Introduction To UAC





Ever since Windows Vista came around, a security feature called UAC has made its way into the OS. When UAC came around, people were annoyed by it, and they disable it on a regular basis.

Yet it wasn't developed for nothing. Windows was never designed as a true multi-user OS. Usually, you were logged in as an administrator to do stuff; switching accounts just to install some software was just too annoying.

Windows XP with 'Run as another user'

Yet there was a way. You could make yourself a standard-level account and use that; running special apps as an admin when needed. But who actually did that?

Instead, you ended up operating as the system's admin. No one asked you whether you wanted to give that program you just ran permissions over your entire OS. So viruses came around and ripped up your PC to shit. Then antimalware programs came. Then it became a huge fuckup of a fight between your antimalware program and other software.





Microsoft's Solution





So Microsoft (as strange as it sounds) actually developed a solution (well at least a partial one, anyway) for their shiny new Windows Vista. This was called UAC - User Account Control.



UAC was designed to make your OS more secure by running all apps as a standard user - even if you were an admin. If a program either requested admin privileges or wished to make changes to the protected areas of the system, it could request those permissions. You then had to either enter the name and password of an admin (when logged in as a standard user) or click the YES/NO button (when already an admin) to confirm your choice. You can also authenticate with a fingerprint scanner, a retina scanner or Windows Hello.



That is what most people noticed, anyway. It actually does a lot more than that. Let's see what it actually does.













1. Secure Desktop

So let's imagine a situation. We've just downloaded a file. It is an installer file. Great! Let's run it.





That prompt appears and our screen dims. What's going on is that the system actually switches the desktop into 'Secure Desktop Mode'. This is a specialized desktop that is protected against other applications, so that a standard application (for example a virus) cannot overlay any text or graphics on top of the prompt and trick you into pressing YES instead of NO. It should also help to protect against keyloggers.





Secure Desktop

Windows also checks the certificate of the app. If it's signed, you can also open some hidden windows about the certificate by clicking the 'Show more details' button. This lets you easily check visually whether the app is safe.





You have limited control on this desktop. It's supposed to be safe and protect you. It should be safe and protect you. It's a good thing to have.





There was another app in Windows that used Secure Desktop by default, called 'Windows CardSpace'. It was an app used for keeping track of your credentials and contacts in Windows 7. Deprecated and gone now, although it wasn't bad back then.





KeePass uses the Secure Desktop as well, I believe.





Internet Explorer 7 actually ran effectively as a sandboxed app, thanks to UAC. It was pretty secure in that regard.





So anyway, back to our app, let's allow it to run. The app gets administrator privileges and we install it.





2. File and Registry Virtualization

Another feature of the UAC system helps old apps run well. Usually, old apps wrote many of their files into system directories, such as Program Files. When such an attempt is made and the application (only 32-bit apps bro') is not running with admin privileges, these writes get redirected from the system directory to the $USER directory (e.g. from C:\Program Files -> C:\Users\daiman).





A cool feature, right?
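To see which legacy apps have actually been redirected on a machine, you can walk the per-user VirtualStore, which is where Windows keeps the redirected files (%LOCALAPPDATA%\VirtualStore) and registry keys. This is an added example, not part of the original post; the function name Get-VirtualizedItem is made up for it.

```powershell
# Added example: list what UAC virtualization has redirected for the current user.
# Get-VirtualizedItem is a name chosen for this example, not a built-in cmdlet.
function Get-VirtualizedItem {
    [CmdletBinding()]
    param(
        # Per-user store for redirected file writes.
        [string]$FileStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        # Per-user store for redirected HKLM\SOFTWARE writes.
        [string]$RegStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    )

    if (Test-Path -LiteralPath $FileStore) {
        $root = (Get-Item -LiteralPath $FileStore -Force).FullName.TrimEnd('\')
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The path below the store mirrors the path on the system drive.
                $relative = $_.FullName.Substring($root.Length).TrimStart('\')
                [pscustomobject]@{
                    Kind     = 'File'
                    Intended = Join-Path ($env:SystemDrive + '\') $relative
                    Actual   = $_.FullName
                }
            }
    }

    if (Test-Path -LiteralPath $RegStore) {
        Get-ChildItem -LiteralPath $RegStore -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind     = 'Registry'
                    # Rewrite the store prefix back to the key the app asked for.
                    Intended = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKLM\'
                    Actual   = $_.Name
                }
            }
    }
}

Get-VirtualizedItem | Sort-Object Kind, Intended | Format-Table -AutoSize
```

An empty result just means no app has been virtualized for that user yet.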

















3. Blocking Shit Employees Can Run





You can also block certain apps from running through the Group Policy editor. Pretty handy if you want your employees to stay on the secure-r side of things and make your job easier.





UAC Settings

So now everyone loves to set up their UAC - meaning to turn the shit off. Great fucking idea.





You can configure UAC with 4 different levels of security.





UAC settings

The top-most level was the default one in Windows Vista.





By default, UAC doesn't require authentication from apps that reside in the %SystemRoot% directory and are digitally signed by Microsoft. In Windows Vista, it notified you even when running such apps. Now it doesn't.





The second level is the default one. Use that.





The third level disables Secure Desktop. Useful maybe on a virtual machine, if the switching takes aeons.





The fourth level (the bottom one) disables pretty much everything I talked about on this page and makes your system like a Windows XP one. Great fucking choice, isn't it?
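If you look after more than one machine, you can check which of these levels is in effect without opening the slider, because it is stored in three registry values. The following is an added example, not part of the original post; the value names are Windows' own, while the function name Get-UacSliderLevel and the NeedsReview field are made up for it.

```powershell
# Added example: map the UAC policy values to the slider levels described above.
# Get-UacSliderLevel is a name chosen for this example, not a built-in cmdlet.
function Get-UacSliderLevel {
    [CmdletBinding()]
    param(
        # Key that holds the machine-wide UAC settings.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Assumes all three values exist, as they do on a stock install.
    $p = Get-ItemProperty -LiteralPath $Path -ErrorAction Stop
    $lua     = [int]$p.EnableLUA                   # 0 = UAC switched off entirely
    $consent = [int]$p.ConsentPromptBehaviorAdmin  # how administrators are prompted
    $secure  = [int]$p.PromptOnSecureDesktop       # 1 = prompt on the Secure Desktop

    $level = if ($lua -eq 0) {
        'UAC disabled (EnableLUA = 0)'
    } elseif ($consent -eq 0) {
        '4 - never notify'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        '1 - always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        '2 - default'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        '3 - default without Secure Desktop'
    } else {
        'custom (set through policy, not the slider)'
    }

    # Flag everything except the top two slider positions for a closer look.
    $needsReview = $level -notmatch '^[12] '

    [pscustomobject]@{
        Level                      = $level
        EnableLUA                  = $lua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        NeedsReview                = $needsReview
    }
}

Get-UacSliderLevel | Format-List
```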





Conclusion

Microsoft made it as convenient as possible. Yet people are so lazy and ignorant they actually dig themselves a grave and then complain they get viruses.





So yah if you want to disable UAC - go right ahead. Good for you. Security will never be convenient. Never. That is the point of being secure.





On UNIX systems, you have to put in your password to do pretty much anything. It's normal. No one complains. Because people using UNIX actually understand why they have to put their password in (most do anyway). Good thing now you do too.







I used pictures of other websites purely for demonstration purposes. It's kind of impossible to screenshot secure desktop.











