User Account Control

We promised that this blog would provide a view of Engineering Windows 7 and that means that we would cover the full range of topics—from performance to user interface, technical and non-technical topics, and of course easy topics and controversial topics. This post is about User Account Control. Our author is Ben Fathi, vice president for core OS development. UAC is a feature that crosses many aspects of the Windows architecture—security, accounts, user interface, design, and so on—we had several other members of the team contribute to the post.  

We continue to value the discussion that the posts seem to inspire—we are betting (not literally of course) that this post will bring out comments from even the most reserved of our readers. Let’s keep the comments constructive and on-topic for this one.

FWIW, the blogs.msdn.com server employs some throttles on comments that aim to reduce spam. We don’t control this and have all the “unmoderated” options checked. I can’t publish the spam protection rules since that sort of defeats the purpose (and I don’t know them). However, I apologize if your comment doesn’t make it through. --Steven

User Account Control (UAC) is, arguably, one of the most controversial features in Windows Vista. Why did Microsoft add all those popups to Windows? Does it actually improve security? Doesn’t everyone just click “continue”? Has anyone in Redmond heard the feedback on users and reviewers? Has anyone seen a tv commercial about this feature? 

In the course of working on Windows 7 we have taken a hard look at UAC – examining customer feedback, volumes of data, the software ecosystem, and Windows itself. Let’s start by looking at why UAC came to be and our approach in Vista.

The Why of UAC

Technical details aside, UAC is really about informing you before any “system-level” change is made to your computer, thus enabling you to be in control of your system. An “unwanted change” can be malicious, such as a virus turning off the firewall or a rootkit stealthily taking over the machine. However an “unwanted change” can also be actions from people who have limited privileges, such as a child trying to bypass Parental Controls on the family computer or an employee installing prohibited software on a work computer. Windows NT has always supported multiple user account types – one of which is the “standard user,” which does not have the administrative privileges necessary to make changes like these. Enterprises can (and commonly do) supply most employees with a standard user account while providing a few IT pros administrative privileges. A standard user can’t make system level changes, even accidentally, by going to a malicious website or installing the wrong program. Controlling the changes most people can make to the computer reduces help desk calls and the overall Total Cost of Ownership (TCO) to the company. At home, a parent can create a standard user account for the children and use Parental Controls to protect them.

However, outside the enterprise and the Parental Controls case, most machines (75%) have a single account with full admin privileges. This is partly due to the first user account defaulting to administrator, since an administrator on the machine is required, and partly due to the fact that people want and expect to be in control of their computer. Since most users have an Administrator account, this has historically created an environment where most applications, as well as some Windows components, always assumed they could make system-level changes to the system. Software written this way would not work for standard users, such as the enterprise user and parental control cases mentioned above. Additionally, giving every application full access to the computer left the door open for damaging changes to the system, either intentionally (by malware) or unintentionally (by poorly written software.)

Figure 1. Percentage of machines (server excluded) with one or more user accounts from January 2008 to June 2008.

User Account Control was implemented in Vista to address two key issues: one, incompatibility of software across user types and two, the lack of user knowledge of system-level changes. We expanded the account types by adding the Protected Admin (PA), which became the default type for the first account on the system. When a PA user logs into the system, she is given two security tokens – one identical to the Standard User token that is sufficient for most basic privileges and a second with full Administrator privileges. Standard users receive only the basic token, but can bring in an Administrator token from another account if needed.

When the system detects that the user wants to perform an operation which requires administrative privileges, the display is switched to “secure desktop” mode, and the user is presented with a prompt asking for approval. The reason the display is transitioned to “secure desktop” is to avoid malicious software attacks that attempt to get you to click yes to the UAC prompt by mimicking the UAC interface (spoofing the UI.) They are not able to do this when the desktop is in its “secure” state. Protected Admin users are thus informed of any system changes, and only need to click yes to approve the action. A standard user sees a similar dialog, but one that enables her to enter Administrative credentials (via password, smart card PIN, fingerprint, etc) from another account to bring in the Administrator privileges needed to complete the action. In the case of a home system utilizing Parental Controls, the parent would enter his or her login name and password to install the software, thus enabling the parent to be in control of software added to the system or changes made to the system. In the enterprise case, the IT administrator can control the prompts through group policy such that the standard user just gets a message informing her that she cannot change system state.

What we have learned so far

We are always trying to improve Windows, especially in the areas that affect our customers the most. This section will look at the data around the ecosystem, Windows, and end-users—recognizing that the data itself does not tell the story of annoyance or frustration that many reading this post might feel. 

UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. As mentioned in previous posts, there are ways for our customers to voluntarily and anonymously send us data on how they use our features (Customer Experience Improvement Program, Windows Feedback Panel, user surveys, user in field testing, blog posts, and in house usability testing). The data and feedback we collect help inform and prioritize the decisions we make about our feature designs. From this data, we’ve learned a lot about UAC’s impact.

Impact on the software ecosystem

UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.

In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their “sessions” - a session is everything that happens from logon to logoff or within 24 hours. Furthermore, there were 775,312 unique applications (note: this shows the volume of unique software that Windows supports!) producing prompts (note that installers and the application itself are not counted as the same program.) This seems large, and it is since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated their software, far fewer applications are requiring admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.

Figure 2. Number of unique applications and tasks creating UAC prompts.

This reduction means more programs work well for Standard Users without prompting every time they run or accidentally changing an administrative or system setting. In addition, we also expect that as people use their machines longer they are installing new software or configuring Windows settings less frequently, which results in fewer prompts, or conversely when a machine is new that is when there is unusually high activity with respect to administrative needs. Customer Experience Improvement Program data indicates that the number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1.

Figure 3. Percentage of sessions with prompts over time.

Impact on Windows

An immediate result of UAC was the increase in engineering quality of Windows. There are now far fewer Windows components with full access to the system. Additionally, all the components that still need to access the full system must ask the user for permission to do so. We know from our data that Windows itself accounts for about 40% of all UAC prompts. This is even more dramatic when you look at the most frequent prompts: Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1. Some targeted improvements in Vista SP1 reduced Windows prompts from frequently used components such as the copy engine, but clearly we have more we can (and will) do. The ecosystem also worked hard to reduce their prompts, thus the number of Windows components on the top 50 list increased. Windows has more of an opportunity to make deeper architectural changes in Windows 7, so you can expect fewer prompts from Windows components. Reducing prompts in the software ecosystem and in Windows is a win-win proposition. It enables people to feel confident they have a greater choice of software that does not make potentially destabilizing changes to the system, and it enables people to more readily identify critical prompts, thus providing a more confident sense of control.

