Notes on comments.
Welcome to our blog dedicated to the engineering of Microsoft Windows 7
We promised that this blog would provide a view of Engineering Windows 7 and that means that we would cover the full range of topics—from performance to user interface, technical and non-technical topics, and of course easy topics and controversial topics. This post is about User Account Control. Our author is Ben Fathi, vice president for core OS development. UAC is a feature that crosses many aspects of the Windows architecture—security, accounts, user interface, design, and so on—we had several other members of the team contribute to the post.
We continue to value the discussion that the posts seem to inspire—we are betting (not literally of course) that this post will bring out comments from even the most reserved of our readers. Let’s keep the comments constructive and on-topic for this one.
FWIW, the blogs.msdn.com server employs some throttles on comments that aim to reduce spam. We don’t control this and have all the “unmoderated” options checked. I can’t publish the spam protection rules since that sort of defeats the purpose (and I don’t know them). However, I apologize if your comment doesn’t make it through. --Steven
User Account Control (UAC) is, arguably, one of the most controversial features in Windows Vista. Why did Microsoft add all those popups to Windows? Does it actually improve security? Doesn’t everyone just click “continue”? Has anyone in Redmond heard the feedback on users and reviewers? Has anyone seen a tv commercial about this feature?
In the course of working on Windows 7 we have taken a hard look at UAC – examining customer feedback, volumes of data, the software ecosystem, and Windows itself. Let’s start by looking at why UAC came to be and our approach in Vista.
Technical details aside, UAC is really about informing you before any “system-level” change is made to your computer, thus enabling you to be in control of your system. An “unwanted change” can be malicious, such as a virus turning off the firewall or a rootkit stealthily taking over the machine. However an “unwanted change” can also be actions from people who have limited privileges, such as a child trying to bypass Parental Controls on the family computer or an employee installing prohibited software on a work computer. Windows NT has always supported multiple user account types – one of which is the “standard user,” which does not have the administrative privileges necessary to make changes like these. Enterprises can (and commonly do) supply most employees with a standard user account while providing a few IT pros administrative privileges. A standard user can’t make system level changes, even accidentally, by going to a malicious website or installing the wrong program. Controlling the changes most people can make to the computer reduces help desk calls and the overall Total Cost of Ownership (TCO) to the company. At home, a parent can create a standard user account for the children and use Parental Controls to protect them.
However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. This is partly due to the first user account defaulting to administrator, since an administrator on the machine is required, and partly due to the fact that people want and expect to be in control of their computer. Since most users have an Administrator account, this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes to the system. Software written this way would not work for standard users, such as the enterprise user and parental control cases mentioned above. Additionally, giving every application full access to the computer left the door open for damaging changes to the system, either intentionally (by malware) or unintentionally (by poorly written software.)
Figure 1. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.
User Account Control was implemented in Vista to address two key issues: one, incompatibility of software across user types and two, the lack of user knowledge of system-level changes. We expanded the account types by adding the Protected Admin (PA), which became the default type for the first account on the system. When a PA user logs into the system, she is given two security tokens – one identical to the Standard User token that is sufficient for most basic privileges and a second with full Administrator privileges. Standard users receive only the basic token, but can bring in an Administrator token from another account if needed.
When the system detects that the user wants to perform an operation which requires administrative privileges, the display is switched to “secure desktop” mode, and the user is presented with a prompt asking for approval. The reason the display is transitioned to “secure desktop” is to avoid malicious software attacks that attempt to get you to click yes to the UAC prompt by mimicking the UAC interface (spoofing the UI.) They are not able to do this when the desktop is in its “secure” state. Protected Admin users are thus informed of any system changes, and only need to click yes to approve the action. A standard user sees a similar dialog, but one that enables her to enter Administrative credentials (via password, smart card PIN, fingerprint, etc) from another account to bring in the Administrator privileges needed to complete the action. In the case of a home system utilizing Parental Controls, the parent would enter his or her login name and password to install the software, thus enabling the parent to be in control of software added to the system or changes made to the system. In the enterprise case, the IT administrator can control the prompts through group policy such that the standard user just gets a message informing her that she cannot change system state.
We are always trying to improve Windows, especially in the areas that affect our customers the most. This section will look at the data around the ecosystem, Windows, and end-users—recognizing that the data itself does not tell the story of annoyance or frustration that many reading this post might feel.
UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. As mentioned in previous posts, there are ways for our customers to voluntarily and anonymously send us data on how they use our features (Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, blog posts, and in house usability testing). The data and feedback we collect help inform and prioritize the decisions we make about our feature designs. From this data, we’ve learned a lot about UAC’s impact.
UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.
In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their “sessions” - a session is everything that happens from logon to logoff or within 24 hours. Furthermore, there were 775,312 unique applications (note: this shows the volume of unique software that Windows supports!) producing prompts (note that installers and the application itself are not counted as the same program.) This seems large, and it is since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated their software, far fewer applications are requiring admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.
Figure 2. Number of unique applications and tasks creating UAC prompts.
This reduction means more programs work well for Standard Users without prompting every time they run or accidentally changing an administrative or system setting. In addition, we also expect that as people use their machines longer they are installing new software or configuring Windows settings less frequently, which results in fewer prompts, or conversely when a machine is new that is when there is unusually high activity with respect to administrative needs. Customer Experience Improvement Program data indicates that the number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1.
Figure 3. Percentage of sessions with prompts over time.
An immediate result of UAC was the increase in engineering quality of Windows. There are now far fewer Windows components with full access to the system. Additionally, all the components that still need to access the full system must ask the user for permission to do so. We know from our data that Windows itself accounts for about 40% of all UAC prompts. This is even more dramatic when you look at the most frequent prompts: Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1. Some targeted improvements in Vista SP1 reduced Windows prompts from frequently used components such as the copy engine, but clearly we have more we can (and will) do. The ecosystem also worked hard to reduce their prompts, thus the number of Windows components on the top 50 list increased. Windows has more of an opportunity to make deeper architectural changes in Windows 7, so you can expect fewer prompts from Windows components. Reducing prompts in the software ecosystem and in Windows is a win-win proposition. It enables people to feel confident they have a greater choice of software that does not make potentially destabilizing changes to the system, and it enables people to more readily identify critical prompts, thus providing a more confident sense of control.
One important area of feedback we’ve heard a lot about is the number of prompts encountered during a download from Internet Explorer. This is a specific example of a more common situation - where an application’s security dialogs overlap with User Account Control. Since XP Service Pack 2, IE has used a security dialog to warn users before running programs from the internet. In Vista, this often results in a double prompt – IE’s security dialog, followed immediately by a UAC dialog. This is an area that should be properly addressed.
Figure 4. Number of Microsoft prompters in the top 50 over time.
One extra click to do normal things like open the device manager, install software, or turn off your firewall is sometimes confusing and frustrating for our users. Here is a representative sample of the feedback we’ve received from the Windows Feedback Panel:
We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done). However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.
Does this make the system more secure? If every user of Windows were an expert that understands the cause/effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don’t read the prompts, and thus gain no benefit from them (and are just annoyed). In Vista, some power users have chosen to disable UAC – a setting that is admittedly hard to find. We don’t recommend you do this, but we understand you find value in the ability to turn UAC off. For the rest of you who try to figure out what is going on by reading the UAC prompt , there is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it’s something you want to happen. However, we haven’t made things easy on you - the dialogs in Vista aren’t easy to decipher and are often not memorable. In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista. Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable.
Figure 5. Percentage of prompts over time per prompt type.
Figure 6. Percentage of UAC prompts allowed over time.
Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.
Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:
The benefits UAC has provided to the ecosystem and Windows are clear; we need to continue that work. By successfully enabling standard users UAC has achieved its goal of giving IT administrators and parents greater control to lock down their systems for certain users. As shown in our data above, we’ve seen the number of external applications and Windows components that unnecessarily require Admin privileges dramatically drop. This also has the direct benefit of reducing the total amount of prompts users see, a common complaint we hear frequently. Moving forward we will look at the scenarios we think are most important for our users so we can ensure none of these scenarios include prompts that can be avoided. Additionally, we will look at “top prompters” and continue to engage with third-party software vendors and internal Microsoft teams to further reduce unnecessary prompts.
More importantly, as we evolve UAC for Windows 7 we will address the customer feedback and satisfaction issues with the prompts themselves. We’ve heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience. We believe this can be achieved by focusing on two key principles. 1) Broaden the control you have over the UAC notifications. We will continue to give you control over the changes made to your system, but in Windows 7, we will also provide options such that when you use the system as an administrator you can determine the range of notifications that you receive. 2) Provide additional and more relevant information in the user interface. We will improve the dialog UI so that you can better understand and make more informed choices. We’ve already run new design concepts based on this principle through our in-house usability testing and we’ve seen very positive results. 83% of participants could provide specific details about why they were seeing the dialog. Participants preferred the new concepts because they are “simple”, “highlight verified publishers,” “provide the file origin,” and “ask a meaningful question.”
