that they should be more precise and verbose as to why they are prompting, for what reason and how dangerous this action actually is.

    For example, if I set a shortcut to a legacy installed application to require elevation (an action I think should be protected by UAC it’s self), then should not that prompt be less threatening than one generated by Windows on a foreign legacy installer? I have already ‘let the beast in’ so to speak (files in Program Files, keys in the HLM hive), so if I am still fine at this point, it is probably a perfectly acceptable if legacy application.  The prompt should provide instead information with staying safe while using the application (going online with it, accessing the hard disk with it, etc).

    In addition, when running core system applications that have powerful functions, the UAC prompt should warn me as to why it is showing me a prompt, not the application name. For example, ‘The Defragmenter accesses your hard disk directly to improve your computers speed. For this reason, it requires administrator permission to do this. If you wish to continue…’

    For file access prompts, if a UAC elevation is required, then the entire file prompt should become a single prompt with all file operation details, along with the UAC prompt. ONE dialog box. It can fill a 640×480 screen as long as there is only one as far as I care. That’s the UAC banner, the file icon, the file details (so we can see its Owner: SYSTEM’s fault again) and the file prompt’s standard Yes, Skip, Cancel buttons. (If a password is needed, pop that dialog after clicking Yes, the above solution works well for the confirm mode of administrators who are most inconvenienced by this prompts.)

    The final thing I would say is maybe as part of ‘fit and finish’ to this feature, the overall display of elevation prompts could be brightened with some animation and possibly sudo-glass effect to make up for the fact it is running on the secure desktop where there is no DWM on hand.  Animation in the form of animating ‘swishes’ in the colour bar (as seen in explorer’s operation progress dialogs) would be pleasant. Elevation prompts need to be sure to follow the VISTA STYLE GUIDELINES and appear close to but NOT on top of their related dialogs (file operations often fail at this one). Finally, please improve performance on switching to secure desktop, when the machine is busy, I sometimes get stuck for over five seconds with a black screen as the ‘screenshot’ is rendered. Such a sight might seriously worry or scare a novice user and make them think they have crashed.

  92. I have been running with a pre-beta 2 build for sometime – and last night decided it was time to flatten…

  93. I love Windows Vista.

    One thing that opele complain about is the security prompts that come up when…

  94. Interesting article Steve.  Good to know you are working on making Vista a little less chatty!  

    Thanks for all your (and your team’s) help recently with my uiAccess issue.  Your diligent assistance was very much appreciated.

    Marcus

  95. Horatio Rajis says:

    The first change is the Administrator/superuser account needs a password set during installation so superuser escalation will require a password to be typed in instead of simply clicking OK or Continue. Subsequently, the password must be typed in whenever this level of access is required. As it stands, Microsoft needs to revamp the rest of the model. I want a Control Panel applet that will let me choose the level of invasiveness. Here is my proposal:

      1. Off – If I’m logged in as an Administrator, then it will work as current Windows machines.

      2. Default – The current default settings as shipped in Vista Beta 2. The user would be hand held even while in his/her profile (aka home) directory. Deleting, editing and installing any files would all require the annoying pop-up dialog confirming action.

      3. Limited Power User – Following the Linux model as shown in Red Hat of yesteryear, Ubuntu and others with a modification or two. All system files, installation of software available to the system, and any modification outside of the user’s profile directory would require superuser escalation. However, the user’s “%Profile%/Application Data” and “%Profile%/Local Settings/Application Data” directories would be protected. Any modification taking place would require escalation to superuser. In this scenario, I could attempt to wipe my profile, but things like my Outlook PST file and other settings would not be destroyed.

      4. Power User – Same as Limited Power User, but the two Application Data directories would not be protected. In other words, I could wipe my user directory without ill effects on the rest of the system. I could create a new user and not experience any problems. This mode would also give me an option of maintaining superuser access for a set amount of time. When this is active, a tiny icon would show up in the systray with a user-configurable timeout to return back to “limited” access to the rest of the system files.

    From a usability stand point, it would be nice to be able to elevate applications on the fly via another button on the top right of the window. It could also change colors based on the level of access the application has.

  96. MadsE says:

    Basically – Reduce most of them, so that when you actually see an UAC prompt, you know that it is something to pay attention to.

    Example: when accesing manage this computer, you get the UAC – Why? You havent dont anything at this stage. Nothing but viewing. No change has happened yet… There is so many, that i do not know where to start, and thus rather turn it around! Focus on the siutations where it is VITAL to have the UAC, and not the opposite!