One important area of feedback we’ve heard a lot about is the number of prompts encountered during a download from Internet Explorer. This is a specific example of a more common situation - where an application’s security dialogs overlap with User Account Control. Since XP Service Pack 2, IE has used a security dialog to warn users before running programs from the internet. In Vista, this often results in a double prompt – IE’s security dialog, followed immediately by a UAC dialog. This is an area that should be properly addressed.

Figure 4. Number of Microsoft prompters in the top 50 over time.

Impact on Customers

One extra click to do normal things like open the device manager, install software, or turn off your firewall is sometimes confusing and frustrating for our users. Here is a representative sample of the feedback we’ve received from the Windows Feedback Panel:

• “I do not like to be continuously asked if I want to do what I just told the computer to do.”
• “I feel like I am asked by Vista to approve every little thing that I do on my PC and I find it very aggravating.”
• “The constant asking for input to make any changes is annoying. But it is good that it makes kids ask me for password for stuff they are trying to change.”
• “Please work on simplifying the User Account control.....highly perplexing and bothersome at times”

We understand adding an extra click can be annoying, especially for users who are highly knowledgeable about what is happening with their system (or for people just trying to get work done). However, for most users, the potential benefit is that UAC forces malware or poorly written software to show itself and get your approval before it can potentially harm the system.

Does this make the system more secure? If every user of Windows were an expert that understands the cause/effect of all operations, the UAC prompt would make perfect sense and nothing malicious would slip through. The reality is that some people don’t read the prompts, and thus gain no benefit from them (and are just annoyed). In Vista, some power users have chosen to disable UAC – a setting that is admittedly hard to find. We don’t recommend you do this, but we understand you find value in the ability to turn UAC off. For the rest of you who try to figure out what is going on by reading the UAC prompt , there is the potential for a definite security benefit if you take the time to analyze each prompt and decide if it’s something you want to happen. However, we haven’t made things easy on you - the dialogs in Vista aren’t easy to decipher and are often not memorable. In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista.  Some didn’t remember they had seen a dialog at all when asked about it. Additionally, we are seeing consumer administrators approving 89% of prompts in Vista and 91% in SP1. We are obviously concerned users are responding out of habit due to the large number of prompts rather than focusing on the critical prompts and making confident decisions. Many would say this is entirely predictable.

Figure 5. Percentage of prompts over time per prompt type.

Figure 6. Percentage of UAC prompts allowed over time.

Looking ahead…

Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.

Based on what we’ve learned from our data and feedback we need to address several key issues in Windows 7:

• Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified.
• Enable our customers to be more confident that they are in control of their systems.
• Make prompts informative such that people can make more confident choices.
• Provide better and more obvious control over the mechanism.

The benefits UAC has provided to the ecosystem and Windows are clear; we need to continue that work. By successfully enabling standard users UAC has achieved its goal of giving IT administrators and parents greater control to lock down their systems for certain users. As shown in our data above, we’ve seen the number of external applications and Windows components that unnecessarily require Admin privileges dramatically drop. This also has the direct benefit of reducing the total amount of prompts users see, a common complaint we hear frequently. Moving forward we will look at the scenarios we think are most important for our users so we can ensure none of these scenarios include prompts that can be avoided. Additionally, we will look at “top prompters” and continue to engage with third-party software vendors and internal Microsoft teams to further reduce unnecessary prompts.

More importantly, as we evolve UAC for Windows 7 we will address the customer feedback and satisfaction issues with the prompts themselves. We’ve heard loud and clear that you are frustrated. You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience. We believe this can be achieved by focusing on two key principles. 1) Broaden the control you have over the UAC notifications. We will continue to give you control over the changes made to your system, but in Windows 7, we will also provide options such that when you use the system as an administrator you can determine the range of notifications that you receive. 2) Provide additional and more relevant information in the user interface. We will improve the dialog UI so that you can better understand and make more informed choices. We’ve already run new design concepts based on this principle through our in-house usability testing and we’ve seen very positive results. 83% of participants could provide specific details about why they were seeing the dialog. Participants preferred the new concepts because they are “simple”, “highlight verified publishers,” “provide the file origin,” and “ask a meaningful question.” 

In summary, yes, we’ve heard the responses to the UAC feature – both positive and negative. We plan to continue to build on the benefits UAC provides as an agent for standard user, making systems more secure. In doing so, we will also address the overwhelming feedback that the user experience must improve.

Ben Fathi

Comments

• Anonymous
  October 08, 2008
  No idea if this is possible, but it would be nice to get IE to still run in protected mode even with "overall" UAC off.  Since browsers tend to be the biggest malware entrance portals, a compromise of system protection vs intrusiveness would be nice.

• Anonymous
  October 08, 2008
  Yes, the User Account Control is a great idea and in theory it should ensure that there is no malicious software on Windows computer. Please do not allow this tool to be weakened in any way, only strengthened so that one day, users won't need any anti-spyware software or anything like that. To help the average user understand this feature, you could add a "What is this?" link and include UAC in a walk-around of all the features of Windows 7 that is displayed during installation or the first time that the PC is used. One problem that I've had with the UAC is that sometimes the prompt is delayed and the installation that I am running is stuck at 0% until the prompt is displayed.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  I really thinks UAC is a good thing - though a little annoying. Actually the thing that annoys me must is the safe screen because it makes flicker. So I disable it and enable password. But when you talk about quality software and poorly written applications, I really thinks MS should be the leader and remove all those small artifacts in Windows. Mostly graphical artifacts thinks which make Windows look cheap (which its not ;)). Anyway, this blog is a cool thing :) Best regards

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  Great that finally someone is talking about it. UAC has really been a pain sometimes. Its a great idea about broadening the control because i definitely want to be notified if something unwanted is accessing stuff in my PC but definitely not when i try to open MSCONFIG to remove the startup programs. I second the thot of running IE in a protected mode. I am by no means a OS expert so am not sure if thats totally possible with win NT kernel or not. finally here is my 2 cents - as much as i appreciate the existance of a virtual controller to control the ISVs but wudnt it be better if they are somehow brought under one umbrella to make sure all of them follow a standard. This sure is a herculian task but assures a radical improvement of software quality and user experience.

• Anonymous
  October 08, 2008
  UAC is a great thing for users that want to keep tabs on everything that's being installed. I, myself, have disabled UAC because of the prompts. I move a lot of files around a lot of sensitive folders and it just doesn't make sense to keep it enabeled when I know what I'm doing and the system thinks I don't. It's a great idea to get people started on the path of thinking about what goes on their PCs but for power users like myself it can really only be a hinderance.