In summary, yes, we’ve heard the responses to the UAC feature – both positive and negative. We plan to continue to build on the benefits UAC provides as an agent for standard user, making systems more secure. In doing so, we will also address the overwhelming feedback that the user experience must improve.
I just mention that not including Group Policy Editor (also Terminal Server) into Vista Home products was a sickening thing to do. It actually made me consider to switch to Mac. This is just a cheap shot to make people to upgrade to Ultimate for a 100 bucks. Next time what you don't include notepad?
Having Terminal Server on the home computer is more important than on a business computer. They have servers anyway.
I can not see anything about MinWin or kernel changes, about hypervisor in Win 7 or core features in the PDC2008 agenda.
Does this mean that Win7 will be a polished Vista?
Every time UAC pops up I feel like the system slows down. This is very annoying, a task that previously took less than a second, now can take more than 10 seconds. UAC dialogs often never say why admin rights are needed. I would like a way of sand-box the program, with temporary admin rights, to an sandboxed version of my system, and when the program terminates, I would be given the option of committing these changes to my system, or just saving them for this program to use the next time it is used. This way, badly written programs may run in admin-mode, and never know anything about it. Dangerous commits should be warned about, whilst commits not affecting anything important, would be just safe.
Sandbox admin rights! :)
Surely one of the best (and simplest) things that could be done to improve security is to change the installer for Windows 7 to encourage/force the creation of a standard user account. Your own stats show that the majority of home computer have a single user set-up and this is configured as an admin user, this is a situation that you should try and address.
I guess this would involve communication with other members of the ecosystem so that suppliers of new computers configure them in this way.
UAC is just another hack to poorly address flaws in Windows. UAC only exists because previous versions of Windows:
- let applications write to any part of the registry
- applications write to any part of the disk
- weren't designed with security in mind
Windows needs a redesign from scratch. Take the current kernel and scratch the rest. Heck, take a version of BSD and build on that. It couldn't be any worse than Vista.
i don't understand what's so difficult about just copying the MacOSX way of doing UAC? a lot of people here are hinting at it, so i'll just go ahead and suggest it out loud
great ideas should be shared, and when did you ever hear about anyone complaining about the way OSX handles the UAC side of things?
After reading all this, the two ideas that really struck home with me, such that I'd be perfectly happy with UAC are...
1. Ability to add apps to an approved whitelist.
2. The prompt needs to report what the system is about to do.
I'm firmly in the disabled UAC category; it was my first step in coming to terms with Vista, and I'm glad to have it gone.
UAC fails for two reasons:
1. There's no white list. I don't want to be asked every time I open the same program. It needs an option to remember my choices, and only prompt if the program has changed.
2. The feedback is non-informative. Unless I already know the application being installed, I can't garner much from a UAC prompt. And of course, if I know what I'm installing, I also know I don't need to be prompted about it...
I like to be protected by UAC, but I wish it remembered my choice - I hate it when I have to click "allow" even if I launch the same application for 100th time. Add a simple check box "Remember me next time" and I'll be happy as a mouse.
Those of you who don’t like secure desktop, if it wasn’t for this then any rough application could modify the UAC prompt and make it green, with text to say it’s a trusted window component.
What about a White List? How long would it be before hackers realized how to get their application into the White list? Not long. Mac OS X has a good idea by remembering your action for the session. How it implements this I have no idea, something to do with the keychain.
IIRC then the MAC OS windowing system means you can't easily adapt another Window's contents or listen to it's messages.
"... most machines (75%) have a single account with full admin privileges. ... this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes to the system. "
So because of "historical" reason you just inherited this bad practice to every MS OS. Congratulation.
Those users who does not understand why should they have admin account and user account as well will just click on YES for every popup you display. Do you think they will actually read what you display? Or understand?
Why can't you just break away of the bad inheritance of earlier Windows OS.
Win7 needs a proper UA managment! Not more pop-up.
