What is UAC?

Mar 4, 2009

If you are VISTA user then you might have seen this screen a lot of time appearing in front of you

This screen comes in front of you whenever you open any executable file, it ask for your permission to execute that file, Ahh! for one instance it looks fine, that your OS seeks your permisssion to execute something, but when it happens evry often it looks wiered. I will tell you about tweaking UAC but not right now. Let first start with what is UAC?



Q.1 So what is UAC?

UAC stands for User Account Control (UAC), is a new technology introduced by Microsoft to improve the security of Microsoft’s Windows VISTA by limiting application software to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges.

In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not also have those privileges unless they are approved beforehand or the user explicitly authorizes it to have higher privileges. To reduce the possibility of lower-privilege applications communicating with higher-privilege ones, another new technology, User Interface Privilege Isolation is used in conjunction with User Account Control to isolate these processes from each other

When logging into Vista as a standard user (a non-administrators is called standard users in Windows Vista), a logon session is created and a tokencontaining only the most basic privileges is assigned. In this way, the new logon session is incapable of making changes that would affect the entire system. When logging in as a user in the Administrators group, two separate tokens are assigned. The first token contains all privileges typically awarded to an administrator, and the second is a restricted token similar to what a standard user would receive. User applications, including the Windows Shell, are then started with the restricted token, resulting in a reduced privilege environment even under an Administrator account. When an application requests higher privileges or “Run as administrator” is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.

Q.2 I can’t get it completely can you tell me some thing more?

To understand UAC, we need to take a look at history of the security of Microsoft Windows.

In early DOS-based versions of Windows there is no  built-in security at all. If the user was not careful and got the computer infected with a virus, the virus could do a considerable damage to the system, as well as other nasty stuff, like collecting email addresses, sending spam from infected machines, etc. The only way to secure such a computer was to use third-party security tools, such as our Folder Locker.

To compete this lack of the built-in security,Microsoft introduced Windows NT. Although it looked very much like Windows 95, Windows NT was very different under the hood, and the new code provided for the ability to set up user accounts with different sets of permissions, from unlimited (the Administrators) to very limited (the Guests).

Now the computers could have different accounts for the administrators andstandard users . If a standard user was not careful and got the computer infected with a virus, the virus could only damage what the standard used had access to, the core system files and data of other users would be protected. This worked well for the organizations when administrators and users where actually different persons.

So you might be thinking thats all, now windows is protected, but it is not the case, it did not work so well for the home users and small businesses, where there was no properly trained computer administrator around to set up and maintain the computer. Because for one person to use two different accounts (one to play the administrator’s role, and another one to actually use the computer for the day-to-day tasks) was way too much of a hassle. So the majority of people ended up using the computer with just the administrator’s account. The result was that although Windows XP now had the means to secure the computer, such means were not used, and the computers remained as vulnerable as they were in the old Windows 95 days!

That was (and still is!) a serious problem that UAC was designed to solve. Instead of forcing us to create separate administrator and standard user accounts, UAC lets us use just one user account, but play two different roles with it: the role of a standard user for the day-to-day tasks, and the role of the administrator for system maintenance, when needed.

Think of it as two separate identities that UAC creates for you when you log in to Vista: the one of a standard user, and another one of an administrator. When you use the computer for the regular tasks (like checking email or editing documents), the standard user’s identity is used. Only when you attempt to do a system maintenance task (like installing new software, or changing settings that affect other users), then UAC temporarily puts the administrator’s hat on you and (with your permission) allows you to perform the task. When the task is finished, UAC returns to using your standard user identity. That’s what all those elevation prompts are about: they ask you to confirm that you are about to perform a task that requires elevated(administrative) access to your computer.

Q.3 What process trigers UAC?

  • Changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%
  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Configuring Parental Controls
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files

Q.4 oh so it is a security feature it means i can’t configure it?

NO, you can!


Q.5 How to turn off UAC?

To perform the following procedure, you must be able to log on asAdministrator.