• Anonymous
  October 08, 2008
  The thing will all those warning is that some webpages already explain that the user will have to acknowledge this and that to make a program run. Users are trained to acknowledge UAC (and other) security prompts. This situation can only be improved by showing less UAC prompts. And most UAC prompts aren't target audience friendly. They contain way too much text and are (Microsoft-typical) too technical. Technical descriptions using non-technical words acutally. There should be only questions like "Are you trying to install a new program?". Or "Are you attaching a new device to your computer?". With dangerous symbols. Users should be scared when they see the prompt - because they only see the prompt once a year and because it makes a lasting impression. It should give them bad dreams... Two things I couldn't figure out in all those years:

1. The need for the yellow security bar in IE - the one that blocks downloads...
2. Why MS invented UAC instead of just improving the usability of standard user accounts. Because the security subsystem itself was/is perfectly fine...

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  While some have started muttering that this blog is nothing more than another marketing ploy, this post proves them wrong (or for the cynical, partly wrong). A clear, informative, and above all honest post about designing and building in integral part of the OS, targets, successes, flaws and missed opportunities all quantified and addressed. Well done, this makes me feel a lot more comfortable about the work that's going into Win 7. Of course, I'm still not going to use it if you keep that horrible Vista Explorer. XP's was 99% perfect, apart from its intransigent refusal to display folder sizes. (don't tell me it causes too much overhead, because you've got pointless fancy sliders for changing between view types. If I can get it in a balloon tip, show it in Explorer)

• Anonymous
  October 08, 2008
  here's my initial response before even reading the article. i'll append to it if necessary. to me, if i click on something, whether it's to change the time, go into device manager or computer management, i must want to do it. so, once you get uac to know:

1. i clicked on something so i want access to it.
2. something i didn't click on is opening or
3. that i clicked on paint and some other app is trying to launch, i turn it off. (can't believe uac is invoked when accesing the time ui, anyway) once it's smart enough to know this, i'll leave it on.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  Personally I like the UAC. I'm not saying that there aren't areas of improvement, but the fact that I'm very confident about the security of my vista computer I think speaks a lot to UAC. While it can be annoying, and may slow down the computer at times, its a great safety net. And the fact that because of UAC, Windows is changing the software ecosystem is an even better thing.

• Anonymous
  October 08, 2008
  I understand what you are trying to achieve with UAC and I do agree that it is worthwhile goal. Also given where you are starting from the current implementation is a reasonable solution. Perhaps the biggest frustration for me (and I consider myself a knowledgeable Windows user) is the 1 to 2 second screen blank that occurs on my PC before the UAC prompt occurs. Although it sounds silly that long jarring pause has already put me in a bad mood that I don't want to take the time to fully comprehend the information the dialog is telling me. I don't know if the screen blank is a result of my hardware or device drivers or is caused by the OS itself but by getting rid of this one artifact would improve my UAC experience by an order of magnitude. Some quick searching on the web would suggest other people feel the same way. Andrew.

• Anonymous
  October 08, 2008
  >>Of course, I'm still not going to use it if you keep that horrible Vista Explorer. XP's was 99% perfect, apart from its intransigent refusal to display folder sizes. I'm sure if they made a post on the UI/Explorer we'd crash their servers with responses. :) We have much to say. lol >>The ones that I have seen have been useless, though, in that they don't give me any useful information about what's really going on. I love UAC but, generally, the prompts do look rather vague and useless. Makes me interested to see what they're doing with these new UAC dialogs for W7.

• Anonymous
  October 08, 2008
  Personally, I'd like to see the transition to UAC prompts a bit more smooth.  I realize the importance of using secure desktop, but the way the screen flashes is really annoying.  Some kind of smooth fade would be a huge improvement! Also, I'd like to see the ability to "open files as administrator."  For example, if I want to edit a file in Program Files, I have to first run the editor with elevated privileges, then navigate to and open the file.  I'd much rather do that in one click. P.S. I'm one of the few Vista users I know who have left UAC enabled; I think it's useful, if a bit annoying at times.

• Anonymous
  October 08, 2008
  I bought a computer with Windows Vista within the first few days of its release.  UAC was the first thing about Vista that I noticed when I started using it.  After fighting off Malware on Windows 98 and Windows Xp machines for so long, and so many futile hours of trying to sanitize the compromised machines of friends and families, I immediately appreciated what you guys were doing with UAC.  It is absolutely necessary and I'm glad to hear that you will bring an improved version of UAC to the next version of Windows.

• Anonymous
  October 08, 2008
  One easy tweak that could eliminate many UAC prompts would be make a "Programs" folder inside the "User" folder. Make it easy for installers to give an option switch to this alternative "Programs" directory before the UAC popup is presented. Right now applications let either let you choose a folder or default to the "Application Data" folder (See sync-toy). Overall UAC is a great idea, it just has some rough edges and needs more support by making user specific copies of system directories. One graph that I would like to see is the % of people with UAC turned off. From comments on forums it sounds like many people have it turned off, but in my experience I have found very few people with it off.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  It took me a while to get around to using UAC but now that i know how to use it correctly i really dig it, well done! The only problem i have with it is with the secure desktop, when it’s activated it’s sort of a jarring experience, almost akin to a system crash. Would it be possible to maybe smooth the transition somewhat, my nerves are not what they were lol

• Anonymous
  October 08, 2008
  Microsoft has a free software called Steady State. This is a kid safe environment. It doesn't save any changes to the computer. I think MS should consider it build-in. About UAC, it is fine. I am using it to know what the installer is modifying important sector or not. But sometimes it is quite annoying indeed.

• Anonymous
  October 08, 2008
  One of the things I really think would reduce complaints would be if once you okayed a UAC prompt the user wouldn't be prompted for another 30 seconds or minute. I know that for me at least the prompts tend to come in bursts, and if I only have to click once instead of the 5 or so times in a row, that would make me appreciate UAC much more.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  Windows Steady State is very very good, especially if you have kids in the home. Implementing a feature or at least a link to the download location in the Parental Controls would be very very helpful.

• Anonymous
  October 08, 2008
  I have always had user account control on, and I don't mind it too much. The security makes up for the annoyance...most of the time. There are certain things which bring up WAY too many UAC prompts. For example: I want to manually delete a folder from C:/Program Files. First, I have to click "Yes" to confirm that I really wanted to delete it. Then I have to click "Continue" because I am modifying C:/Program Files. Clicking that brings up UAC, where I have to click "Continue" again. Sorry, but that is too many prompts. There should a maximum of ONE prompt after I confirm the deletion. This prompt would tell you why it had appeared ("Modifying C:/Program Files could cause undesirable program errors. Click continue if you are sure you want to delete this folder.") ...Just one example of excess annoyance. I agree with the previous posts that when users see too many prompts, they stop reading them and just click continue. Keep up the great work!

