Notes on comments.
Welcome to our blog dedicated to the engineering of Microsoft Windows 7
We promised that this blog would provide a view of Engineering Windows 7 and that means that we would cover the full range of topics—from performance to user interface, technical and non-technical topics, and of course easy topics and controversial topics. This post is about User Account Control. Our author is Ben Fathi, vice president for core OS development. UAC is a feature that crosses many aspects of the Windows architecture—security, accounts, user interface, design, and so on—we had several other members of the team contribute to the post.
We continue to value the discussion that the posts seem to inspire—we are betting (not literally of course) that this post will bring out comments from even the most reserved of our readers. Let’s keep the comments constructive and on-topic for this one.
FWIW, the blogs.msdn.com server employs some throttles on comments that aim to reduce spam. We don’t control this and have all the “unmoderated” options checked. I can’t publish the spam protection rules since that sort of defeats the purpose (and I don’t know them). However, I apologize if your comment doesn’t make it through. --Steven
User Account Control (UAC) is, arguably, one of the most controversial features in Windows Vista. Why did Microsoft add all those popups to Windows? Does it actually improve security? Doesn’t everyone just click “continue”? Has anyone in Redmond heard the feedback from users and reviewers? Has anyone seen a TV commercial about this feature?
In the course of working on Windows 7 we have taken a hard look at UAC – examining customer feedback, volumes of data, the software ecosystem, and Windows itself. Let’s start by looking at why UAC came to be and our approach in Vista.
Technical details aside, UAC is really about informing you before any “system-level” change is made to your computer, thus enabling you to be in control of your system. An “unwanted change” can be malicious, such as a virus turning off the firewall or a rootkit stealthily taking over the machine. However, an “unwanted change” can also be an action by someone with limited privileges, such as a child trying to bypass Parental Controls on the family computer or an employee installing prohibited software on a work computer. Windows NT has always supported multiple user account types – one of which is the “standard user,” which does not have the administrative privileges necessary to make changes like these. Enterprises can (and commonly do) supply most employees with a standard user account while providing a few IT pros administrative privileges. A standard user can’t make system-level changes, even accidentally, by going to a malicious website or installing the wrong program. Controlling the changes most people can make to the computer reduces help desk calls and the overall Total Cost of Ownership (TCO) to the company. At home, a parent can create a standard user account for the children and use Parental Controls to protect them.
However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. This is partly due to the first user account defaulting to administrator, since an administrator on the machine is required, and partly due to the fact that people want and expect to be in control of their computer. Since most users have an Administrator account, this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes. Software written this way would not work for standard users, such as the enterprise user and Parental Controls cases mentioned above. Additionally, giving every application full access to the computer left the door open for damaging changes to the system, either intentionally (by malware) or unintentionally (by poorly written software).
Figure 1. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.
User Account Control was implemented in Vista to address two key issues: one, incompatibility of software across user types and two, the lack of user knowledge of system-level changes. We expanded the account types by adding the Protected Admin (PA), which became the default type for the first account on the system. When a PA user logs into the system, she is given two security tokens – one identical to the Standard User token that is sufficient for most basic privileges and a second with full Administrator privileges. Standard users receive only the basic token, but can bring in an Administrator token from another account if needed.
When the system detects that the user wants to perform an operation which requires administrative privileges, the display is switched to “secure desktop” mode, and the user is presented with a prompt asking for approval. The reason the display is transitioned to “secure desktop” is to avoid malicious software attacks that attempt to get you to click yes to the UAC prompt by mimicking the UAC interface (spoofing the UI). They are not able to do this when the desktop is in its “secure” state. Protected Admin users are thus informed of any system changes, and only need to click yes to approve the action. A standard user sees a similar dialog, but one that enables her to enter Administrative credentials (via password, smart card PIN, fingerprint, etc.) from another account to bring in the Administrator privileges needed to complete the action. In the case of a home system utilizing Parental Controls, the parent would enter his or her login name and password to install the software, thus enabling the parent to be in control of software added to the system or changes made to the system. In the enterprise case, the IT administrator can control the prompts through group policy such that the standard user just gets a message informing her that she cannot change system state.
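As an added illustration of the split-token model described above (example code written for this page, not code from the post or from the Windows team), the following PowerShell function reports which of the two tokens the current console is running under. It assumes Windows Vista or later with UAC enabled, and it relies on the documented behaviour that the filtered (standard-user) half of a Protected Admin's token still lists the Administrators group, but marked "used for deny only".

```powershell
# Added example, not part of the original post.
# Reports whether this PowerShell session runs under the filtered (standard-user)
# half of a Protected Admin's split token, the full administrator token, or a
# plain standard-user token. Assumes Windows Vista or later.

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole evaluates the token this process actually holds. Under the
    # filtered token it returns $false although the account is an administrator.
    $isElevated = $principal.IsInRole($adminRole)

    # The filtered token still carries BUILTIN\Administrators (SID S-1-5-32-544),
    # but flagged "Group used for deny only": it can only ever deny access,
    # never grant it. whoami exposes that flag per group.
    $adminSid   = 'S-1-5-32-544'
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }
    $denyOnly   = [bool]($adminEntry -and ($adminEntry.Attributes -match 'deny only'))

    $state = if ($isElevated) {
        'Elevated: full administrator token (a UAC prompt was approved, or UAC is off)'
    } elseif ($denyOnly) {
        'Protected Admin: filtered token; system-level changes will raise a UAC prompt'
    } else {
        'Standard user: no administrator token; prompts will ask for other credentials'
    }

    [pscustomobject]@{
        User               = $identity.Name
        IsElevated         = $isElevated
        AdminGroupDenyOnly = $denyOnly
        State              = $state
    }
}

Get-UacTokenState | Format-List
```

Run it once from an ordinary console and once from a console started with "Run as administrator": the same account reports the Protected Admin state first and the Elevated state second, which is exactly the two-token arrangement the post describes.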
We are always trying to improve Windows, especially in the areas that affect our customers the most. This section will look at the data around the ecosystem, Windows, and end-users—recognizing that the data itself does not tell the story of annoyance or frustration that many reading this post might feel.
UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. As mentioned in previous posts, there are ways for our customers to voluntarily and anonymously send us data on how they use our features (Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, blog posts, and in house usability testing). The data and feedback we collect help inform and prioritize the decisions we make about our feature designs. From this data, we’ve learned a lot about UAC’s impact.
UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.
In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their “sessions” (a session is everything that happens from logon to logoff or within 24 hours). Furthermore, there were 775,312 unique applications (note: this shows the volume of unique software that Windows supports!) producing prompts (note that an installer and the application it installs are counted as different programs). This seems large, and it is, since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated their software, far fewer applications are requiring admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.
Figure 2. Number of unique applications and tasks creating UAC prompts.
This reduction means more programs work well for Standard Users without prompting every time they run or accidentally changing an administrative or system setting. We also expect that the longer people use their machines, the less frequently they install new software or configure Windows settings, which results in fewer prompts; conversely, a newly set-up machine sees unusually high administrative activity. Customer Experience Improvement Program data indicates that the number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1.
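The mechanism behind the decline described above is the application manifest: a program declares in its `requestedExecutionLevel` whether it needs administrator rights, and the ecosystem's fix was largely to stop declaring `requireAdministrator` where it was not needed. The following PowerShell script is an added example for this page (not code from the post or from Microsoft) that reads such a manifest and reports what prompt behaviour it implies. It assumes PowerShell 3.0 or later and an external `<name>.exe.manifest` file; the sample manifest embedded in it is constructed, and the folder path at the end is a placeholder.

```powershell
# Added example, not part of the original post.
# Reads an application manifest and reports the requested execution level,
# i.e. whether the program declares that it needs administrator rights.
# Assumes an external <name>.exe.manifest file (manifests embedded as a
# resource inside the executable need a resource reader and are not covered).

function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory=$true)][string]$ManifestXml)

    [xml]$doc = $ManifestXml
    # PowerShell's XML adapter ignores namespaces for dot navigation, so this
    # path works for the asm.v2 and asm.v3 trustInfo variants alike.
    $req = $doc.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel

    $level    = if ($req) { $req.level } else { 'not declared (treated as asInvoker)' }
    $uiAccess = [bool]($req -and ($req.uiAccess -eq 'true'))

    $effect = switch -Regex ($level) {
        '^requireAdministrator' { 'Always prompts: admins for consent, standard users for credentials' }
        '^highestAvailable'     { 'Prompts Protected Admins for the full token; runs unprompted for standard users' }
        default                 { 'Never prompts; runs with the caller''s current token' }
    }

    [pscustomobject]@{ Level = $level; UiAccess = $uiAccess; Effect = $effect }
}

# Constructed sample manifest: the shape a vendor ships once its program no
# longer needs administrator rights.
$sample = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

Get-RequestedExecutionLevel -ManifestXml $sample

# Audit every external manifest under a folder (the path is a placeholder),
# listing the programs that still insist on administrator rights first.
Get-ChildItem -Path 'C:\Program Files' -Filter '*.exe.manifest' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $r = Get-RequestedExecutionLevel -ManifestXml ((Get-Content $_.FullName) -join "`n")
        [pscustomobject]@{ File = $_.FullName; Level = $r.Level; Effect = $r.Effect }
    } |
    Sort-Object Level -Descending |
    Format-Table -AutoSize
```

For the constructed sample the function reports `asInvoker`, the level that produces no prompt at all; the folder audit at the end is the quick way to see which installed programs on a machine still request elevation up front.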
Figure 3. Percentage of sessions with prompts over time.
An immediate result of UAC was the increase in engineering quality of Windows. There are now far fewer Windows components with full access to the system. Additionally, all the components that still need to access the full system must ask the user for permission to do so. We know from our data that Windows itself accounts for about 40% of all UAC prompts. This is even more dramatic when you look at the most frequent prompts: Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1. Some targeted improvements in Vista SP1 reduced Windows prompts from frequently used components such as the copy engine, but clearly we have more we can (and will) do. The ecosystem also worked hard to reduce their prompts, thus the number of Windows components on the top 50 list increased. Windows has more of an opportunity to make deeper architectural changes in Windows 7, so you can expect fewer prompts from Windows components. Reducing prompts in the software ecosystem and in Windows is a win-win proposition. It enables people to feel confident they have a greater choice of software that does not make potentially destabilizing changes to the system, and it enables people to more readily identify critical prompts, thus providing a more confident sense of control.
One important area of feedback we’ve heard a lot about is the number of prompts encountered during a download from Internet Explorer. This is a specific example of a more common situation, where an application’s own security dialogs overlap with User Account Control. Since XP Service Pack 2, IE has used a security dialog to warn users before running programs from the internet. In Vista, this often results in a double prompt – IE’s security dialog, followed immediately by a UAC dialog. This is an area that should be properly addressed.
Figure 4. Number of Microsoft prompters in the top 50 over time.
One extra click to do normal things like open the device manager, install software, or turn off your firewall is sometimes confusing and frustrating for our users. Here is a representative sample of the feedback we’ve received from the Windows Feedback Panel:
We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done). However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.
Does this make the system more secure? If every user of Windows were an expert who understands the cause and effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don’t read the prompts, and thus gain no benefit from them (and are just annoyed). In Vista, some power users have chosen to disable UAC – a setting that is admittedly hard to find. We don’t recommend you do this, but we understand you find value in the ability to turn UAC off. For the rest of you who try to figure out what is going on by reading the UAC prompt, there is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it’s something you want to happen. However, we haven’t made things easy on you: the dialogs in Vista aren’t easy to decipher and are often not memorable. In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista. Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable.
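Whether UAC has been turned off, or weakened short of that, is recorded in a handful of policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`; these are the same values that Group Policy and the Windows 7 notification slider write. The following PowerShell audit is an added example for this page (not code from the post or from Microsoft). It assumes Windows Vista or later and reads only; an unset value means the default is in effect.

```powershell
# Added example, not part of the original post.
# Audits the registry-backed UAC policy values that decide whether prompts
# appear at all and whether they use the secure desktop. Assumes Windows Vista
# or later; reading these values does not require elevation.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyAudit {
    $props = Get-ItemProperty -Path $UacPolicyKey -ErrorAction Stop

    # Returns $null for a value that was never written, so "left at default"
    # and "explicitly set" stay distinguishable in the report.
    function Read-Dword([string]$Name) {
        if ($props.PSObject.Properties[$Name]) { [int]$props.$Name } else { $null }
    }

    $enableLua   = Read-Dword 'EnableLUA'                  # 0 = UAC disabled
    $adminPrompt = Read-Dword 'ConsentPromptBehaviorAdmin' # 0 = elevate silently
    $userPrompt  = Read-Dword 'ConsentPromptBehaviorUser'  # 0 = auto-deny standard users
    $secureDesk  = Read-Dword 'PromptOnSecureDesktop'      # 0 = prompt on the normal desktop

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is off; administrators always run with the full token and see no prompts.'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators are elevated without any prompt.'
    }
    if ($secureDesk -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the interactive desktop, where other programs can draw over or imitate them.'
    }
    if ($userPrompt -eq 0) {
        # Not a weakness: this is the enterprise lockdown the post describes,
        # where a standard user is simply told she cannot change system state.
        $findings += 'ConsentPromptBehaviorUser=0: standard users are denied elevation outright (informational).'
    }
    if ($findings.Count -eq 0) {
        $findings += 'No weakening of UAC found in the policy key (unset values are at their defaults).'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        ConsentPromptBehaviorUser  = $userPrompt
        PromptOnSecureDesktop      = $secureDesk
        Findings                   = $findings
    }
}

Get-UacPolicyAudit | Format-List
```

The secure-desktop check is the one worth watching in a fleet: with `PromptOnSecureDesktop` set to 0 the prompt still appears, so users notice nothing, but the protection against a spoofed consent dialog that the post describes is gone.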
Figure 5. Percentage of prompts over time per prompt type.
Figure 6. Percentage of UAC prompts allowed over time.
Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.
Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:
The benefits UAC has provided to the ecosystem and Windows are clear; we need to continue that work. By successfully enabling standard users UAC has achieved its goal of giving IT administrators and parents greater control to lock down their systems for certain users. As shown in our data above, we’ve seen the number of external applications and Windows components that unnecessarily require Admin privileges dramatically drop. This also has the direct benefit of reducing the total amount of prompts users see, a common complaint we hear frequently. Moving forward we will look at the scenarios we think are most important for our users so we can ensure none of these scenarios include prompts that can be avoided. Additionally, we will look at “top prompters” and continue to engage with third-party software vendors and internal Microsoft teams to further reduce unnecessary prompts.
More importantly, as we evolve UAC for Windows 7 we will address the customer feedback and satisfaction issues with the prompts themselves. We’ve heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience. We believe this can be achieved by focusing on two key principles.
1) Broaden the control you have over the UAC notifications. We will continue to give you control over the changes made to your system, but in Windows 7, we will also provide options such that when you use the system as an administrator you can determine the range of notifications that you receive.
2) Provide additional and more relevant information in the user interface. We will improve the dialog UI so that you can better understand and make more informed choices. We’ve already run new design concepts based on this principle through our in-house usability testing and we’ve seen very positive results. 83% of participants could provide specific details about why they were seeing the dialog. Participants preferred the new concepts because they are “simple”, “highlight verified publishers,” “provide the file origin,” and “ask a meaningful question.”
In summary, yes, we’ve heard the responses to the UAC feature – both positive and negative. We plan to continue to build on the benefits UAC provides as an agent for standard user, making systems more secure. In doing so, we will also address the overwhelming feedback that the user experience must improve.
I like the principle of least privilege and I believe it makes software more secure and less destructive in case of failure. I support extending UAC and building it deeper into the architecture, while making it less annoying.
I have the following proposals for UAC:
- I envisage a layered approach for privileges a process can acquire. Not too many, but enough for people to be able to tailor the prompts to their level of security-awareness. For example, one layer could be session-restricted privileges, which doesn't allow the process to make permanent system-level changes that couldn't be reverted by a simple reboot. Another layer could be per-user privileges, only affecting the current user.
An application wants to write to its own folder (e.g. a program update)? Give it access to its files only. The layering could also happen for application classes: trusted ones getting automatic elevation, while recently downloaded programs do not.
By no means do I think that this can be done without any architectural changes. However, building up a new security-minded architecture could prove beneficial in the long run.
- make prompts meaningful (as read in the blog) = no "Unknown Publisher" or worse, empty prompts
As a software professional I was heavily involved in getting our applications to work without the need for admin privileges under Vista. Four key changes that could be made in Windows 7 to reduce UAC dialogs and simplify the development of well-behaved software:
1. Allow processes to have write access to the folder containing the initial executable file of the process, and to sub-folders of that folder. This will avoid the need for admin privileges for programs that keep data files in their installation folder (a common reason for needing admin privileges), without compromising security.
2. Have a catalog of permitted automatic elevations by permitted signed apps when the user is an administrator.
3. Before raising a UAC dialog, determine whether the request was initiated by a "known good" user action in a "known good" program - such as a user drag of a file in Windows Explorer - when the user is an administrator.
4. Allow an already-running process to temporarily automatically elevate to admin privileges (with UAC verification), rather than requiring a separate process or out-of-proc COM object.
Does this mean that you keep the Vista kernel eventually? The same hybrid in name but anyway big, over-blown monster? I am probably wrong, but UAC seems to me something that should be handled at the core level.
I really like this blog but what I miss is feedback from you. Details of Windows 7. I guess you want to make it a big surprise just don't make it a big shock. This time you have to live up to the expectations. And not just on UI and User Interaction level, but also on core level.
Maybe these are just my fears, but I really would not like to be disappointed as I was with Vista.
Actually I would like if you implement a proper Administrator and User accounts. In Administrator account everything goes without prompting. In user account you should be asked for administrative credentials to change sensitive things.
At first run the user should be asked to create an admin account and a user account as well. And then the user should be encouraged to use the user account most of the time. IMHO
I always disable UAC because in its current state it's useless.
My current gripes are:
1) WHY is a prompt appearing? If it's going to appear, I want to know WHY an application is asking for admin privileges. Is there any use for it otherwise? I can potentially be allowing a malicious program to cause havoc. Come on! Even security software is better at this than UAC!
2) Don't ask me ALL the time. Implement a feature to "don't ask me next time", like security software has. Next time an application asks and I already answered, Windows should be able to remember it!
3) Security first - make a whitelist. Find safe programs and allow Windows to actually recommend if to allow or deny it, because frankly, half of the time we don't know what a program is doing and don't know if we should approve or not.
4) The default permissions are probably wrong. The ability to extract and unpack files using compression utilities anywhere is a common need, but it requires admin privileges! This usually results in running the program as admin.
Don't get me wrong - the ability to monitor and approve changes to the system on-the-fly is a very good idea, and I already have security software that takes care of this simply because UAC is so useless. If UAC were to be as good as these software, then there would be no need to disable it and use 3rd party software!
Why not make it optional to enable UAC when you make a new user account?
"Do you want to enable User Account Control on this account? UAC can be useful for kid's accounts bla bla bla.. Read more about UAC".
Personally, I like the idea of UAC, but I don't use it. I've been too tired of looking at those UAC overlays, which do not provide enough information about the program to use it as a user who doesn't have much knowledge about computers and software.
Give the user more information in the UAC popups, reduce the number of popups.
I'm afraid I'm no big fan of UAC. I do get the idea of it but it fails quite badly in achieving its goal.
Firstly I am tempted to ask what the security of my computer has to do with Microsoft. If I want to have a really secure computer then surely I would buy security programs and not an OS. If it is to be integrated at the core level then it should be optional. MY computer is my computer... if I wish to run it like a school boy without a clue then the software should allow that. I don't like being nannied.
Secondly, why was the administrator account hidden in vista? I can understand ensuring that the user is most strongly warned about switching off security features but disabling it and forcing people to use command lines etc? A little extreme.
Personally I found the best solution was to have an admin and normal user account but then you have to know pre-emptively that you'll need full admin rights before you log in or sit there logging in and out. If I were to design a revamp for the UAC it would not be based upon single actions but rather a more literal interpretation of being able to elevate the user rights to admin rights. Basically the user logs in with a standard account. When asked or upon command they can raise the security level to that of an admin whilst in session. This elevation lasts for a user set period of time (possibly 30 seconds or so as default).
Now this may produce some instances where someone elevates their privileges and then manages to get a virus because they went on a dodgy internet site within the 30 seconds but I'm afraid you can't stop people pouring water into their computer and this should be treated the same. At some point the human being has to take responsibility otherwise you'll just frustrate those who do know what they're doing as happened with Vista's UAC.
Either that or at least unhide the administrator account. That way when I'm installing hardware or any large amounts of software I can switch account. I've had more than a couple of instances where something hasn't installed properly unless it's done as an administrator.
Oh that reminds me... please also fix the backwards compatibility. Battlefield requiring administrator privileges to run without crashing was irritating.
I am another person who has disabled UAC. Why? Well, to be perfectly honest I found it more annoying than helpful. Sure I appreciated the thought and objective, but the implementation was driving me up the wall.
My preference would be to only have it appear when a change is made to core system files. I am regularly testing programs, accessing files created on my dual boot XP drive (which I rarely use these days) and running software which keeps giving me the popup.
I will be paying close attention to this topic and the responses from MS.
I think that the ideas behind the implementation of UAC are fundamentally sound, although, there's a way to go before the technology has really reached a state that casual computer users and professionals are fully accepting of it.
However, one idea I really think you should consider would be something that various Unix operating systems have implemented: the ability to temporarily suppress requests for superuser access for a period of time. For example, this may be done on a Unix system when doing a bunch of system-level configuration changes through the GUI, that would otherwise result in numerous confirmation prompts.
Something similar for UAC would definitely have its uses, as there are situations that will occur where several UAC prompts can be expected over a short period of time. For example, a fresh installation of Windows while installing numerous hardware drivers and software that requires specific kernel additions, such as virus scanners, firewalls, virtual CD/DVD drivers, and so on. The current solution of disabling UAC (reboot), do the task, enable UAC (reboot), does to me seem a little clumsy and far from ideal.
Of course, how such a feature is implemented at the UI level could vary, there are many possibilities, but the core functionality that could be provided I suspect many power users would really value.
sounds to me like you guys are well aware how much we all hate the way UAC is currently implemented - it's no exaggeration to say that everyone i know who actually uses Vista (very few people) have it turned off
the theory and concept behind it is indeed noble, it's the realisation that's made it a complete dog.
as a side note, i know it drives Microsoft mad that Vista gets such bad word-of-mouth reviews between peers. fixing UAC would eliminate half this problem
Good to see that introducing UAC actually made software developers change their software to be able to work w/o needing admin privileges, maybe this way, windows' "limited" users will have a purpose too, never used them under XP cause everything needed admin privileges anyway.
As for Vista, I'm one of the people who got annoyed by the UAC pop-ups and turned it off. I do understand that it's useful for less experienced users, so please keep it and make the whole process more fluent; i actually hated the flickering screen more than the additional click to do something. Oh and keep the option to turn it off please.
There could be two solutions:
- "Don't require UAC prompt for this application"
This can be hairy, since this base must be protected well.
- "Don't require UAC prompt for this session".
That would be very nice, especially for admins.
Current (???) M3 W7 builds "UAC aggressiveness" slider seems not very friendly, and described poorly.
I am glad to see that the number of software requiring admin access is being reduced - which helps security.
I really cannot stand the UAC. I find it really annoying. I click to do an action and it asks me if I am sure I want to pursue this action. As a power user, I don't want to be bugged by silly prompts every time I want to do something. I appreciate the purpose of the UAC and understand it is reducing security threats however to me - a power user that knows what he's doing, I shouldn't have to be bugged which is why I have disabled the UAC. I tried to get used to it but even after 9 months of trying, it simply did my head in.
What annoys me even more is now that I have disabled it, every time I start up my laptop, I am introduced with a lovely popup from the notification area telling me to enable it again and it won't stop - adding to the frustration.
I have to agree with commenter Tihiy on this one.
I only get peeved with UAC when I'm doing a lot of "work" on the pc. I wouldn't mind being prompted once and have the option to allow for session.
_"Slightly OT but I'd like to remove the dialog box that pops up when you move something to the recycle bin asking if I'm sure I want to do this. I understand why you do this but I'd like the option to turn this off."_
You can turn it off. (1) open the recycle bin. (2) click "organize / properties" from the menu bar. (3) uncheck "display delete confirmation box."
Heck, you can have things delete immediately if you want. You've been able to set these options since long before vista. You just need to dig around.
I don't think you should attach too much importance to the data that so many admins approve the UAC prompt quickly, and don't remember what the prompt actually said. For me, it's the timing of the prompt that makes all the difference. Let me explain...
UAC doesn't annoy me most of the time because I learn to expect the prompt, when firing up mmc for example, so the click is somewhat automatic. However, there have been (rare) occasions when the UAC prompt appears at an unexpected moment. On those occasions, I definitely stop, read the prompt, and think about my decision.
This might mean there's a "window of opportunity" for malware to get my approval when I think I'm approving something else, but I still feel safer than when there was no UAC.