UAC Virtualization
By default, UAC virtualizes requests for protected resources to provide compatibility with applications not developed for UAC. This is important because many applications written for Windows XP and earlier operating systems assume that the user has administrative privileges and attempt to write to protected resources such as the Program Files or System folders.
UAC virtualization redirects requests for the following resources to safer, user-specific locations:
- %Program Files%
- %WinDir%
- %WinDir%\System32
- HKEY_LOCAL_MACHINE\Software
When a user process attempts to add a file to a protected folder, UAC redirects the request to the \AppData\Local\VirtualStore\ folder in the user's profile. For example, if a user named MyUser runs an application that stores a log file at C:\Program Files\MyApps\Logs\Log.txt, the file write attempt will succeed. However, UAC will actually store the file at C:\Users\MyUser\AppData\Local\VirtualStore\Program Files\MyApps\Logs\Log.txt. The application will be able to access the file at C:\Program Files\MyApps\Logs\Log.txt, but the user will need to browse to her profile to access the file directly, because virtualization affects only the application process itself. In other words, if the user browses to open the log file from within the application, it will appear to be under %Program Files%. If the user browses to open the log file using a Windows Explorer window, it will be under her profile.
The first time an application makes a change to a virtualized resource, Windows copies the folder or registry key to the location within the user's profile. Then, the change is made to the user's copy of that resource.
UAC virtualization is designed to allow already-installed applications to run successfully with standard user privileges, even if they store temporary files or logs in a protected folder. UAC virtualization does not allow users to install applications that make changes to these resources; users will still need to provide administrator credentials to do the installation.
When an executable has a requested execution level manifest, Windows automatically disables UAC virtualization. Therefore, virtualization should never be a factor for applications designed for Windows Vista or Windows 7. Native 64-bit applications are required to be UAC aware and to write data into the correct locations and thus are not affected. Virtualization also does not affect applications that administrators run with elevated privileges.
If you run applications that would otherwise be virtualized, and you specifically want to prevent UAC from redirecting their requests, you can disable virtualization by marking the application with the Application Compatibility Toolkit (ACT). Setting the NoVirtualization marking makes applications easier to debug (because you don't have to worry about file and registry requests being redirected), and it reduces the attack surface by making it more difficult for malware to infect an application (because that application's files would not be redirected into the relatively unprotected user profile).
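The redirection described above can be inspected from the user's side. The following PowerShell, added here and not part of the original tutorial, enumerates the current user's VirtualStore, maps each redirected copy back to the protected path the application believes it wrote to, and flags cases where a machine-wide file of the same name also exists (the application sees the per-user copy while Explorer and administrators see the real one). It assumes that VirtualStore mirrors the system drive's folder layout and that virtualized HKLM\Software writes land under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE.

```powershell
# Added example: map a user's UAC VirtualStore back to the protected locations.
# Assumptions: VirtualStore mirrors the system drive's layout
# (VirtualStore\Program Files\... <-> C:\Program Files\...), and the registry
# counterpart is HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE.
function Get-VirtualStoreShadow {
    [CmdletBinding()]
    param(
        # Profile-local AppData to inspect; defaults to the current user.
        [string]$LocalAppData = $env:LOCALAPPDATA,
        [string]$SystemDrive  = $env:SystemDrive
    )
    $store = Join-Path $LocalAppData 'VirtualStore'
    if (-not (Test-Path -LiteralPath $store)) { return }

    Get-ChildItem -LiteralPath $store -Recurse -File -Force | ForEach-Object {
        # Path relative to VirtualStore, e.g. "Program Files\MyApps\Logs\Log.txt"
        $relative  = $_.FullName.Substring($store.Length).TrimStart('\')
        $protected = Join-Path "$SystemDrive\" $relative
        [pscustomobject]@{
            VirtualCopy   = $_.FullName
            ProtectedPath = $protected
            # True when a machine-wide file with the same name also exists:
            # the application reads its own copy, everyone else reads the real one.
            Shadowed      = Test-Path -LiteralPath $protected
            LastWrite     = $_.LastWriteTime
            SizeBytes     = $_.Length
        }
    }
}

# Registry side: virtualized HKLM\Software writes are stored per user here.
function Get-VirtualStoreRegistry {
    $key = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path -LiteralPath $key)) { return }
    Get-ChildItem -LiteralPath $key -Recurse | ForEach-Object {
        [pscustomobject]@{
            VirtualKey   = $_.Name
            ProtectedKey = $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKEY_LOCAL_MACHINE\'
        }
    }
}

# Most recently written virtualized files first; Shadowed = $true marks conflicts.
Get-VirtualStoreShadow | Sort-Object LastWrite -Descending | Format-Table -AutoSize
Get-VirtualStoreRegistry | Format-Table -AutoSize
```

Running this with a different profile's `-LocalAppData` path (as an administrator) lets you review what another user's legacy applications have quietly redirected, which is also where leftover or unexpected executables in the user profile should stand out.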