• Anonymous
  October 08, 2008
  Of course, so many people complain about the secure desktop (jarring screen 'crash', etc.) and there is a group policy setting that can turn it off (google "turn off secure desktop") while still leaving uac on. This really tells you something about the people who sit around on forums criticizing MS all day, and what they know.  Anyway, I like UAC as it is, I only see a uac screen when I am doing system wide changes that I want software not to be able to do without my permission.  Compromising UAC would mean any software could do anything it wanted on my system, I can't believe people even suggest that, they should go turn off uac and leave everyone else alone with that asinine nonsense.  One thing I would like to see is a no-read-up policy for low integrity level on most everything.  As it is now, malware can't write to the system areas and auto-start with windows and so on, but it can still read user data and this is a security concern MS should address. MS should notify developers that this will go into effect in Windows 7 so that they have time to fix whatever code this affects and then set it up like that so that users don't have valuable private data stolen by any malware that exploits IE. Thanks for the blog and good work, again.

• Anonymous
  October 08, 2008
  >> I don't know if the screen blank is a result of my hardware or device drivers or is caused by the OS itself but by getting rid of this one artifact would improve my UAC experience by an order of magnitude. It is your hardware.  Is your monitor connected via VGA by chance?  When Windows resets the video mode, VGA monitors have to resync and that takes time.  DVI monitors don't have this problem. Why it resets the video mode I still haven't figured out, there has to be a way to have a secure desktop without the video driver needing to know. >> Example 1: change the source viewer in IE7 to VIM, then choose "View source", then nothing happens. Just an aside, you are enough of a power user to use VIM (heck, even know what VIM is) and you still use IE for anything where viewing source matters?  You are probably one in a million.  The rest of us left that piece of trash long ago and only use it for that one percent of the web that hasn't figured out what standards mean. Directly on topic, I really think the UAC developers should put Windows away for a month and go use either OS X or Linux.  Experience sudo and how it works.  Return to Windows development, throw out UAC entirely, and as Apple would say, "start your photocopiers." Duplicate prompts aren't a problem, the user is allowed to do anything that affects only them without a prompt, and the prompts that you do get have this nifty button titled "Details" which when clicked tells you what wants privs and why.  If you're having prompts being automatically triggered by requests to change certain things, clearly the software knows what triggered it and can tell me so I don't have to guess.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008

• I would like to add the following games to Windows or Windows Ultimate Extras: Shogi, Go, Xiàngqí, sudoku and Pai Sho, which also include the features of the Microsoft Plus Pack for hearing, Microsoft Plus! Labyrinth, dancers for windows media player
• Recommend that the new windows did not have the most win.ini and the registration and be changed to a more secure, better designed and do not let so many traces, which also did not install an administrator account by default but a limited and in linux
• New effects in wpf and more customizable as Compiz-Fusion, the desktop is equal to KDE and GNOME, windows media center that supports full HD audio, video and images, support for Nintendo Wii and PlayStation

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  personally,  UAC has never given nuisance

• Anonymous
  October 08, 2008
  One more thing I forgot while writing my post a minute ago.   UAC hangs for several minutes sometimes in the Secure Desktop. It only happens when my laptop is at home, so on the internet and a valid network, but cannot reach the corporate DCs. I'll cause an elevation, type in my new credentials, and it will sit as long as 1-2 minutes before I regain control of my computer. Given that this is happening while the secure desktop is loaded, this basically makes my computer 100% non-usable and effectively gone during that time period.   Note that this is elevation with credentials, so I have to type in a different set of credentials to elevate. There should be a hard-timeout period of 5 seconds.  Or drop out of secure desktop instantly before doing the network query. This actually seemed to get dramatically worse with SP1, even though I read in the release notes that some work was done to improve that.

• Anonymous
  October 08, 2008
  @marcinw -- what you describe sounds a lot like the former NGSCB project (aka Palladium) -- secure, segregated areas ("nexuses") running on a single machine. @asymtote & wolrah -- One thing to watch for is driver updates which actually make the "blank screen" delay worse.  A while back, updated Nvidia drivers were offered via Windows Update and I installed them, and after that I started getting the same UAC delays.  Rolling back to the previous drivers solved the problem.

• Anonymous
  October 08, 2008
  One thing that I think would be helpful would be a secure hardware-based approval mechanism of some sort, for example a new key on your keyboard that when held down, would surpress the UAC prompt when clicking on a button/program. It's not as easy as it might seem, forever.  First of all, you could have malware just waiting around in the background, trying to elevate repeatedly and it will eventually sneak through when the timing is right. Secondly, how long would the user need to hold down the key after performing the UI action?  If for some reason the app showing the UI has a delay before trying to create the elevated process, the user would need to keep the key down the entire time. In any event, it would be great if there was some way to authoritatively know whether an elevated process creation request was really intended/initiated by the user.

• Anonymous
  October 08, 2008
  I'd have more to say regarding UAC if I had a real amount of experience "using" it on a day to day basis (I turned it off in the Beta), and if I knew what the changes would constitute. So far as I can tell, you're dealing with all the issues I actually care about; keeping my system secure, without bothering the daylights out of me in the process.

• Anonymous
  October 08, 2008
  I think the UAC is very great, but! there are some problems, first there is the problem for just watch for information, a sample: If i would to watch my drive informations with the tool for that i need to give them admin rights. i think you just need to become an admin when you wona change something and not if you just would to watch informations. second, double klicks...also a sample: if i wona create a folder in maybe the Users Folder(i now that is not normal but i use this for the sample) i make ->rightklick->New->Folder->Continoue->Continoue...why we dont have just ->rightklick->New->Folder>Continouem, why we dont just need to say 1 time ok and not 2 times? I saw some screenshots from 7 M3 and the new UAC Settings, i think this is the right way but look for problems like the 2 i told at the beginning of the post...

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  The reason that I have turned UAC off on my machine is because when I want to work with files outside of my profile directory UAC seems to block it all the time.  For example it won't let me create a folder in the program files directory or add files there.  It will UAC prompt me, but then it still won't do what I asked.  I have a couple of programs that don't come with an installer that I normally stick under the program files dir and then just put a shortcut into the start menu.  If there was an easy way for me to run windows explorer in admin mode (with the UAC prompt at the start) I would probably turn UAC back on. I frequently do work on peoples computers and sometimes when their computer won’t boot they want to get some of their files off the disk.  I have an external enclosure for this sort of thing, but windows will tell me that I don’t have sufficient privileges to open their profile directory on the external drive.  It prompts me for elevated privileges, but no matter how many times I click the continue button it still won’t let me through.  As soon as I disable UAC I don’t have a problem anymore.

• Anonymous
  October 08, 2008
  This was meant to go on the bottom of the previous comment, but apparently the comments have a max length. The following paragraphs detail some thoughts I have had on things that could improve my experience with UAC and make it more practical for me to have it on all the time. Another feature that could be cool is if you could automatically raise a specific piece of software to admin privileges while it was running from the task manager.  For example sometimes I need admin privileges to work with some projects in Visual Studio, but I forgot to open it as admin so I have to close everything and then open it again. Also as has already been mentioned it would be nice if even when you’re running with UAC turned off you could set some programs (such as IE) to run with only basic user privileges. Maybe there could be a dialog that let you switch your account mode while it was running.  So I could click a button which would allow everything full privileges while I did something and then I could flick it back into UAC mode straight away so I know if something bad is trying to do something I don’t want it to.

