User Account Control

• Windows 1.0x–3.11 and Windows 9x: all applications had privileges equivalent to the operating system; • All versions of Windows NT up to, and including, Windows XP and Windows Server 2003: introduced multiple user-accounts, but in practice most users continued to function as an administrator for their normal operations. Further, some applications would require that the user be an administrator for some or all of their functions to work. • Windows Vista and Windows Server 2008: Microsoft developed Vista security firstly from the Limited User Account (LUA), then renamed the concept to User Account Protection (UAP) before finally shipping User Account Control (UAC). Introduced in Windows Vista, User Account Control (UAC) offers an approach to encourage "super-user when necessary". The key to UAC lies in its ability to elevate privileges without changing the user context (user "Bob" is still user "Bob"). As always, it is difficult to introduce new security features without breaking compatibility with existing applications. • When someone logs into Vista as a standard user, the system sets up a logon session and assigns a token containing only the most basic privileges. In this way, the new logon session cannot make changes that would affect the entire system. • When a person logs in as a user with membership in the Administrators group, the system assigns two separate tokens: the first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. • User applications, including the Windows Shell, then start with the restricted token, resulting in a reduced-privilege environment – even when running under an Administrator account. • When an application requests higher privileges or when a user selects a "Run as administrator" option, UAC will prompt standard users to enter the credentials of an Administrator account and prompt Administrators for confirmation and, if consent is given, continue or start the process using an unrestricted token. • Windows 7 and Windows Server 2008 R2: Microsoft included a user interface to change User Account Control settings, and introduced one new notification mode: the default setting. By default, UAC does not prompt for consent when users make changes to Windows settings that require elevated permission through programs stored in %SystemRoot% and digitally signed by Microsoft. Programs that require permission to run still trigger a prompt. Other User Account Control settings that can be changed through the new UI could have been accessed through the registry in Windows Vista. • Windows 8/8.1 and Windows Server 2012/R2: add a design change. When UAC is triggered, all applications and the taskbar are hidden when the desktop is dimmed. • Windows 10 and Windows Server 2016-2022: early versions have the same layout as Windows 8 and 8.1. The Anniversary Update (including Windows Server 2016, which is based on said update) adds a more modern look, along with support for dark mode. Also, Windows 10 adds support for Windows Hello in the User Account Control dialog box. • Windows 11 and Windows Server 2025: has mostly the same layout as in later versions of Windows 10, but with visual changes that match the rest of the operating system's new look and feel. ==Tasks that trigger a UAC prompt==

Tasks that require administrator privileges will trigger a UAC prompt (if UAC is enabled); they are typically marked by a security shield icon with the 4 colors of the Windows logo (in Vista and Windows Server 2008) or with two panels yellow and two blue (Windows 7, Windows Server 2008 R2 and later). In the case of executable files, the icon will have a security shield overlay. The following tasks require administrator privileges: • Running an Application as an Administrator • Changes to system-wide settings • Changes to files in folders that standard users don't have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases) • Changes to an access control list (ACL), commonly referred to as file or folder permissions • Installing and uninstalling applications outside of: • The %USERPROFILE% (e.g. C:\Users\{logged in user}) folder and its sub-folders. • Most of the time this is in %APPDATA%. (e.g. C:\Users\{logged in user}\AppData), by default, this is a hidden folder. • Chrome's and Firefox's installer ask for admin rights during install, if given, Chrome will install in the Program Files folder and be usable for all users, if denied, Chrome will install in the %APPDATA% folder instead and only be usable by the current user. • The Microsoft Store. • The folder of the installer and its sub-folders. • Steam installs its games in the /steamapps/ sub-folder, thus not prompting UAC. Some games require prerequisites to be installed, which may prompt UAC. • Installing device drivers • Installing ActiveX controls • Changing settings for Windows Firewall • Changing UAC settings • Configuring Windows Update • Adding or removing user accounts • Changing a user's account name or type • Turning on Guest account (Windows 7 to 8.1) • Turning on network discovery, file and printer sharing, Public folder sharing, turning off password protected sharing or turning on media streaming • Configuring Parental Controls (in Windows 7) or Family Safety (Windows 8.1) • Running Task Scheduler • Backing up and restoring folders and files • Merging and deleting network locations • Turning on or cleaning logging in Remote Access Preferences • Running Color Calibration • Changing remote, system protection or advanced system settings • Restoring backed-up system files • Viewing or changing another user's folders and files • Running Disk Defragmenter, System Restore or Windows Easy Transfer (Windows 7 to 8.1) • Running Registry Editor • Running the Windows Experience Index assessment • Troubleshoot audio recording and playing, hardware / devices and power use • Change power settings, turning off Windows features, uninstall, change or repair a program • Change date and time and synchronizing with an Internet time server • Installing and uninstalling display languages • Change Ease of Access administrative settings Common tasks, such as changing the time zone, do not require administrator privileges{{cite web |url=http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx |title=Security Features vs. Convenience |work=Windows Vista Team Blog |publisher=Microsoft |last=Allchin ==Features==

