Engineering Windows 7

Welcome to our blog dedicated to the engineering of Microsoft Windows 7

User Account Control (UAC) – quick update

User Account Control (UAC) – quick update

  • Comments 59

There’s been a ton of interest in how we have improved user account control (UAC) and so we thought we’d offer a quick update for folks. We know most of you have discovered this and picked a setting that works for you, and we're happy with the feedback we've seen.  This just goes into the details on the choice of defaults.  --Steven

In an earlier blog post we discussed the why of UAC and its implications for Windows, the ecosystem, and our customers. We also talked about what we needed to do moving forward to address the data and feedback we’ve received. This blog post will provide additional detail on our response and what you can expect to see in the upcoming beta build in early 2009.

As mentioned in our previous post, and your comments supported this, the goals for UAC are good and important ones. User Account Control was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. It is important not to abandon these goals. Instead, we want to address feedback we’ve received and build on the telemetry we have using those to improve the overall experience without losing sight of the goals with which we agree.

For those of you using 6801 you have started to see the benefits of prompt reduction and our new and improved dialog designs. You also have seen our efforts to give the user greater control of their system – the new UAC Control Panel. The administrator now has more control over the level of notification received from UAC. Look for the UAC Control Panel to appear in Start Search, Action Center, Getting Started, and even directly from the UAC prompt itself. Of course, the familiar ways to access it from Vista are still present.

User Account Control control panel.

Figure 1: UAC Control Panel

The UAC Control Panel enables you to choose between four different settings:

  1. Always notify on every system change. This is Vista behavior – a UAC prompt will result when any system-level change is made (Windows settings, software installation, etc.)
  2. Notify me only when programs try to make changes to my computer. This setting does not prompt when you change Windows settings, such as control panel and administration tasks.
  3. Notify me only when programs try to make changes to my computer, without using the Secure Desktop. This is the same as #2, but the UAC prompt appears on the normal desktop instead of the Secure Desktop. While this is useful for certain video drivers which make the desktop switch slowly, note that the Secure Desktop is a barrier to software that might try to spoof your response.
  4. Never notify. This turns off UAC altogether.

We know from the feedback we’ve received that our customers are looking for a better balance of control versus the amount of notifications they see. As we mentioned in our last post we have a large number of admin (aka developer) customers looking for this balance, our data shows us that most machines (75%) run with a single account with full admin privileges.

Distribution of number of accounts per PC

Figure 2. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.

For the in-box default, we are focusing on these customers, and we have chosen number 2, “Notify me only when programs try to make changes to my computer”. This setting does not prompt when you change Windows settings (control panels, etc.), but instead enables you to focus on administrative changes being requested by non-Windows applications (like installing new software). For people who want greater control in changing Windows settings frequently, without the additional notifications, this setting results in fewer overall prompts and enables customers to zero in on the key remaining notifications that they do see.

This default setting provides the right degree of change notification that a broad range of customers’ desire. At the same time we’ve made it easy and readily discoverable for the administrator to adjust the setting to provide more or fewer notifications via the new control panel (and policy). As with all of our default choices we will continue to closely monitor the feedback and data that come in through beta before finalizing for ship.

--UAC, Kernel, and Security program managers

Leave a Comment
  • Please add 6 and 2 and type the answer here:
  • Post
  • Everyone,

    I have read the comments and I feel I must come to the defense of UAC.  Before I do, let me tell you a little story.

    In college 2 years ago, one of my friends needed to use several of the lab computers (which all ran XP) to do some graphics rendering that took hours to perform.  He would set up his program on about 5 or 6 of the machines around 10pm when no one was around and let it run.  Much to his dismay, he found that all of the machines he setup were not running his program the following morning and that all of his work, along with the rendering programs he had installed, was gone.  In fact, it appeared as though the machines reinstalled everything on themselves.  So he stayed up really late to find out what was going on.  He discovered that at 3am every morning a program called Deep Freeze rebooted the machines automatically setting them back to the original image they were installed with and wiping out any programs and files intalled by students.  So my friend wrote a little program in VISUAL BASIC 6.0 that would look for the notification window from Deep Freeze asking if it was OK to reboot and it would automatically click CANCEL before the prompt timed out.  Therefore, my friend's program ran unfettered and he was able to finish his work and no one was the wiser.

    This story may sound funny, but I think all of us can imagine other scenarios where a program could easily trick a user into doing something harmful or could trick the system itself into doing something harmful by looking for and clicking on certain prompts.  

    Thanks to UAC there are several malicious programs that I have peronally witnessed that, while able to totally own an XP box, don't stand a chance on Vista.  I would also like to remind everyone that you could always go back to the way you are supposed to be running your machines which is to log on as a standard user for day-to-day stuff but then LOG OFF AND BACK ON AS ADMINISTRATOR to do admin things.  To me, that is a real pain in the ass as opposed to clicking OK or CANCEL on one little dialog box after taking 3 seconds to read it.

    Honestly, I think some of you are just playing into your annoyances with having to break old habits instead of giving UAC a fair chance and realizing what it does.  And for those of you who want to see less UAC prompts, do yourself a favor:  Instead of bitching to Microsoft all day, try contacting your third party application vendors and demand to know why their checkbook or other little program requires admin rights to run.  You guys know who I'm talking about, right?  The third party vendor whose software you paid more for to run on a dozen machines than all the copies of Windows you run on all your machines put together costs?  The one who you pay $1200 a year for tech support to and they only support a version of their product for two years while MS supports Windows for 10?  Yeah, that guy.