• Anonymous
  October 08, 2008
  Thanks for the blog on the UAC. I had a pretty good understanding before, but it's helpful to have detailed information. I like the idea behind UAC. Anything that helps stability is appreciated. I must say though, that I ended up turning it off because of the constant bombardment of popping up windows while trying to work. I found that it was very distracting and I stopped reading or caring what it was about or what it said. I would simply click to get it off the screen. Another annoyance was that my father would call me several times a day, would read what it said to me and ask for my advise on whether he should allow or not. Needless to say the next time I flew back into town, disabling the UAC was the first thing I did. So again, I like the idea behind it, but this is a incredibly annoying implementation that feels more like a band-aid over a large problem of how easy it is to get down into the core of windows and mess something up. I don't know what the answer is, but I just felt like this was a huge step in the wrong direction in the user experience field.

• Anonymous
  October 08, 2008
  "Run as" would be a very nice addition. Also please notice the way Linux distros prompt for administrator credentials when trying to run system level or maintenance programs. Run as combined with administrator credentials would be very useful in cases where you want to enable/disable some features for a standard user account. (shouldn't appear in an admin account) Personally I hope UAC is gonna get better in Windows 7 and be less obtrusive and more of an adviser.

• Anonymous
  October 08, 2008
  When installing a new app, I get a UAC prompt but I would like a way to control the amount of access that the app gets on my system. e.g. If I were to install a system-level utility, I can give it full access to the system. If I'm installing a text editor or a game, I want to be able to limit its access to its folder in Program Files and any special folders it wants to add in My Documents. I would also like UAC to tell me if an app tries to go beyond app-level access. At the moment, there is not enough granularity so the UAC prompt to install a text editor is the same as what a system-level utility would require. Essentially, I want UAC to have the same customisability as a good firewall. Also, since I try a lot of software that don't even have their own installers, I put them in a separate folder. By not using Program Files, am I lessening my security? Wouldn't these programs try to save settings to their own folders, so they would actually fail if they ran in Program Files? Can we have the app isolation of App-V become part of standard Windows?

• Anonymous
  October 08, 2008
  I like the principle of least privilege and I believe it makes software more secure and less destructive in case of failure. I support extending UAC and building it deeper into the architecture, while making it less annoying. I have the following proposals for UAC:

• I envisage a layered approach for privileges a process can aquire. Not too many, but enough for people to be able to taylor the prompts for their level of security-awareness. For example, one layer could be session-restricted privileges, which doesn't allow the process to make permanent system-level changes, that couldn't be reverted by a simple reboot. Another layer could be per-user privileges, only affecting the current user. An application wants to write its own folder (ex. program update)? Give it access to its files only. The layering could also happen for application classes: trusted ones getting automatic elevation, while recently downloaded programs not. By no means do I think that this can be done without any architectural changes. However, building up a new security-minded architecture could prove beneficial in the long run.
• make prompts meaningful (as read in the blog) = no "Unknown Publisher" or worse, empty prompts

• Anonymous
  October 08, 2008
  As a software professional I was heavily involved in getting our applications to work without the need for admin privileges under Vista. Four key changes that could be made in Windows 7 to reduce UAC dialogs and simplify the development of well-behaved software:

1. Allow processes to have write access to the folder containing the initial executable file of the process, and to sub-folders of that folder. This will avoid the need for admin privileges for programs that keep data files in their installation folder (a common reason for needing admin privileges), without compromising security.
2. Have a catalog of permitted automatic elevations by permitted signed apps when the user is an administrator.
3. Before raising a UAC dialog, determine whether the request was initiated by a "known good" user action in a "known good" program - such as a user drag of a file in Windows Explorer - when the user is an administrator.
4. Allow an already-running process to temporarily automatically elevate to admin privileges (with UAC verification), rather than requiring a separate process or out-of-proc COM object.

• Anonymous
  October 08, 2008
  Does this mean that you keep the Vista kernel eventually? The same hybrid in name but anyway big, over-blown monster? I am probably wrong but UAC seems to me something that is should be handled in core level. I really like this blog but what I miss is feedback from you. Details of Windows 7. I guess you want to make it a big surprise just don't make it a big shock. This time you have to live up to the expectations. And not just on UI and User Interaction level, but also on core level. Maybe these are just my fears, but I really would not like to be disappointed as I did in Vista. Actually I would like if you implement a proper Administrator and User accounts. In Administrator account everything goes without prompting. In user account you should be asked for administrative credentials to change sensitive things. At first run the user should be asked to create an admin account and a user account as well. And the the user should be encouraged to use the user account most of the time. IMHO

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  Why not make it optional to enable UAC when you make a new user account? "Do you want to enable User Account Control on this account? UAC can be useful for kid's accounts bla bla bla.. Read more about UAC". Personally, I like the idea with UAC, but I don't use it. I've been to tired of looking at those UAC overlays, which does not provide enough information about the program to use it as an user who doesn't has much knowlegde about computers and software. Give the user more information in the UAC popups, reduce the number of popups.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 08, 2008
  I am another person who has disabled UAC. Why? Well, to be perfectly honest I found it more annoying then helpful. Sure I appreciated to thought and objective, but the implementation was driving me up the wall. My preference would be to only have it appear when a chance is made to core system files. I am regularly testing programs, accessing files created on my dual boot XP drive (which I rarely use these days)and running software which keeps giving me the popup. I will be paying close attention to this topic and the responses from MS.

• Anonymous
  October 08, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  sounds to me like you guys are well aware how much we all hate the way UAC is currently implemented - it's no exaggeration to say that everyone i know who actually uses Vista (very few people) have it turned off the theory and concept behind it is indeed noble, it's the realisation that's made it a complete dog. as a side note, i know it drives Microsoft mad that Vista gets such bad word-of-mouth reviews between peers. fixing UAC would eliminate half this problem

• Anonymous
  October 09, 2008
  Good to see that introducing UAC actually made software developers change their software to be able to work w/o needing admin privileges, maybe this way, windows' "limited" users will have a purpose too, never used them under XP cause everything needed admin privileges anyway. As for Vista, I'm one of the people who got annoyed by the UAC pop-ups and turned it off. I do understand that it's useful for less experienced users, so please keep it and make the whole process more fluent; i actually hated the flickering screen more than the additional click to do something. Oh and keep the option to turn it off please.

