Dear Microsoft: Please get UAC right this time

Summary: The trouble with UAC isn't a single request for permission. Instead, what bothers most people is the second UAC prompt, and the third, and the fourth, and so on. I was all prepared to lay out my modest proposal for how Microsoft should tweak UAC in Windows 7. And then I said, "Hey, wait a minute! I already did this." My four suggestions for easing the pain of UAC fell on deaf ears when I first published them more than two years ago. Maybe someone in Redmond is more willing to listen today.


Alex Eckelberry of Sunbelt Software vents, intelligently, about Windows Vista's UAC conundrum:

UAC could certainly have been handled better. It does something the security industry has been well aware of for a long time — it creates the “cry wolf” problem of popup fatigue (people turn off or ignore the popups after awhile). Vista is more secure than XP, despite what others might say, but it still gets infected. Since over 80% of all infections are based on social engineering, the popups should focus on that weak point. If UAC targeted the key areas where people run into trouble (as opposed to harassing the user on inane actions), it would be far more helpful and potentially make a really significant impact on infection rates.

Absolutely right. A single request for permission doesn't bother most people. What gets under the skin is the second UAC prompt, and the third, and the fourth, and so on. The closer together those dialog boxes arrive, the more annoying the phenomenon.

I was all prepared to lay out my modest proposal for how Microsoft should tweak UAC in Windows 7. And then I said, "Hey, wait a minute! I already did this."

And sure enough, with a little help from Google I was able to reread "How Microsoft can save User Account Control," which I wrote way back in May 2006, while Vista was still in beta. In that post, I offered four "suggestions that might ease the pain" of UAC. Two years later, I think those recommendations are still valid, so I'm reprinting them here, with a little updated commentary on each one:

Create a special Admin Mode. Power users would appreciate a UAC option that lets an administrator respond to a single prompt and temporarily open a session that runs with full administrative permissions. The devil is in the details, of course. How do you keep people from choosing this option as the default?

I sure hope someone at Microsoft has been actively working on a way to implement this type of behavior, which I like to think of as Advance Consent mode. In Vista as it exists today, I can do this by switching into silent consent mode (as I describe in Fixing Windows Vista, Part 2: Taming UAC), but that setting is persistent, in the current session and in future sessions. If I forget to switch UAC back to its normal behavior, I've made myself more vulnerable to a variety of attacks. The default settings could exit Advance Consent mode after a specified time - say, 15 minutes - in which I take no action that would have required UAC approval.

Put a time limit on UAC. [E]ach UAC prompt is tied to a single process. When that process ends, so does the elevated set of permissions. But what if a UAC consent dialog box elevated your permissions for 10 minutes? Long enough to install a couple of programs or make a series of system tweaks, but not so long that you forget and fall victim to a piece of malware.

I think this should be an option in every UAC dialog box. It can be hidden, just as the Options section of IE7's Close dialog box is hidden by default. Give me a check box that says "Automatically approve elevation requests for the next 10 minutes." That way, I get to approve the first UAC dialog box and then don't have to worry about a flurry of additional, related UAC prompts.
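The sliding time window described above, sketched as an added example (not code from this article or from Windows): a hypothetical `ConsentBroker` honours a remembered consent only for the process that obtained it and that process's children, so anything else still gets a prompt. Every name here, and the process-tree scoping rule itself, is an assumption made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW = 15 * 60  # inactivity limit in seconds (the 15-minute figure above)

@dataclass
class Process:
    name: str
    parent: Optional["Process"] = None

    def descends_from(self, ancestor: "Process") -> bool:
        node = self
        while node is not None:
            if node is ancestor:
                return True
            node = node.parent
        return False

@dataclass
class ConsentBroker:
    # Hypothetical broker: holds at most one grant, bound to the process
    # the user consented for when ticking the "remember" check box.
    window: int = WINDOW
    owner: Optional[Process] = None
    last_used: float = 0.0
    prompts: int = 0

    def request(self, proc, now, approve=True, remember=False) -> bool:
        live = self.owner is not None and (now - self.last_used) < self.window
        if live and proc.descends_from(self.owner):
            self.last_used = now   # sliding window: activity extends the grant
            return True            # silent approval, no dialog shown
        if self.owner is not None and not live:
            self.owner = None      # grant expired through inactivity
        self.prompts += 1          # every other request still shows a dialog
        if approve and remember:
            self.owner, self.last_used = proc, now
        return approve

def scenario():
    # Constructed process names and timestamps (seconds since first consent).
    broker = ConsentBroker()
    lurker = Process("lurker.exe")                 # running before any consent
    panel = Process("control.exe")
    applet = Process("applet.exe", parent=panel)
    log = [
        broker.request(panel, now=0, remember=True),     # prompt 1, box ticked
        broker.request(applet, now=120),                 # silent: child of panel
        broker.request(lurker, now=130, approve=False),  # prompt 2: outside grant
        broker.request(applet, now=120 + WINDOW),        # prompt 3: grant expired
    ]
    return log, broker.prompts
```
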

Provide easy options to open Control Panel and/or Explorer with full Admin rights. As I indicated earlier, it takes only a right-click and a quick OK to open either of these windows with full permissions. So why not offer those options on the Start menu?

This is an especially important change to make for Control Panel. If I open Control Panel and double-click an icon with the UAC shield, that consent should transfer to any other action I execute from Control Panel, until I close the Control Panel window. This feature might work especially well in tandem with the next suggestion.

Identify applications running in an elevated context. Today, if I open two Windows Explorer sessions – one as a standard user and another using an administrator’s process token – I have no way to distinguish which is which. A text label in the title bar, or a blood-red border around the window, would help prevent this convenient shortcut from becoming a security hole.

For Command Prompt sessions, this was addressed (too subtly, in my opinion) in Vista RTM. When you run Cmd.exe as an Administrator, the word "Administrator:" appears in front of the window title in the title bar. I still like the idea of the blood-red border.

As I noted in that original May 2006 post, "Microsoft has to deal decisively with the perception that UAC imposes an unacceptable tradeoff between performance and security. In its current incarnation, too many people are likely to dismiss it completely, and if that happens, everyone loses."

That plea fell on deaf ears two years ago. Maybe, after more than a year of user complaints and frustration, someone is finally ready to listen.

  • Simpler idea

    The problem with UAC is not really how it works to protect potentially vulnerable areas of the OS, it's that tons of applications NEED to do potentially OS-threatening things in order to work as an everyday course of business.

    If an app wants to remember a little bit of info for itself, or query something, it should be possible for that to happen without having access to the entire windows registry, the entire disk drive, etc.

    Admin privs should NOT be needed dozens of times per day. That's the problem.
    • Well-written apps already behave that way

      I don't have a single app that prompts me for UAC consent during normal operation. The only time I see an app-related UAC dialog is when a system utility (defragger, AV scanner, etc.) wants to do something that involves system access.

      If you're seeing UAC prompts "dozens of times a day," then that app needs to be looked at. Are you talking about a specific piece of software?
      Ed Bott
      • Most apps are not written for Vista

        and may not be ever. You are always going to have people resistant to migrating to Vista because of these programs. UAC has put up a strong case for stopping people moving in its current implementation. As you say in the article, there are ways to make it less obtrusive without compromising the whole idea of it.

        Personally, I disable UAC because it actually totally prevents me from doing certain actions at all! For example, rearranging my start menu where shortcuts are in the ALL USERS profile. Not even privilege elevation allows you to move them (at least not pre-SP1). For someone with local admin privileges that to me is totally inexcusable.
        • I didn't say written for Vista

          Any app written using 6-year-old guidelines for XP should work perfectly under Vista.
          Ed Bott
        • you should learn what permissions are

          If a file is marked as "ALL USERS", then you can't delete it without administrative privileges. This is the same in Linux, you can delete only your files, not files of other users.
          • Don't think that's the reason...

            You can make changes to the ALL USERS start menu. UAC prompts for elevation before you do it, as it's supposed to do, but you can.

            I'm suspecting open handles to the folder or some file inside that caused the problem, not UAC.
          • If you have privilege elevation

            you should be able to do whatever you want with non-system files. And I think shortcuts to programs should be included in that.
        • Hmmm - seems to work for me...

          Just for curiosity, I tried to change to the ALL USERS start menu. Sure enough, you get two UAC messages for every change, where one certainly would suffice, but it works fine.

          My machine has Vista SP1, but I think it also worked before SP1. Are you sure that it was UAC that prevented your changes? Because, in the beginning, I also seemed to have a UAC problem which wasn't one, after all. The scenario was like that: I tried to change a folder name that I needed administrator rights for. The UAC message popped up, I confirmed, but the UAC message popped up again and again, and the folder wasn't renamed. The reason, as it turned out some minutes later, was that there was a hidden Explorer window showing the contents of that folder, and that would prevent the rename, so a log off and log on solved my problem that I thought UAC was responsible for.

          Oh, and btw: do you still reorganize your start menu? I used to do that a lot under XP, because that was your only chance to find anything there, but under Vista, I don't even open the start menu any more, but use start menu search all the time instead. I've found that typing <WIN>exc<RETURN> is a much faster way to start Excel than doing it XP-style by opening, searching and clicking the start menu.
          • I may try the search

            but as for the UAC problem, I am running on a machine in a domain at work - perhaps the domain and UAC are the difference that is causing the problem. I will retry with UAC enabled and see if it is still a problem for me (I am running Vista Business w/ SP1).
    • UAC's file and registry virtualization already does it

      UAC's file and registry virtualization already does it. When a program is trying to write in a system location (file system or registry), the write is redirected to the user's folder.
  • just use the admin account or enjoy the ride in the passenger seat

    What is wrong with switching to an admin account or "run as administrator" option and then switching back? If a user wants to be the driver in the car he/she has to get driver license, push the pedals, use the wheel, look in the mirrors, talk to policemen, and do all other wonderful stuff. Otherwise, move to the passenger seat and enjoy the ride.
    • Locks on houses are so inconvenient.

      Oh nothing, except they often stay there. XP tried that approach, and it failed miserably. Everybody just stayed in their Admin account.

      Don't worry about that stranger in your house you let in while you were away. After all, locks are so inconvenient.
  • Is anyone home?

    It's more than obvious UAC has room for vast improvement. But, as is often the case, is anyone listening? Hello MS, is anyone home?

    The more Microsoft tries to steer and micro-manage its user base, by replacing multi-choice options with singular (and often dumbed down) defaults, the more it peeves me. You see these deficits and shortcomings all across their GUI, and how often do you find yourself asking: "Why couldn't they have included an additional choice or two in this dialog prompt?" It's not like they lack the brainpower at Redmond to accomplish these kinds of things.

    In the same way MS prefers to peddle their flagship OS packages to the OEM vendors to promote new machine purchases, and thus relegates DIY warriors to second class status by overcharging for retail offerings, I often times feel they would prefer power users and enthusiasts to just go away so they can be left to baby-sit their dumbed down charges - charging as they go of course. "Simply Dial 1-800-MSFTSOS, and you're as good as gold!" Nothing like a bunch of tame and blind lemmings to call your own.

    Ironically it is the power user/enthusiast class that generally sets the tone in most things computing and not the masses, by creating both the challenges to be met, and suggestions and critiques on how they're best fulfilled.

    Choice is good Microsoft. Remember that. Please.
  • RE: Dear Microsoft: Please get UAC right this time

    Let's see... umm... most Active-X controls, most exe's that don't happen to be on the C drive, NOD32, ccleaner, administering automatic updates, uninstalling anything, simply opening device manager to look at it, turning off or altering file sharing, daring to even look at the event viewer, creating a folder in assorted places...

    Many of these things might be worthy of ONE double-check from the OS. Alas, most of them nag repeatedly - as many as 4 times just to create an empty folder (now that's dangerous!).

    And since there is no trusted-app feature in UAC, the presence of just one app or activity that you do frequently results in endless nags and thus causes the user to either turn off UAC or auto-click-ok to the nags, leaving the machine open to social engineering attacks.
    • What are you talking about?

      1) I use Vista daily, in the NON-administrator mode.

      2) What application do you run that requires privilege elevation?

      3) I haven't seen a UAC prompt except when:

      A) Installing/uninstalling a program (where it should appear)

      B) Running Task Manager and trying to view/kill system level processes (ditto)

      C) Running admin level tools (defrag, etc). (You want non-admins running this stuff?)

      If you're seeing UAC prompts while running a simple application it means the application violates *XP* guidelines. Personally, I haven't seen such an app in months--most companies have issued patches/updates to run apps correctly in Vista.

      Oh, and that double-click nonsense? Doesn't work in an Active Directory environment. We disable the local admin account and use a domain admin instead. Doing that requires you supply both the admin account name and the password--which is how UAC *should* behave. :)
  • UAC time delay

    Your suggestion that MS should put a time limit on UAC will leave a gaping hole in the security. Malware that was executed with standard user rights and that wants to gain full administrative rights just needs to lurk in the background until the user gives his or her consent to a UAC prompt, and then it can spring into action and install itself in parts of the system that would otherwise be protected.
    • Sometimes a compromise on usability is needed.

      If it is too painful then people won't use it at all.

      That said, I personally don't agree with you in your logic. If malware is "lurking in the background" you are already compromised and theoretically as soon as you elevate privileges it could strike. Yes, damage might be more limited but once the crook is in the house it is time to call the cops and get him out.
    • You're assuming that privilege escalation...

      would be retroactive for previously launched processes.
      It doesn't have to work that way.
    • That's not a real issue.

      I think this goes in the "can't happen" file, which is rather

      Let's assume that a key logger was not maliciously installed
      on the system. Processes cannot just peer into other
      processes and siphon off permissions. Not in Windows, not
      in Linux, not in OS X, not in... not in any competent
      operating system released this decade and some which
      have been around since the 70s.

      Everyone other than Microsoft uses sudo which does allow
      a limited time for uses without password re-entry within
      the same process (think opening a terminal.) If one needs
      more time, one could sudo /bin/bash and operate as root
      until entering exit.

      I'm surprised runas/UAC doesn't seem to provide for this
      (unless I read Mr. Bott's comments incorrectly.)
    • The time limit causes other problems.

      There are some programs that require admin rights for extended periods such as disk defragmenting programs or other long running processes. Imposing a time limit on such a utility could be fatal to the computer.