Detailed usage of Vista UAC

Detailed usage of Vista UAC
Compared with the previous Windows version, such as Windows XP, Windows Vista brings comprehensive improvements, but I am afraid that the biggest changes in operation are not caused by UAC (User Account Control: user Account Control) does not belong.

Therefore, although we have already made a considerable introduction to UAC, such as UAC in Vista in terms of mechanism and principle: What does User Account Control and UAC bring to Windows Vista? And the specific operation methods, such as disabling UAC in Windows Vista, but for the use of Windows Vista, it is always indispensable to introduce UAC in detail in a separate chapter.

The introduction of UAC in this article focuses on operations and usage. For more details, refer to other related content of Vista world.

3.1 UAC goals and policies

Because of its huge market share, Windows has become the primary target of all types of malware and viruses. Various attack methods and technologies against Windows systems are emerging one after another, this is Microsoft's success, but it is also Microsoft's biggest sorrow: using the power of a company to fight the world's avid "attack fans" can only be hard to prevent and be exhausted, this also directly caused the impression of many users that Windows is a very fragile operating system.

Of course, this is not an excuse for Microsoft. From a technical point of view, in order to ensure ease of use and user friendliness, Windows has a high cost in terms of security and has a fatal defect, the most notable problems are the user-level and execution permissions. For example, I believe many of my friends have been harassed by "rogue software" more or less. Many people even talk about the "network" color change to form such a bad internet environment. Microsoft cannot escape it.-Of course, the proliferation of rogue software in China is also related to the lack of the most basic ethical principles of some "ethnic enterprises"-for the most common plug-in rogue software, although it is not very technical, it is often able to easily break through the windows system defense, the biggest problem lies in the existence of many problems in the Windows system, such as the Windows XP Standard account, which allows users to log on with superusers for operation, so that rogue software can easily obtain permissions.

UAC (User Account Control: User Account Control) is a new technology introduced by Microsoft in Windows Vista to improve system security. Its design goal is to prevent spyware or viruses.ProgramObtain permissions in the user's computer system and execute them without notice. Under UAC, when Windows Vista detects an unknown potential threat, a "Windows requires your permission to continue!" will pop up !" Dialog Box to remind the user to pay attention to or to allow/block execution according to the specific situation.

To put it simply, the core of the UAC mechanism is that Windows Vista requires all users to run programs and tasks in standard account mode. In this way, when the execution of the corresponding program or task may affect the operation of the computer or the operation of the modification that affects the settings of other users, that is, when you need/attempt to obtain higher than the standard account permission, the system will pop up the corresponding warning information and wait for the user to confirm and grant permissions, so as to prevent unauthenticated program installation, or prevent Standard Users from making improper system settings changes.

Obviously, Windows Vista has made great improvements in security by introducing UAC, but likewise, the negative impact of the UAC mechanism on user operation smoothness cannot be avoided: even users with patience may be interrupted by UAC windows frequently popped up during routine operations, so many users may consider disabling UAC on Windows Vista or bypassing UAC to enable super administrator. -- Of course, from the perspective of system security, this is by no means a wise choice.

For Microsoft, it may still be a long-term task to find the optimal balance between system security and smooth system operations. UAC may need to make careful and meticulous adjustments.

3.2 UAC Mechanism

In Windows Vista, there are two levels of user groups by default, namely the standard user group and the Administrator group. The standard user is a member of the computer users group, and the Administrator is a member of the Computer Administrators Group.

Microsoft's improvements in windows are that, unlike earlier versions of Windows, standard users and administrators access resources and run applications in the standard user security context by default. In this way, after the user logs on to the computer, the system creates an access token for the user. The access token contains information about the access level granted to the user, including the specific security identifier (SID) and Windows permissions.

If the logon user belongs to the Administrator group, Windows Vista creates two separate access tokens for the user: standard user access token and administrator access token. The user-specific information contained in the standard user access token is the same as that contained in the administrator access token. However, the Windows permission and Sid have been deleted to start applications that do not execute management tasks. While Windows Vista prompts users to change or "Upgrade" their security context from a standard user to an administrator when running applications that execute management tasks, this process is called "Management Review mode ". Only in this mode, applications require specific permissions to run as Administrator applications (applications with the same access permissions as administrators.