• Anonymous
  October 09, 2008
  There could be two solutions:

• "Don't require UAC prompt for this application" This can be hairy, since this base must be protected well.
• "Don't require UAC prompt for this session". That would be very nice, especially for admins. Current (???) M3 W7 builds "UAC aggressiveness" slider seems not very friendly, and described poorly.

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  I have to agree with commenter Tihiy on this one. I only get peeved with UAC when I'm doing a lot of "work" on the pc. I wouldn't mind being prompted once and have the option to allow for session.

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  I don't think you should attach too much importance to the data that so many admins approve the UAC prompt quickly, and don't remember what the prompt actually said.  For me, it's the timing of the prompt that makes all the difference.  Let me explain... UAC doesn't annoy me most of the time because I learn to expect the prompt, when firing up mmc for example, so the click is somewhat automatic.  However, there have been (rare) occasions when the UAC prompt appears at an unexpected moment.  On those occasions, I definitely stop, read the prompt, and think about my decision. This might mean there's a "window of opportunity" for malware to get my approval when I think I'm approving something else, but I still feel safer than when there was no UAC.

• Anonymous
  October 09, 2008
  The idea of the UAC is right, but you need to work in options like "I Trust in this software" so the UAC don't display every time the popup.... and please avoid duplicate popup, i receive in some circunstancies three popup for one operation ???

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  I think I caught the basic Idea of UAC already in the first Vista beta. But as a so called 'Poweruser' I tend to turn the whole thing off, as soon as the installation is finished. so, instead of controlling ALL of my action, or rather respond to always the same action, it would be great if the UAC had some sort of Training Mode.. You see that in Firewalls a lot, where the software 'tries to get an idea' of how people use the network, Ports etc... (or at least that you would have some kind of option, that UAC remembers the choice I've made...).

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  Only one thing to say, keep the system protected by default but give possibility to desactivate this security. User mustn't be jailed with something he don't want.

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  Can't Windows implement something similar to SUID bit on Unix/Linux system? As a developer, most of time I am forced to create a do-nothing service simply for giving auto-elevation to my application. An Unix-like SUID feature will eliminate the need for creating services in such kind of scenario and reduce the number of services running on the system. On Windows, one can set the flag "Run As Administrator" on an executable file. But Windows would prompt for credential when starting such file. I really hate this.

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  As someone who uses Macs and Linux, the prompts are nothing new to me, I don't mind them at all. It's kind of like asking people to wear seatbelts. It's a pain, and slightly uncomfortable - but in the grand scheme of things it's utterly justifiable. What does concern me is specific flaws are being found that can escalate code to Admin privileges (a recent GDI+ flaw springs to mind).

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  There have been a few questions about the percentage of customers that disable UAC.  Our data is showing that about 92% of people run with UAC enabled. The interesting point to consider is the data about how many popups happen early in the usage of a new PC--this might cause an enthusiast to disable UAC early on and then decide not to enable it or neglect to enable it after the initial flurry of elevation requests.  That is perhaps why this number, 8% disabled, might seem a tad bit higher than expected. --Steven

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  I agree that "Run As" option I think is a must. UAC messages can be displayed in the active window as a modal dialog if the actions are initiated by a process that has an active window. It would eliminate some user frustration. Sometimes, it is hard to determine which program caused a UAC pop-up, and whether the action was expected. User should be able to put applications into the list of trusted applications and permit or disable most common operations that are can be blocked by UAC. User should be able to remember settings for such operations when a UAC dialogs are displayed (add a checkbox or another button). And, developers should be able to incorporate UAC presets into the installation packages so the user would be able to accept recommended settings at once. I somewhat agree with users that recommend suspending UAC messages for an application or even all applications for the duration of the session. Security can be compromised, unless running session in "transaction" mode when the changes to the file system are not committed.

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  In my opinion, the whole idea of the prompts is flawed at its core, and the model of users is not a reflection of how a real system should be. An administrator should have the ability to perform administrative tasks, and it should be assumed that they know what they are doing = they don't need the popups asking them if they are sure. A normal user should not have the ability to perform administrative tasks EVER, NEVER EVER!! Don't ask them if they want to - if they are not an administrator, they aren't allowed to do administrative things. If a regular user account sincerely needs to perform an administrator action, then you should have to authenticate as an admin/superuser ... can you tell what I'm getting at - sudo - Unix/Linux/MacOSX - that's how they work.

• Anonymous
  October 09, 2008
  In my oppinion for an IT Admin or a power-user the UAC is a real annoyance and productivity killer. As many have already said before me I know exactly why I want to do changes to the Registry or delete files or folders in Program Files or Windows. If UAC is a must for Windows 7 I would like to have the following choces (probably anyone who installs and configures Windows for a living will appreciate it):

• have the choice during initial Windows setup process to Enable or permanently disable UAC
• if I choose to Enable UAC please let me select if I want it enabled right away or after x minutes after the first log on
• if I create a new user and I grant it Admin rights I want those rights to be indeed full Admin rights not a slimmed down version
• allow for the UAC to be tweaked so it will show additional prompts only to the events I choose to monitor
• make UAC manageble through GPOs at the domain level
• as other users mentioned before create a distiction between actions made by an actual user and actions made by software Probably I can think a dozen more features I would like to see in the UAC but I know that if I would get half of what I listed already I could consider myself lucky. Finally, UAC was my main reason why I stayed away from Vista... even with UAC disabled there were times were I felt that my user with full admin priviledges was not actually in full control over the system... we the IT people like to feel in control! Thanks!

• Anonymous
  October 09, 2008
  ...and please return the "RunAs" as a choice...

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  @spacejumper "...and please return the "RunAs" as a choice..." why? you can do everything you can do with RunAs in the search field of the startmenue...

• Anonymous
  October 09, 2008
  Once again Administrators should have administrators/system rights. The OS should not questions what an Administrator is doing. If the Admin intention is to infect a computer with 100s of viruses thats fine. (It is actually the AV responsibility to prompt the admin in this case). The OS should make it more comfortable for the admin to change stuff. You should expect that the admin is well aware of that installing downloading softwares can be dangerous you do not have to prompt him. However when you prompt an administrator then you should provide detailed information about whats going on. When the admin creates a user account he should be able to explicitly set the right for each user. During the UA creation process. That should include for example allowing/prohibiting installing softwares/viruses. However those softwares should only allowed to access stuff in the User security sandbox, and not in the Admin security sandbox. If the User wants to do something that requires admin rights then he should be prompted for Admin credentials.

• Anonymous
  October 09, 2008
  I just mention that not including Group Policy Editor (also Terminal Server) into Vista Home products was a sickening thing to do. It actually made me consider to switch to Mac. This is just a cheap shot to make people to upgrade to Ultimate for a 100 bucks. Next time what you don't include notepad? Having Terminal Server on the home computer is more important than on a business computer. They have servers anyway.

