Welcome to our blog dedicated to the engineering of Microsoft Windows 7
There’s been a ton of interest in how we have improved user account control (UAC) and so we thought we’d offer a quick update for folks. We know most of you have discovered this and picked a setting that works for you, and we're happy with the feedback we've seen. This just goes into the details on the choice of defaults. --Steven
In an earlier blog post we discussed the why of UAC and its implications for Windows, the ecosystem, and our customers. We also talked about what we needed to do moving forward to address the data and feedback we’ve received. This blog post will provide additional detail on our response and what you can expect to see in the upcoming beta build in early 2009.
As mentioned in our previous post, and your comments supported this, the goals for UAC are good and important ones. User Account Control was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. It is important not to abandon these goals. Instead, we want to address the feedback we’ve received and build on the telemetry we have, using both to improve the overall experience without losing sight of the goals with which we agree.
For those of you using 6801 you have started to see the benefits of prompt reduction and our new and improved dialog designs. You also have seen our efforts to give the user greater control of their system – the new UAC Control Panel. The administrator now has more control over the level of notification received from UAC. Look for the UAC Control Panel to appear in Start Search, Action Center, Getting Started, and even directly from the UAC prompt itself. Of course, the familiar ways to access it from Vista are still present.
Figure 1: UAC Control Panel
The UAC Control Panel enables you to choose between four different settings:
We know from the feedback we’ve received that our customers are looking for a better balance of control versus the number of notifications they see. As we mentioned in our last post, we have a large number of admin (aka developer) customers looking for this balance, and our data shows us that most machines (75%) run with a single account with full admin privileges.
Figure 2. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.
For the in-box default, we are focusing on these customers, and we have chosen number 2, “Notify me only when programs try to make changes to my computer”. This setting does not prompt when you change Windows settings (control panels, etc.), but instead enables you to focus on administrative changes being requested by non-Windows applications (like installing new software). For people who want greater control in changing Windows settings frequently, without the additional notifications, this setting results in fewer overall prompts and enables customers to zero in on the key remaining notifications that they do see.
This default setting provides the degree of change notification that a broad range of customers desire. At the same time, we’ve made it easy and readily discoverable for the administrator to adjust the setting to provide more or fewer notifications via the new control panel (and policy). As with all of our default choices, we will continue to closely monitor the feedback and data that come in through beta before finalizing for ship.
--UAC, Kernel, and Security program managers
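The post says the notification level can be adjusted through the new control panel and through policy. As an added example (not code from the post or from Microsoft), this PowerShell script reads the UAC policy values from the registry and reports which level a machine is on, so an administrator can check that a machine has not drifted to a quieter setting than intended. The value names `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` and their mapping to the levels are not given in the post; they are assumptions taken from the documented UAC policy settings, and the level descriptions other than number 2 are paraphrases.

```powershell
# Added example: classify UAC policy values into the notification levels.
# Assumption: the three value names below live under this policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)

    # EnableLUA = 0 switches UAC off entirely, whatever the other values say.
    if ($EnableLUA -eq 0) {
        return 'Never notify (UAC disabled, no prompts at all)'
    }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify (administrators elevate silently)' }
        2 { return 'Always notify (prompts for Windows settings changes too)' }
        5 {
            if ($PromptOnSecureDesktop -eq 1) {
                return 'Default, number 2 in the post: prompt for non-Windows programs, on the secure desktop'
            }
            return 'Prompt for non-Windows programs, without switching to the secure desktop'
        }
        default { return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin)" }
    }
}

# Constructed sample values, so the classification can be checked on any machine.
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacLevel @s }

# Live check on the local machine. A value that is absent reads as 0 here.
if (Test-Path $PolicyKey) {
    $p = Get-ItemProperty -Path $PolicyKey
    $level = Get-UacLevel -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
    "This machine: $level"
}
```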
I'm also interested to know how Windows differentiates between mouse and keystrokes coming directly from a user and those coming from a program.
In Vista it did not matter since every action that triggered UAC switched to the secure desktop, so only something running in the secure desktop could acknowledge the UAC prompt. However, in Win7 many things that would trigger UAC in Vista no longer do. For example you can create a new administrator without triggering a UAC prompt.
However, I noticed that the sendkeys method in VBscript does not seem to work with mmc for example. I think that is good, but I'm curious how it was done. Also what are the risks of someone being able to bypass UAC in Win7 by simulating user input.
Overall I'm pleased with the improvements in UAC. This is probably what people were hoping for when they complained about UAC prompts being too intrusive in beta 1 of Vista.
"It also works better than sudo imo, as it prompts when you need the access rather than telling you access denied, then reminding you to use it."
"One issue with compatibility is that Windows does not notify when a program tries to do things it is not allowed to (Because of UAC), and therefore the program crashes."
Why not show a UAC prompt when the running program requires admin rights to continue? For example, when the administrator wants to save the changes to a text file in another user's Documents. Instead of coming up with an error, why are programs not given a way to request for admin rights when they need it? It could be in the same way like how Windows prompts you about writing into a restricted folder.
I think the UAC and secure desktop are a great idea, but I am a little more adept at working with computers than some of the people that I deal with.
As a MS partner I understand the need for security, but face it, even the most adept small business owner does not want to answer prompts to run a piece of software.
Please make it so I can continue selling MS Solutions, I actually have a customer who wants to switch to Apple because of UAC.
And as far as the Average User...wow they just want to do those things that empower the repair industry.
As far as that goes, a lot of software is not written correctly as to allow user to install in an elevated state, but I do not think that rewriting all the software that does work in Windows 7 would be economically viable for most developers and software companies in at least the immediate future, maybe you could include a dialog to allow the installation with elevated privilege, because if Joe User happens to modify the Local Security Policy that person will be put at risk and also Windows 7 may not be successful.
Just like in Vista, why does UAC in Windows 7 Build 7000 block the entire screen when displaying its dialog box? That's the most annoying part of UAC. Rather than doing so, UAC's dialog box should act as a child window of the application that requested elevated privileges. If it was meant to prevent hackers from bypassing then it's of no use as it can be done by using SendInput and keybd_event APIs.
@Asesh -- you can read more about the secure desktop http://technet.microsoft.com/en-us/library/cc709628.aspx and learn more about the process/security model of the secure desktop.
Good work with the UAC so far, but I do have some concerns.
I don't know if this has been mentioned before, but there needs to be a checkbox to "remember this program" for the UAC prompts.
I use a program called EVGA Precision which increases the speed of my fan on my videocard. This program is set to automatically start when windows starts. However, I get a UAC prompt every time the program wants to start.
IMO the UAC needs a whitelist like a firewall, or even Microsoft's own popup blocker does in IE. This way the UAC can still be turned on, but then lets the programs in the whitelist run with no problem.
I trust everyone here recognizes the fact that almost none of you will get UAC to do what you want it to do. MS must design and implement UAC with security for the masses in mind - that means your pet idea for how UAC would not annoy you may never happen.
It is an interesting step forward, but it isn't too hard to make the system think code initiated the action instead of the user.
1. when I click "Run as administrator" and run some application, I don't have later clear info, that this application has got admin privileges (it would be good to have something like "(Admin mode)" added to window title)
2. when I run cmd and later chkdsk, it displays, that, that needs admin privileges. Can't it simply display disk info only then ?
3. can't Run window in Start menu have "Run as administrator" option ?
4. there are 4 levels of UAC in 7. But still: what exactly actions are blocked or not on each one ? how does system know, that something was initiated by user or not ?
5. Explorer - it displays the same info, when you try to enter link directory (C:\documents and settings) and when you try to enter directory, where you don't have access (c:\system volume information). BTW, it is very funny for me, that Explorer is not able to enter link directory....
6. there is great SysInternals Suite available on MS page. You have such tool like ProcessExplorer there. I was very surprised, that it's still not used instead of Task Manager. And I'm very surprised - when ran it in limited mode, it can display some info about all processes (at least exe names, cpu usage, etc.). Task Manager needs clicking button "show processes from all users". could you fix it ?
7. I hear a lot about increasing security here. But:
* Windows 7 doesn't allow user to see, if there is some traffic over concrete network interface (yes, in XP it was possible to display animated icon for each card)
* Windows 7 doesn't have option "Disable all network interfaces" in menu for Network Sharing Center displayed near clock
* Windows 7 doesn't display clear, what servers and what ports should be opened for good system work (for example - user doesn't know, if this OK or not, when Windows Update contacts server 192.168.1.1...)
UAC in Windows 7 is much better than in Vista, that is true.
But one thing I did not understand in Vista, that still does not work in Windows 7 Beta is inability to do drag&drop between a non-elevated app and elevated one.
For example, if I run Visual Studio as elevated user, I cannot drag files from Windows Explorer in it. At the same time, the same files are easily (not so easily as with drag&drop though) opened via the File->Open command.
Clipboard is also accessible by both elevated and non-elevated processes.
What is so secure in disabling drag&drop?
What's the big deal about UAC? It takes 1 second to click "OK" yet gives many hours of peace of mind!
UAC is annoying sob, so I turn it off, but that's my choice. I'm glad it's there, it keeps people who don't know what they are doing from doing harm. I take full responsibility for my own actions, if I screw up my system it's my fault, because I have it set that way. It's real simple, the only gripe I still have with windows 7 is not being a true administrator, that should be an option along with turning off UAC. I should not have to right click to run as an administrator if I so desire. Microsoft could have a little disclaimer stating that I understand that I am responsible for this action. Great job keep up the work.
P.S. Allow access to the tool bars, menu bars, command bar has nothing to do with UAC, just would like to see Microsoft allow this control like we had in XP
There are still a few unresolved niggles about UAC. Yes, Win7 makes it much more pleasant to use, but it doesn't really fix the most obvious security problem with it.
People are perfectly capable of clicking 'yes' out of habit without even noticing that there was a popup, much less what it actually said.
That's why the trial version of WinZip shuffles the position of the "yes" and "no" buttons every time you launch it, to force the user to stop and pay attention.
And arguably, requiring a password, rather than a "ok" would have something of the same effect - which leads me to wonder why Win7 creates an admin account by default. Wasn't the entire point in UAC that this would no longer be necessary?
And yet, Win7 still puts everyone in an admin account, and merely asks you to click "ok" to any UAC prompt. Which people obviously do, because why wouldn't they? How would they know when to click no? Why would they even take the time to read the prompt, when they're used to clicking "ok" anyway?
And the other problem: You really need an option 2.5 in the above list, and it could easily replace both 2 and 3.
Yes, it's a good thing that software can not tamper with the UAC prompt. That's a point in #2's favor. But no, switching desktop is a pain. Locking me out of every other app I'm using is absolute overkill. Those are points in #3's favor.
So what you need is a secure popup. Not an entire desktop, but a way to ensure that the windows belonging to this particular process can not be tampered with. That means I can continue using my web browser or whatever other apps I'm running, even when something comes up with a UAC prompt. Even if it asks me for a password and the sysadmin isn't around to provide it.
It also means we get rid of the delay in switching desktops.
The whole "secure desktop" deal just seems like a badly thought out hack. "We need security. We already have the ability to have multiple desktops. I guess we'll hijack another desktop then, and switch to/from that".
Great, it saved you a fair bit of work in Vista, which was plenty delayed already. But it's not really a good solution in the long run.