User Account Control asks for credentials in a Secure Desktop mode, where the entire screen is temporarily dimmed, Windows Aero disabled, and only the authorization window at full brightness, to present only the elevation user interface (UI). Normal applications cannot interact with the Secure Desktop. This helps prevent spoofing, such as overlaying different text or graphics on top of the elevation request, or tweaking the mouse pointer to click the confirmation button when that's not what the user intended. If an administrative activity comes from a minimized application, the secure desktop request will also be minimized so as to prevent the focus from being lost. It is possible to disable Secure Desktop, though this is inadvisable from a security perspective. • Require administrators to re-enter their password for heightened security, • Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security; • Disable only file and registry virtualization • Disable Admin Approval Mode (UAC prompts for administrators) entirely; note that, while this disables the UAC confirmation dialogs, it does not disable Windows' built-in LUA feature, which means that users, even those marked as administrators, are still limited users with no true administrative access. Command Prompt windows that are running elevated will prefix the title of the window with the word "Administrator", so that a user can discern which instances are running with elevated privileges. A distinction is made between elevation requests from a signed executable and an unsigned executable; and if the former, whether the publisher is 'Windows Vista'. The color, icon, and wording of the prompts are different in each case; for example, attempting to convey a greater sense of warning if the executable is unsigned than if not. Internet Explorer 7's "Protected Mode" feature uses UAC to run with a 'low' integrity level (a Standard user token has an integrity level of 'medium'; an elevated (Administrator) token has an integrity level of 'high'). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC. Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system. ==Requesting elevation==

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context: Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation. If elevation is not required, a success return code will be returned at which point one can use TerminateProcess() on the newly created, suspended process. This will not allow one to detect that an executable requires elevation if one is already executing in an elevated process, however. A new process with elevated privileges can be spawned from within a .NET application using the "runas" verb. An example using C#: System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "C:\\Windows\\system32\\notepad.exe"; proc.StartInfo.Verb = "runas"; // Elevate the application proc.StartInfo.UseShellExecute = true; proc.Start(); In a native Win32 application the same "runas" verb can be added to a ShellExecute() or ShellExecuteEx() call: ==Security==

UAC is a convenience feature; it neither introduces a security boundary nor prevents execution of malware. Leo Davidson discovered that Microsoft weakened UAC in Windows 7 through exemption of about 70 Windows programs from displaying a UAC prompt and presented a proof of concept for a privilege escalation. Stefan Kanthak presented a proof of concept for a privilege escalation via UAC's installer detection and IExpress installers. Stefan Kanthak presented another proof of concept for arbitrary code execution as well as privilege escalation via UAC's auto-elevation and binary planting. ==Criticism==

There have been complaints that UAC notifications slow down various tasks on the computer such as the initial installation of software onto Windows Vista. It is possible to turn off UAC while installing software, and re-enable it at a later time. By the time Windows Vista was released in November 2006, Microsoft had drastically reduced the number of operating system tasks that triggered UAC prompts, and added file and registry virtualization to reduce the number of legacy applications that triggered UAC prompts. In response to these criticisms, Microsoft altered UAC activity in Windows 7. For example, by default users are not prompted to confirm many actions initiated with the mouse and keyboard alone such as operating Control Panel applets. In a controversial article, New York Times Gadgetwise writer Paul Boutin said "Turn off Vista's overly protective User Account Control. Those pop-ups are like having your mother hover over your shoulder while you work." Computerworld journalist Preston Gralla described the NYT article as "...one of the worst pieces of technical advice ever issued." ==See also==