Notes on comments.
Welcome to our blog dedicated to the engineering of Microsoft Windows 7
We promised that this blog would provide a view of Engineering Windows 7 and that means that we would cover the full range of topics—from performance to user interface, technical and non-technical topics, and of course easy topics and controversial topics. This post is about User Account Control. Our author is Ben Fathi, vice president for core OS development. UAC is a feature that crosses many aspects of the Windows architecture—security, accounts, user interface, design, and so on—we had several other members of the team contribute to the post.
We continue to value the discussion that the posts seem to inspire—we are betting (not literally of course) that this post will bring out comments from even the most reserved of our readers. Let’s keep the comments constructive and on-topic for this one.
FWIW, the blogs.msdn.com server employs some throttles on comments that aim to reduce spam. We don’t control this and have all the “unmoderated” options checked. I can’t publish the spam protection rules since that sort of defeats the purpose (and I don’t know them). However, I apologize if your comment doesn’t make it through. --Steven
User Account Control (UAC) is, arguably, one of the most controversial features in Windows Vista. Why did Microsoft add all those popups to Windows? Does it actually improve security? Doesn’t everyone just click “Continue”? Has anyone in Redmond heard the feedback from users and reviewers? Has anyone seen a TV commercial about this feature?
In the course of working on Windows 7 we have taken a hard look at UAC – examining customer feedback, volumes of data, the software ecosystem, and Windows itself. Let’s start by looking at why UAC came to be and our approach in Vista.
Technical details aside, UAC is really about informing you before any “system-level” change is made to your computer, thus enabling you to be in control of your system. An “unwanted change” can be malicious, such as a virus turning off the firewall or a rootkit stealthily taking over the machine. However, an “unwanted change” can also be an action by someone who has limited privileges, such as a child trying to bypass Parental Controls on the family computer or an employee installing prohibited software on a work computer. Windows NT has always supported multiple user account types, one of which is the “standard user,” which does not have the administrative privileges necessary to make changes like these. Enterprises can (and commonly do) supply most employees with a standard user account while giving a few IT pros administrative privileges. A standard user can’t make system-level changes, even accidentally, by going to a malicious website or installing the wrong program. Controlling the changes most people can make to the computer reduces help desk calls and the overall Total Cost of Ownership (TCO) to the company. At home, a parent can create a standard user account for the children and use Parental Controls to protect them.
However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. This is partly due to the first user account defaulting to administrator, since an administrator on the machine is required, and partly due to the fact that people want and expect to be in control of their computer. Since most users have an Administrator account, this has historically created an environment where most applications, as well as some Windows components, simply assumed they could make system-level changes. Software written this way would not work for standard users, such as the enterprise user and Parental Controls cases mentioned above. Additionally, giving every application full access to the computer left the door open for damaging changes to the system, either intentionally (by malware) or unintentionally (by poorly written software).
Figure 1. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.
User Account Control was implemented in Vista to address two key issues: one, incompatibility of software across user types and two, the lack of user knowledge of system-level changes. We expanded the account types by adding the Protected Admin (PA), which became the default type for the first account on the system. When a PA user logs into the system, she is given two security tokens: a filtered token equivalent to a Standard User token, which is sufficient for most everyday tasks, and a second with full Administrator privileges. Her programs run with the filtered token by default and only receive the full token after she approves an elevation. Standard users receive only the basic token, but can bring in an Administrator token from another account if needed.
When the system detects that the user wants to perform an operation which requires administrative privileges, the display is switched to “secure desktop” mode, and the user is presented with a prompt asking for approval. The reason the display is transitioned to the “secure desktop” is to defeat malicious software that tries to get you to click yes to the UAC prompt by mimicking the UAC interface (spoofing the UI). The secure desktop is a separate desktop that ordinary, non-elevated programs cannot draw on, so they cannot overlay or fake the prompt while the desktop is in its “secure” state. Note what this does and does not protect: it keeps the dialog itself trustworthy, but it cannot tell you whether the program that asked for elevation is one you meant to run; that judgment is left to the person reading the prompt. Protected Admin users are thus informed of any system changes, and only need to click yes to approve the action. A standard user sees a similar dialog, but one that enables her to enter Administrative credentials (via password, smart card PIN, fingerprint, etc.) from another account to bring in the Administrator privileges needed to complete the action. In the case of a home system utilizing Parental Controls, the parent would enter his or her login name and password to install the software, thus enabling the parent to be in control of software added to the system or changes made to the system. In the enterprise case, the IT administrator can control the prompts through group policy such that the standard user just gets a message informing her that she cannot change system state.
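As an added example (not code from this post or from Microsoft), the PowerShell script below shows what the two-token model looks like from inside a running process: whether it holds the full Administrator token, the filtered half of a Protected Admin split token, or a plain standard-user token, and which policy values govern the prompt behaviour described above. The registry value names are the documented UAC policy settings under Policies\System; the interpretation in the comments, and the reliance on English-language `whoami` output for the "deny only" flag, are the example's own assumptions. Run it once from a normal window and once from a window started with "Run as administrator" to see the token change.

```powershell
# Added example, not from the original post or from Microsoft.
# Works on Vista and later. Assumes English output from whoami /groups.

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the process holds the full Administrator token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The filtered half of a Protected Admin split token still lists the
    # Administrators group (S-1-5-32-544), but flagged "Group used for deny only".
    # The SID is not localised; the "deny only" text is (assumption: English).
    $groups    = whoami /groups
    $adminLine = $groups | Where-Object { $_ -match 'S-1-5-32-544' }
    $filtered  = (-not $elevated) -and [bool]($adminLine -match 'deny only')

    # Integrity level: High for the elevated token, Medium for filtered or standard tokens.
    $label = ($groups | Where-Object { $_ -match '^Mandatory Label' }) -replace '\s{2,}.*$', ''

    $kind = 'Standard user token (elevation would ask for another account''s credentials)'
    if ($filtered) { $kind = 'Protected Admin, filtered token (elevation would ask for consent)' }
    if ($elevated) { $kind = 'Full administrator token (already elevated)' }

    [pscustomobject]@{
        User           = $identity.Name
        TokenKind      = $kind
        IntegrityLabel = $label
    }
}

function Get-UacPolicy {
    # Documented UAC policy values; the same settings are exposed under
    # Local Security Policy > Security Options and in domain Group Policy.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    [pscustomobject]@{
        # 0 disables UAC entirely: every PA process gets the full token and no prompt appears.
        EnableLUA = $p.EnableLUA
        # PA users: 0 = elevate silently, 1 or 3 = prompt for credentials,
        # 2 or 4 = prompt for consent (2 = Vista default), 5 = consent only for non-Windows binaries.
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # Standard users: 0 = automatically deny (the enterprise "you cannot change this" message),
        # 1 or 3 = prompt for another account's credentials (1 = on the secure desktop).
        ConsentPromptBehaviorUser = $p.ConsentPromptBehaviorUser
        # 1 = show the prompt on the secure desktop so other programs cannot draw over it.
        PromptOnSecureDesktop = $p.PromptOnSecureDesktop
    }
}

Get-UacTokenState | Format-List
Get-UacPolicy     | Format-List
```

A practical check this enables: if `EnableLUA` is 0, or `ConsentPromptBehaviorAdmin` is 0, a PA user's programs are effectively always running with the full token and the protection described above is not in effect, whatever the dialog settings say.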
We are always trying to improve Windows, especially in the areas that affect our customers the most. This section will look at the data around the ecosystem, Windows, and end-users—recognizing that the data itself does not tell the story of annoyance or frustration that many reading this post might feel.
UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. As mentioned in previous posts, there are ways for our customers to voluntarily and anonymously send us data on how they use our features (Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, blog posts, and in house usability testing). The data and feedback we collect help inform and prioritize the decisions we make about our feature designs. From this data, we’ve learned a lot about UAC’s impact.
UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.
In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their “sessions” (a session is everything that happens from logon to logoff or within 24 hours). Furthermore, there were 775,312 unique applications producing prompts (note: this shows the volume of unique software that Windows supports; an installer and the application it installs are counted as separate programs). This seems large, and it is, since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated their software, far fewer applications are requiring admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.
Figure 2. Number of unique applications and tasks creating UAC prompts.
This reduction means more programs work well for Standard Users without prompting every time they run or accidentally changing an administrative or system setting. In addition, we also expect that as people use their machines longer they are installing new software or configuring Windows settings less frequently, which results in fewer prompts, or conversely when a machine is new that is when there is unusually high activity with respect to administrative needs. Customer Experience Improvement Program data indicates that the number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1.
Figure 3. Percentage of sessions with prompts over time.
An immediate result of UAC was the increase in engineering quality of Windows. There are now far fewer Windows components with full access to the system. Additionally, all the components that still need to access the full system must ask the user for permission to do so. We know from our data that Windows itself accounts for about 40% of all UAC prompts. This is even more dramatic when you look at the most frequent prompts: Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1. Some targeted improvements in Vista SP1 reduced Windows prompts from frequently used components such as the copy engine, but clearly we have more we can (and will) do. The ecosystem also worked hard to reduce their prompts, thus the number of Windows components on the top 50 list increased. Windows has more of an opportunity to make deeper architectural changes in Windows 7, so you can expect fewer prompts from Windows components. Reducing prompts in the software ecosystem and in Windows is a win-win proposition. It enables people to feel confident they have a greater choice of software that does not make potentially destabilizing changes to the system, and it enables people to more readily identify critical prompts, thus providing a more confident sense of control.
One important area of feedback we’ve heard a lot about is the number of prompts encountered during a download from Internet Explorer. This is a specific example of a more common situation - where an application’s security dialogs overlap with User Account Control. Since XP Service Pack 2, IE has used a security dialog to warn users before running programs from the internet. In Vista, this often results in a double prompt – IE’s security dialog, followed immediately by a UAC dialog. This is an area that should be properly addressed.
Figure 4. Number of Microsoft prompters in the top 50 over time.
One extra click to do normal things like open the device manager, install software, or turn off your firewall is sometimes confusing and frustrating for our users. Here is a representative sample of the feedback we’ve received from the Windows Feedback Panel:
We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done). However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.
Does this make the system more secure? If every user of Windows were an expert who understands the cause and effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don’t read the prompts, and thus gain no benefit from them (and are just annoyed). In Vista, some power users have chosen to disable UAC, a setting that is admittedly hard to find. We don’t recommend you do this, but we understand you find value in the ability to turn UAC off. For the rest of you who try to figure out what is going on by reading the UAC prompt, there is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it’s something you want to happen. However, we haven’t made things easy on you: the dialogs in Vista aren’t easy to decipher and are often not memorable. In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista. Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable.
Figure 5. Percentage of prompts over time per prompt type.
Figure 6. Percentage of UAC prompts allowed over time.
Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.
Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:
The benefits UAC has provided to the ecosystem and Windows are clear; we need to continue that work. By successfully enabling standard users UAC has achieved its goal of giving IT administrators and parents greater control to lock down their systems for certain users. As shown in our data above, we’ve seen the number of external applications and Windows components that unnecessarily require Admin privileges dramatically drop. This also has the direct benefit of reducing the total amount of prompts users see, a common complaint we hear frequently. Moving forward we will look at the scenarios we think are most important for our users so we can ensure none of these scenarios include prompts that can be avoided. Additionally, we will look at “top prompters” and continue to engage with third-party software vendors and internal Microsoft teams to further reduce unnecessary prompts.
More importantly, as we evolve UAC for Windows 7 we will address the customer feedback and satisfaction issues with the prompts themselves. We’ve heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience. We believe this can be achieved by focusing on two key principles. 1) Broaden the control you have over the UAC notifications. We will continue to give you control over the changes made to your system, but in Windows 7, we will also provide options such that when you use the system as an administrator you can determine the range of notifications that you receive. 2) Provide additional and more relevant information in the user interface. We will improve the dialog UI so that you can better understand and make more informed choices. We’ve already run new design concepts based on this principle through our in-house usability testing and we’ve seen very positive results. 83% of participants could provide specific details about why they were seeing the dialog. Participants preferred the new concepts because they are “simple”, “highlight verified publishers,” “provide the file origin,” and “ask a meaningful question.”
In summary, yes, we’ve heard the responses to the UAC feature – both positive and negative. We plan to continue to build on the benefits UAC provides as an agent for standard user, making systems more secure. In doing so, we will also address the overwhelming feedback that the user experience must improve.
- I would like to add the following games to Windows or Windows Ultimate Extras: Shogi, Go, Xiàngqí, Sudoku and Pai Sho, and also include the features of the Microsoft Plus! pack for hearing, Microsoft Plus! Labyrinth, and dancers for Windows Media Player.
- I recommend that the new Windows not have win.ini and the registry, and that they be replaced with something more secure and better designed that does not leave so many traces; and also that it not install an administrator account by default but a limited one, as in Linux.
- New effects in WPF, more customizable like Compiz Fusion; a desktop equal to KDE and GNOME; a Windows Media Center that supports full HD audio, video and images; support for Nintendo Wii and PlayStation.
I also find that UAC has some performance issues. Sometimes it can take as long as two seconds for a prompt to appear, and in the meantime my display is either solid black, or the machine appears frozen. This is intermittent, but happens frequently enough to be a real annoyance.
I also totally agree with d_e's comments about the form UAC prompts should take. In essence, "Program x needs your permission to continue," followed by one of the following:
- "Are you attaching a new device to your computer?"
- "Are you updating a driver or system component?"
- "Are you installing or updating a program?"
- "Are you making changes to your system settings or files?"
A "Details" button would also be helpful, especially if it includes details like:
- the full path and filename of the app that produced the prompt
- the publisher of the app
- what, exactly, the app is attempting to do.
Lastly, and most importantly, I believe UAC should be taken a step further. When a user approves an action, immediately create a Restore Point before allowing the app to proceed (perhaps display a progress bar while the restore point is made so the user doesn't think the machine simply froze). That way, if they approve something they shouldn't have, they can still recover.
UAC was a good step in the right direction (particularly in forcing the 1st and 3rd party ecosystem to stop expecting users as admin), but needs a few improvements.
1. UAC needs to provide enough information to make a valid choice!
I realize you don't want to add a bunch of technical information to the front of it. But that technical information needs to be available somehow, otherwise you can't make an informed decision.
This means the executable triggering it, the file locations and names it's trying to write, the registry locations and values it's trying to write, and detailed information if it is adding to startup, installing drivers, or similar.
This information just is not available now, and it needs to be.
2. Remember last-used username when UAC is running in credentials mode (ie, requiring a user-name and password to elevate).
On a non-server, the vast, vast majority of the usage of elevation is going to be to the same alternate account (ie, an la-* local admin or a da-* domain admin account).
Why can't it remember the last used username in my profile, to save me a bunch of typing every time I have to elevate?
3. RunAs needs to return!
It's insane that we lost a big piece of functionality in this space when UAC hit by losing RunAs. And unless it was just sheer lack of manpower, I can't imagine why you would take that away. There is still a very common set of use cases for RunAs, even with UAC turned on, PARTICULARLY in the corporate environment.
I do understand that the switches will become more complicated, as you have to handle in-place elevation on the same account vs. elevating to a different account, etc. But we need that back.
4. Tighter integration with RunAs/etc with the Shell.
For example, I would really like to be able to modify my hosts files by right clicking it, and holding down shift while I choose 'Edit with Notepad++' which launches it with elevation.
Right now, you have to manually elevate/launch the editor, then find and open the text file. Seems like an unnecessary pain.
5. Opening a new explorer.exe shell as admin is fairly broken.
For example, if I wade through the program files, accessories, and launch Windows Explorer as Admin, do I get it actually launched as Admin? No! It silently fails to do what I told it to do, and launches a new explorer window in the regular account.
If this worked, much like we have been doing for years on XP, we can launch an explorer window as Admin, and keep it open for days or weeks while we do stuff there we need admin for.
Overall, nearly every IT pro needs to run Vista with a permanently-running command prompt that has been 'Run as Administrator' opened.
Look for ways to eliminate needing to do that.
And please oh please bring back runas, or make something new similar to sudo/su. We need this so much on the command line.
Personally, UAC has never given me any nuisance.
One more thing I forgot while writing my post a minute ago.
UAC hangs for several minutes sometimes in the Secure Desktop.
It only happens when my laptop is at home, so on the internet and a valid network, but cannot reach the corporate DCs.
I'll cause an elevation, type in my new credentials, and it will sit as long as 1-2 minutes before I regain control of my computer.
Given that this is happening while the secure desktop is loaded, this basically makes my computer 100% non-usable and effectively gone during that time period.
Note that this is elevation with credentials, so I have to type in a different set of credentials to elevate.
There should be a hard-timeout period of 5 seconds. Or drop out of secure desktop instantly before doing the network query.
This actually seemed to get dramatically worse with SP1, even though I read in the release notes that some work was done to improve that.
@marcinw -- what you describe sounds a lot like the former NGSCB project (aka Palladium) -- secure, segregated areas ("nexuses") running on a single machine.
@asymtote & wolrah -- One thing to watch for is driver updates which actually make the "blank screen" delay worse. A while back, updated Nvidia drivers were offered via Windows Update and I installed them, and after that I started getting the same UAC delays. Rolling back to the previous drivers solved the problem.
One thing that I think would be helpful would be a secure hardware-based approval mechanism of some sort, for example a new key on your keyboard that, when held down, would suppress the UAC prompt when clicking on a button/program.
It's not as easy as it might seem, however. First of all, you could have malware just waiting around in the background, trying to elevate repeatedly, and it will eventually sneak through when the timing is right.
Secondly, how long would the user need to hold down the key after performing the UI action? If for some reason the app showing the UI has a delay before trying to create the elevated process, the user would need to keep the key down the entire time.
In any event, it would be great if there was some way to authoritatively know whether an elevated process creation request was really intended/initiated by the user.
I'd have more to say regarding UAC if I had a real amount of experience "using" it on a day to day basis (I turned it off in the Beta), and if I knew what the changes would constitute. So far as I can tell, you're dealing with all the issues I actually care about; keeping my system secure, without bothering the daylights out of me in the process.
I think UAC is very great, but! there are some problems. First, there is the problem of just viewing information. A sample: if I want to look at my drive information with the tool for that, I need to give it admin rights. I think you should only need to become an admin when you want to change something, and not if you just want to look at information.
Second, double clicks. Also a sample: if I want to create a folder in, maybe, the Users folder (I know that is not normal, but I use this for the sample), I do -> right-click -> New -> Folder -> Continue -> Continue... Why don't we have just -> right-click -> New -> Folder -> Continue? Why don't we just need to say OK one time and not two times?
I saw some screenshots from 7 M3 and the new UAC settings. I think this is the right way, but look for problems like the two I told you about at the beginning of the post...
One that drives me bonkers is why I need elevation to do an ipconfig release or renew? Since Vista took away the very handy "repair" option (which renews the address very quickly) I find myself running into a roadblock here all the time. The vista repair option takes forever to run since I already know what the problem is.
As an admin, I may go to someones machine and need to make a networking adjustment. I then open a command prompt and try to release and renew but of course get the elevation error. I then have to close the cmd window and hunt down the cmd icon (since it's not my machine I'm usually doing this on so don't have an admin shortcut already made) so I can right click and choose run as administrator.
Often times I find it easier to just unplug the network cable and plug it back in which does the same thing with no UAC issues! There is a real breakdown somewhere when software behavior pushes users to a hardware workaround because the software is making a relatively benign task such a pain.
I am encouraged to see that we will have more control in the next Windows over what generates these error messages.
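The situation in the comment above (an admin-only command such as `ipconfig /release` typed into an ordinary prompt on someone else's machine, then hunting for the cmd icon to relaunch elevated) is the classic self-elevation case. As an added example, not code from the commenter or from Microsoft, the script below re-launches itself with the "Run as administrator" verb when it is not already elevated, so a single UAC prompt (consent for a Protected Admin, credentials for a standard user) is all that is needed. The `-Adapter` parameter and the `Renew-Ip.ps1` file name are this example's own assumptions; `Start-Process -Verb RunAs` and `$PSCommandPath` (PowerShell 3.0 and later) are standard.

```powershell
# Added example, not from the comment above or from Microsoft.
# Save as Renew-Ip.ps1 and run from any shell; the elevated copy opens in its own window.

param([string]$Adapter = '*')   # assumed parameter: adapter name for ipconfig, "*" = all adapters

function Test-IsElevated {
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Re-run this same script file with the full token. Quoting the path and the
    # adapter name keeps arguments with spaces intact across the relaunch.
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass',
                 '-File', "`"$PSCommandPath`"", '-Adapter', "`"$Adapter`"")
    try {
        # -Verb RunAs is what raises the UAC prompt; -Wait blocks the caller's
        # window until the elevated copy exits.
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -Wait
    } catch {
        # Cancelling the prompt, or a standard-user policy of "automatically deny",
        # surfaces here instead of as a silent failure.
        Write-Error "Elevation was refused: $($_.Exception.Message)"
        exit 1
    }
    exit 0
}

# From here on the process holds the full Administrator token.
ipconfig /release $Adapter
ipconfig /renew   $Adapter
ipconfig | Select-String 'IPv4'
Read-Host 'Done, press Enter to close this elevated window'
```

The same pattern works for any administrative one-off: keep the non-elevated script as the entry point, elevate only the part that needs the full token, and let the prompt happen exactly once rather than relaunching a whole shell as administrator and leaving it open for days.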
The reason that I have turned UAC off on my machine is because when I want to work with files outside of my profile directory UAC seems to block it all the time. For example it won't let me create a folder in the program files directory or add files there. It will UAC prompt me, but then it still won't do what I asked. I have a couple of programs that don't come with an installer that I normally stick under the program files dir and then just put a shortcut into the start menu. If there was an easy way for me to run windows explorer in admin mode (with the UAC prompt at the start) I would probably turn UAC back on.
I frequently do work on peoples computers and sometimes when their computer won’t boot they want to get some of their files off the disk. I have an external enclosure for this sort of thing, but windows will tell me that I don’t have sufficient privileges to open their profile directory on the external drive. It prompts me for elevated privileges, but no matter how many times I click the continue button it still won’t let me through. As soon as I disable UAC I don’t have a problem anymore.
This was meant to go on the bottom of the previous comment, but apparently the comments have a max length.
The following paragraphs detail some thoughts I have had on things that could improve my experience with UAC and make it more practical for me to have it on all the time.
Another feature that could be cool is if you could automatically raise a specific piece of software to admin privileges while it was running from the task manager. For example sometimes I need admin privileges to work with some projects in Visual Studio, but I forgot to open it as admin so I have to close everything and then open it again.
Also as has already been mentioned it would be nice if even when you’re running with UAC turned off you could set some programs (such as IE) to run with only basic user privileges.
Maybe there could be a dialog that let you switch your account mode while it was running. So I could click a button which would allow everything full privileges while I did something and then I could flick it back into UAC mode straight away so I know if something bad is trying to do something I don’t want it to.
Thanks for the blog on the UAC. I had a pretty good understanding before, but it's helpful to have detailed information.
I like the idea behind UAC. Anything that helps stability is appreciated. I must say though, that I ended up turning it off because of the constant bombardment of popping up windows while trying to work. I found that it was very distracting and I stopped reading or caring what it was about or what it said. I would simply click to get it off the screen.
Another annoyance was that my father would call me several times a day, would read what it said to me and ask for my advice on whether he should allow it or not. Needless to say, the next time I flew back into town, disabling UAC was the first thing I did.
So again, I like the idea behind it, but this is an incredibly annoying implementation that feels more like a band-aid over a large problem of how easy it is to get down into the core of Windows and mess something up.
I don't know what the answer is, but I just felt like this was a huge step in the wrong direction in the user experience field.
"Run as" would be a very nice addition. Also please notice the way Linux distros prompt for administrator credentials when trying to run system level or maintenance programs.
Run as combined with administrator credentials would be very useful in cases where you want to enable/disable some features for a standard user account. (shouldn't appear in an admin account)
Personally I hope UAC is gonna get better in Windows 7 and be less obtrusive and more of an adviser.
When installing a new app, I get a UAC prompt but I would like a way to control the amount of access that the app gets on my system. e.g. If I were to install a system-level utility, I can give it full access to the system. If I'm installing a text editor or a game, I want to be able to limit its access to its folder in Program Files and any special folders it wants to add in My Documents. I would also like UAC to tell me if an app tries to go beyond app-level access. At the moment, there is not enough granularity so the UAC prompt to install a text editor is the same as what a system-level utility would require. Essentially, I want UAC to have the same customisability as a good firewall.
Also, since I try a lot of software that doesn't even have its own installer, I put it in a separate folder. By not using Program Files, am I lessening my security? Wouldn't these programs try to save settings to their own folders, so they would actually fail if they ran in Program Files?
Can we have the app isolation of App-V become part of standard Windows?