preinstalled tend to be a lot happier than those who upgraded from XP, especially those who failed to run the upgrade advisor. The same is true of . Even after following all advice from the Windows 7 Upgrade Advisor, I still had to jump through hoops to re-enable my connection to PCMag's Virtual Private Network after upgrading from Vista.

Even the biggest Vista fans, the ones who've never experienced any upgrade tribulations, have to admit that User Account Control (UAC) can be a pain in the neck. Fortunately Microsoft made some significant improvements in it for Windows 7.

Why User Account Control?

Vista was designed to be significantly more secure than XP, and UAC is a cornerstone of its security scheme. The point of UAC is to make sure no system-level changes occur without an Administrator's permission. Even if you normally use an Administrator account, all of your day-to-day activity happens at the low-privilege Standard level. Before a nasty virus (or a useful application) can do something potentially dangerous like writing to the Windows folder, it has to get permission.

UAC pop-ups in Vista are especially shocking because of what's called "secure desktop mode." The screen blanks out briefly, then everything except the UAC pop-up goes dim. Anything else you were doing is out of reach until you respond to the pop-up. This prevents sneaky programs from meddling with the UAC dialog, but it can be an unpleasant shock.

Less frightening but equally annoying is the "I just told you!" scenario. You launch a program and UAC immediately asks if you want to run this program. D'oh! Of course you do! Users can really get steamed about this, even Administrator users who merely have to click Yes. Imagine the frustration of a Standard user who must type an Administrator password or (more likely) go track down a supervisor to enter the password. One time in a thousand this precaution might prevent a malicious program from launching, assuming (and it's a big assumption) that the user was alert enough to choose No. The other 999 times it's just a pain.

In the Engineering Windows 7 blog, Microsoft's engineers trot out the notion that requiring a UAC confirmation for every sensitive action is good, because it "forces malware or poorly written software to show itself and get your approval before it can potentially harm the system." That same rationale gave us old-style (and now obsolete) personal firewalls that deluged us with incomprehensible pop-up queriesugh!

In fact, Microsoft's designers admit that UAC can't really keep out malware, because users don't know enough to correctly respond to its prompts. Most users just click Yes and allow the program to do what it was going to anyhow. Microsoft's own figures show that users click Yes about 90 percent of the time. That's usually the correct answer, but Joe User can't distinguish a scary UAC prompt about a perfectly valid program from a scary UAC prompt about a malware attack.

Big Ideas

In the Windows 9 blog, Microsoft Engineers congratulate themselves on the fact that UAC has made program developers leery of techniques that unnecessarily require Administrator privilege. (Thanks, guys, but couldn't you have found a way to whip developers into line without torturing users?) Eventually, though, they fess up to UAC's problems. For example, their research shows that Windows itself accounts for about 40 percent of all UAC prompts. No, really! A Windows component tries to do something important and UAC stops it until you give the okay. They say we "can expect fewer prompts from Windows components" in Windows 7. Their goals for improvement with Windows 7 were to:

Reduce unnecessary and redundant UAC queries

Make customers confident that they're in control

Make UAC prompts more informative

Offer better and more obvious control over UAC

The beta showed some progress toward these goals and the Release Candidate even more. UAC in the final Windows 7 is significantly less irksome that of Vista.

Clearer Choices

Where a Vista UAC prompt announces "Windows needs your permission to continue," Windows 7 may ask, "Do you want to allow the following program to make changes to this computer?" or "You'll need to provide administrator permission to rename this folder." Microsoft says focus groups showed these modified messages are easier to understand.

Vista users had the option to shut down UAC; Windows 7 offers alternatives short of total shutdown. By tweaking a simple slider, users can select from four different notification levels. From the most to the least restrictive, they are:

Level 4. Always notify me when programs try to install software or make changes to my computer and when I make changes to Windows settings.

Level 3. Notify me only when programs try to make changes to my computer. Don't notify me when I make changes to Windows settings.

Level 2. Notify me only when programs try to make changes to my computer (do not dim my desktop). Don't notify me when I make changes to Windows settings.

Level 1. Never notify me when programs try to install software or make changes to my computer or when I make changes to Windows settings.

Level 3 is the default. At this level, program-initiated system changes trigger UAC prompts, but configuration changes made by the user do not. Crank it up to level 4, and even user-initiated changes can trigger UAC, as in Vista. Level 2 is the same as level 3, except that it doesn't dim the desktop. That makes it less shocking, but without the benefit of the secure desktop there's a faint possibility that malware could finagle its way into the process and interfere with UAC.

I used to think that level 1 meant UAC is off, but the Help clarifies that it only turns off the pop-ups. For Administrator users, all programsgood and badcan make system changes without hindrance. For Standard users, any action that would have triggered a UAC pop-up will just fail silently. Ouch!

A Microsoft user study revealed that users who got more than one UAC prompt during a Windows session were a lot more likely to report the prompts as irritating. (I could have told them that.) They also found no measurable difference in malware defense between levels 3 and 4. That's why they chose the less-strict level 3 as the default, and that's why you should leave it set to the default.

Resisting Key Stuffing

Earlier this year, security experts reported that the UAC settings dialog in Windows 7 beta was vulnerable to attack. If the UAC level was set to anything but the maximum, a user-mode program could turn it entirely off by "key stuffing"sending simulated keystrokes to the UAC control dialog. Security Watch blogger Larry Seltzer points out that this attack only works if you're running in Administrator mode. UAC is supposed to encourage everyone to run as a Standard user. Seltzer goes on to note that the same sort of attack could do a lot more damage if applied to other Control Panel applets. Microsoft didn't ignore the problem, but fixed it by forcing the UAC dialog to run as a high-integrity process which, they say, "prevents all the mechanics around SendKeys and the like from working." It seems to be true; the UAC settings dialog completely ignored a small program I wrote to send fake keystrokes and mouse clicks. I'd still be happier if any attempt to lower the protection level would always trigger a UAC pop-up with the desktop dimmedthat would be hard to break.

My UAC Wish List

UAC in Windows 7 is improved, but still somewhat annoying. I don't think it should ever ask whether to allow elevated privileges for a known, valid program, and certainly never for a Windows component. Many security vendors use whitelist databases identifying millions of known good programs; surely Microsoft has the resources to do the same. If it's not a known program, UAC could examine all of its behaviors, not just the fact that it needs elevated privilege, and make a considered decision to allow or block it. Don't foist that responsibility off on the user! Now that would be a classy version of UAC.

The much-maligned Windows Firewall is also showing some new tricks; I'll look at those next.