FAQ: What is the UAC?

[MagicAndre1981]

FAQ: What is the UAC?

With the beginning of Windows NT MS introduced the concept of control access and creates several types of user accounts.

Standard users, administrators, power users, guests and many more.

All those account types have different rights.

Administrators are the most powerful accounts. They can do (almost) everything and are able to write to C:\Program Files and the Windows folder.

Standard users are limited accounts which can do all stuff you do when you use your pc for normal work (listen to music, browsing the www, writing emails and documents), but you are not able to change settings which effects the PC (like installing new hardware drivers, installing applications, changing the system time, running apps which require hardware access through drivers and are NOT able to write to C:\, C:\Program Folders and the windows folder).

Power users are standard users but can do some operations which only administrators can do.

guests have the same rights like standard users but they only have a temporary profil which is deleted at every logoff.

When Windows XP came out, Ms made the decision to make all new users part of the administrator group. So you can do mostly everything on your PC. And that's why working with administrator rights is so dangerous. Malware also runs with adminrights and can do also nearly everything on your PC like the user.

If you put your new created user, under XP, into the stand users group and try to do operations which requires administrator rights, you are not able to do it. It fail's with an Error 5: Access denied. So you have to use the fast user switch to logon as a member of the administrator group, change the settings you want and go back to your limited account. This is very annoying and so most of the users stay with the administrator accounts.

But in 2002-2004 several virus and worms attacks happen and so many PCs with XP were infected because most people are using an account of the administrator group. Now MS realizes that running with a limited account is better. But Windows XP doesn't offer a way to combine running with limited rights and having the ability to do operations which require administrator rights.

So Microsoft introduced LUA (limited User Account) in the first Beta of Vista which was renamed to UAC in the Final.

With UAC turned on MS combines 2 accounts (standard users and administrator) into one.

For normal work all applications are started with limited rights (shell, all launched applications). If you want to do things which require elevated rights (installing apps, deleting files where standard user don't have the rights to do it) UAC prompt is shown and you have to accept it.

When you accept the UAC prompt the operation is started inside your user account but with administrator rights.

Wow, this is cool! There is no need to create a second account which is part of the administrator group and use

fast user switch to logon with this second account.

because of this you are no as safe as you are when you are using a standard suer in XP, but you can easily run operations (writing to C:, C:\Program files, windows folder or installing new drivers) by accepting the UAC prompt.

So, why do most people hate the UAC?

That's because mostly 99% do not know that they are limited users. They check their useraccount inside the "groups and user" setting and still see that they are part of the administrator group.

But as I already told you, that's not true.

So, the UAC NEVER annoys you, it HELPS you to to operations with administrator rights very easily without having switching between 2 accounts.

Try the same things with a limited user account under XP and you'll see that this is annoying. All the message boxes popping up with the message "Access denied".

What did Microsoft do in Windows 7?

In Windows 7 MS introduced a slider where you can adjust where you can see the UAC prompt. The default setting allows the users to change windows settings and install drivers, updates without accepting the UAC prompt. This is done by adding a small entry to the MS applications. But why is this bad? As we learned you are a standarduser when UAC is on, so this is a violation of what standard users can do. It also introduces a security risks, because malware can bypass the UAC prompt by using the build in Windows 7 applications like Leo Davidson demonstrated on his homepage ( http://www.pretentiousname.com/misc/win7_uac_whitelist2.html ).

SUMMARY:

With the UAC MS combines a limited account and an administrator into 1 account. You are able to do operations which allows to have administrator rights. And by running with standard user rights UAC also protects you against viruses and trojans. So the UAC nevers annoys you it helps you.

The Way it was done in Windows Vista is right (but MS failed to make clear, that you are no longer administrator by default) and when you use Windows 7 always set the slider on top so that you are always prompted to accept the UAC dialog.

If you are interested in understanding the UAC from the technical point, read the book "Writing secure code for Windows Vista" from Michale Howard and David LeBranc and read the Articles on Technet.

[gamehead200]

[ Pinned. ]

[PC_LOAD_LETTER]

UAC Tweaks here:

http://www.askvg.com/how-to-tweak-user-acc...c-home-premium/