  97. Sobakus says:

    Another point worth looking at is the ubiquitous "Add and remove programs" panel.

    In windows 2000/XP a big opportunity was lost to really separate user accounts even from the applications installation poit of view. I mean, the limited accounts under 2000/XP, and now the UAC system under Vista, are the perfect environment for the concept of "local applications", thats applications installed only for one user. With a bit of care, it is perfectly possible for an application (like the online game I develop/maintain does) to install only for the current user, as the user has its own environment (local start menu, local desktop, local account folder, local documents folder, whatever), but one missing point in all this is the aging old "Add and remove programs" control panel, that inherits its global system-wide nature, instead of giving local installers a "local installed apps list" to be added to. whenever you want to supply a "local" installer to the unprivileged user you have to ignore completely that admin-only list and always supply a custom "uninstall" icon or option in the application.

    Wouldn’t it be the logical step to add this kind of "local add/remove programs list" to every user? This way no admin rights are needed to access such a list, giving the local apps the "neat" and "compliant" way to be managed and uninstalled by the unprivileged user.

    Best regards

  98. UAC Fan says:

    Whatever you do DO NOT "shim" too much! The GOAL is to get Programmers to write code correctly – NOT make room for poor programming!

    Try offering a lot shims to the home versions (Basic + Premium) and less to the business version(Bus., Ent., Ult.).

    ****************************************************

    Again, DON’T SHIM TOO MUCH; BE RESPONSIBLE!

    ****************************************************

  99. Hans Olsson says:

    I agree with Sobakus that it would be nice if "Add/remove program" also used e.g. HKCUMicrosoftWindowsCurrentVersionUninstall (and some default install-directory for local installs since "Program files" is only for system-wide programs).

    [Obviously so that it can be restricted with group-policies.]

    That would reduce the number of elevation prompts in the simplest way: by removing the need for elevated privileges.

    However, as far as I understand this is not the way Vista is going.

    Best regards,

    Hans

  100. Tony says:

    The other problem is you need to be in explorer to elevate a program, since ‘run as administrator’ is an internal builtin function.

    eg. if you’re on the command line doing some work and you need an admin shell you need to create a shortcut, right click it and ‘run as administrator’ rather than just pass an option to a command line app (‘start /elevated’?)

    Within code it’s worse – I still haven’t found a way to make my control panel elevate (which needs admin rights as it’s a service control panel, and cpl files can’t be marked elevated as they’re DLLs not executables).  I cheated using an undocumented ‘runlegacycplelevated.exe’ command but I don’t expect that’ll be there beyond beta2.

    Would kill for a CreateThreadElevated() function – the current system is a complete pain to deal with.  Elevating the entire app to perform one function is removing the benefits of the whole LUA system IMO.

  101. Hugo says:

    Hi folks,

    let me look at it from the developer’s perspective.

    I think that the foremost problem with the current implementation of UAC (at least how I feel it) is that there’s no way to elevate at run time. E.g. an application either starts elevated, or starts non-elevated, and stays like this until it dies.

    This is IMHO totally unacceptable. The official MS recommendation/workaround is to launch a separate binary to accomplish the job that needs to run elevated. But that’s way too complicated! In my app, for example, I have many places where I need to run elevated. True, they don’t happen too often (e.g. entering a license key), but there’s at least 7 of them (as I remember now from the top of my head). But I don’t want to create 7 new binaries just to do these auxiliarly tasks (or, worse, a universal binary that would let me do 7 totally unrelated tasks).

    PLEASE, create an API that will let us elevate at runtime. Please please.

    Thanks

    Hugo

  102. fluid says:

    I run beta2 on my radeon 9600xt, but whenever a UAC window is expected I got black screen. I need to wait for almost a miniute for the dialog box showing itself.

  103. Nico Bendlin says:

    "rundll32 foo.dll,bar opt"

    The library is signed and has a manifest that contains requestedExecutionLevel="requireAdministrator".

    I expected to see an UAC dialog, but RunDll just shows the error message:

    "Error in foo.dll

    Illegal value: requestedRunLevel"

    Any solutions?

  104. Nico Bendlin says:

    "rundll32 foo.dll,bar opt"

    The library is signed and has a manifest that contains requestedExecutionLevel="requireAdministrator".

