Tool shoves 'annoying' Vista security feature aside

Software developers claim they have created a tool to bypass User Account Control — an "annoying" security feature in Windows Vista, according to Microsoft executives.

The developers from NeoSmart said on their Web site that the UAC feature was "only there to give the impression of security".

UAC is a controversial feature of Vista designed to stop users from installing or executing arbitrary code. Many see it as a hindrance to performing everyday tasks, as it requests confirmation from users without administrator rights for many actions where no user confirmation was needed in Vista's predecessor, XP — in Vista, administrator is not the default setting.

iReboot, the tool developed by NeoSmart, helps users choose which operating system to reboot into. UAC had stopped the application from running at start-up, but the developers now claim to have bypassed UAC by splitting iReboot into two. One of the parts, running in the background, has privileged access to the operating system without requiring administrator approval each time the machine boots; the other part, running as a client program, interacts with this back-end service.

As the developers were able to grant the back-end part of the program privileges to run without express user approval every time the machine starts up, they claimed that Windows Vista's security limitations are "artificial at best, easy to code around, and only there to give the impression of security".

"Any program that UAC blocks from starting up 'for good security reasons' can be coded to work around these limitations with (relative) ease," wrote the developers in a blog post. "The 'architectural redesign' of Vista's security framework isn't so much a rebuilt system as much as it is a makeover, intended to give the false impression of a more secure operating system."

Earlier this month, Microsoft product unit manager David Cross said that UAC was deliberately designed to "annoy users", in order to put pressure on third-party software makers to make their applications more secure.

Microsoft had not responded to a request for comment at the time of writing.