Compatibility Problems with UAC
For applications to receive the Certified For Windows Vista or Certified For Windows 7 logo, the application must be designed to work well for standard users unless the tool is specifically intended for use by administrators. However, many applications were developed prior to Windows Vista and will not work correctly with UAC enabled. These might include some older antispyware, antivirus, firewall, CD/DVD-authoring, disk-defragmentation, and video-editing tools designed for Windows XP or earlier versions of Windows.
Typically, most features of an application will work correctly with UAC enabled, but specific features might fail. You have several ways to work around this:
- Run the application with administrator credentials As described in the section titled "How to Control UAC Using Application Properties" earlier in this tutorial, you can specify that an application always requires administrator credentials.
- Modify permissions on the computer If an application requires access to a protected resource, you can change the permissions on that resource so that standard users have the necessary privileges. Instructions on how to isolate the protected resources are provided later in this section.
- Run Windows XP (or an earlier version of Windows) in a virtual machine If the application fails with administrative privileges or you do not want to grant the application administrative privileges to your computer, you can run the application within a virtual machine. Virtual machines provide an operating system within a sandbox environment, allowing you to run applications within Windows XP without requiring a separate computer. You can maximize virtual machines so that they display full screen, providing a similar experience to running the operating system natively. Virtual machines perform slightly slower than applications that run natively within Windows, however. Windows 7 Professional, Enterprise, and Ultimate operating systems include Windows Virtual PC and the Windows XP Mode environment.
- Disable UAC You can disable UAC to bypass most application compatibility problems related to the permission changes in Windows Vista. However, this increases the security risks of client computers when running any application, and therefore is not recommended. To disable UAC, read the section titled "How to Configure User Account Control" later in this tutorial.
To isolate the protected resources accessed by an application, follow these steps:
- On a computer running Windows 7 with UAC enabled, download and install the Microsoft Application Verifier from http://www.microsoft.com/downloads/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18&displaylang=en.
- On the same computer, install the ACT, which you can download at http://go.microsoft.com/fwlink/?LinkId=23302.
- Start the Standard User Analyzer (which is installed with the ACT). On the App Info tab, click Browse and then select the application's executable file.
- Click Launch and then respond to any UAC prompts that appear. The Standard User Analyzer will start the application. Use the application, especially any aspects that might require elevated privileges, and then close the application.
- Click the View menu and select Detailed Information.
- Wait a few moments for the Standard User Analyzer to examine the application log file. Browse the different tabs to examine any errors. Errors indicate that the application attempted to perform an action that would have failed if it were not run with administrative privileges.
On the File tab and the Registry tab, notice the Work With Virtualization column. If the entry in that column is Yes, that particular error will not cause a problem as long as UAC virtualization is enabled. If UAC virtualization is disabled, the error will still occur. If the entry in the column is No, it will always be a problem unless the application is run as an administrator.
In this tutorial:
- Windows 7 Client Protection
- Understanding the Risk of Malware
- User Account Control in Windows 7
- UAC for Standard Users
- UAC for Administrators
- UAC User Interface
- Secure Desktop
- How Windows Determines Whether an Application Needs Administrative Privileges
- How to Control UAC Using Application Properties
- How UAC Examines the Application Manifest
- UAC Heuristics
- UAC Virtualization
- UAC and Startup Programs
- Compatibility Problems with UAC
- How to Configure UAC
- Group Policy Settings
- Control Panel
- How to Configure Auditing for Privilege Elevation
- Other UAC Event Logs
- Best Practices for Using UAC
- AppLocker Rule Types
- Auditing AppLocker Rules
- DLL Rules
- Custom Error Messages
- Using AppLocker with Windows PowerShell
- Using Windows 7 Defender
- Understanding Windows Defender
- Automatic Scanning
- Real-Time Protection
- Windows Defender Alert Levels
- Understanding Microsoft SpyNet
- Configuring Windows Defender Group Policy
- Configuring Windows Defender on a Single Computer
- How to Determine Whether a Computer Is Infected with Spyware
- Best Practices for Using Windows Defender
- How to Troubleshoot Problems with Unwanted Software
- Network Access Protection