    I expected to see an UAC dialog, but RunDll just shows the error message:

    "Error in foo.dll

    Illegal value: requestedRunLevel"

    Any solutions?

  105. d'oh says:

    Some complaints:

    1. It’s resource hog

    2. Boot and install takes forever (hopefully better for final version)

    3. The New Explorer is a mess to navigate in

    4. Release DX10 for XP and skip Vista.

  106. joe says:

    Can you shim visual pinball + pinmame

  107. mud says:

    I generally like UAC, but have a few questions.

    It seems like (from the video now posted) that the program files and window directories and also the registry are virtualized, so why is it that when a user tries to install something, it does not simply install into the user virtualized space?  For example, if my sister downloads a small game from a friend and it has a standard installer, then she should be able to install it (with a UAC warning, but no request for password) in her own virtualized space.  If I want to install something system wide, then I can right click->run as administrator and be prompted for the password.  I do not see security disadvantages since if the program installed is dangerous in user space, the program could simply have done the same amount of damage as an exe that does not need to be installed at all and still have the same rights.  Note that linux, freebsd, and macs allow installs for pretty much all programs into user space and does not require permissions also.

    My second question is about copying or cutting multiple files and pasting.  There are still many prompts, almost one for each file for elevation, and if it hasn’t been fixed yet, it should be changed so that it only prompts once or should have a check mark so that I don’t have to enter the password a 1000 times when pasting 1000 files in the program files directory.  This is the same for deleting.

    Another note, on the UI side, it would be nice if there is an advanced button that analyzes and then shows a list (like the indexing options folder selection) that allows selection (for overwriting) and renaming of specific folders/files in the paste.  This would be much better than clicking one by one when you want to overwrite some, rename some, and maybe cancel some.  (it is what lots of programs like syncing/backup programs have)

  108. Windows Vista でアプリケーションが動作しないときは

  109. PatriotB says:

    Hugo — I imagine it would be way too late in the game to add a means by which a process could elevate itself (or one of its operations) "temporarily".  In Windows, the security boundary has always been the process object.  If you had a way to switch a process to "elevated" mode for a time period, what would stop, for example, a malicious add-on (or even, an exploit that took advantage of a buffer overflow in your code) from detecting this, and thus compromising your system?  Even if you could, for example, create a thread that was "elevated", malware running in a different thread would be able to modify the stack of the elevated thread, and thus could hijack the elevated thread into doing its bidding.

    This is the case, because the process is the boundary for memory access.  Could the security team have have architected a way to have an isolated, secure "sub-process" within a process?  Possibly, but would it be worth the huge cost?  (They certainly wouldn’t make such a big change this late in the development cycle.)

    But what is the benefit of having a secure "sub-process" over simply using a separate process?  I don’t think there is much of one; maybe it would be slightly faster, but not really, since you’re essentially duplicating the process model but within a single process.

    Also, if spawning off EXEs doesn’t fit your usage patterns, you can create an out-of-proc COM object which acts as a broker to perform administrative actions.

  110. Kent Love says:

    Very Informative

  111. mjg says:

    Need to eliminate constant prompting for anti virus software on start up after it is installed.  

  112. Doug Klokow says:

    I’ve been using Beta 2 for about two weeks now, and I just changed back to a Local Administrator from a Standard User for one reason only – I got tired of entering my password for elevation prompts!

    For the typical user, I would strongly recommend the Standard User model, but for users like myself that are constantly running apps which required elevation (MMC, CMD line tools, etc.) what’s the downside to running as local administrator since by definition they are running as a Standard User anyway?  The only difference from my perspective is the prompt to confirm dialog box, rather than the prompt for credentials.  Am I missing something that could bite me in the long run?

  113. Rick Love says:

    I work with Accessibility Technology.  We are testing Jaws with Vista Beta 2.  It works pretty well (except IE7 – found solution at http://www.ie7.com).

    I like the UAC, but I do not see how access could be given to a screen reader.  Having worked with Jaws for about 1.5 years, I would never allow it to have access to the UAC.  It would be a huge vulnerability.  

    The only solution I can think of is to make the UAC prompt self-voicing.  It would not need to use Narrator itself, just the MAPI voice to state simple instructions:

    [Read the dialog]

    If you started this action, Hit Enter

    If you did not start this action, Hit Esc

    If you need to repeat these instruction, Hit Any Other Key

    It could also automatically repeat after a few seconds.

