User Account Control
UAC confirmation dialog
UAC credentials dialog

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista operating system. It aims to improve the security of Windows by limiting applications to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware is kept from receiving the privileges necessary to wreak havoc on the operating system.


In other words, with UAC a user may have administrator privileges, but an application that that user runs does not unless it is approved beforehand or the user explicitly authorizes it to have higher privileges.


UAC will usually prompt the user for additional privileges automatically, but the user can also right-click a program and click "Run as administrator".


Overview

Before Windows XP was released, previous versions of Windows targeted at the consumer audience, such as Windows 95, Windows 98 and Windows Me, were all operating systems where the user had super user rights despite multi-user capabilities. Windows XP on the other hand was a multi-user operating system based on Windows NT. This allowed for different user levels and permissions.


However, in Windows XP the first user created when installing the operating system is given administrative privileges by default. As such, most users would use this account for everyday use. This meant that all software, including malware, also ran with administrator privileges, giving it full access to the operating system.


Unfortunately, most legacy Windows applications and even new Windows applications were or are not designed to work without full administrator privileges.[1] Running these as a standard user or even as a power user could lead to errors or strange behavior. As such, it was often normal practice to give users full administrator access when running normally.


In contrast, other operating systems, such as Linux and other Unices, have always been designed for multiple users with multiple security levels, so applications have almost always been aware of and compliant with this system.


With Windows Vista, an attempt has been made to embrace more of the Unix user security model, so that actions that can affect the security and stability of the operating system require the input of an administrator name and password before they are executed. If the user is an administrator, by default they are not asked to re-enter their password. Instead, a dialog is shown with the choices to allow or deny the action.


When logging into Windows Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group however, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or "Run as administrator" is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.[2]


Tasks that trigger a UAC prompt

Operating system commands or actions that require administrator rights (and thus are likely to trigger UAC) are marked with the security shield symbol.

Tasks that will trigger a UAC prompt (if UAC is enabled) are typically marked by a 4-color security shield symbol. These tasks include:[3]

  • Right-clicking an application's icon and clicking "Run as administrator"
  • Changes to files in %SystemRoot% or %ProgramFiles%
  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Configuring Parental Controls
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files

Common tasks, such as changing the time zone, do not require administrator privileges.[4] In addition, a number of tasks that required administrator privileges in earlier versions of Windows, such as installing critical Windows updates, no longer do so in Vista.[5]


Features

  • User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is blacked out and temporarily disabled and only the authorization window is highlighted, so that only the elevation UI is presented. This is to prevent spoofing of the UI or the mouse by the application requesting elevation.[6] If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost. It is possible to disable Secure Desktop, though this is inadvisable from a security perspective.[7]
  • Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM).[1] UAC attempts to alleviate this using File and Registry Virtualization, which redirects writes (and subsequent reads) to a per-user location within the user’s profile. For example, if an application attempts to write to “C:\program files\appname\settings.ini” and the user doesn’t have permissions to write to that directory, the write will get redirected to “C:\Users\username\AppData\Local\VirtualStore\Program Files\appname\”.
  • There are a number of configurable UAC settings. It is possible to:[8]
    • Require administrators to re-enter their password for heightened security
    • Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security
    • Disable Admin Approval Mode (UAC prompts for administrators) entirely
  • Command prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user can discern which command prompts are running with elevated privileges.[9]
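
The File and Registry Virtualization redirect described in the list above can be mapped in both directions, which helps when reviewing a profile for per-user shadow copies of machine-wide files. This is an added example, not code from the original article or from Microsoft; the C: drive, the C:\Users profile location and the list of protected roots are assumptions, and the function names are hypothetical.

```python
from pathlib import PureWindowsPath

# Assumption: roots treated as protected for this illustration. The article
# names Program Files as one machine-wide location; C:\Windows stands in for
# the system directories it mentions.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Windows"),
)


def virtualstore_root(username):
    """Per-user VirtualStore directory (profile location is an assumption)."""
    return PureWindowsPath(r"C:\Users") / username / "AppData" / "Local" / "VirtualStore"


def to_virtualstore(path, username):
    """Return where a redirected write to `path` would land, or None."""
    p = PureWindowsPath(path)
    for root in PROTECTED_ROOTS:
        try:
            p.relative_to(root)  # Windows path comparison ignores case
        except ValueError:
            continue
        # Drop the drive anchor and re-root the rest under VirtualStore.
        return virtualstore_root(username).joinpath(*p.parts[1:])
    return None  # not under a protected root: no redirect modelled


def from_virtualstore(path):
    """Return (username, original machine-wide path) for a VirtualStore file."""
    parts = PureWindowsPath(path).parts
    marker = tuple(s.lower() for s in parts[1:2] + parts[3:6])
    if len(parts) < 7 or marker != ("users", "appdata", "local", "virtualstore"):
        return None
    return parts[2], PureWindowsPath(parts[0]).joinpath(*parts[6:])


if __name__ == "__main__":
    # Constructed sample input taken from the article's own example path.
    shadow = to_virtualstore(r"C:\program files\appname\settings.ini", "username")
    print(shadow)
    print(from_virtualstore(shadow))
```

A file found under VirtualStore indicates that a legacy application tried to write to a protected location as a non-elevated user, so the reverse mapping shows which machine-wide file it believed it was changing.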


Requesting elevation

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:

 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
   <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
     <v3:security>
       <v3:requestedPrivileges>
         <v3:requestedExecutionLevel level="highestAvailable" />
       </v3:requestedPrivileges>
     </v3:security>
   </v3:trustInfo>
 </assembly>

Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation.[10] In both highestAvailable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.


A new process with elevated privileges can be spawned from within a .NET application using the "runas" verb. An example using C++/CLI:

 System::Diagnostics::Process^ proc = gcnew System::Diagnostics::Process();
 proc->StartInfo->FileName = "C:\\Windows\\system32\\notepad.exe";
 proc->StartInfo->Verb = "runas"; // Elevate the application
 proc->Start();

In a native Win32 application the same "runas" verb can be added to a ShellExecute() call.[2]

 ShellExecute(0, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);

In the absence of a specific directive stating what privileges the application requests, UAC will apply heuristics to determine whether or not the application needs administrator privileges. For example, if UAC detects that the application is a setup program, in the absence of a manifest it will assume that the application needs administrator privileges.[11]
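
The execution-level rules in this section can be checked mechanically when inventorying which applications will ask for elevation. The following is an added example, not code from the original article or from Microsoft: it reads requestedExecutionLevel from a manifest and models the launch outcome stated above. The function names and outcome labels are hypothetical, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

KNOWN_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed samples: the first mirrors the manifest shown above, the second
# uses a default namespace instead of a prefix, the third has no trustInfo.
PAGE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
    <v3:security><v3:requestedPrivileges>
      <v3:requestedExecutionLevel level="highestAvailable" />
    </v3:requestedPrivileges></v3:security>
  </v3:trustInfo>
</assembly>"""
DEFAULT_NS_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" />
  </requestedPrivileges></security></trustInfo>
</assembly>"""
NO_TRUSTINFO = b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" />'


def requested_level(manifest_xml):
    """Return the requestedExecutionLevel of a manifest, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Tags look like '{namespace}name'; compare the local name so the
        # element is found whichever prefix or default namespace is used.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in KNOWN_LEVELS:
                raise ValueError(f"unexpected level: {level!r}")
            return level
    return None


def launch_outcome(level, is_admin, consent):
    """Model the outcome the article states for each level."""
    if level is None:
        return "heuristics"        # no directive: UAC decides by heuristics
    if level == "asInvoker":
        return "caller-token"      # runs with the token that started it
    if level == "highestAvailable" and not is_admin:
        return "standard-token"    # standard users keep reduced privileges
    if level in ("highestAvailable", "requireAdministrator"):
        return "elevated" if consent else "not-launched"
    raise ValueError(f"unexpected level: {level!r}")


def audit(manifests, is_admin):
    """Map each name to (level, outcome when the prompt is confirmed)."""
    return {name: (lvl := requested_level(xml), launch_outcome(lvl, is_admin, True))
            for name, xml in manifests.items()}


if __name__ == "__main__":
    samples = {"a.exe": PAGE_MANIFEST, "b.exe": DEFAULT_NS_MANIFEST, "c.exe": NO_TRUSTINFO}
    for name, result in audit(samples, is_admin=False).items():
        print(name, result)
```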


Criticism

There have been complaints that UAC notifications slow down various tasks on the computer such as the initial installation of software onto Windows Vista.[12] It is possible to turn off UAC while installing software, and reenable it at a later time.[13] However, this is not recommended: File & Registry Virtualization is only active when UAC is turned on, so with UAC switched off, user settings and configuration files may be installed to a different place (a system directory rather than a user-specific directory) than they would be otherwise.[14]


Speaking of UAC, Yankee Group analyst Andrew Jaquith stated that "while the new security system shows promise, it is far too chatty and annoying."[15] However, this statement was made over six months before Vista was actually released (even before Beta 2 was released). By the time Windows Vista was released in November 2006, Microsoft had drastically reduced the number of operating system tasks that triggered UAC prompts, and added file and registry virtualization to reduce the number of legacy applications that trigger UAC prompts.[1]



References

  1. ^ a b c Charles (2007-03-05). UAC - What. How. Why. (video). Retrieved on 2007-03-23.
  2. ^ a b Kenny Kerr (2006-09-29). Windows Vista for Developers – Part 4 – User Account Control. Retrieved on 2007-03-15.
  3. ^ Bott, Ed (2007-02-02). What triggers User Account Control prompts?.
  4. ^ Allchin, Jim (2007-01-23). Security Features vs. Convenience. Windows Vista Team Blog. Microsoft. Retrieved on 2007-03-04.
  5. ^ User Account Control Overview. Technet.
  6. ^ User Account Control Prompts on the Secure Desktop. UACBlog. MSDN Blogs (2006-05-03). Retrieved on 2007-02-25.
  7. ^ Why you need to be discriminating with those Vista tips.
  8. ^ Chapter 2: Defend Against Malware. Windows Vista Security Guide. Microsoft (2006-11-08). Retrieved on 2007-03-15.
  9. ^ Administrator Marking for Command Prompt. UACBlog. MSDN Blogs (2006-08-01). Retrieved on 2006-08-07.
  10. ^ Mike Carlisle (2007-03-10). Making Your Application UAC Aware. The Code Project. Retrieved on 2007-03-15.
  11. ^ Understanding and Configuring User Account Control in Windows Vista. Microsoft. Retrieved on 2007-07-05.
  12. ^ Disabling the UAC feature (2007-03-10). Retrieved on 2007-03-10.
  13. ^ Windows Vista upgrade power tips.
  14. ^ Bott, Ed (2007-02-02). Why you need to be discriminating with those Vista tips. Ed Bott's Windows Expertise. Retrieved on 2007-07-05.
  15. ^ Evers, Joris (2006-05-07). Report: Vista to hit anti-spyware, firewall markets. ZDNet News. CNet. Retrieved on 2007-01-21.


The Wikipedia article included on this page is licensed under the GFDL.