    JamesNT

  • domhal,

    There is nothing wrong with the way UAC is implemented and it is secure by default.  Users that log on with Administrator rights are given two tokens - the admin token and a standard user token.  Anytime the admin token is required you get the UAC prompt.  This is a major convenience as it allows you to make a decision by simply interacting with one prompt that has two buttons instead of having to type in your password every damn time (which I would find to be very annoying).  

    If you want to type in the admin password whenever elevation is needed you can configure Windows to do so by using Group Policy.

    JamesNT

  • xiphi,

    "Given what I just said. There should be a way to have the option of running a program as a standard user. Currently, it's either "Yes" or "No" if you want to run the program. What the options really should be are "Run as Admin", "Run as Standard User", "Don't run the application". UAC was designed with this in mind, but how come it's not implemented in the UI?"

    I would assume because if a program requires admin rights to run, then it will not run without those rights.  In fact, most programs I have seen that require admin rights to run, if you try to use them logged on as a standard user, just crash leaving some weird error message that confuses users.  Also, what sense does "run as standard user" make for a program that was clearly designed to run as admin because it performs some admin task?

    Bringing everything down to a simple yes or no makes things easier for users.

    JamesNT

  • Honestly, UAC has been a godsend to LUA wanting users the world over, which is hillarous when people who claim that running as Admin all the time is a crime, but turn around and say UAC is annoying. Try using XP as a limited account for a week. Then tell me UAC is annoying. It also works better then sudo imo, as it prompts when you need the access rather then telling you access denied, then reminding you to use it.

    Still, the major annoyance anyone had was of course duplication prompts, such as from IE asking if you want to open a file, then UAC asking if you want to give access to that executable, even though IE just asked you about it twice (once to download, once to open). A good solution will fix these problems before touching UAC. But I'm sure the Win7 dev team knows this already.

  • I'd just like to say that I've been using the Win7 Beta for almost a week now, and I love the new UAC.  I've kept it on the default setting, and I'm only prompted when an application needs to elevate.  Changing system settings, copying files to the desktop, deleting files, all run with no prompts.

    Fantastic job on reworking a misunderstood (but needed) Vista feature.

  • The setting second to the last feels about right.  I really like how it just feels like any confirmation dialog now.  I can't figure out how to make it never prompt for certain things, like running a new shell as admin.  It would be nice to be able to just have it do that for me. Overall it has really gotten out of the way and makes the Vista experience much better ;)

  • @xiphi: clearly, when turning off UAC, I'm not running as admin user

    @JamesNT: Thats not my feeling, take installers made by NSIS for example, Vista detects them as installers that need admin access, no matter what. Inno Setup installers are also very admin happy, after unpacking by hand, most of this stuff works 100% as non admin

  • @xiphi: just to make it clear, when UAC is on, yes you have the option of running something or not, but HOW it's run is up to the programmer that made the program, not me. If I want to deny write access to HKLM and no drivers etc. that should be MY choice (and also my fault if the program does not work)

  • Been testing the Windows 7 beta myself for a few days and UAC seems to be much improved over Vista. Not that I had any real issue with UAC in Vista to begin with, but the less prompts I see, the easier my life is.

    That is based on the assumption of course that the protection provided by UAC has not been scaled back in anyway! Assuming the controls are not too onerous, I'll take better security over convenience any day.

  • I've already submitted this via Send Feedback, but running regedit with UAC setting #2, which should only prompt for non-Microsoft software such as installs, displays a UAC prompt.

  • Can you please add "Run as Admin" in the context menu of BAT, CMD, MSI, MSP, VBS, JS, WSH and WSF extensions besides EXE? For file types that are considered executable and in situations where they aren't called by a .EXE, things break with UAC turn on.

  • @nwoolls: regedit might be a MS program, but if it did not prompt, people could do evil things by importing .reg files. The whole manifest approach is wrong IMHO, regedit can only know at runtime if it should elevate or not (I guess this could be worked around by giving it a asInvoker manifest and restarting itself with ShExec(.."RunAs"..) and a special param when a write access to HKLM/HKCR is needed)

  • @nwoolls,

    UAC documentation never states any thing about Microsoft or Non Microsoft software.

    Prompting (or like double cheking with the user) for RegEdit is a safe thing to do. It will take me a day at the max to write a bot to launch regedit, do all harmful things and close it, even faster than a user can notice it..

  • I second people asking for an option to run any software asking for admin rights (thus evoking UAC prompt) as a standard user rights. As Anders puts that, if the program fails then its users headache.

    But user should get a chance to run it as standard user until the actual developer (or company) updates the software to run in both modes.

  • UAC in Windows 7 beta 1 is ALOT more better than UAC in Vista. One notification - not two.

    One issue with compatibility is that Windows soes not notify when a program tries to do things it is not allowed to (Because of UAC), and therefore the program crashes.

    I don't like that we must restart our computer to disable/enable UAC.

    But, the UAC is much more improoved and not so much anoying like in Windows Vista.

    Martin

Page 2 of 4 (59 items) 1234