UAC Improvements in Release Candidate 1 (RC1) and Video


We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account Control. It’s definitely an area where we’ve received significant feedback, and an area where we’ve been able to make significant improvements in Windows Vista Release Candidate 1.


On June 1, Steve Hiskey, Lead Program Manager for User Account Control, blogged about the team’s plan to reduce the prompts in RC1. We’ve created a video to show you some of the work the team has done since then.


> Watch video


Prompt reductions shown in the video:




  • File operations, reducing the prompts caused by adding, deleting, or editing files in protected directories. For example, administrators can delete shortcuts from the public desktop without receiving a prompt. And the user should no longer receive a prompt when copying files to a newly formatted storage drive.




  • Re-architecting several Control Panel applets so that they no longer prompt when opened. Examples include the Firewall applet, Scanners and Cameras applet, and the Software Explorer of Windows Defender.




  • Reducing prompts when creating new network connections.


In addition to the prompt reductions shown in the video, users can install high-priority updates without a prompt, and will receive fewer prompts caused by unknown devices and driver installation. Based on these changes, we are finding that, on average, users are not receiving any prompts most times that they use Windows Vista.


Other improvements besides prompt reduction that we’ve made to Windows Vista RC1 are:







  • UAC prompts will not “steal focus” from the user’s task. If the operating system cannot determine that the prompt was generated from the foreground window the current user is using, we will alert the user with a highlighted operation in the taskbar that an application is requesting elevated privileges. The user can select to elevate at his or her convenience and not be disrupted by an unplanned application elevation.




  • Elevations are now blocked in the user’s logon path. Applications improperly elevating during each and every logon were a significant source of feedback from the Beta 2 release, and based on that feedback, we are disallowing elevations during logon.







  • Improved performance when switching to the secure (dimmed) desktop to display the prompts. We received significant feedback that the small delays during switching were disruptive, and we have worked with the video and display teams to enhance the user experience in this area.


If you’ve used an earlier version of Windows Vista, we are confident that you’ll notice the improvements in RC1. If RC1 is your first chance to use Windows Vista, you’ll probably wonder what all the fuss was about.


– Alex Heaton
Windows Vista Security


Comments (34)

  1. aC says:

    Nice to see that feedback is being used well…

    In fact it seems removing prompts is on your mind a little too much. Shouldn’t

    "administrators can delete shortcuts from the public desktop without removing a prompt."

    actually say

    "administrators can delete shortcuts from the public desktop without >>receiving<< a prompt."

    :-)

  2. windowsvistasecurity says:

    Thank you aC, I fixed that. – Alex

  3. One of the areas of Windows Vista on which we’ve received the most feedback is User Account Control (UAC). …

  4. rsclient says:

    Here’s more feedback: when blogging, it helps to say things that are true, and not say things that are not true. Take, for example, your statement "We received significant feedback that the small delays during switching were disruptive". The word small carries a clear implication that the delays are unimportant. When your team wrote the feature, you probably thought that they were.

    However, once you got feedback about the feature, it’s clear that it’s not a small delay. Overwhelmingly, everyone I know who’s seen it thinks that it’s a big delay. Clearly other people think so too ("significant feedback").

    Ergo, a true statement would be: "We received significant feedback that what we hoped would be small delays during switching were in fact too long and disruptive"

    There!  A true statement!  One that you can write and be satisfied with!  Even better, by being more humble, and by acknowledging that your customer feedback is important, the new statement reflects better on Microsoft than the original.

  5. speedy5662 says:

    In RC1 has it been made so that you can disable the UAC, without the red shield prompt to irritate the user? If not will this be something that could be utilized in a future release? For me, I am the only user on my computer and I find that the UAC is nothing but a pure aggravation. I would like to disable this feature without getting a red shield or any other "alerts" that it is off.

    Thank you

    Jonathan  

  6. Maurizio says:

    Can you make standard user as default at the end of installation? Because I think many people continue to use admin user as default.

    At the end of installation you require administrator password and to make a standard user and use it as default

    Thanks for all

    Maurizio

  7. As you may have heard by now, Windows Vista Release Candidate 1 (RC1) is complete! See the announcement…

  8. Mike W says:

    UAC still needs a lot of work. Deleting items still yields too many prompts (with the confirm on delete option set in recycle bin), there is a total that could be up to four different prompts.

  9. Wiest, Brian says:

    With some of the work that is still needed. Make an option to always allow source to run. I am connected to a SBS2003 machine as many of my clients are, when logging on the server runs a setup program to configure the workstation. EVERY time I log on I have to accept the UAC prompt for the server setup program. Please allow me to trust it.

    Thank you

  10. Vista RC1 Reaction Roundup

  11. Antti Aspinen says:

    Well, UAC does better job at RC1 but why hasn’t Microsoft gone to the route of UNIX and established a clear rights management classes for the applications and also where are the tools to do stuff like chown root:root /Users/Files/To/Be/Changed/*

    I know you got that kinky change attributes window which doesn’t serve well users like me when I want to remove rights from guys like 345234-23452345-2345234-23452 which was created by XP?