• Anonymous
  October 09, 2008
  I can not see anything about MinWin or kernel changes, about hypervisor in Win 7 or core features in the PDC2008 agenda. https://sessions.microsoftpdc.com/public/sessions.aspx Does this mean that Win7 will be a polished Vista?

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  Surely one of the best (and simplest) things that could be done to improve security is to change the installer for Windows 7 to encourage/force the creation of a standard user account. Your own stats show that the majority of home computer have a single user set-up and this is configured as an admin user, this is a situation that you should try and address. I guess this would involve communication with other members of the ecosystem so that suppliers of new computers configure them in this way.

• Anonymous
  October 09, 2008
  The comment has been removed

• Anonymous
  October 09, 2008
  i don't understand what's so difficult about just copying the MacOSX way of doing UAC? a lot of people here are hinting at it, so i'll just go ahead and suggest it out loud great ideas should be shared, and when did you ever hear about anyone complaining about the way OSX handles the UAC side of things?

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  UAC, it's a good thing, for the most part.  However Microsoft please take into account, your power users. You should be able to disable it, you should be able to be a true administrator. And not have to right click to run as Administrator. Now you might ask why? Simply power users are not your atypical user, we want control, we want to be able to change things with out the fanfare that comes with UAC or right clicking to run as an administrator.  Now why should Microsoft care about the small percentage of power users out there?  Easy, we are the ones people ask for advice, companies ask for our opinions. Vista is not power user friendly, it is locked down way to much, the security, and the UI.  I believe a large part of Vista's problems stem from Microsoft alienated the power user, and like it or not, word of mouth is a large part of acceptance. I have been asked many times , "Do you like or use Vista?".  I have to reply no, and most people say, "If your not going to use it, I wont either." Again, don't for get your power users, or computer geeks what ever you want to call us. don't put up "WALLS" allow users a choice. That is why Vista has failed, it no, "CHOICE" it is do it Microsoft way, not every one wants it your way. Choice, is the only thing I can say, Windows 7 really needs to be choice, with UAC, with the UI. Don't fail like like you did with the beta's of Vista, listen users and give us CHOICE. I really want, "life with out walls." Please let Windows 7 be that because Vista is, "Life With Walls".....    

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  I honestly haven't seen a UAC prompt in a few months.  It sure got annoying when I was installing apps on the computer after installing Vista, and configuring system settings, and updating drivers. I think that if I set an application to always run as administrator, it should prompt me when I set that option, not every time I start the application. Also, UAC prompts for writing to any non-user folder is a little silly.  Limit the protection to %windir% and other user's folders.

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  I agree with Dan.F, wolrah and others. I do understand the question you're trying to address with UAC, but disagree completely with UAC. Just copy any UNIX-like OS, like MacOS, Linux distros, etc. First of all: do not create the first user as Administrator! Use Runas/sudo. Do not ever, never promote privileges! Why do not embrace a well-proven concept?

• Anonymous
  October 10, 2008
  I ran as a non-admin user after I first installed Vista for 6 months or so and found it to be surprisingly painless to use my machine as I always have (Knowing the admin user password for UAC overrides was key of course). The eventual deal breaker for me was that application functionality was in some cases degraded. One example being windows update - when running as a non-administrator, I would never get automatically notified/prompted to download patches, regardless of the windows update settings. However, if I ran windows update manually and entered my credentials into the UAC prompt, I would then see the available patches. This ceased to be an issue when I granted my userid admin rights. Another example was the Windows problem and solution reporting tool. I would never be prompted to report an issue, not made aware of an available solution, while the app was running in a non-admin environment. Again, this problem disappeared when I logged in as an admin user. Now it could be argued that these functions are something non-administrators should not be concerned about anyway. But for folks like me who are trying to use their computer in the most secure environment possible, I found it a bit disconcerting that applications behaved different in a non admin environment. Not to mention potentially dangerous, in the case of non-admin users who have their windows update setup to notify them of patches, as this means updates will never be applied to their machines!

• Anonymous
  October 10, 2008
  The comment has been removed

• Anonymous
  October 10, 2008
  Each system has got some advantages and disadvantages. People accepted XP, because it was good enough (enough easy, stable, etc.). Later Microsoft programmers/managers didn't have idea, what to do next (yes, Vista work was restarted in some moment). Somebody decided, that removing some control from user is good way (decreased functionality of defragmenter, more DRM, etc. etc.). People decided - we don't want it. Microsoft decided - we will advertise it, we will discontinue XP.... Now Microsoft needs releasing new system on the time. I have feeling, that it will be another Vista. The same technology, more bells and whistles. Microsoft can do it. I hope, that more and more people will criticize this system then. The reason is simple - removing some things, which make system insecure and difficult in managing (shared Registry for example), can have only good consequences. Speaking and extending only such solutions like UAC (which only mark security in some things) will have bad consequences only. What can I add ? Don't add thousands of API, only change some architecture things (yes, it can make some system apps incompatible, but people will accept it, when will see profits and will switch into new system much faster). As codebase you can use even Windows XP.

• Anonymous
  October 10, 2008
  There were a lot of comments saying they wanted "Run as Administrator", but I didn't see any with the option I was looking for, "Run as limited account".  I'm sure a lot of us here fit into the category of poweruser that generally logs in as an admin account and is pretty smart about not running malicious applications/navigating to infected sites.  What I would like though, when I have an application I'm less sure of, or when browsing the internet, is to specify from the outset that I less than trust this application. As it is now I have to run a VPC to handle these kinds of issues, but it's cumbersome and in some cases not possible (when not on my machine).

• Anonymous
  October 10, 2008
  Hairs, How often do you change the mouse settings? UAC is annoying. And it is NOT SAFE. Because regular users just click "yes" anyway. They do not even notice it any more. They DO NOT read the text any more. Is there any stats how often average user press "no"? Especially how often they press "no" when they should do that? UAC actually would not make any change if it does not exist. Personally I would just remove it completely. If you have admin rights you will do what you want to do anyway. But an admin should never be prompted because he wants to install something or change a settings. You either have your rights or not.

• Anonymous
  October 10, 2008
  > There were a lot of comments saying they > wanted "Run as Administrator", but I didn't > see any with the option I was looking for, > "Run as limited account".  I'm sure a lot of > us here fit into the category of poweruser > that generally logs in as an admin account and > is pretty smart about not running malicious >  applications/navigating to infected sites.   > What I would like though, when I have an > application I'm less sure of, or when browsing >the internet, is to specify from the outset > that I less than trust this application. my opinion: system should be built this way, that will make working all time in Admin account uncomfortable (it must be connected with changing architecture this way, that working in limited account will be more comfortable). in my opinion adding "run as limited user" will not help in this...

