This post is part 4 of a series about using a limited (standard) account in Windows for everyday activities rather than logging in as a computer administrator all the time. (You may want to read parts 1, 2, and 3 before continuing.)
When Microsoft released Windows Vista, they introduced a new feature: User Account Control (UAC). This basically meant that when you ran certain programs, you would get a message popping up, asking “Are you sure about this?” It’s fair to say that this wasn’t very popular; lots of people acted as though it was the return of Clippy. Quoting from one of Apple’s “I’m a Mac” adverts (YouTube): “He asks me to authorise pretty much anything I do.” However, if you actually understand what UAC is for then it’s quite useful, and I think that Vista is a definite improvement over Windows XP.
In Vista, by default you run all programs as a standard user, even if you’re logged in as an administrator. This is a good thing, because it limits the damage that those programs can do. However, you can still “elevate” programs, by running them with administrator privileges. Windows will recognise that certain programs need elevation, so it will always prompt for them; you can also right-click on a file and choose “Run as administrator” from the context menu.
There are two versions of the elevation prompt:
1) If you are logged in as an administrator, you get a “consent prompt”, where you just have to click “Yes” or “No”.
2) If you are logged in as a standard user, you get a “credential prompt”, where you have to enter a username and password (for an administrator account).
I think that how you react to this will partly depend on your previous habits. If you’re used to running as administrator in XP, where the computer will do everything it’s told without question, the new consent prompts will seem intrusive. On the other hand, if you’re used to running as a limited user in XP, you’ll already be used to taking extra steps to run a program with admin privileges, and the credential prompt makes life a lot easier. It’s similar to the old “Run As…” command in XP, except that it works better, e.g. it can handle mapped network drives. In particular, this makes it much easier to update applications: the program will download the new setup file, then Windows will automatically prompt me for credentials as soon as it runs. This has also been useful for configuring the firewall, e.g. if I install an FTP client then in XP it would be blocked, but in Vista I get prompted to add a new exception the first time I run it.
Whether you view the prompts as good or bad, the other issue is that you shouldn’t see them very often. Quoting from MSDN: “Microsoft’s goal is for customers to understand that applications should not unnecessarily run as an administrator and for users to question any time they are asked to approve an application’s request to run as an administrator. UAC is a fundamental component for helping to achieve this goal.”
For instance, suppose that you get a self-extracting zip file, i.e. an exe file that will unzip a bunch of compressed files when you run it. This shouldn’t require admin privileges, unless you want to put the files into a restricted folder (e.g. under “Program Files”). So, if you’re just extracting these files to your desktop and you get a prompt saying “This program wants full administrator control of your computer”, you should stop and ask why. Is it really doing what you think? If the program shouldn’t need admin privileges, you need to go back to the company that wrote it and ask them to fix it. Going back to the Apple advert, if you get asked to confirm everything that you do then something is seriously wrong!
Having said all that, there are a few quirks to be aware of.
Firstly, the elevation prompt appears in a “secure desktop”, where no other programs can interact with it; this means that you won’t get other programs clicking “Yes” on your behalf. However, there can be a bit of a “ker-chunk” effect when this kicks in, and it feels a bit like changing down to 2nd gear when you’re driving at 50mph. Still, if you’ve got a decent graphics card then it’s not too bad; this is mainly an issue if you’re using embedded VGA, so it’s more likely to affect you at work than at home.
Secondly, you can get repeated messages. When Vista first came out, if you wanted to create a new folder under “Program Files” then you would have to confirm this four times! That’s been fixed now, so if you run Vista with SP2 then you only have to confirm it once. However, you will ideally create new folders by using a setup program rather than doing it manually, so this was never much of an issue for me anyway.
Thirdly, Vista doesn’t always identify when programs need admin privileges. For instance, suppose that you want to edit C:\Windows\ODBC.INI. If you double click on it, it will open in Notepad (without an elevation prompt), and you can make whatever changes you like. However, if you try to save it then you get an error message, even if you’re logged into Windows as an administrator. So, you need to explicitly run Notepad as administrator and browse for the file you want; you will then be able to save it. This should be a fairly rare situation, but I’ve seen a couple of people get caught out by it.