UAC, it's a good thing, for the most part. However Microsoft please take into account, your power users. You should be able to disable it, you should be able to be a true administrator. And not have to right click to run as Administrator. Now you might ask why? Simply power users are not your atypical user, we want control, we want to be able to change things with out the fanfare that comes with UAC or right clicking to run as an administrator. Now why should Microsoft care about the small percentage of power users out there? Easy, we are the ones people ask for advice, companies ask for our opinions. Vista is not power user friendly, it is locked down way to much, the security, and the UI. I believe a large part of Vista's problems stem from Microsoft alienated the power user, and like it or not, word of mouth is a large part of acceptance. I have been asked many times , "Do you like or use Vista?". I have to reply no, and most people say, "If your not going to use it, I wont either." Again, don't for get your power users, or computer geeks what ever you want to call us. don't put up "WALLS" allow users a choice. That is why Vista has failed, it no, "CHOICE" it is do it Microsoft way, not every one wants it your way. Choice, is the only thing I can say, Windows 7 really needs to be choice, with UAC, with the UI. Don't fail like like you did with the beta's of Vista, listen users and give us CHOICE. I really want, "life with out walls." Please let Windows 7 be that because Vista is, "Life With Walls".....
One more thing, if you want to see Microsoft's, "WALLS" just head over to the IE 8 blog, Dean still will not discus the UI on IE 8, He and his team are ignoring it, and ignoring the power users. IE 8 is, "you will use it Microsoft's way." I use FF3, I would love to recommend and use IE 8, but Dean and his team needs to realize, power users are your word of mouth, power users are your, "go to person's" Power Users are your life blood. Dean give up control allow users to customize. Stop putting up, "walls" and allow users a choice.... Again it is all about, "CHOICE" it is all about, "Life with our Walls"....
I honestly haven't seen a UAC prompt in a few months. It sure got annoying when I was installing apps on the computer after installing Vista, and configuring system settings, and updating drivers.
I think that if I set an application to always run as administrator, it should prompt me when I set that option, not every time I start the application.
Also, UAC prompts for writing to any non-user folder is a little silly. Limit the protection to %windir% and other user's folders.
"In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista. Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable."
Predictable? No, glaringly obvious. It's the single first thing we were taught in our HCI class on first year in computer science. Requiring the user to repeatedly press 'ok' only guarantees on thing: They'll do it automatically, without even noticing or remembering that they did it.
And this was the first thing I thought when I first saw a UAC prompt. God dammit, what were Microsoft thinking? This is worse than useless, you finally decided to tackle the problem of everyone using admin privileges, and you botch it by training everyone to grant admin privileges to anyone who asks, which isn't much of an improvement over just having admin privileges on to begin with.
As it turned out, it had a large effect on the ecosystem, which is nice, but in teaching the end user to behave sensibly, you might be worse off now than before Vista. At least when Vista came out, people noticed the UAC prompts. Now they don't.
One step in fixing this might be to provide some sensible context information. Tell me *which* action it is I'm approving. But that in itself is not enough. The UAC prompts must also be so rare that you *notice* when you finally get one.
Anyway, I suspect that one major factor in the frustration with UAC is that it slows you down so much. First, the graphical component is generally useless, and it takes time (the screen goes blank, and then a moment later, the secure desktop shows up, allowing you to click. And then, another small wait before your regular desktop is back. (Of course, I understand that it'd be a problem if applications could mess with the UAC prompt, but the delay in the current implementation is enough to drive anyone mad.
And second, this retroactive prompt interrupts the user, injecting several new actions into what should have (and was expected to be) one or two simple mouse clicks (say, to open the control panel)
One obvious solution, then, is to make it easy for the user to specify in advance that "this should run with admin privileges, and here is my login info", so it doesn't have to pop up and prompt, similar to the sudo command in Linux. If I know that the task I'm about to perform requires admin privileges, I'd like to be able to proactively approve it. And definitely without the whole desktop-switching nonsense. I don't mind typing in my password every time. That doesn't take long to do. But the "secure desktop" fails because it completely interrupts my flow, and slows me down noticeably. (So no, I'm not asking for a whitelist, just an easier way to proactively approve individual tasks. And of course, if I don't "pre-approve" the task I'm performing, I'll still have to deal with a UAC prompt. I'd just like a more streamlined and less disruptive way to approve the task I'm doing before I get the big prompt.
I fully agree with the goal of UAC, but if I can't perform individual tasks as admin without being slowed down, it becomes frustrating. Perhaps instead of a "secure desktop" clearing the entire screen just to show this prompt, a "secure dialog box" would suffice? I mean, sure, so Explorer needs UAC approval to copy these files, fine, but why shouldn't I be able to continue surfing in Firefox in the background? The prompt must obviously prevent me from completing the action in Explorer, but it has no business locking down my other applications. (Both because it's not very user-friendly, and because switching to a separate secure desktop seems, at least in the Vista incarnation, to be extremely slow).
And if it isn't possible to make such a "secure dialog", perhaps you should make it possible. There's no technical reason why it couldn't be done, and it would be a hell of a lot less frustrating than the full-screen UAC prompts.