Notes on comments.
Welcome to our blog dedicated to the engineering of Microsoft Windows 7
We promised that this blog would provide a view of Engineering Windows 7 and that means that we would cover the full range of topics—from performance to user interface, technical and non-technical topics, and of course easy topics and controversial topics. This post is about User Account Control. Our author is Ben Fathi, vice president for core OS development. Because UAC is a feature that crosses many aspects of the Windows architecture—security, accounts, user interface, design, and so on—several other members of the team contributed to the post.
We continue to value the discussion that the posts seem to inspire—we are betting (not literally of course) that this post will bring out comments from even the most reserved of our readers. Let’s keep the comments constructive and on-topic for this one.
FWIW, the blogs.msdn.com server employs some throttles on comments that aim to reduce spam. We don’t control this and have all the “unmoderated” options checked. I can’t publish the spam protection rules since that sort of defeats the purpose (and I don’t know them). However, I apologize if your comment doesn’t make it through. --Steven
User Account Control (UAC) is, arguably, one of the most controversial features in Windows Vista. Why did Microsoft add all those popups to Windows? Does it actually improve security? Doesn’t everyone just click “continue”? Has anyone in Redmond heard the feedback from users and reviewers? Has anyone seen a TV commercial about this feature?
In the course of working on Windows 7 we have taken a hard look at UAC – examining customer feedback, volumes of data, the software ecosystem, and Windows itself. Let’s start by looking at why UAC came to be and our approach in Vista.
Technical details aside, UAC is really about informing you before any “system-level” change is made to your computer, thus enabling you to be in control of your system. An “unwanted change” can be malicious, such as a virus turning off the firewall or a rootkit stealthily taking over the machine. However, an “unwanted change” can also be an action by someone who has limited privileges, such as a child trying to bypass Parental Controls on the family computer or an employee installing prohibited software on a work computer. Windows NT has always supported multiple user account types – one of which is the “standard user,” which does not have the administrative privileges necessary to make changes like these. Enterprises can (and commonly do) supply most employees with a standard user account while providing a few IT pros administrative privileges. A standard user can’t make system-level changes, even accidentally, by going to a malicious website or installing the wrong program. Controlling the changes most people can make to the computer reduces help desk calls and the overall Total Cost of Ownership (TCO) to the company. At home, a parent can create a standard user account for the children and use Parental Controls to protect them.
However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. This is partly due to the first user account defaulting to administrator, since an administrator on the machine is required, and partly due to the fact that people want and expect to be in control of their computer. Since most users have an Administrator account, this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes. Software written this way would not work for standard users, such as the enterprise user and parental control cases mentioned above. Additionally, giving every application full access to the computer left the door open for damaging changes to the system, either intentionally (by malware) or unintentionally (by poorly written software).
Figure 1. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.
User Account Control was implemented in Vista to address two key issues: one, incompatibility of software across user types and two, the lack of user knowledge of system-level changes. We expanded the account types by adding the Protected Admin (PA), which became the default type for the first account on the system. When a PA user logs into the system, she is given two security tokens – one identical to the Standard User token that is sufficient for most basic privileges and a second with full Administrator privileges. Standard users receive only the basic token, but can bring in an Administrator token from another account if needed.
When the system detects that the user wants to perform an operation which requires administrative privileges, the display is switched to “secure desktop” mode, and the user is presented with a prompt asking for approval. The reason the display is transitioned to “secure desktop” is to avoid malicious software attacks that attempt to get you to click yes to the UAC prompt by mimicking the UAC interface (spoofing the UI). They are not able to do this when the desktop is in its “secure” state. Protected Admin users are thus informed of any system changes, and only need to click yes to approve the action. A standard user sees a similar dialog, but one that enables her to enter Administrative credentials (via password, smart card PIN, fingerprint, etc.) from another account to bring in the Administrator privileges needed to complete the action. In the case of a home system utilizing Parental Controls, the parent would enter his or her login name and password to install the software, thus enabling the parent to be in control of software added to the system or changes made to the system. In the enterprise case, the IT administrator can control the prompts through group policy such that the standard user just gets a message informing her that she cannot change system state.
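The split-token model described above can be observed directly from a PowerShell session. The function below is an added example, not code from the post or from Microsoft: it reports whether the current session holds the full administrator token or the filtered standard-user token a Protected Admin gets at logon. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and the function name Get-UacTokenState is my own.

```powershell
# Added example (not from the Engineering Windows 7 post): report which of the
# two tokens described in the post the current PowerShell session is using.
# Assumes Windows PowerShell 5.1 or later on Windows (Get-LocalGroupMember).

function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # With the filtered standard-user token, the Administrators group SID is
    # present only as a deny-only entry, so this check returns $false for a
    # Protected Admin who has not approved a UAC prompt for this process.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is the account itself a member of the local Administrators group
    # (S-1-5-32-544)? Direct membership only: membership inherited through a
    # domain group is not resolved by this check.
    $adminAccount = $false
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $adminAccount = [bool]($members | Where-Object { $_.SID -eq $identity.User })
    } catch {
        # If the group cannot be enumerated, fall back to what the token shows.
        $adminAccount = $elevated
    }

    if ($elevated) {
        $kind = 'full administrator token (elevated)'
    } elseif ($adminAccount) {
        $kind = 'filtered standard-user token (Protected Admin, not elevated)'
    } else {
        $kind = 'standard-user token'
    }

    [pscustomobject]@{
        User         = $identity.Name
        Elevated     = $elevated
        AdminAccount = $adminAccount
        Token        = $kind
    }
}

Get-UacTokenState | Format-List
```

Run it once in an ordinary PowerShell window and once in a window started with “Run as administrator”: the same account reports the filtered token in the first and the full token in the second, which is exactly the two-token arrangement the post describes.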
We are always trying to improve Windows, especially in the areas that affect our customers the most. This section will look at the data around the ecosystem, Windows, and end-users—recognizing that the data itself does not tell the story of annoyance or frustration that many reading this post might feel.
UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. As mentioned in previous posts, there are ways for our customers to voluntarily and anonymously send us data on how they use our features (Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, blog posts, and in house usability testing). The data and feedback we collect help inform and prioritize the decisions we make about our feature designs. From this data, we’ve learned a lot about UAC’s impact.
UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.
In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their “sessions” - a session is everything that happens from logon to logoff or within 24 hours. Furthermore, there were 775,312 unique applications (note: this shows the volume of unique software that Windows supports!) producing prompts (note that an installer and the application it installs are counted as separate programs). This seems large, and it is, since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated its software, far fewer applications require admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.
Figure 2. Number of unique applications and tasks creating UAC prompts.
This reduction means more programs work well for Standard Users without prompting every time they run or accidentally changing an administrative or system setting. In addition, we also expect that as people use their machines longer they install new software or configure Windows settings less frequently, which results in fewer prompts; conversely, a newly set up machine sees unusually high administrative activity. Customer Experience Improvement Program data indicates that the number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1.
Figure 3. Percentage of sessions with prompts over time.
An immediate result of UAC was the increase in engineering quality of Windows. There are now far fewer Windows components with full access to the system. Additionally, all the components that still need to access the full system must ask the user for permission to do so. We know from our data that Windows itself accounts for about 40% of all UAC prompts. This is even more dramatic when you look at the most frequent prompts: Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1. Some targeted improvements in Vista SP1 reduced Windows prompts from frequently used components such as the copy engine, but clearly we have more we can (and will) do. The ecosystem also worked hard to reduce their prompts, which is why the number of Windows components on the top 50 list increased. Windows has more of an opportunity to make deeper architectural changes in Windows 7, so you can expect fewer prompts from Windows components. Reducing prompts in the software ecosystem and in Windows is a win-win proposition. It enables people to feel confident they have a greater choice of software that does not make potentially destabilizing changes to the system, and it enables people to more readily identify critical prompts, thus providing a more confident sense of control.
One important area of feedback we’ve heard a lot about is the number of prompts encountered during a download from Internet Explorer. This is a specific example of a more common situation - where an application’s security dialogs overlap with User Account Control. Since XP Service Pack 2, IE has used a security dialog to warn users before running programs from the internet. In Vista, this often results in a double prompt – IE’s security dialog, followed immediately by a UAC dialog. This is an area that should be properly addressed.
Figure 4. Number of Microsoft prompters in the top 50 over time.
One extra click to do normal things like open the device manager, install software, or turn off your firewall is sometimes confusing and frustrating for our users. Here is a representative sample of the feedback we’ve received from the Windows Feedback Panel:
We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done). However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.
Does this make the system more secure? If every user of Windows were an expert who understands the cause and effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don’t read the prompts, and thus gain no benefit from them (and are just annoyed). In Vista, some power users have chosen to disable UAC – a setting that is admittedly hard to find. We don’t recommend you do this, but we understand you find value in the ability to turn UAC off. For the rest of you who try to figure out what is going on by reading the UAC prompt, there is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it’s something you want to happen. However, we haven’t made things easy on you - the dialogs in Vista aren’t easy to decipher and are often not memorable. In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista. Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable.
Figure 5. Percentage of prompts over time per prompt type.
Figure 6. Percentage of UAC prompts allowed over time.
Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.
Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:
The benefits UAC has provided to the ecosystem and Windows are clear; we need to continue that work. By successfully enabling standard users UAC has achieved its goal of giving IT administrators and parents greater control to lock down their systems for certain users. As shown in our data above, we’ve seen the number of external applications and Windows components that unnecessarily require Admin privileges dramatically drop. This also has the direct benefit of reducing the total amount of prompts users see, a common complaint we hear frequently. Moving forward we will look at the scenarios we think are most important for our users so we can ensure none of these scenarios include prompts that can be avoided. Additionally, we will look at “top prompters” and continue to engage with third-party software vendors and internal Microsoft teams to further reduce unnecessary prompts.
More importantly, as we evolve UAC for Windows 7 we will address the customer feedback and satisfaction issues with the prompts themselves. We’ve heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience. We believe this can be achieved by focusing on two key principles. 1) Broaden the control you have over the UAC notifications. We will continue to give you control over the changes made to your system, but in Windows 7, we will also provide options such that when you use the system as an administrator you can determine the range of notifications that you receive. 2) Provide additional and more relevant information in the user interface. We will improve the dialog UI so that you can better understand and make more informed choices. We’ve already run new design concepts based on this principle through our in-house usability testing and we’ve seen very positive results. 83% of participants could provide specific details about why they were seeing the dialog. Participants preferred the new concepts because they are “simple”, “highlight verified publishers,” “provide the file origin,” and “ask a meaningful question.”
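The range of notification behaviours the post describes (consent on the secure desktop for a Protected Admin, a credential prompt or an outright denial for a standard user, and turning UAC off entirely) is configured through a handful of policy values. The function below is an added example, not code from the post or from Microsoft: it reads those values and flags the settings that weaken the protection the post relies on. The registry key and value names are the ones released Windows uses and are not named in the post; value 5 for ConsentPromptBehaviorAdmin exists from Windows 7 on. The function name Get-UacPolicy is my own.

```powershell
# Added example (not from the Engineering Windows 7 post): audit the UAC
# policy values that control prompting and report weak settings.
# Key and value names are those used by released Windows; they are not on the page.

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Documented meanings of the policy values.
    $adminModes = @{
        0 = 'elevate without prompting'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop (Vista default)'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries (Windows 7 default)'
    }
    $userModes = @{
        0 = 'automatically deny elevation requests'
        1 = 'prompt for credentials on the secure desktop'
        3 = 'prompt for credentials'
    }
    $onOff = @{ 0 = 'off'; 1 = 'on' }

    # A missing value means the OS default applies; keep that distinct from 0.
    function Describe($value, $table) {
        if ($null -eq $value) { return 'not set (OS default applies)' }
        $text = $table[[int]$value]
        if ($null -eq $text) { $text = 'unrecognised value' }
        return "$value ($text)"
    }

    $findings = @()
    if ($p.EnableLUA -eq 0) {
        $findings += 'UAC is disabled: every process of an administrator account runs with the full token and no prompt is ever shown.'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate silently: the consent step the post relies on never happens.'
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompts appear on the interactive desktop instead of the secure desktop, which is what the post describes as the defence against spoofed UAC dialogs.'
    }
    if ($p.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Standard users are denied elevation outright (the locked-down enterprise configuration described in the post).'
    }

    [pscustomobject]@{
        EnableLUA                  = Describe $p.EnableLUA $onOff
        ConsentPromptBehaviorAdmin = Describe $p.ConsentPromptBehaviorAdmin $adminModes
        ConsentPromptBehaviorUser  = Describe $p.ConsentPromptBehaviorUser $userModes
        PromptOnSecureDesktop      = Describe $p.PromptOnSecureDesktop $onOff
        Findings                   = $findings
    }
}

Get-UacPolicy | Format-List
```

Reading the key needs no elevation, so the audit can run from a standard-user session; an empty Findings list means prompting is still in the configuration the post treats as the baseline.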
In summary, yes, we’ve heard the responses to the UAC feature – both positive and negative. We plan to continue to build on the benefits UAC provides as an agent for standard user, making systems more secure. In doing so, we will also address the overwhelming feedback that the user experience must improve.
There's a feature in XP to run programs with least privilege even if you are logged in as Admin, by right-clicking that program and then choosing 'Run as...', which would make viruses and malware useless even if they run. Why isn't that feature available in Vista? By default Vista gives administrators standard privilege, that's cool. But even if viruses run with standard privilege they still can delete or infect files on other drives besides the system drive and can make other changes that can still affect administrators. So Vista's security is still lame. So putting that feature back into Windows 7 and running programs via that feature would be great, because even running a malicious program would make no difference to the users.
Just to add again. By default applications that are not installed should launch with least privilege rights (XP -> right click a program and select 'Run as...' and click OK), which is a feature not available in Vista when you are logged in as Admin, and which would definitely make the OS very secure. There should be options to run those programs with either Admin or Standard privileges.
Microsoft should improve UAC in Vista too. Why only Windows 7? I am talking about the UAC UI in Vista. Rather than blocking the whole screen by displaying the UAC dialog in Vista, why not replace it with a simple dialog box which acts as a child window that asks for permission to get admin rights without blocking the whole screen, which is damn annoying. That would make UAC much simpler. I know so many Vista users and they all hate that thing and so do I. So please don't forget Vista users too. It would be great if we could see that in Vista SP2. Many won't upgrade to Windows 7 until its SP1 release, and neither will I. So make Vista users happy too.
Another problem with UAC and the "one UA" is that you deliberately make stuff hard to find or change when the user has an admin account. The OS should make these changes easy for an administrator.
Just a bit of brain dumping...
What if the admin user account (or the one you would like to have) had two modes?
First is the "user" mode, which is optimized for the average user, and then a protected "admin" mode, which is optimized for admins. The admin mode could even have a different UI for admins or a separate Admin Virtual Desktop. On this desktop the user would find every tool to make the admin work easy.
When the user goes to the Admin Desktop then he can work with admin security settings. When he goes back to User Desktop then user security kicks in.
For example, no software could install itself if the user desktop is active. If something needs to be done then the user gets a subtle notification and he can go to the admin desktop. But if the user has to do a lot of admin work then he could just go to the admin desktop and change stuff without annoying UAC prompts.
The User Desktop should be viewable from the Admin Desktop in a secure way.
The challenge here is to make sure that the user doesn't stay in the Admin Desktop all the time. But I guess it is doable if the Admin Desktop is optimized for admin work and not for general work.
It seems to me that one of the biggest frustrations comes from having just clicked something to perform an action, and then a UAC prompt effectively (it seems to the user) asking them if they're sure they want to perform said action. "Of course I want to do that, I just clicked it!". Ideally, it seems to me, it would be able to distinguish between actions the user invoked explicitly and implicit operations. Probably impossible to implement in a system-wide scheme, but perhaps possible to do in the shell to reduce the number of dialogs Windows pops up.
On a more achievable note, I think it could be improved with increased granularity. A portion of users who disable UAC disable it because they perform a small subset of tasks that routinely bring up a UAC prompt. If they could disable it just for those tasks but still benefit from the increased security in other areas it would be good.
Symantec released their UAC beta software with the ability to search from the internet and block unneeded reappearing popups, so I hope you take a look at what is already being built if you haven't looked at the news yet.
I agree with Asesh why not make this feature as an update in Vista SP2.
[disclosure: I am a developer at Symantec and was involved in the Norton UAC Tool.]
The Norton UAC Tool was written to address what we see as a usability issue in Vista's UAC prompting. The Microsoft Vista team did a fantastic job of improving the security of Windows by implementing integrity levels, isolation, user interface privilege isolation, and file/registry virtualization (which led to Protected Mode IE) - but we were concerned with the trend of users disabling UAC altogether or blindly clicking allow (Chicken Little, "the sky is falling", syndrome). Both result in the fantastic new security in Vista becoming useless (by either being disabled or ignored).
I am very pleased to see that the Windows 7 team is taking this problem seriously, paying very close attention to the CEIP data, and putting time and effort in to improving the usability and readability of UAC prompts while also working to reduce the number of prompts generated by Windows.
All around fantastic news!
The installation key could be the default admin password - default name "admin".
Then we might be able to log in with either a new password (easier) or the installation key.
UAC as an idea is not bad, but the core idea of 'how to protect' is a mistake from the very beginning of NT workstation (w2k wrks). The idea was (and regrettably still is, and even more terrifying, you write it is going to be) to give administrator privileges to the first account created. You write how cool UAC is, changing the app ecosystem so that fewer and fewer applications need admin privileges - true, but imagine how today's IT would look if XP had created a non-administrator account for the first user. Probably there wouldn't be such apps at all.
You had a chance with Vista to change the situation - but instead you decided to create UAC. And the solution was so simple, with no need for architecture changes: simply add some 'special admin session' (some kind of GUI) to make system changes, and some easy way to create 'run as admin' shortcut icons for commonly used tasks. This would force users (AND STUPID DEVELOPER COMPANIES!) to write apps for standard users.
Some may say it would be hard to educate people on how to use it and what it is all about. I answer: look at all this mess about UAC - it's not simple either, but you decided to go for it anyway. Moreover, it's a matter of a well-designed interface giving an easy way to configure that (in some part automatically) and giving enough information.
UAC would be a nice supplement then. For the moment - as you wrote above - users don't even know why they are abused by some question, and what they are asked for. As a result most users simply accept by clicking 'allow' - so what kind of security is it?
...so keep making complex statistics, make UAC and then slowly define object by object which operations will not prompt - and in effect you will have the great functionality of UAC-with-no-UAC; malicious software and spyware will learn how to use those no-prompt actions, and apps will still be written as in the w9x epoch - as if there is one user on the computer with admin privileges. IMHO this situation (admin-apps) is your (Microsoft's) fault, and as I can read, you put a lot of effort into keeping it that way.
Wouldn't it be better if Windows 7 showed a dialog box when a non-installed program is opened, which would display with what privilege the user would want to run that specific application, e.g.,
1: Least privilege (XP -> right click a program and select 'Run As...' and click OK)
2: Standard privilege
3: Admin privilege
It would be great and our computer would be more secure.
As a developer, UAC did force us to do a complete review of our code and we tidied up a few minor issues, but we were already able to run successfully without admin privileges.
The one big irritant has been Office 2007.
The 'Not installed for current user' problem has forced me and others to disable UAC. There is probably another solution, but that seems to work reliably.
In addition, on sandboxed machines, virtual machines etc that get a lot of configuration, switching it off saves time.
A slightly OT issue which is incredibly annoying is getting hit by being a good citizen and Authenticode signing our .NET assemblies - then high-security customers that do not allow internet access have issues with the CLR checking the certificate revocation list.
For apps, this leads to a delay, but for services it's worse, as the SCM decides it's not started in a timely fashion and kills it.
As with UAC, there should be some method of trusting certain apps explicitly, rather than just turning off the checking mechanism itself, which seems to be the fix in .NET 2.0 SP1.
I note that some companies are now shipping unsigned assemblies to avoid this issue. This is really not what you want from your ISVs, so try and reward good citizenship with elegant solutions.
I'm a sysadmin and personally I very much like UAC - in fact I consider it the best reason to upgrade to Vista. I have had a habit of running nonadmin since NT4, and UAC makes this much MUCH easier. So to me, the benefits are obvious.
But I encounter UAC hate on an almost daily basis from other users. You've heard all the epithets I'm sure, so I will not repeat them. But I have a difficult time expressing the value of UAC in ways that don't cause instant contempt and/or glazed over "I'm not really listening" expressions on the faces of the UAC-haters. I can see where they are coming from (they've always been in full control of their systems; why are they now being demoted?), but they have a tough time seeing where I'm coming from. This gets me to thinking: how can MS soften the introduction to UAC, and better tell its story to the users who will be shocked and angered by it?
First, I think it would be very worthwhile to hire a really good media team and have them film a few short introductory videos. People need to be taken by the hand and led through a story which brings home the problem and the solution. I have read everything I could find about UAC, and talked to as many people as I could. It seems to me that the stuff which really explains the issue would bore a nontechnical user. With many other things vying for their attention, this is where they just click some other link and move on - still not really understanding the issues UAC works to resolve, still feeling that it is an unnecessary imposition on their day. So they simply type 'disable UAC' into the search bar, find a recipe, and use it.
Once you have a couple of movies, and perhaps a few text-and-graphic explanations for various audiences, link these from every UAC prompt. My thinking is that there should be a series of quick 2-5 minute hits, from basic to more advanced. A couple of episodes would address the question of 'what can I trust?'. And so on. All should be given in a plainspoken manner that does not patronize or talk down to the customer (for some reason I keep thinking of the videos Amazon used to introduce their Kindle, though of course the problem is much different here).
I don't know where you will find the people who can explain UAC in ways that new-to-UAC and already-hate-UAC folks can connect with. Media consultants? Documentary directors? Independent film types who premiere at places like the Sundance Film Festival? I do think it's important to look outside the standard tech writer crowd, though - they have already struck out.
Thanks for providing this forum. Now I'll go back and read the rest of the comments!
Personally I like the idea of UAC. I have 2 outstanding issues with it, though. The first is the fact that each prompt is a pop up window. Why not have it dock to the task bar? This way you always know where a prompt will appear.
The second issue I have is a bit more complex. During a typical session, I usually peer around at settings, without modification. So when I want to take a look at Device Manager, for example, I first have to accept a UAC prompt. But all I really wanted to do was LOOK at the settings, not necessarily change them.
Would it be possible to integrate UAC in such a window so that you can easily see your settings? And then when or if you would like to make a change, all you would have to do is type in the password in the window and POOF!! everything is modifiable.
KDE has similar functionality and I believe it is far more useful and less intrusive than the current implementation of UAC.
I appreciate this forum a lot. It encourages excellent discussion about all of the functionality of Windows. Keep up the good work Windows Team! It sounds like Windows 7 will be an EXCELLENT and well-polished release.
I have to say I am quite anxious about Win 7. Hardly can wait to hear the reviews of the alpha.
I do appreciate this blog, but reading it I cannot see how Windows 7 will be a new version of Windows. For now it looks like 6.2 rather than 7.0.
The kernel will be an enhanced version of the kernel of WS2008, which is the same as SP1 has (I think). The UI will be an enhanced version of Vista's (which is fine, except virtual desktops and other missing features will be a must-have for me).
To stay on topic, I cannot see the urge to change UAC into a more useful one. (I do stand by my opinion that the current form is useless b/c it educated the user to accept anything, and is also very annoying.)
OT: Steve Jobs just bragged about their success and that a big part of it was Vista. I could not agree more: Windows needs a revolution, not patching up the old legacy. Just look at how outdated the way Windows connects with other devices is. Just try to connect wirelessly an out-of-box WMobile 6 device with an out-of-box Vista and then use it in an XXI century way, remoting, controlling, browsing etc. Ridiculous.