  12. Chesong Lee says:

    Would COM elevation using InvokeAs idiom without registry entries (registration-free COM object) be impossible?

    UAC Elevated moniker still requires registry entry and does not seem to support manifest-based COM.

    It seems like COM-based approaches for UAC-friendly applications are the best option for ISVs. If manifest-based isolated COM objects are also supported, it would be great for both developers and IT administrators for application deployment.

    Is there any particular reason that it is not feasible?

  13. JanRei says:

    I think UAC works much better in RC1 than in Beta 2. But there is still work to do.

    I often receive multiple warnings for one action. For example when I want to run a program directly after being downloaded via IE7, I get one warning from IE7 then from UAC.

    Or when I want delete a file which needs administrator privileges I get two warnings.

    Are there chances that this will be reduced to one warning each?

  14. hsuhd says:

    I still hate it… it asks me about everything to change…I don’t like the idea at all…

  15. andrew says:

    Hello,

    I upgraded my machine from Beta 2 to RC1. Before upgrading I had renamed my default ‘Administrator’ user account to ‘ServerAdministrator’ using the Local Security Policy setting ‘Rename Administrator Account:’. I also had one other user account (‘andrew’) belonging to the ‘Administrators’ group because of being bitten from upgrading from XP to Beta 2.

    Anyway the same bug has occurred:

    Once I upgraded from Beta 2 to RC1 I logged into my ‘andrew’ user account, ensured that the ‘ServerAdministrator’ account still had Administrator permissions and then removed the Administrators group from the ‘andrew’ user account.

    I logged off expecting to see the ability to login to either the ‘andrew’ account and ‘ServerAdministrator’ account, however the login page only displays the ‘andrew’ account to login to.

    Now whenever I am prompted by the secure desktop it asks me to enter an administrator password, however I do not have anywhere to type in the password: ie you guys are not presenting me with a textbox to enter the password….. seriously this is so GOD DAMN ANNOYING!!!!! I suspect it’s because I upgraded with my administrator account renamed to ‘server administrator’ and you guys don’t respect the fact that I have renamed it.

    Is it possible to fix my laptop, or will I have to reinstall?

  16. andrew says:

    It turns out that you guys disabled the ‘serveradministrator’ account when I upgraded to RC1. I could fix this by loading Vista in safe mode, which then allowed me to log on as the serveradministrator user and re-enable the account.

  17. windowsvistasecurity says:

    Andrew, yes we now disable the "built in administrator account" regardless of its name. http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx.

    I want to understand what you were seeing when you said "i do not have anywhere to type in the password: ie you guys are not presenting me with a textbox to enter the password"

    what did the prompt look like? what did it say?

    – Alex

  18. windowsvistasecurity says:

    Jonathan, if you prefer not to receive the red prompts from the Windows Security Center you can configure this using the "Change the way Security Center alerts me" link on the left side of the security center.

    – Alex

  19. speedy5662 says:

    Thank you for a response Alex, however the "Change the way Security Center alerts me" does not allow me to shut the UAC "red" shield off. It is only for updates, antivirus and firewall, disabling. I do like the concept of the UAC for those users that need it, however for me it is completely useless and I/we should be able to completely remove it without any "warnings" regarding its disablement.

  20. windowsvistasecurity says:

    On RC1, when I enable the "Change the way Security Center alerts me" setting, I do not get the red security center alerts if UAC is disabled. The behavior may have been different in early builds. Which build # of Windows Vista are you using?

    Also, I question the "however for me it is completely useless" statement. If you disable it, and run as an admin, all of your software will be running as admin too. And if a piece of malware is able to exploit a vulnerability in one of those programs, that malicious code will be running with admin privileges as well. With UAC enabled, the programs you run will have standard user privileges, and will be more difficult to use in a serious exploit that could take over your computer. So please consider leaving it enabled.

    – Alex

  21. I’ll add to Alex’s comments.  Many people believe they’re protected from malware because they keep up to date on patches and don’t browse "strange" locations.  The problem is that the criminals have gotten much more aggressive about 1) finding and exploiting previously unknown bugs in software (all software, not just Microsoft’s), and 2) hacking into well-known and trusted web sites to exploit innocent victims.  If you’re running as admin when you unknowingly get hit with one of these, the criminals will have absolute control over your system.  UAC will dramatically reduce the impact that this malware can have.

