Windows 10

Preventing unsafe actions with User Account Control

Widely scorned when it was introduced as part of Windows Vista, User Account Control (UAC) intercedes whenever a user or program attempts to perform a system administrative task and asks for the consent of a computer administrator before commencing what could be risky business. Since that rocky start, UAC has been tuned to become an effective security aid, without the annoyance factor that plagued the original implementation.

In Windows 10, user accounts you set up after the first one are standard (nonadministrator) accounts by default; although they can carry out all the usual daily computing tasks, they're prevented from performing potentially harmful operations. These restrictions apply not just to the user; more importantly, they also apply to any programs launched by the user. Even administrator accounts run as "protected administrator" accounts allowed only standard-user privileges except when they need to perform administrative tasks. (This is sometimes called Admin Approval Mode.)

Most programs are written so that they don't require administrator privileges for performing everyday tasks. Programs that truly need administrative access (such as utility programs that change computer settings) request elevation, and that's where UAC comes in.

What triggers UAC prompts

The types of actions that require elevation to administrator status (and therefore display a UAC elevation prompt) include those that make changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%. (On a default Windows installation, these environment variables represent C:\Windows and C:\Program Files, respectively.) Among the actions that require elevation are the following:

  • Installing and uninstalling desktop applications
  • Installing device drivers that are not included in Windows or provided through Windows Update
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user's account type
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user's folders and files

Within Windows, you can identify in advance many actions that require elevation. A shield icon next to a button or link indicates that a UAC prompt will appear if you're using a standard account.

If you sign in with an administrator account (and if you leave the default UAC settings unchanged), you'll see fewer consent prompts than if you use a standard account. That's because the default setting prompts only when a program tries to install software or make other changes to the computer, but not when you make changes to Windows settings, even those that would trigger a prompt for a standard user with default UAC settings. Windows uses autoelevation to elevate certain programs that are part of Windows without prompting. Programs that are elevated automatically are from a predefined list, they must be digitally signed by the Windows publisher, and they must be stored in certain secure folders.

Limitations of User Account Control:
User Account Control isn't a security silver bullet. It's one layer of a defense-in-depth strategy.
Some Windows users assume that UAC consent dialog boxes represent a security boundary. They don't. They simply represent a place for an administrator to make a trust decision. If a bad guy uses social engineering to convince you that you need his program, you've already made a trust decision. You'll click at least a half-dozen times to download, save, and launch the bad guy's program. A UAC consent request is perfectly normal in this sequence, so why wouldn't you click one more time?
If this scenario bothers you, the obvious solution is to adjust UAC to its highest level. Among other changes, this setting disables the autoelevation behavior. If a program tries to use this subterfuge to sneak system changes past you, you'll see an unexpected consent dialog box from the system. But as soon as you provide those elevated credentials, the code can do anything it wants.
A better alternative is to sign in using a standard account, which provides a real security boundary. A standard user who does not have the administrator password can make changes only in her own user profile, protecting the system from unintended tampering.
Even running as a standard user doesn't provide complete protection. Malware can be installed in your user profile without triggering any system alarms. It can log your keystrokes, steal your passwords, and send out email using your identity. Even if you reset UAC to its highest level, you could fall victim to malware that lies in wait for you to elevate your privileges and then does its own dirty work alongside you.
As we said, enabling UAC is only one part of a multilayered security strategy. It works best when supplemented by a healthy skepticism and up-to-date antimalware software.

Dealing with UAC prompts

At sign-in, Windows creates a token that is used to identify the privilege levels of your account. Standard users get a standard token, but administrators actually get two: a standard token and an administrator token. The standard token is used to open Explorer.exe (the Windows shell), from which all subsequent programs are launched. Child processes inherit the token of the process that launches them, so by default all applications run as a standard user, even when you're signed in with an administrator account. Certain programs request elevation to administrator privileges; that's when the UAC prompt is displayed. If you provide administrator credentials, Windows then uses the administrator token to open the program. Note that any processes that the successfully elevated program opens also run as an administrator.
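
To see which of these tokens a given process actually holds, the following PowerShell function queries the token's elevation type. It is an added example, not part of the original text; the wrapper class name UacDemo.Native is chosen here, and the numeric constants come from the Windows TOKEN_INFORMATION_CLASS and TOKEN_ELEVATION_TYPE enumerations.

```powershell
# Added example: which sign-in token does this process hold?
# UacDemo.Native is a wrapper name chosen for this example.
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int tokenInformationClass,
    out int tokenInformation, int tokenInformationLength, out int returnLength);
'@

function Get-TokenElevationState {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $type = 0
    $returned = 0
    # 18 = TokenElevationType in the TOKEN_INFORMATION_CLASS enumeration
    $ok = [UacDemo.Native]::GetTokenInformation(
        $identity.Token, 18, [ref]$type, 4, [ref]$returned)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed with Win32 error $err"
    }

    # TOKEN_ELEVATION_TYPE: 1 = Default, 2 = Full, 3 = Limited
    $meaning = switch ($type) {
        1 { 'Default: no second token exists (standard account, or UAC is off)' }
        2 { 'Full: this process runs with the administrator token (elevated)' }
        3 { 'Limited: administrator account running with its standard token' }
        default { "Unexpected elevation type $type" }
    }

    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    [pscustomobject]@{
        User             = $identity.Name
        ElevationType    = $meaning
        # True only when the Administrators group is enabled in this token
        AdminGroupActive = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenElevationState | Format-List
```

Run from an ordinary PowerShell window under an administrator account, this reports Limited; run from a window opened with Run As Administrator, it reports Full.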

As an elevation-requesting application attempts to open, UAC evaluates the application and the request and then displays an appropriate prompt. As an administrator, the most common prompt you're likely to see is the consent prompt. Read it, check the name of the program, click Yes if you're confident that it's safe to proceed, and carry on.

If you use a standard account, when a program requires elevation you'll see the credentials prompt. If the user is able to provide the credentials (that is, user name and password, smart card, or fingerprint, depending on how sign-in authentication is configured on the computer) of an administrator, the application opens using the administrator's access token.

By default, the UAC dialog box sits atop the secure desktop, a darkened representation of your desktop that runs in a separate process that no other application can interfere with. (If the secure desktop wasn't secure, a malicious program could put another dialog box in front of the UAC dialog box, perhaps with a message encouraging you to let the program proceed. Or a malicious program could grab your keystrokes, thereby learning your administrator sign-in password.) When the secure desktop is displayed, you can't switch tasks or click the windows on the desktop. (In fact, they're not really windows. When UAC invokes the secure desktop, it snaps a picture of the desktop, darkens it, and then displays that image behind the dialog box.)

Troubleshooting: There's a delay before the secure desktop appears:
On some systems, you have to wait a few seconds before the screen darkens and the UAC prompt appears on the secure desktop. There's no easy way to solve the slowdown, but you can easily work around it. In User Account Control Settings, you can take the protection level down a notch. The setting below the default provides the same level of UAC protection (albeit with a slight risk that malware could hijack the desktop), except that it does not dim the desktop.

Note:
If an application other than the foreground application requests elevation, instead of interrupting your work (the foreground task) with a prompt, UAC signals its request with a flashing taskbar button. Click the taskbar button to see the prompt.

It becomes natural to click through dialog boxes without reading them or giving them a second thought. But it's important to recognize that security risks to your computer are real and that actions that trigger a UAC prompt are potentially dangerous. Clearly, if you know what you're doing and you click a button to, say, change Windows Update settings, you can blow past that security dialog box with no more than a quick glance to be sure it was raised by the expected application. But if a UAC prompt appears when you're not expecting it, stop, read it carefully, and think before you click.

Modifying UAC settings

To review your User Account Control options and make changes to the way it works, in the search box or in Control Panel, type uac and then click Change User Account Control Settings.

Your choices in this window vary slightly depending on whether you use an administrator account or a standard account. For standard accounts, the top setting is the default; for administrator accounts, the second setting from the top is the default. The following table summarizes the available options.


Slider position      Prompts when a program      Prompts when you      Displays prompts
                     tries to install software   make changes to       on a secure
                     or make changes to the      Windows settings      desktop
                     computer

Standard user account
  Top (default)      ✔                           ✔                     ✔
  Second             ✔                           ✔                     ✔
  Third              ✔
  Bottom (off)

Administrator account
  Top                ✔                           ✔                     ✔
  Second (default)   ✔                                                 ✔
  Third              ✔
  Bottom (off)

To make changes, move the slider to the position you want. Be sure to take note of the advisory message in the bottom of the box as you move the slider. Click OK when you're done, and then respond to the UAC prompt that appears! Note that when you're signed in with a standard account, you can't select one of the bottom two options, even if you have the password for an administrator account. To select one of those options, you must sign in as an administrator and then make the change.

Troubleshooting: User Account Control settings don't stick:
If you find that nothing happens when you make a change to User Account Control settings, be sure that you're the only one signed in to your computer. Simultaneous sign-ins that use Fast User Switching can cause this problem.

Use Local Security Policy to customize UAC behavior:
Users of the Pro and Enterprise editions of Windows 10 can use the Local Security Policy console to modify the behavior of UAC. Start Local Security Policy (Secpol.msc), and open Security Settings\Local Policies\Security Options. In the details pane, scroll down to the policies whose names begin with "User Account Control." For each policy, double-click it and then click the Explain tab for information before you decide on a setting. With these policies, you can make several refinements in the way UAC works, including some that are not possible in the User Account Control Settings window. (Administrators on Windows-based enterprise networks can also configure these options using Group Policy management tools.) For details about each of these policies, see "UAC Group Policy Settings" at https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
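
The "User Account Control" policies are stored as registry values, so the effective configuration can be audited from PowerShell on any edition. The script below is an added example, not part of the original text; the value names and their meanings are taken from Microsoft's UAC Group Policy documentation rather than from this page, and the function names are chosen here.

```powershell
# Added example: audit the registry values behind the "User Account Control" policies.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    $props = Get-ItemProperty -Path $UacKey
    $values = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin',
                      'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop') {
        $values[$name] = $props.$name      # $null when the value is not set
    }
    $values
}

function Test-UacPolicy {
    param([Parameter(Mandatory)][hashtable]$Values)
    $findings = @()
    if ($Values.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: Admin Approval Mode is off; administrators run with the full token.'
    }
    if ($Values.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt.'
    }
    elseif ($Values.ConsentPromptBehaviorAdmin -eq 5) {
        $findings += 'ConsentPromptBehaviorAdmin=5: default; Windows programs autoelevate without a prompt.'
    }
    if ($Values.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop, not the secure desktop.'
    }
    if ($Values.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'ConsentPromptBehaviorUser=0: elevation requests from standard users are denied outright.'
    }
    if (-not $findings) { $findings = @('No deviations from prompting on the secure desktop.') }
    $findings
}

# Constructed sample: default prompt behavior with the secure desktop turned off.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5
             ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 0 }
Test-UacPolicy -Values $sample

# Live check on the local machine (reading these values needs no elevation).
Test-UacPolicy -Values (Get-UacPolicyValue)
```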

Regardless of your UAC setting, the shield icons still appear throughout Control Panel, but you won't see UAC prompts if you've lowered the UAC protection level. Clicking a button or link identified with a shield immediately begins the action. Administrators run with full administrator privileges; standard users, of course, still have only standard privileges.

Caution:
Don't forget that UAC is more than annoying prompts. Only when UAC is enabled does an administrator run with a standard token. Only when UAC is enabled does Internet Explorer run in a low-privilege Protected Mode. Only when UAC is enabled does it warn you when a rogue application attempts to perform a task with system-wide impact. And, of course, disabling UAC also disables file and registry virtualization, which can cause compatibility problems with applications that use fixes provided by the UAC feature. For these reasons, we urge you not to select the bottom option in User Account Control Settings, which turns off UAC completely.