Windows 7 UAC - Quick notes on why I disable it.

nouac

Microsoft introduced User Account Control (UAC) with Windows Vista. Windows 7 has an "improved" version of UAC. The purpose of this short note is to explain why I do not like or use UAC on my own machines (because I get asked so much), it is not to start an argument or to try to convince others to disable UAC.

What is UAC?
   UAC is designed to alert you  before you do something that may have system wide implications. Installing a program or making system changes are among those things. When such an event occurs the user gets a prompt. The UAC prompt is there to say something like "Do you want the following program to make changes to your computer?". What I see is something like, "Hey idiot, are you sure you know what you are doing?".
   UAC in Windows 7 is much improved over Vista. The annoying prompts are much less often. However as shown in the links below, UAC is not a security boundary. It isn't for 3 reasons: The first is that it was never designed to be a security boundary, the second is that it can be bypassed, the third is that most users just click "Yes" (rendering it useless). In effect UAC draws a line in the sand and asks you if you want to cross it. Some would argue that UAC better than nothing but I'm not so sure. I am sure that UAC is not the barrier that many folks would have you believe. UAC is a line in the sand not a wall. It also cannot protect the ignorant and the lazy.

   I'm not saying that UAC is useless for everyone or entirely bad. I install operating systems for many people and I would never disable it for someone else unless specifically requested to do so. I also ask if they were aware of the implications of disabling UAC. I reckon a line in the sand is better than nothing for some folks.

The links below contain the majority of material I have used to come to my conclusions on UAC.
(Yes I've read every word of every one of them. Yeah, I know, I'm a Geek.)

Readings on what UAC is:
Microsoft: What is User Account Control?
Inside Windows 7 User Account Control - Mark Russinovich
Windows 7: User Account Control (UAC) overview - Neowin
Microsoft: Windows 7 features - User Account Control
Microsoft: What's New in User Account Control


Quotable Quotes

"As we've stated since before the launch of Windows Vista, the primary purpose of elevation is not security, though, it's convenience Inside Windows 7 User Account Control - Mark Russinovich

"It's a best effort to raise the bar and stop malware from making changes to the operating system but it's not a security boundary," Mark Russinovich

"Elevations are a convenience and not a security boundary," Mark Russinovich

"One important thing to know is that UAC is not a security boundary." Engineering Windows 7 Blog

"The reason we put UAC into the platform was to annoy users. I'm serious," David Cross, Director of Program Management for Windows Security (microsoft)

"we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1." Engineering Windows 7 Blog


Mark Russinovich at PDC 2009 - Windows 7 and Windows Server 2008 R2 Kernel Changes
Link: Windows 7 and Windows Server 2008 R2 Kernel Changes (Continued from 1:30 Session)
At this time the link contains a Silverlight movie and a link to the WMV file.

"UAC does not stop you from malware"

"If Malware gets on your box and you are admain, you must assume that that malware will gain admin rights the second you ask for admin rights."

"UAC is not about malware. It is about one thing and that is getting you guys to write your code so that it runs well as standard user."

He actually demonstrates how approving a legitmate looking UAC prompt leads to a malware on the system.

mratpdc2009

Excellent third party articles on the shortcomings of UAC:
Within Windows - UAC, UAC, go away, come again some other day

iStartedSomething - Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)
iStartedSomething - UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability
iStartedSomething - Windows 7 UAC code-injection vulnerability: video demonstration, source code released

ARS Technica - ARS Technica - Vista's UAC security prompt was designed to annoy you
ARS Technica - Windows 7 UAC flaws and how to fix them
ARS Technica - Opinion: Windows 7's UAC is a broken mess; mend it or end it

TweakUAC - Am I at risk if I disable UAC?

***You should know that when using Internet Explorer "If UAC is disabled, Protected Mode is turned OFF. When UAC is disabled, some of the protections which Protected Mode depends on are not available, for example, UI Privilege Isolation (UIPI) is disabled." source IEBlog

Final Thoughts
   Whether or not you disable UAC is entirely your choice. This is simply my attempt at explaining why I disable UAC. I understand exactly what UAC is and isn't. I have made an informed decision and weighed the consequences. I would encourage you to do some reading at the links above before you disable UAC. It should be noted that I have multiple images of all my systems and backups of data stored in multiple locations.

Want to argue about this subject or want to see what others have to say? Head over to The Great UAC Debate at Neowin

 

 

/fandq.htm">iTunes, iPod File Types & Quality

 

 

Software I Use

t12009

I use True Image 2011 for all my OS backups and Disk Director 11.0 for all my partitioning requirements.

TweakHound readers often get a discount off Acronis Products. Check the links for more info.

acronis disk director