UAC changes in Windows 7


Jon Potter

Jan 11, 2009, 2:52:09 PM
Hi,

We have observed with the Windows 7 Beta that Explorer is now able to make
changes (eg, create a child folder) to protected folders like %ProgramFiles%
without showing a UAC prompt, using the default UAC settings in Windows 7.

However, our product, which is a file manager, still requires an elevation
prompt before it is able to do the same.

Presumably there is a way for an application to be marked as not requiring
elevation for this sort of thing (because if there wasn't, it would
certainly be leaving Microsoft open to a lawsuit) - so I was wondering if
you could perhaps explain how this can be done?

Regards,
Jonathan Potter
GP Software

Jon Potter

Jan 16, 2009, 9:33:36 PM
Hi,


(PS: Reposted due to posting alias being incorrectly configured; my
apologies for duplicate post)

Jialiang Ge [MSFT]

Jan 18, 2009, 11:14:36 PM
Good morning Jonathan. Welcome to Microsoft Newsgroup support service!

Your account is configured correctly now; however, this post regarding
Windows 7 Beta is not in our support scope. (Managed Newsgroup support
service does not cover Beta products.) Considering that this is your
first time using our service, I'm going to try my best to help you in this
case. I'm building the Windows 7 environment and will report back my
research results.

Regards,
Jialiang Ge (jia...@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

Jialiang Ge [MSFT]

Jan 21, 2009, 5:19:06 AM
Hello Jon

Sorry to keep you waiting. I got the following information from the
Windows team. It explains the elevation prompt in your File Manager
program. Please let me know if there's anything else I can do for you in
this case.

The change we made in Windows 7 default UAC settings is that any operation
that is necessary to manage windows will not require an elevation - which
in technical terms translates into a white list of trusted action /
binaries which the user can make perform without UAC prompting from an
elevation. This list does include windows file operations.

You see a prompt in your File Manager program because your binary is not an
inbox binary - i.e. not an executable which ships with windows. Hope that
explains and clarifies. For security considerations, Windows 7 does not
allow any 3rd party binary to be in the Windows trusted list. Therefore,
your File Manager program still needs to handle the elevations.

Kornél Pál

Jan 21, 2009, 6:03:50 AM
Hi,

A very straightforward solution is to use a service that will create
your elevated process. Your exe file in this case can simply call your
service to create a second process for you that will result in no UAC
prompt. Note that you will have to secure your communication channel to
ensure that:
- only administrators are able to create elevated processes

- if possible don't pass any user token to avoid identity theft, just
use the token of the caller/client

- hard code the path to the elevated executable relative to your service
executable so that your service is unable to create elevated processes
from other executables

- secure the path of your executable files so that only TrustedInstaller
can modify your high privileged executables to avoid gaining elevated
privileges by replacing your executables (or DLLs or anything else)

Configuring the service to start manually and making the service stop
itself after some inactivity can also save system resources and makes it
more difficult for 3rd party programs to abuse your service.

Notes to Microsoft:

As you can see, the same behavior can easily be achieved. Having a system
service for each application is undesirable and also weakens security. I
would propose to create an open white-list that would be based on the
full path of the executable and on the hash of the actual executable. If
the file is updated legitimately, the installer would be able to update
this hash as well, but malicious software using a security hole may not
be able to do that.

Also note that if a process is somehow able to gain elevated privileges,
it has full control over the system and is even able to install a
service or driver, or just disable UAC entirely. Thus disallowing a
white-list for 3rd party code would not enhance security in any way; it
would just require more knowledge of the publicly documented Windows API.
Assuming that malware programmers are dumb as a security measure is not
acceptable, however, and average users are usually much dumber than
malware programmers.

I also believe that if users get too many UAC prompts they just learn how
to ignore them rather than evaluating whether a program actually needs
administrative privileges. As a conclusion, I believe that because a
white-list reduces the number of unnecessary UAC prompts, this actually
strengthens security because users will only get UAC prompts when
something unusual/unexpected happens and hopefully will not just accept
all the UAC prompts.

Kornél
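
A check for the last requirement in the post above (the helper's executables and DLLs must not be modifiable by untrusted principals), added here as an example and not written by any poster in the thread. The install path and the allowed-writer list are assumptions to adjust.

```powershell
# Added example, not from the thread. $ServiceDir is a hypothetical install path.
param([string]$ServiceDir = 'C:\Program Files\ExampleFileManager')

# SIDs allowed to hold write access. The post asks for TrustedInstaller only;
# SYSTEM and Administrators are added here as an assumption because they hold
# Modify on %ProgramFiles% by default. Trim the list to match your policy.
$AllowedWriters = @(
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # TrustedInstaller
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Rights that let a principal replace or tamper with a file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
    $R::TakeOwnership) -bor 0x50000000

function Get-UnexpectedWriter {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so the comparison is independent of locale.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne
            [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Inherit-only ACEs do not apply to this object itself.
        if ($rule.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (-not ([int]$rule.FileSystemRights -band $WriteMask)) { continue }
        $sid = $rule.IdentityReference.Value
        if ($AllowedWriters -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Sid = $sid; Rights = $rule.FileSystemRights }
        }
    }
}

# Audit the directory itself and everything beneath it (EXEs, DLLs, config).
$paths = @($ServiceDir) + @(Get-ChildItem -LiteralPath $ServiceDir -Recurse -Force |
    Select-Object -ExpandProperty FullName)
$findings = @($paths | ForEach-Object { Get-UnexpectedWriter -Path $_ })

if ($findings.Count -eq 0) {
    Write-Output "OK: no unexpected principals can modify $ServiceDir"
} else {
    $findings | Format-Table -AutoSize
}
```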

Kornél Pál

Jan 21, 2009, 6:17:48 AM
Just one more note:
A more clever solution for securing the white-list would be to use a
prompt (similar to UAC, trusted certificate installation, unsigned
driver installation, running downloaded files) whenever a program is
appended to this list that would alert the user only once and he/she
could be free of unnecessary UAC prompts for the rest of his/her life.

Kornél

Günter Prossliner

Jan 21, 2009, 8:49:46 AM
Hello all!

> A more clever solution for securing the white-list would be to use a
> prompt (similar to UAC, trusted certificate installation, unsigned
> driver installation, running downloaded files) whenever a program is
> appended to this list that would alert the user only once and he/she
> could be free of unnecessary UAC prompts for the rest of his/her life.

A secure white-list based solution is IMO only possible if it's based on an
Authenticode Signature. This list could be managed by Windows like the SAM
Database, so that it is not easily modifiable on a running system.

GP


David Lowndes

Jan 21, 2009, 9:35:23 AM
>The change we made in Windows 7 default UAC settings is that any operation
>that is necessary to manage windows will not require an elevation - which
>in technical terms translates into a white list of trusted action /
>binaries which the user can make perform without UAC prompting from an
>elevation. This list does include windows file operations.

So the description of the default UAC setting in Windows 7 is
incorrect where it says:

"Don't notify me when I make changes to Windows settings"

... it's really:

"Don't notify me when MS Windows applications make changes to
Windows settings"

... so the user thinks other vendors' products suck by requiring
interaction in elevating :(

Dave

Pavel A.

Jan 21, 2009, 11:23:06 AM

It still is beta...
As Kornél noted, if this situation remains in the
RTM version, MS certainly would be up to a trouble.

Regards,
--pa

David Lowndes

Jan 21, 2009, 12:31:19 PM
>It still is beta...

Yes, but experience tells me that this is already set into concrete.

>As Kornél noted, if this situation remains in the
>RTM version, MS certainly would be up to a trouble.

They've made UAC appear less of a nuisance to the large majority of
users; it's not going to trouble them that much. Only 3rd-party
vendors will be made to look like they're annoying users.

Dave

Jon Potter

Jan 23, 2009, 4:05:03 PM
Hi Jialiang,

Thanks for the reply and explanation. I know you're not really meant to
answer questions on beta products here so thank you for doing so.

I really hope Microsoft change this decision and allow the user to add other
programs to the white list. It's as if MS haven't learned anything from all
the anti-trust lawsuits over the years. They simply cannot discriminate
against third-party vendors' products like this :(

Regards,
Jonathan Potter
GP Software

""Jialiang Ge [MSFT]"" <jia...@online.microsoft.com> wrote in message
news:mxv64G7e...@TK2MSFTNGHUB02.phx.gbl...