    All the logic could be hard coded into the dialog box, and it could simple send a speak command to the MAPI.  It would still not allow anything to intercept or mimac a user keystoke.  The Enter / Esc / Other keys would go straight to the dialog like it does now.  And the dialog box would control the speaking, according to some OS setting.

    BTW, the new narrator voice is greatly improved.  But narrator is still stupid as ever.  Oh well, hopefully whoever does Narrator can at least make it use the UIA decently.

  114. L’UAC (User Account Control) est l’une des nouvelles fonctionnalit&#233;s de Windows Vista les plus controvers&#233;es…

  115. Rick Love says:

    In my earlier post, when I said MAPI, I meant Microsoft SAPI – Microsoft Windows Speech API

  116. I promised Arthur that I would tell people about the Microsoft Unified Communications and RTC user group,…

  117. Vadim Rapp says:

    >  If, for example, the user marks MMC.exe (the Microsoft Management Console) as “silent elevate” so that the device setup dialogs don’t prompt for elevation, malware running as Standard User would be able to use that setting to launch MMC with a set of command line parameters that accomplish tasks that we don’t want to happen silently

    how about providing a certificate for the executable, including crc32; the executable would present the certificate to the system in order to get elevated, along with the information if it was laucnched programmatically (in which case the certificate would be replaced by the certificate of the calling application, if any) or manually.

  118. Kyle says:

    When I access files that ended up stored in the Windows.Old folder it wants me to elevate for everything.

    I had things on my old desktop, so I go in an copy them then try to delete, I now need to elevate everything, there is a check box so I check that. But now when I go to clear the recyclebin it asks me again to elivate. Then I get a this file does nto exists should windows crete it message.

    Why is Vista creating files when all I wanted to do was delete old information? On top of that why am I being asked to elevate to delete information from an old install of windows and not from the improtant files. I have also noticed that every now and then when I clear the recycle bin, after being prompted like 5 times for different things, that there is still stuff in teh bin.

  119. Abigail Sara Hocking (Nana-An-Hu) says:

    The client for Hamachi VPN (http://www.hamachi.cc) requires elevation on every login as it needs the ability to configure its own network interface.

  120. Steve says:

    Keyboard key presses and mouse click events. Surely you can tell if a user has doubled clicked or pressed a key at the device level locally within an application? I am really suprised that with the level of access, i.e. Kernel source that you can not do this? What is the real issue. You must know if an application is inserting data into a queue instead of a real device?

  121. Tobias says:

    To make a long discussion short: It is a basic principle that security will only work if it is reasonably easy to use. Otherwise, users will simply turn it off or work around it or get used to "always click yes".

    This said, as an ISV I find it extremely hard to have our apps *not* require special privileges, mainly because .NET, VB or other external resouces like CAPICOM require it. Yes, it is a good idea to change all that *but* this will take some time. It will not happen until Vista ships.

    Bottomline for us is: yes, warn the user if there is an app that wants privileges, yes warn the user if it is from an unidentified publisher. BUT: Find a way no matter how to identify the binary fingerprint of that app, and once an admin approved this app, let it run.

    Anything beyond that may be *theoretically* more secure but will be much less secure in the real world because it renders the whole UAC unusable.

  122. Tobias:  You said, "as an ISV I find it extremely hard to have our apps *not* require special privileges, mainly because .NET, VB or other external resouces like CAPICOM require it."  I don’t understand that statement at all – on its face it just sounds completely wrong.  Can you please elaborate?  Thanks.

  123. After fixing some elevation request problems I had by embedding the correct manifests in the executable files (thanks to Adam Stritzel for a very clear explanation about the manifest problems I had) I just came up with a very annoying problem with those manifests.

    I just ported my projects to Visual 2005 from Visual 2003 and the first thing I tested is the "manifest tool" included in the IDE. It is a very convenient and easy tool for manifest embedding BUT I can’t use it at all.

    I seems that when the manifest is embedded with that tool AND the manifest includes a <security> section (required to specify requested privileges under Windows Vista and avoid annoying elevation prompts) the manifest is formated in such a way that the resulting EXE crashes (in fact completely reboots) Windows XP after running the exe a couple of times.

    It looks like some kind of overflow bug in the manifest parser in XP.

    The solution is to actually disable the manifest tool in vc 2005 and instead embed the manifest by hand editing the .rc file of the project.

    The only difference I’ve seen in both cases is that the manifest tool adds some padding text after the manifest (something like "PADDINGX" repeated a lot of times) and by embedding it by hand throug the .rc file there is a simmilar padding but full of zeroes instead of ASCII text.