Exchange 2007 provides another example of that third point: you have to run the Exchange Management Console as administrator (i.e. it will prompt you every time), but you can run the Exchange Management Shell (EMS) as a standard user. Unfortunately, you can’t do much in the EMS without admin privileges, and the error messages can be pretty cryptic if you forget to run it as administrator. This leads some people (e.g. this blog) to overreact, by saying that the best solution is to disable UAC altogether.
I think that UAC is a bit like the warning light in modern cars that tells you if you haven’t done up your seatbelt. There are a few different ways to react to this.
* The classic car enthusiast: “Bah, old Bessie here never nags me about that, it’s just these new fangled cars, dagnabbit!”
(Computer equivalent: “Vista sucks, I’ll stick with XP!”)
* The mechanic: “Nah, mate, it’s easy – just open the bonnet, unplug this wire, then the alarm won’t go off any more.”
(Computer equivalent: “I can’t get things working with UAC, so I’ll disable it.”)
* The careful driver: “Clunk, click, every trip! If I plug my seatbelt in, the warning light goes away.”
(Computer equivalent: “I’d rather solve the problem than mask the symptom.”)
If you use UAC, you have to decide whether your main account will be standard or administrator. In theory you get the same protection either way, but an admin account means that you don’t have to keep retyping your password, so that seems like the best choice. However, I still keep separate accounts; I feel better knowing that applications can’t elevate unless I actually type in the admin password. Jesper Johansson has written more about this on his blog (Confusion about Vista Features: What UAC Really Is):
Good: Run in admin-approval mode
Better: Run as standard user and elevate to separate admin account
Best: Run as standard user and switch user to a separate admin account instead of using UAC to elevate
(I also recommend Jesper’s books for general advice about Windows security.)
Mind you, there’s more to UAC then just prompts: it also includes file and registry virtualization, to help run older programs. (There’s more detail at MSDN: New UAC Technologies for Windows Vista.) As a standard user, you can’t modify registry keys under HKEY_LOCAL_MACHINE and you can’t modify files under “C:Program Files”, so virtualization gives you a private copy of them. For instance, if I run an application, and it tries to create the file “C:\Program Files\Foobar\Settings.ini”, Vista will actually create a file called “C:\Users\John\AppData\Local\VirtualStore\Program Files\Foobar\Settings.ini”.
This is something of a mixed blessing. If you’re running a program on your home PC, and you’re the only one who uses it, this means that it will work fine without needing admin privileges, so it will actually behave better than it did on XP. However, if you run a program at work, each person who logs in will (silently) get their own private copy of the data files and registry settings. If this program is accounting software, it could lead to nasty consequences where several people enter data but none of them see each other’s changes. Again, the real solution is for the software vendor to fix their applications, but it’s certainly worth being aware of this feature.
This virtualization only applies to older programs that aren’t “UAC aware”. If an application has a “manifest” with UAC settings then no virtualization takes place, and you’ll get an error if you try to modify parts of the registry or file system that are read-only. If you create a program in Visual Studio 2008, it will automatically get a manifest, although it’s invisible until you click “View UAC Settings”. (You can then specify whether this program needs to run as administrator.) In the longer term, Microsoft may remove this virtualization from future versions of Windows, and then applications without manifests may not run at all. Anyway, I definitely recommend creating a manifest for all new programs.
Windows 7 is much the same as Vista, but there are a couple of extra options for UAC, i.e. you can be a bit more selective about when it prompts you. Mark Russinovich has written more about that at TechNet (Inside Windows 7 User Account Control), although the options have changed a bit since then. Basically, Windows can now “auto-elevate” its own executables (if you allow it to). However, this is only relevant if you’re logged in as an administrator; a standard user will still need to enter admin credentials to run those programs. Also, you can now choose to put the elevation prompt on the existing desktop: that’s quicker, but less secure. Personally, I think it’s best to stick with the Vista behaviour (“Always notify on every system change”).
In part 5, I’ll briefly cover a few other technologies that work in conjunction with LUA to protect your computer.