  22. speedy5662 says:

    Ok I wasn’t sure about the "red" alert in RC1, since I have not loaded it yet. Truthfully it was one of my hold-ups. The last version I tried was 5536. Now to the point of the UAC that you both mention, I can say this is very true about the malware, hacking, etc… However for me I do have the utmost confidence with the security programs that I use. (Not Norton or McAfee either for obvious reasons.) I do have 2 hardware firewalls and a software firewall (2 if you include the XP firewall). Also I have 2 Antivirus and 3 anti spyware programs. I guess you could say that I run a tight ship! I have never been hacked….Knock on wood…and yes I have had occasional viruses due to my own stupidity. I also encourage my customers to utilize the same types of protection. The problem that I have with the UAC is also that hackers will eventually get way ahead and trash all of Vista if they figure out how. (Some already have found a lot of hacks, BTW) So I hope this helps to my original question of permanently disabling UAC and as to why I and others would want the same.

    Jonathan

  23. andrew says:

    @Alex – here is a link to a picture that I posted on channel9

    http://static.flickr.com/89/238925965_37e6fe9951.jpg?v=0

    The link to channel9 is

    http://channel9.msdn.com/ShowPost.aspx?PostID=233655

    Thanks

    andrew

  24. Lani Phillips says:

    I just installed Vista Beta RC1 and decided to do a clean install. Everything with Vista is working great (so far), but when I went to redownload Office 2007 Beta, it told me that Vista Beta RC1 users must come back at another time to get the Microsoft Office 2007 Beta Refresh. Am I missing something? The instructions for loading Vista RC1 did not say Office 2007 Refresh was not available. Can I still download the original Office 2007 beta program or do I have to wait for the Refresh to come out for download? Had I known it was not ready, I would have waited to install the Vista RC1 upgrade. Any ideas or suggestions would be greatly appreciated.

    **Note: for anyone who plans to do a clean install– if you plan to use the Office 2007 beta, they are now charging $1.50 per application for the download; AND the REFRESH is not currently available.

  25. for those who don’t know what RSI is read here

    http://en.wikipedia.org/wiki/Repetitive_strain_injury

    but if you are a vista user or will become one, you will know very well what it is "firsthand" no pun intended.

    UAC is that horrible idea some retarded person in MS thought of that pops 100 times in your face.

    http://en.wikipedia.org/wiki/User_Account_Control

    You have to do so many mouse clicks and movements that the RSI foundation should sue Microsoft for destroying the health of so many people world wide.

    This is NOT taking into account the stress and frustration this "FEATURE" will introduce to the world.

    Perhaps a multi billion law suit will make MS think how to design an OS for humans.

  26. fcat says:

    @RSI foundation to SUE Microsoft over UAC

    RSI is retarded and ignorant

  27. Luca says:

    I would like an option to keep opened the details shown during a UAC message without needing to expand every time.

    I mean the Details button: http://static.flickr.com/89/238925965_37e6fe9951.jpg?v=0

  28. Mick Lohan says:

    Hi Guys

    Loaded a clean RC1 64 bit install onto my AMD Shuttle. Graphics fantastic, everything seemed to work until I tried to run a session from the PDC under IE7. I got prompted that the add-on ‘Microsoft Office Animation Runtime’ was required – so I clicked install ActiveX and your lovely UAC permission prompt appeared. Pressed Continue and then pressed install on the Security warning messagebox. The messagebox cleared and I was brought into Windows Messenger. On pressing play I again got the UAC prompt. I pressed Continue and the first slide appeared. Subsequently every time a new PowerPoint slide is about to be displayed up comes the UAC prompt and it doesn’t make any difference if I press ‘Continue’ or ‘Cancel’, the next PowerPoint slide is displayed anyway.

    As you can imagine after about 20 clicks – I was getting slightly upset. I admit it – I succumbed to the inevitable and decided to turn off the UAC. Which maybe you guys have made too easy to do.

    I restarted the PC and again went to view the PDC session. This time on accepting the prompt to install the ActiveX I was brought to the Microsoft download center and downloaded the PowerPoint animator add-on. As you’d expect, everything worked swimmingly from then on.

    Then I got this guilty feeling that as you guys have put so much effort into the UAC – I should really give it another shot. I turned on the UAC again and restarted the PC.

    When I re-ran the PDC session everything worked as it should.

    If the beta refresh of Office had been available – the ActiveX would probably have been loaded with Office ….

    Now there’s a thought.

    Keep up the good work – I appreciate that this is trial software and must be fully tested. I hope this was of some use to you guys.

    P.S. just to confirm I ran into the same problem with a 32 bit install.

  29. thomasm says:

    Funny thing… I went to the forum where this was posted (http://forums.techarena.in/showthread.php?t=585060) and it looks like you’re the only one ready to sue Microsoft over this. Good luck with that; hope you have a lot of resources at your disposal. Especially when it’s shown in court that you had the option to turn it off but didn’t use it.

    By the way, please learn English. Thank you.

  30. Izzat Alsmadi says:

    I am running Windows Vista and GP 9.0. Upon installing SP1 for GP 9.0, installation seems running fine, but it will never take effect and the release version will keep showing 9.00.0114 rather than 9.00.029 I believe with the SP updates.