Windows 7 UAC - Quick notes on why I disable it.
***
31 December, 2020
As of today my original article is over eleven years old.
Links to sources have disappeared.
Updated article
UAC - Quick notes on why I disable it
*** This article was created in 2009, many links are now dead.***
Microsoft introduced User Account Control (UAC) with Windows Vista.
Windows 7 has an "improved" version of UAC. The purpose of
this short note is to explain why I do not like or use UAC
on my own machines (because I get asked so much), it is not
to start an argument or to try to convince others to disable
UAC.
What is UAC? UAC is designed to alert you
before you do something that may have system wide
implications. Installing a program or making system changes
are among those things. When such an event occurs the user
gets a prompt. The UAC prompt is there to say something like
"Do you want the following program to make changes to your
computer?". What I see is something like, "Hey idiot, are
you sure you know what you are doing?".
UAC in
Windows 7 is much improved over Vista. The annoying prompts
are much less often. However as shown in the links below,
UAC is not a security boundary. It isn't for 3 reasons: The
first is that it was never designed to be a security
boundary, the second is that it can be bypassed, the third
is that most users just click "Yes" (rendering it useless).
In effect UAC draws a line in the sand and asks you if you
want to cross it. Some would argue that UAC better than
nothing but I'm not so sure. I am sure that UAC is not the
barrier that many folks would have you believe. UAC is a
line in the sand not a wall. It also cannot protect the
ignorant and the lazy.
I'm not saying that UAC is useless for everyone or entirely bad. I
install operating systems for many people and I would never
disable it for someone else unless specifically requested to
do so. I also ask if they were aware of the implications of
disabling UAC. I reckon a line in the sand is better than
nothing for some folks.
The links below contain the majority of material I have used
to come to my conclusions on UAC.
(Yes I've read every word of every one of them. Yeah, I
know, I'm a Geek.)
Readings on what UAC is:
Microsoft: What is User Account Control?
Inside Windows 7 User Account Control - Mark Russinovich
Windows 7: User Account Control (UAC) overview - Neowin ARTICLE REMOVED
Microsoft: Windows 7 features - User Account Control
ARTICLE REMOVED - See web archive of page: https://web.archive.org/web/20090928001738/http://windows.microsoft.com/en-us/windows7/products/features/user-account-control
Microsoft: What's New in User Account Control
Quotable Quotes
"
As we've stated since
before the launch of Windows Vista,
the primary purpose of elevation
is not security, though, it's convenience"
Inside Windows 7 User Account Control - Mark Russinovich
"
It's a best effort to
raise the bar and stop malware from making changes to the
operating system but it's not a
security boundary,"
Mark Russinovich
"
Elevations are a
convenience and not a security
boundary,"
Mark Russinovich
"
One important thing to
know is that UAC is not a security
boundary."
Engineering Windows 7 Blog
"
The reason we put UAC
into the platform was to annoy
users. I'm serious,"
David Cross, Director of Program Management for Windows
Security (microsoft)
"
we are seeing consumer
administrators approving 89% of prompts in Vista and 91% in
SP1."
Engineering Windows 7 Blog
Mark Russinovich at PDC 2009 - Windows 7 and
Windows Server 2008 R2 Kernel Changes
Link:
Windows 7 and Windows Server 2008 R2 Kernel Changes
(Continued from 1:30 Session)
At this time the link contains a Silverlight movie and a
link to the WMV file.
"
UAC does not stop you
from malware"
"
If Malware gets on your
box and you are admain, you must assume that that malware
will gain admin rights the second you ask for admin rights."
"
UAC is not about malware.
It is about one thing and that is getting you guys to write
your code so that it runs well as standard user."
He actually demonstrates how approving a legitmate looking
UAC prompt leads to a malware on the system.
Excellent third party articles on the shortcomings of UAC:
Within Windows - UAC, UAC, go away, come again some other
day
iStartedSomething - Sacrificing security for usability: UAC
security flaw in Windows 7 beta (with proof of concept code)
iStartedSomething - UAC in Windows 7 still broken, Microsoft
won’t/can’t fix code-injection vulnerability
iStartedSomething - Windows 7 UAC code-injection
vulnerability: video demonstration, source code released
ARS Technica - ARS Technica - Vista's UAC security prompt
was designed to annoy you
ARS Technica - Windows 7 UAC flaws and how to fix them
ARS Technica - Opinion: Windows 7's UAC is a broken mess;
mend it or end it
TweakUAC - Am I at risk if I disable UAC?
***You should know that when using
Internet Explorer "If UAC is disabled, Protected Mode is
turned OFF. When UAC is disabled, some of the protections
which Protected Mode depends on are not available, for
example, UI Privilege Isolation (UIPI) is disabled." source
IEBlog
Final Thoughts Whether or not you disable UAC
is entirely your choice. This is simply my attempt at
explaining why I disable UAC. I understand exactly what UAC
is and isn't. I have made an informed decision and weighed
the consequences. I would encourage you to do some reading
at the links above before you disable UAC. It should be
noted that I have multiple images of all my systems and
backups of data stored in multiple locations.
Want to argue about this subject or want to see what others
have to say? Head over to
The Great UAC Debate at Neowin
