Welcome to our blog dedicated to the engineering of Microsoft Windows 7
There’s been a ton of interest in how we have improved user account control (UAC) and so we thought we’d offer a quick update for folks. We know most of you have discovered this and picked a setting that works for you, and we're happy with the feedback we've seen. This just goes into the details on the choice of defaults. --Steven
In an earlier blog post we discussed the why of UAC and its implications for Windows, the ecosystem, and our customers. We also talked about what we needed to do moving forward to address the data and feedback we’ve received. This blog post will provide additional detail on our response and what you can expect to see in the upcoming beta build in early 2009.
As mentioned in our previous post, and your comments supported this, the goals for UAC are good and important ones. User Account Control was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. It is important not to abandon these goals. Instead, we want to address the feedback we’ve received and build on the telemetry we have, using both to improve the overall experience without losing sight of the goals with which we agree.
For those of you using 6801 you have started to see the benefits of prompt reduction and our new and improved dialog designs. You also have seen our efforts to give the user greater control of their system – the new UAC Control Panel. The administrator now has more control over the level of notification received from UAC. Look for the UAC Control Panel to appear in Start Search, Action Center, Getting Started, and even directly from the UAC prompt itself. Of course, the familiar ways to access it from Vista are still present.
Figure 1: UAC Control Panel
The UAC Control Panel enables you to choose between four different settings:
We know from the feedback we’ve received that our customers are looking for a better balance of control versus the number of notifications they see. As we mentioned in our last post, we have a large number of admin (aka developer) customers looking for this balance, and our data shows us that most machines (75%) run with a single account with full admin privileges.
Figure 2. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.
For the in-box default, we are focusing on these customers, and we have chosen number 2, “Notify me only when programs try to make changes to my computer”. This setting does not prompt when you change Windows settings (control panels, etc.), but instead enables you to focus on administrative changes being requested by non-Windows applications (like installing new software). For people who want greater control in changing Windows settings frequently, without the additional notifications, this setting results in fewer overall prompts and enables customers to zero in on the key remaining notifications that they do see.
This default setting provides the degree of change notification that a broad range of customers desire. At the same time, we’ve made it easy and readily discoverable for the administrator to adjust the setting to provide more or fewer notifications via the new control panel (and policy). As with all of our default choices, we will continue to closely monitor the feedback and data that come in through beta before finalizing for ship.
--UAC, Kernel, and Security program managers
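To check which of the four levels a machine is actually running at, the policy values behind the control panel can be read directly. The following is an added example, not code from the original post or from Microsoft: the function name `Get-UacLevel` is hypothetical, the sample inputs are constructed, and the level numbers follow the numbering used in this post (2 is the default).

```powershell
# Added example: map UAC policy values to the four control panel levels.
# EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the
# real value names under the Policies\System key read below.
# Get-UacLevel is a hypothetical helper name.
function Get-UacLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # UAC switched off entirely: every admin process gets the full token.
    if ($EnableLUA -eq 0) { return '4: never notify (UAC disabled)' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return '4: never notify (silent elevation)' }
        2 { if ($PromptOnSecureDesktop -eq 1) { return '1: always notify' } }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return '2: notify only when programs make changes (default)'
            }
            return '3: as level 2, but without the secure desktop'
        }
    }
    # Any other combination comes from policy, not from the slider.
    return 'custom: not a slider position'
}

# Constructed sample inputs, one per slider position plus a policy-only value.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }
)
foreach ($s in $samples) { Get-UacLevel @s }

# On a Windows machine, report the live setting. A value that is absent
# from the key binds as 0 here, so treat the result as "not set" in that case.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    Get-UacLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}
```

Run across a fleet, anything reporting level 3, level 4 or `custom` is a machine where the default described above has been changed and is worth a second look.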
I'm really not entirely impressed. The standard user is set to an 'administrator', important settings like the properties of the network adapter are not run through UAC for the default (admin) user and most importantly the admin tools are not in the slightest bit granular. I'll grant you the network applet is doing something funky, though, as netsh refuses alterations from an unelevated command prompt even under the default 'admin' user.
A non admin user cannot use the network settings dialog to see (but not alter) the settings without going through UAC entering a password.
Undoubtedly in some cases (installation of new programs from the web springs to mind) the multiple UAC confirmations were overkill. For the remainder it's down to poor program and user interface design. Need I mention that Microsoft's Visual Studio Express 2005, amongst others, triggered UAC prompts in Vista due to requiring admin privilege.
It's not always about 'what the customer wants' - customers don't care about security until the moment their system is hacked out of existence.
More intelligent admin tool design and shims to handle misbehaving programs (dare I say it, a setuid equivalent) would remove the majority of user concerns.
However, I suspect that due to marketing and timescales the security/UI teams currently have no option to prepare more sophisticated options. Unfortunately.
As it is, I suppose this is an improvement on Vista, but it falls short of the ideal.
I would like Windows to give ME the control of my OWN computer. Currently, if a program has an admin manifest, there is NO WAY for me to run it as non admin (other than turning off UAC and rebooting). I want a button in the UAC dialog that says Run non-elevated (registry hack or whatever, I guess you don't want to confuse the noobs). I'm tired of resource hacking the manifest for stuff. (Take regedit for example: what if I only want to edit HKCU? Don't force me to elevate, give ME the OPTION.)
I really want to move to W7, but if you don't add this, I'm sticking with XP (I have my own custom UAC like solution there) or move to Linux
>I want a button in the UAC dialog that says Run non-elevated
Currently, when faced with an application that demands admin privs before it will consent to run, we have three options to get around that:
1) Edit its manifest ourselves
2) Install a RunAsInvoker shim using the Application Compatibility Toolkit
3) Copy the application into a virtual machine and run it there instead
A RunAsInvoker mode available off the right-click menu would be nice.
This is not related to the current posting but I would like to bring it up since I know so many people out there would love this feature included in 7. I think it would be great if you guys add a folder copy queue feature that would obviously allow creating a queue when moving or copying several folders. I think this would be a killer feature that many people would make great use of. It's been noted recently that now Windows 7 has the feature that if a file is being used by another program it will let you know what program it is. I am hoping with my fingers crossed that you guys can add a queue to the copying or moving of folders.
Too many settings!
I'm glad the default is #2 instead of #1. The Vista behavior is overkill: I trust the control panel.
#4 is clearly unsafe and dangerous. Hopefully, the new default will be not annoying enough to push people to #4.
Now, #2 vs #3 is far more interesting.
If the "secure desktop" is the only difference, why not just create a secure window? Something like this already exists for email protections in Outlook...
I say, make a #2.5 and delete this entire dialog and setting.
I have mixed feelings about Windows 7’s UAC default setting.
At least as of build 7000, a standard-token process can open the UAC settings control panel, change the setting to off, and then reboot the machine (after, presumably, first sticking something in the user's startup list). A standard-token process can also open the user accounts control panel, create a new admin account, assign it a password, and turn on Remote Desktop.
From this way of looking at it, Windows 7 has reverted to the XP default of every process the user runs having the ability to hijack the machine, and I feel a bit sorry for users who won’t realize that upgrading from Vista to Windows 7 means a buffer overflow exploit can now run a payload with admin privs without ever triggering a UAC prompt unless they specifically change the UAC setting themselves.
On the other hand, the Windows 7 default setting still forces application developers (as opposed to malware developers) to code for standard user privileges just as in Vista, which means the Windows software ecosystem stays based around standard privileges, which means individuals and organizations who want real security (max UAC, or actual standard accounts) can set it up and their applications will still work the same—quite a different experience from using limited accounts in the XP days.
"I would like Windows to give ME the control of my OWN computer, currently, if a program has a admin manifest, there is NO WAY for me to run it as non admin (other than turning off UAC and rebooting)" Anders, you do realize once UAC is off, EVERYTHING is run as admin (unless you run as a standard user, then those programs that DO require admin access will be denied and there's little you can do about it), right? Contrary to what you believe, UAC DOES give you control.
Given what I just said. There should be a way to have the option of running a program as a standard user. Currently, it's either "Yes" or "No" if you want to run the program. What the options really should be are "Run as Admin", "Run as Standard User", "Don't run the application". UAC was designed with this in mind, but how come it's not implemented in the UI?
I'm curious how you are able to accurately distinguish between software controlling the mouse and a human controlling the mouse.
For many years, the message back was that due to accessibility & tutorial/training type of technology built into Windows, it wasn't physically possible to distinguish between a human controlling the mouse and a piece of software controlling the mouse.
Has this changed in Vista & W7? Or how is this problematic scenario handled?
Still not a true security boundary. :(
Until it is, it's pretty darn useless!! Still too damn annoying!
>I'm curious how you are able to accurately distinguish between software controlling the mouse and a human controlling the mouse.
Vista and Windows 7 switch to a separate, isolated desktop (indicated visually by the screen-dim effect) to display UAC prompts, so the user's other processes can't interact with them.
UAC is ok, but:
- Like some mentioned, we need an easy way to run as non-elevated (as simple as an advanced setting on the popup window?)
- A simpler solution to turn off the irritating flashing secure desktop.
Reading this post you'd think all they changed was a slider bar with a lower default. But I'm using the Windows 7 beta, and it rocks. No more double prompts and far less of them. So far, I'm keeping UAC turned on. I guess this post is the "PM" sales story for something the developers thought up. Cool.
I agree with the poster above that the difference between #2 and #3 is confusing.
For some very strange reason though, the Gadgets don't work when the UAC is turned off. I have to say this is very annoying. I can get it to work when replacing elements of the Win7 sidebar with elements of Vista, but this obviously isn't a feasible workaround.
I think you're ignoring a bigger problem here. You shouldn't be setting up users as administrators in the first place. The UAC should be a convenience item for non-admins. Set up an admin account, but set up the user accounts as non-admins; then when the UAC prompt appears, get them to enter the admin password (have the username preselected (or remember the last one used) so you don't have to type machine or domain name\username AND the password). If the user does not want to elevate then the app runs with its current credentials. Be secure by default. If the end user wants to run as an administrator, then there is not much you can do about it. Administrators should not be bothered with UAC…except when running IE (should be run with no privileges (similar to dropmyrights)) where the user is prompted to elevate for things like ActiveX installs etc.
There is a problem with one UAC scenario:
- I can't delete my monitor profile (it turns pictures fawny) since color management applet can't elevate itself.