By default, the "User Account Control" message is displayed when the administrator application starts. If the user is an administrator, the message provides the option to allow or disable application startup. If you are a standard user, you can enter the user name and password of the account of a member of the local Administrators Group.

3.3 UAC everywhere

In Windows Vista, UAC is everywhere in the system. In fact, as long as you operate on Windows Vista, you may encounter UAC operation prompts marked with a small shield from time to time, such as in the control panel:

Or set "Advanced sharing" on the folder property page:

When you click the operation items marked with a small shield, the system will trigger UAC, and the corresponding permission escalation and confirmation window will pop up, depending on the identity of the login user, there will be two Prompt Windows described in the previous section. In this case, you need to enter the administrator password (standard user) or confirm whether execution is allowed (administrator ).

It should be noted that in the pop-up UAC window, the key focus is "canceled" by default, that is, if the program/service execution is allowed, you need to manually select the "OK" button, this also avoids the risk of accidental misoperation to some extent.

3.4 installer, download file and UAC

UAC not only exists in system settings related operations, in fact, when we install an application in Windows Vista, we often encounter UAC, especially for the application installation files downloaded over the network.

That is, when writing a custom Windows Vista boot screen, we use the Vista boot Logo Generator to download the file. Pay attention to the small shield in the icon.

When Windows Vista detects that the program may change the system settings during installation, a UAC request is displayed to confirm or escalate permissions.

3.5 change the UAC prompt Mode

Needless to say, frequent pop-up UAC prompt windows are often annoying. However, although Vista has introduced how to disable UAC in Windows Vista, however, to ensure system security, we strongly recommend that you do not do this. If you have to do so for some reason, make sure you fully weigh the risks and keep in mind the consequences of disabling UAC.

As an alternative solution, we can try to change the prompts of UAC (User Account Control) messages to avoid operations being interrupted by UAC pop-up whenever possible.

Note: For general users, this is still not recommended. Therefore, do not modify unless you are sure of the risks and understand how to avoid them..

To change the display mode of UAC prompt information, you must first log on as a member of the local administrator group-or provide authentication creden。 for members of the Administrator group after logging on as a standard user-to modify the corresponding security policy.

• Enter "gpedit. then press enter to open the Group Policy object editor, choose Computer Configuration> Windows Settings> Security Settings> Local Policies> Security Options ";
  Enter "secpol. msc" in the search box of the Start Menu, press enter, open the Local Security Policy Editor, and select "Local Policy" => "Security Options ";
  In the default configuration of Windows Vista, The UAC permission information window is displayed when you run these two system setting tools.
• Change the UAC information prompt when logging on as an administrator
  In the right pane, find "User Account Control: Administrator promotion prompt in administrator Approval Mode", double-click it, and select from the drop-down menu.

  There are three options in the drop-down menu:

  • Upgrade without prompt
    When this option is enabled, all applications marked as Administrator applications and those detected to be installed will run automatically with a full administrator access token. -- That is to say, after a user logs on to Windows Vista as an administrator, the system automatically handles the operation of elevation of permissions without the UAC Confirmation window. -- All other applications will run automatically using the standard User Token.
  • Prompt credential
    When this option is enabled, you must enter the Administrator creden。 when you need to raise the permission. This setting is generally used in the domain environment or enterprise policy.
  • Consent prompt
    This item is the default setting for Windows Vista.

  Therefore, if you select "do not prompt, upgrade directly", when you log on to Windows Vista as an administrator, you will no longer see the annoying UAC information Prompt window.

• Change the UAC information prompt mode when logging on with a standard user identity
  In the right pane, find "User Account Control: standard user promotion prompt behavior", double-click it, and select from the drop-down menu.

  There are two options in the drop-down menu:

  • Automatic Blocking of escalation requests
    When this option is enabled, Windows Vista disables a standard user from running an administrator application or service. The user will only see an error message from the application, prompting that a policy has blocked the application from running.
  • Prompt credential
    This item is the default setting for Windows Vista. That is to say, a standard user can obtain an administrator access token when running a program that needs to change system settings-provided that the user must enter the Administrator creden.

  If we do not want standard users to change system settings, we can directly enable "automatic blocking of escalation requests" to avoid the risks that standard user operations may bring to the system, at the same time, there will be no frequent UAC prompt windows.

• After completing the settings, click "application.

-----------------------------
From: Skynet