Elevations Are Now Blocked in the User’s Logon Path


Hi, Jim Hong, Program Manager on UAC, here again to tell you about a new change in the UAC user experience coming in RC1. Applications that start when the user logs on and that require elevation are now blocked in the logon path.


Without blocking applications from prompting for elevation in the user’s logon path, both standard users and administrators would have to respond to a User Account Control dialog box on every log on. While this potentially becomes an annoyance for administrators, it is an unusable UI for standard users who cannot drive the UAC elevation prompt without having an administrator around to provide credentials. Furthermore, we advise users to be wary of prompts that appear without them taking an explicit action — and prompts generated at startup go against that advice.


In RC1 and later, Windows Vista notifies the user if an application has been blocked by placing an icon in the system tray and providing a notification balloon during the startup sequence. See Fig. 1 for a visual of what this might look like:



In many cases, users can operate their computers normally without the software that was skipped. Where a skipped application is needed, users can right-click this icon to run the applications that were blocked when they logged on. Users can also manage which startup applications are disabled or removed from this list by double-clicking the tray icon, which brings up the default application that controls Startup programs.


The locations from which these applications are blocked are:


• Per-user Startup Folder
• Per-user RUN Key
• Per-machine Startup Folder
• Per-machine RUN Key


Independent Software Vendors who wish to have part or all of their software suite run during the startup process are encouraged to architect their applications to run AsInvoker so that all users (that is, administrators and standard users) can run the software without the need for a UAC elevation.


A couple of exceptions to note: First, setup applications that need to complete their setup after a reboot should put their application in the RunOnce key. This key is consumed by the next Administrator account that logs on, and the setup continues without the need for an elevation. (This key can only be set by a program running with elevated privileges.) Second, applications that require UAC elevation and are pushed out via the POLICY\RUN keys are not blocked at logon. They will run and will either result in the Secure Desktop prompt or appear in the taskbar as a blinking button that requires user input before the desktop switch occurs.
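As an added example (not code from Jim Hong's post or from Windows itself), the following Python models the rules laid out in the list of blocked locations, the AsInvoker recommendation and the two exceptions above: it reads the requestedExecutionLevel from an application manifest and reports what happens to a startup entry in each location. The manifests and the location names are constructed for the example; the registry paths in the comments are the standard Run-key locations, and the highestAvailable behaviour is standard manifest semantics that the post does not discuss.

```python
"""Classify a startup entry under the RC1 logon-path rules described in the post."""
import xml.etree.ElementTree as ET

# The four locations the post says are blocked.  The paths in the comments are
# the standard locations (not quoted from the post) and are for orientation only.
BLOCKED_LOCATIONS = {
    "per-user Startup folder",     # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    "per-user Run key",            # HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "per-machine Startup folder",  # %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
    "per-machine Run key",         # HKLM\Software\Microsoft\Windows\CurrentVersion\Run
}
RUNONCE_KEY = "RunOnce key"        # HKLM\...\CurrentVersion\RunOnce, settable only when elevated
POLICY_RUN_KEY = "Policy Run key"  # the POLICY\RUN keys populated through Group Policy


def requested_execution_level(manifest_xml: str) -> str:
    """Return the requestedExecutionLevel declared in an application manifest.

    The element sits under trustInfo/security/requestedPrivileges; its namespace
    differs between manifests (asm.v2 or asm.v3), so match on the local name.
    A manifest without trustInfo is treated as asInvoker; heuristic installer
    detection (see Jitta's comment) is deliberately not modelled.
    """
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level", "asInvoker")
    return "asInvoker"


def needs_elevation(level: str, user_is_admin: bool) -> bool:
    """Does launching with this level trigger a UAC elevation for this user?

    requireAdministrator always elevates; highestAvailable (standard manifest
    semantics, not covered by the post) elevates only when the invoking user is
    an administrator; asInvoker never elevates.
    """
    if level == "requireAdministrator":
        return True
    if level == "highestAvailable":
        return user_is_admin
    return False


def logon_outcome(manifest_xml: str, location: str, user_is_admin: bool) -> str:
    """What happens to this startup entry when the user logs on (RC1 rules)."""
    elevates = needs_elevation(requested_execution_level(manifest_xml), user_is_admin)
    if location in BLOCKED_LOCATIONS:
        # Blocked entries surface as the tray icon and balloon; the user can
        # launch them afterwards by right-clicking the icon.
        return "blocked" if elevates else "runs"
    if location == RUNONCE_KEY:
        # Consumed by the next administrator logon, without an elevation prompt.
        return "runs" if user_is_admin else "deferred until an administrator logs on"
    if location == POLICY_RUN_KEY:
        # Not blocked: yields the Secure Desktop prompt (or a blinking taskbar button).
        return "prompts" if elevates else "runs"
    raise ValueError(f"unknown startup location: {location!r}")


def manifest(level: str) -> str:
    """Build a minimal Vista application manifest (constructed sample input)."""
    return f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


if __name__ == "__main__":
    cases = [
        ("requireAdministrator", "per-machine Run key", False),
        ("asInvoker", "per-user Startup folder", False),
        ("highestAvailable", "per-user Run key", True),
        ("requireAdministrator", POLICY_RUN_KEY, False),
        ("requireAdministrator", RUNONCE_KEY, False),
    ]
    for level, location, admin in cases:
        who = "admin" if admin else "standard user"
        print(f"{level:22} {location:28} {who:14} -> {logon_outcome(manifest(level), location, admin)}")
```

The asInvoker manifest built by `manifest()` is the shape ISVs are being asked to ship: with it, the same binary starts for administrators and standard users alike without touching the elevation path.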


This feature streamlines the logon path so that users can start using their Vista PCs quickly, with as little distraction as possible. Users retain control over these UAC elevations, which reinforces the UAC theme of putting admin elevation under the user’s control.


Comments (43)

  1. Mitch Tulloch says:

    What about logon scripts?

  2. Friend of Random Reader says:

    One minor note: There is no such thing as a "system tray". See http://blogs.msdn.com/oldnewthing/archive/2003/09/10/54831.aspx

  3. Mark Minasi says:

    In response to the first question:

    I created a short batch file that just ran a whoami /all>report.txt and put it in the "Logon" area of my local group policy, then logged off and back on.  The whoami output showed that my account (a local admin) has all of its SIDs and privileges, so … I’m guessing because I only have 5472 … that unless the later build applies the split token, then everything in the logon script will run with full permissions and privileges.

  4. Starting with Windows Vista RC1, which should be here in the not too distant future, you will see a new…

  5. Original source: Elevations Are Now Blocked in the User’s Logon Path Hi, Jim Hong, Program Manager on

  6. war59312 says:

    Very nice! Was starting to get annoying!

  7. I just noticed these blog posts related to Windows Vista security that may interest y’all.

    Built-in…

  8. Dan Petitt says:

    I am confused, my applications are installing an icon in Programs->Startup folder and none of these are requesting admin password to continue on startup under Admin/Standard or Guest accounts??

  9. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  10. Kurt Harriger says:

    Is it possible to configure a program to start with elevated permissions?  I realize the goal of UAP is to prevent unauthorized use of admin privileges.  However, I don’t get why I can’t authorize an application ONCE and be done with it.  I can’t imagine UAP is going to start prompting me if I want to start the SQL Server Service.  Are services by definition somehow more secure?  For a windows service to interact with a windows tray icon it must provide inter-process communication, whereas a self contained tray icon may not have required any ipc at all, which is likely more secure?

    Unix has long had the ability to run applications as the “owner” root or otherwise with no prompting required, but only the owner of the file could set the required file attribute.  Rather than make unix less secure I believe it has helped to keep it secure, because it is not necessary to login as another user to interact with a privileged application.  Should I be prompted for administrative privileges to run a Sql Query on a database if SQL is running as local system?  It just doesn’t make sense, SQL has been designed to provide access to resources such as a database file that the user does not otherwise have direct access to.  Sure there are security risks involved in exposing a privileged process like SQL to requests on port 1433, but it is NECESSARY for SQL to do so in order to be a useful application!
    UAP is under the false impression that all processes that require administrative privileges are DANGEROUS.  They can be but they don’t have to be, and I don’t think it is Microsoft’s place to make the decision that Windows Firewall is safe but a third party firewall product is not.  (although if it is implemented as a tray icon rather than a windows service it is probably not much use).
    Personally I’m tired of using run as or login as administrator in order to perform routine administrative tasks… yes administrative tasks I need to do those occasionally, and with MSCA and MSCD.NET certifications I feel rather comfortable with the tasks I need to perform.  What I feel least comfortable doing is running Internet Explorer as an administrative process or even a standard user process, IMHO Internet Explorer should run as an anonymous user with permissions only to the temp internet files, a download and upload directory, how many times have I seen … vulnerability in IE may allow arbitrary code execution…. what does UAP do to protect me?  Nothing!  What I want from UAP is to restrict processes like IE, not users like myself from performing basic administrative tasks.

    Kurt:

    UAC applies only to interactive desktop apps, not to services.  You don’t need to consent to elevation in order to run the SQL services.

    I don’t understand your point about a “self contained tray icon”.  Services should not display UI directly, period.  They shouldn’t on XP, and steps have been taken to prevent past abuses on Vista.  A channel between the interactive user and any elevated service must be tightly constrained — more tightly than the window messaging infrastructure has allowed.

    Unix has long had SUID — and this has been a constant source of elevation-of-privilege problems on Unix platforms.  The Windows team made the conscious decision (and the correct decision, IMHO) not to introduce those problems on Vista.  The “approve once” paradigm you describe is essentially SUID.

    I don’t understand the point you’re trying to make about Windows Firewall vs. 3rd party firewalls.

    Finally:  Internet Explorer on Vista does exactly what you ask:  it runs as a Low Integrity process with greatly reduced privileges.  It cannot access the file system the way your other apps can.  Read this for more info.

    HTH

    — Aaron Margosis

  11. Jim Hong says:

    "I am confused, my applications are installing an icon in Programs->Startup folder and none of these are requesting admin password to continue on startup under Admin/Standard or Guest accounts??"

    Dan,

    UAC will only block those apps that require admin privilege at startup.  If your app does not require elevated privileges, it will continue to startup without any intervention.  

    HTH,

    Jim

  12. Kurt Harriger says:

    I wasn’t aware that Vista labeled processes with an integrity level… this is GOOD!  However the documentation is very IE specific?  Does this only apply to internet explorer? is it possible to assign an integrity level to other applications such as MSN Instant Messenger for example?

    As far as tray icons let me give you a more practical scenario… Administrators should monitor the Windows Event log for errors, but all too often the event log goes unchecked unless there is a specific problem.  So I put on my developer hat and I write a notification icon that will monitor the event log for errors and display an alert if any errors are encountered.  The event log is a privileged resource which requires that I have administrative privileges to access, and for good reason since events could possibly contain sensitive information such as an application connection string containing a password.  Vista no longer allows me to create a tray icon to monitor the event log, so now I create myself a windows service that will monitor it for me… but then how is this service to alert me, now a standard user, that a new error has been recorded?  Well the service could provide a named pipe to publish events to that my notification icon can monitor… however my service shouldn’t provide this sensitive information to every user only administrative users, which are now standard users.  This application NEEDS administrative privileges to read the event log either as a service or a tray icon, as a service IPC is required and the solution just became more complicated and more risky, and now how does the windows service determine if the user is authorized to receive notifications?  What is the recommended way to implement this application in Vista?

    Another example is the frequently mentioned ipconfig /renew.  Standard users occasionally need permissions to execute this PRIVILEGED command, adding usb devices, printers, etc… all privileged commands that need to be executed as necessary to make the system USEFUL.  I don’t think an OS hack to allow users to add printers and USB devices is a good solution, I’ve seen computers with GLUE packed into the USB ports to prevent users from adding/removing USB devices, clearly this should be an administrative policy not a one size fits all solution.  The primary reason that users must login as administrators now is because they CANNOT perform administrative tasks otherwise.

    Re Low Integrity:  Applications must be coded to lower themselves to low-integrity processes.  As far as I know, Internet Explorer is the only app that does this today, but the documentation shows how other apps can do the same.

    Re a “tray icon to monitor the event log”… If I understand your scenario, you have a desktop app running on XP or 2003 that presents itself through a notification area icon, and which monitors the event log for changes, and which requires admin privileges to work.  You have been running as admin on XP/2003.  I assume (hope) that this app is not an interactive service running as LocalSystem.  Several options:  1. Are you aware that you do not need admin privileges to read the Application and System logs?  Only the Security log requires admin.  Change your app not to open the logs for all-access, but for read-only.  2.  Mark the app to require elevation so that it always runs with admin privileges (this will invoke a prompt).

    Re your statement, “The primary reason that users must login as administrators now is because they CANNOT perform administrative tasks otherwise.”  Users should not have to perform administrative tasks!

    — Aaron Margosis

  13. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  14. Geoff Coupe says:

    I don’t find this intuitive at all. The balloon’s wording leads me away from the solution of how to unblock a startup program. See: http://gcoupe.spaces.live.com/blog/cns!6AA39937A982345B!2498.entry

  15. Nishant Thorat says:

    Hi,

    I am reading a lot about UAC almost everywhere and trying to migrate our application to Vista. I could elevate my application programmatically. Is there any way to take the application to medium integrity from high integrity?

    Thanks,

    Nishant

  16. Nishant Thorat says:

    I mean using a manifest I could elevate my application. I need a way to shift to medium level, programmatically. Unfortunately I don’t see any API exposed for that matter.

  17. Jitta says:

    Hello. I am a Japanese beta tester.

    I am using automatic translation, so please forgive any strange English.

    I am using InstallShield 12 of Macrovision.

    http://www.macrovision.com/products/flexnet_installshield/index.shtml

    It has an Update Service function. This function provides an automatic update function, even if the application does not have one.

    It registers with HKLM/Software/Microsoft/Windows/CurrentVersion/Run. And the character "InstallShield" is included in file description.

    Although it can run in user mode, the installer detection function judges this function to be an "installer" because of the brand name "InstallShield." For this reason, elevation is needed to run it, and it is blocked.

    Since it can operate in user mode, I want to make it operate in user mode, but can this be done?

    thank you.

  18. Kurt Harriger says:

    Aaron, thanks for the feedback.  I haven’t actually developed said application it was just a scenario I thought up of a useful tray icon requiring admin privileges.  I didn’t realize until now that the ACL on the event log includes interactive user so it does not require admin privileges to monitor the local event log.  However, the notification icon would be far more useful if it monitored a server event log rather than the local event log for which (domain) admin rights are required.  The point being that run as works okay to perform one-off administrative tasks like reset a user’s password, but monitoring network health is an ongoing activity and tools that do so may require permissions to those resources.

    Your statement "Users should not have to perform administrative tasks!" I think sums up MS perspective nicely… and I disagree!  It sounds good in theory, the problem is the definition of "administrative task."  

    Currently Microsoft decides what is an "administrative task."  Installing a scanner… that requires an admin account, install an online activex meeting control, you need to be admin, and on and on…

    Users need to be able to connect to network resources, users need to be able to receive email, and use usb devices.  These in themselves are not administrative tasks, however before the user can connect to the network it needs to be configured, before the user can receive an email the necessary software needs to be installed, before the user can scan the document the scanner drivers need to be installed, and these are administrative tasks.  The user’s activities not the administrator’s define what administrative tasks will need to be performed.  All these tasks need to be performed in advance by an administrator.


    In a corporate office environment where administrators are readily available this may not be a problem.  However, the sales guy currently on the road broke his scanner and needs to get that document to the client tonight so he goes to the local best buy and they don’t have the same model he currently uses or even the same brand so he buys whatever is available, but has difficulties installing the drivers, calls up the IT guy and says I can’t install the drivers for my scanner, what do you do?  do you give the sales guy the admin password?  therefore giving him the ability to not only install the scanner but also change the firewall policy you carefully configured?

    In other words, "Users should not have to perform administrative tasks!" might be more practically worded as "Users need to have an administrator perform ANY administrative tasks or have the administrative password to perform ALL administrative tasks!"  

    When I was a unix administrator I managed 100+ remotely connected unix systems each installed at a client site where there was no IT staff, if it was a hardware issue dell would be onsite to fix it within hours almost everything else could be done remotely.  However with 100+ clients to support I didn’t work alone, our support department could handle most all typical issues such as adding a new user account, and a variety of other root level tasks, however these support guys were not experienced unix admins they initially worked off detailed documents that told them exactly what commands needed to be typed.  However one day while installing a software patch one of our support guys accidentally typed rm /* and I was on a plane before the sun had set.  Our solution to this problem involved writing SUID scripts for all common support tasks that required root permissions if it wasn’t on the menu the call needed to be elevated to myself or one of our developers in the UK.

    The support team required the ability to perform some administrative tasks but they did not need the ability to perform ALL administrative tasks.  This is ultimately the benefit of SUID because it allows us to develop software specific to our needs that can allow application defined users the ability to perform specific administrative tasks WITHOUT the user having the administrator password.

    In a Windows environment you either give the user the administrative password or you don’t there is very little in between.  Ideally there would be a local security policy setting for all administrative tasks so that administrators could have the option to delegate some of these tasks to the user himself.  But even if every administrative task had an associated ACL it is not possible for MS to think up every possible scenario for every possible environment.  It would be like trying to grant a user permissions to modify an SQL table but not the table schema using NTFS permissions.

    Requiring the user to have the administrative password to perform ANY administrative task is a lot like requiring the user to have write permissions to the SQL database files on the server.  If you grant the user access to the database files you effectively NULLIFY the SQL server’s APPLICATION DEFINED ACLs.

    Windows DOES have SUID but ONLY for services and this limits its usefulness.

    If companies are going to be successful in getting the administrative password away from users, then Administrators NOT Microsoft must define what tasks are administrative tasks.

    – Kurt

  19. Special Section: ASP.NET 2.0

    [ASP.NET] [Windows Forms and Smart Clients] Dundas Map for .NET…

  20. Anonymous says:

    Kurt, here’s something to keep in mind.  When the user in your scenario installs a scanner driver, you are effectively granting them admin privs.  In the simple case, it’s because the driver isn’t signed and they can install arbitrary code that will run at the kernel level.  In the somewhat more complex case, it’s because the signed driver has a known security hole that was fixed in a later version, but because there is no way to revoke the signature on the old drivers, users can still use them.

    If you don’t believe me, think security holes in wireless drivers (this has gotten a lot of press lately) and that many of those were digitally signed by Microsoft.  So if you grant me the privs to install signed drivers, all I have to do is find an old copy of the driver and insert the PC Card wireless device, supply the old CD, and then send it specially crafted packets.

    As far as things like ipconfig /release /renew, there are solutions to that.  Write your own service.  It’s not that hard to write a service that allows the administrator to register a list of scripts that can be triggered by a user on the local machine.  Use writable directories with safe file formats for IPC.  Be very careful in your decoding logic.  Be even more careful in how you write those scripts.  My users can execute a user-level script that passes information to the script triggered by the service to do things like setting a static IP address (this is temporary because my Network Configuration service resets things to DHCP whenever it sees a network cable get unplugged), resetting the Power Configuration settings so that notebooks don’t go to sleep after 20 minutes, configure PCMCIA modem properties to adjust them to lower baud rates for dial-up over high-latency connections, etc.

    My presumption as to why Microsoft did not develop their own version of this is that it requires a lot of discipline on the part of the developer to ensure that there are no injection attacks available (i.e. if I were to use netsh to configure the static IP and then pass unvalidated user input in the system call), so they figured that anyone smart enough to write scripts to run from a sudo system was also smart enough to write their own sudo system.

  21. JonW says:

    Alternatively you could just turn all this off!

    In the local security policy you can just set the admins and/or users to automatically elevate privileges – ironically this is even less secure than XP, but at least you need admin privs to set it.

    It took me about 5 minutes to find this entry so I’ve no doubt that a million other people already know about it – I went looking for it after about the 300th time I was asked ‘do you want to allow this’ when just trying to set up Vista the first time I logged on…

  22. Sam says:

    I made an add-on that work with Microsoft outlook ( using VS 2005 C++ ).

    I used install shield to install the add-on.

    It works fine with Windows XP and Office 2007, but I face problems with Vista. For example, I have a .txt file on which the privilege I have is Read, Read & Execute only by default, so the tool fails when I try to write to this file.

    I don’t know how I can write to this file. Should I do this from install shield?  Or some new API? Help please

  23. I just noticed these blog posts related to Windows Vista security that may interest y’all. Built-in Administrator

  24. Phil says:

    Hi

    I too am a developer of an app that a) starts up at logon, and b) requires administrator access. So this issue is of great interest (and annoyance) to me. I am trying to understand how to work around this restriction. I noticed this comment up above in the original post:

    "… applications that require UAC elevation that gets pushed out via the POLICY\RUN keys will not get blocked at logon…"

    Well that sounds vaguely promising, but unfortunately I have no idea what "via the POLICY\RUN keys" means. I don’t suppose anyone out there can provide a translation?

    (And I also don’t see why Vista can’t provide a button the user can click to enable an application to run at startup so they don’t get blocked and/or prompted for permission every time. It just seems like such an obvious thing.)

    Thanks!

    Phil

  25. Jim Hong says:

    The policy keys are populated by ITPros who wish to push apps out to their users via policy.  It’s not meant for ISVs to use to force admin elevations at logon.

    The best mitigation for your application is to remove the administrator privilege requirement for it.  The next best method is to run the application AsInvoker and have a separate process that runs as administrator that runs post-startup, preferably user-initiated.

    Why do you need admin privileges at startup?

    J.

  26. Jeff Galbraith says:

    If you sign your privilege-elevated application will it still be blocked in the Run path?

  27. Jim Hong says:

    Yes, it will.  This isn’t so much about how trustworthy your application is, it’s about the user experience of all applications and the OS.

  28. Jeff Galbraith says:

    Ok, so what’s the best approach for getting something running at login time that requires elevated privileges?

  29. tlim says:

    I have a serious issue with "A couple of exceptions to note: First, setup applications that need to complete their setup after a reboot should be putting their application in the RunOnce key. This key gets consumed by the next Administrator account that logs on, and the setup will continue without the need for an elevation".

    The problem with this is that as a "standard user", you might get access to the administrator username and password.  You start up the .exe, get the prompt, and then install the software.  Or so you think.  The application must finish its install after reboot.  I’d sure like to put that in the RunOnce key.

    Then, as a standard user, I sign in again.  I didn’t sign in as an administrator, so my RunOnce doesn’t get called at all, and the install never finishes up?  Am I misinterpreting something here?

  30. Bill Wood says:

    I just installed Vista, yes looks nice.  However under XP I have a much needed program that runs on startup called Powerstrip, now under Vista it won’t run.  Why isn’t there some way for me to authorize this program to run at startup?  Is the only way for me to modify the local security policy to set the admin and/or users to automatically elevate privileges (as someone suggested above), and thus forego all protection?

    This whole thing really has me boiling.

  31. Niclas Lindgren says:

    Bill:

    You could try adding the program to the scheduled tasks and set it to run at logon. And thus remove it from startup/run wherever it is now.

  32. Edward says:

    Windows Vista blocked my wampserver from running on startup. I managed to fix it. First I removed wampserver from the Startup group on the start menu. Then I used the Task Scheduler (Start -> Accessories -> System Tools -> Task Scheduler) to schedule the program to run "At log on". I selected the "Run with highest privileges" option and disabled "Start the task only if the computer is on AC Power" and also disabled "Stop task if it runs longer than 3 days".

  33. Matt says:

    So for developers who need desktop applications to run at startup silently and with high integrity (eg elevated, admin rights) the only solution seems to add an entry to the task scheduler???? Our application has to create a shadow copy to run and that requires admin privileges!

    I do not get why the user is unable to approve an application to run at startup with admin privileges!

    Matt —

    Without blocking applications from prompting for elevation in the user’s logon path, both standard users and administrators would have to respond to a User Account Control dialog box on every log on. While this potentially becomes an annoyance for administrators, it is an unusable UI for standard users who cannot drive the UAC elevation prompt without having an administrator around to provide credentials. Furthermore, we advise users to be wary of prompts that appear without them taking an explicit action — and prompts generated at startup go against that advice.

    Hope this helps.

    — Aaron Margosis

  34. Matt says:

    Thank you, Aaron.

    A friend of mine helped me formulate my question with better wording!

    I do not get why the user is unable to [pre-]approve an application [at install time] to [silently elevate and] run at startup with admin privileges!

    Example: install a special scheduler for the administrator only (not for other users); the scheduler needs to run at startup silently and to elevate silently in order to create volume shadow copies.

    In Vista, it seems that you can do that only by

    – Writing a service.

    – Schedule a task, in the new task scheduler, which will run at startup (it seems you can switch on the option to elevate silently in the task properties).

    thank you.

  35. Windows Vista significantly changed the way applications are handled when the user logs on, now blocking elevations in the user’s logon path, which prevents users from running programs on startup that require administrator privileges. Unfortunately, Vist