  1. Click Start, and then click Control Panel.
  2. In Control Panel, click User Accounts.
  3. In the User Accounts window, click User Accounts.
  4. In the User Accounts tasks window, click Turn User Account Control on or off.
  5. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
  6. Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK.
  7. Click Restart Now to apply the change right away, or click Restart Later and close the User Accounts tasks window.


Q.6 Wow i have turned off UAC, but is there any other GEEKY method for the same?

An alternate method to configure UAC and switch it off:

  • Create a new text file in notepad
  • enter the following:


C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
pause

  • Save the text file as
  1. Save as type: All Files
  2. Name: UAC_Off.bat
  • Right click on the new file and run as administrator
  • Restart.

To switch UAC back on using this method, repeat the above steps, but save the file as UAC_On.bat and enter the following instead:

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
pause


Q.7 That’s fine but is there is any 3rd party tool which can do this for me, i don’t want to be in problem?

For those who don’t dare to do it by there own, TweakUAC is the solution, TweakUAC(TM) is a free software tool that you can use to quickly turn UAC (User Account Control of Windows Vista) on or off, or to make UAC operate in the quiet mode:

Using TweakUAC is extremely easy: just download and run it, then select the desired option on its window and press OK:

It provides you 3 simple options

  • Turn UAC off
  • Switch UAC to the quiet mode
  • Leave UAC on

TweakUAC does NOT require installation, the file is immediately available for use right after you download it.

To download TweakUAC, click this link: Download TweakUAC

To know more about it visit


Q.8 How to disable Admin Approval Mode?

To perform the following procedure, you must be able to log on asAdministrator.

  1. Click Start, click All Programs, click Accessories, click Run, typesecpol.msc in the Open box, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue..
  3. From the Local Security Settings console tree, double-click Local Policies, and then double-click Security Options.
  4. Scroll down and double-click User Account Control: Run all administrators in Admin Approval Mode.
  5. Select the Disabled option, and then click OK.
  6. Close the Local Security Settings window.

Q.9 How to disable UAC from prompting for credentials to install application?

To perform the following procedure, you must be able to log on asAdministrator.

  1. Click Start, click All Programs, click Accessories, click Run, typesecpol.msc in the Open text box, and then click OK.
  2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
  3. Scroll down and double-click User Account Control: Detect application installations and prompt for elevation.
  4. Select the Disabled option, and then click OK.
  5. Close the Local Security Settings window.

Q.10 How to change the elevation prompt behavior?

  1. Click Start, click Accessories, click Run, type secpol.msc in the Openbox, and then click OK.
  2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
  3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for administrators.
  4. From the drop-down menu, select one of the following settings:
    • Elevate without prompting (tasks requesting elevation will automatically run as elevated without prompting the administrator)
    • Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated)
    • Prompt for consent (default setting for administrators)
  5. Click OK.
  6. Close the Local Security Settings window.

Q.11 Oh that’s great but i want to configure different changes in elevation prompt for standard user?

  1. Click Start, click Accessories, click Run, type secpol.msc in the Openbox, and then click OK.
  2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
  3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for standard users.
  4. From the drop-down menu, select one of the following settings:
    • Automatically deny elevation requests (standard users will not be able to run programs requiring elevation, and will not be prompted)
    • Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated, and is the default for standard users)
  5. Click OK.
  6. Close the Local Security Settings window.


Q.12 How UAC protect us from Viruses?

Since the virus infects your computer when you use it as a standard user, the virus cannot get access to the global system resources, and therefore the amount of damage it can do is severely limited. Although it still can corrupt your documents and read your email, it cannot infect Windows system files or install itself to be automatically activated every time you login to the computer. If a virus attempts to modify the system files and settings, UAC will alert you by displaying an elevation prompt.


Q.13 Your information is very good but i am a programmer how can i request elevation?

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:

 version="1.0" encoding="UTF-8" standalone="yes"?>  xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">    xmlns:v3="urn:schemas-microsoft-com:asm.v3">     >       >          level="highestAvailable" />       >     >   > >  read more


References :


0 comments:

Post a Comment

 
 
 

Connect With ME