    I hope this helps someone with weird crashes and reboots under XP. I had a couple of them before thinking about something weird happening with my exe and found this link

    http://codecomments.com/Visual_Studio/message980461.html.

    Best regards

  124. Thousands of people from around the world have been hard at work to ensure that Windows Vista is the…

  125. matro says:

    my app uses globally named objects for multiple instances synchronization and communication. this was an MS recommended way in the past, but with the forthcoming Vista it seems to be deprecated:

    CreateMutex() and CreateFileMapping() worked with globally named objects on 2000XP (even with restricted accounts) and Vista Feb CTP release.

    with Vista build 5384, an UAC elevation is requested as admin rights are needed.

    now what is the future of this?

    there is an unanswered thread at MSDN forums: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=327551&SiteID=1

  126. I’ve been somewhat lax in my postings on least privilege of late, in part because I’ve been pretty pleased…

  127. Mart Baaren says:

    I use eTrust EZ antivirus, it places part of the program in the systemtray, so every time i login i get these elevation prombts. The same thing happens with ATI Traytool, it loads with windows and gives….an elevation prombt. that makes 3 everytime i login.

    The app. "Newsleecher"  only runs well with admin privelages, so well everytime an EP.        

  128. was says:

    Like many older apps (Quicken, Sidekick98 etc), our apps install the data/config files in the same folder as the executable in the c:program files<appname> folder. If I install one of the apps in Vista Beta 2 with UAC ON, the empty data/config files are installed in the program files (PF) folder and in the user’s virtual PF folder. All works ok and I enter data in the app.

    Sometime later, I switch UAC OFF to avoid the prompts and run the app again. The data is no longer there because the app in now reading the data files in the app’s PF folder not the apps virtual PF folder. I switch UAC ON again and the data miraculously re-appears!

    Since we cannot prevent users re-installing their older apps in their new Vista PCs or changing the UAC setting, this feature will undoubtedly lead to significant customer angst and significant customer support workload for us. We are talking about pilot flight data here so this is not an insignificant problem.

  129. henke37 says:

    What is wrong with a simpel return ERR for the api functions? If the program lacks the permissions it simply should be told so.

  130. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  131. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  132. The SZ says:

    renaming a hd (set label) acts different than renaming a network connection.

    on hd:

    1) "attention you must be admin"

    2) "click yes if you can read"

    on network connetcion:

    1) "click yes if you can read"

    Steffen

  133. Charles Miller says:

    Adding a new folder to the c:inetpubwwwroot folder (or any other folder where users do not have write permission) can be a bit of a trial.

    1) Right click on empty space, select New>Folder.  Vista replies "You need to confirm this operation".

    2) Click Continue – Vista goes to the secure desktop and asks "Windows needs your permission to continue".

    3) Click Continue – the New Folder appears, with the text selected ready for the new name.  Type in the new name and press return.

    4) Vista replies "You’ll need to provide administrator permission to rename this folder".

    5) Click Continue – Vista goes to the secure desktop and asks "Windows needs your permission to continue".

    6) Click Continue – Finally the new folder is in place.

    You have to respond to four dialogs to perform one operation!

    Charles

  134. jul says:

    I can’t access my own pictures since I am on vista…

    Those where taken from a digital camera and copied from winXpsp2,

    I changed for vista R5600

    And I can’t open some of my pictures anymore 🙁

    Here is what I tried :

    Turned off UAC -> NG

    +logged on with the Administrator account -> NG

    +added all the groups to my user permission -> NG

    +tried to change owner ship -> NG

    +hang myself -> TBD

    funny thing about "advance security settings" :

    in permission tab :

    "You do not have permission to view this object’s security properties, even as an administrative user.

    To try taking ownership of the object, which includes permission to view its properties, click OK to close this dialog. And then go to the owner tab."

    ok -> owner tab :

    "You do not have permission to view this object’s owner, even as an administrative user"

    🙁

    +Rope is in place

  135. jul says:

    ok I fixed it,

    to regain access to the file :

    turn ON UAC,

    then access to change owner is available…

    otherwise it’s not available

    which is strange?

  136. Atramhasis says:

    I just had a similar problem like jul (read above): With UAC turned off you don’t have permission to change security of files and folders in some cases (e.g. after denying access for all users). I don’t know if this is maybe a bug, because I can’t see the intension behind it…