• Anonymous
  October 10, 2008
  If Microsoft is now aware of 775,312 applications that display a UAC prmopt to run successfully, why not colour code the background of the prompt (green, amber and red)? Surely Microsoft has a fair idea now of those applications that pose little risk (displaying a green prompt), some potential risk (displaying an amber prompt) or great risk (displaying a red prompt)?

• Anonymous
  October 10, 2008
  My biggest gripe with UAC is when I move/delete files & folders on an external USB drive where I originally added the files & folders using another computer (and another user account). If we can't shut off UAC for external drives, then at least give me the option to enter "Admin" mode for the entire session while I am doing file mgmt. I can't find a way to run Windows Explorer as an Administrator.

• Anonymous
  October 10, 2008
  lyesmith you have it al wrong. IT IS the OS's job to prompt the user. Antivirus software IS NOT needed. Just ask the average Mac / Linux user what AV software they use and they'll laugh in your face. Their OS protects them, not some expensive piece of bloatware.

• Anonymous
  October 10, 2008
  What is about Registry Virtualization and so on? I think this is related to UAC, as was supossed to virtualize access to restricted areas of the registry on applications that were not UAC aware. However this in Vista was never working correctly. Although the virtualized registry was created it never made an app work with that. I can´t imagin why not, if your access is virtualized the app should have worked correctly, if it was well implementend. In my experience I thinked it was incorrectly implemented. Is this going to be improved?

• Anonymous
  October 10, 2008
  As others mentioned already, it can be slow to appear and disappear sometimes. It adds a few seconds to performing a single admin task, which is annoying.

• Anonymous
  October 10, 2008
  What I don't see in this post is the number of UAC prompts that the user encounters before finding what he needs. When I need to look up or change something in the network settings, it always takes me quite a while before finding what I'm looking for. This means selecting things in the control panel, getting a UAC prompt, navigating around, and only to discover that the setting I need is elsewhere. Before I find what I need I can get 4-5 UAC prompts while searching this way, simply because the information is difficult to find. Personally I would get a lot less UAC prompts if all the network configuration stuff was easy to find, and preferrably presented in a single control panel app so that there would always be just one UAC prompt. So improving the way in which Windows presents information to the user can also reduce the number of UAC prompts. Concerning UAC itself, I mainly see it as a kind of improved RunAs in the sense that it automatically prompts me when something needs admin rights. Saves me from thinking of running stuff using RunAs/RunAsAdmin, and works for things that don't propose a RunAs. Being able to look at the system configuration and having a button that allows elevation in order to make changes is also very nice. In practice this saves me from switching between a normal user and the admin account; logging off and on is annoying. Something I still miss is the option of running installers elevated or not. Currently, at least pre-vista setup programs always provoke an elevation prompt, there doesn't seem to be a way to run such setup programs as normal user. Not all setup programs install stuff in program files and such, some only install a plug-in in a user-accessible folder. So such setups are now impossible unless the installer is updated by the developer. The only work-around is to temporarily give myself admin rights, which is a bit annoying as well. It would be nice if the UAC dialog proposed an option to run the program without elevation (which is exactly what happens when running such a setup as a normal user under XP).

• Anonymous
  October 10, 2008
  Regarding the post from ababiec: > If we can't shut off UAC for external drives, > then at least give me the option to enter > "Admin" mode for the entire session while I am > doing file mgmt. I can't find a way to run > Windows Explorer as an Administrator. Open a command prompt using "Run as Administrator" (i.e. right click on cmd.exe and then Run As Administrator).  In the resultant elevated command prompt, type "explorer /separate".  The resultant explorer window (and  only this window) will have a full admin token - and, therefore, will not trigger any UAC prompts. If you require another elevated instance, you can "explorer /separate" again from the elavated cmd.exe prompt.  To differentiate between filtered and full instances of explorer.exe, I recommend the use of PrivBar. Regards, Patrick

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 11, 2008
  Whats the idea behind that "to change the User Account Control message behavior" I have to have Windows Vista Enterprise or Windows Vista Ultimate? Home versions does not need proper UAC? I still can not see the advantage of UAC as implemented now. MS educated the user to click "Yes" every popup he sees. Exactly how is UAC makes the system safer? Are there significant user group who actually reads them?

• Anonymous
  October 11, 2008
  Like someone else said on here, I'm getting more worried about this blog as time goes by. MS has hinted that they'll release an alpha fairly soon, possibly in a few months, and a release within a year. We can't still be discussing basic concepts such as these and meet that timeline. I think the feature set has already been decided, and we're simply being softened up for what is already coming. And most of that is simply a warming over of concepts that already exist in Vista, such as UAC, which just don't work and can't ever work because they come at an issue from the wrong angle. I really am getting the feeling that MS believe Vista can simply be tweaked. We've seen discussions on the basic fundamental OS building blocks, that basically haven't gone anywhere: they see no problem with what they have or are 'locked into' some concepts that are fundamentally flawed. I'm seeing the same here. There's analysis galore, but it all makes the same fundamental mistake: its looking to fix or tweak something that shouldn't be the starting point in the first place. MS need to go back and look at the iPod and Wii: they changed the game with their UIs and avoided the problems of existing UIs and interaction by simply doing it differently at the outset.

• Anonymous
  October 11, 2008
  Other than the frequency of the prompts, the two most annoying this about it are the     -delay, which leaves installer at 0% for some time before UAC pops up.     -the fact that it locks up the whole screen (although it does go int the background sometimes. A better way would be to instead pop-up a little message on the side above the system tray (similar to live messenger), and have it stay there, which would probably reduce all the funny graphics stuff that happens. And I agree that there really should be a safe list that frequent programs could be added to. In addition to this though, Windows really should have some of the common programs, like security suites, already recognized, much like firewalls in recent days have become smarter and instead of prompting users, they make smart decisions, which for the most are 'smart'.

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 11, 2008
  I have been following these comments and I agree with many. UAC does seem to slow down productivity because of the "lag" it causes before and after it asks for permission. Security center really needs to "forget" about UAC. It never seems to give up on it (create an option for this please!). It would be great to for us interesting in the engineering of W7 to understand how our comments/posts help improve/shape W7 when we are so close to beta 1 and I (as others) guess that now W7 is feature locked? I would also greatly appreciate if staff replies in the comments area where shaded another colour so I can identify who is staff and who isn't.

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 11, 2008
  The comment has been removed

• Anonymous
  October 12, 2008
  The comment has been removed

• Anonymous
  October 12, 2008
  I have no problem with UAC. I'm glad though you are making a UAC control center to control the prompts. If only you did this sooner. Looking forward to seeing this in person

• Anonymous
  October 12, 2008
  The comment has been removed

• Anonymous
  October 12, 2008
  The comment has been removed

• Anonymous
  October 12, 2008
  Just to add again. By default applications that are not installed should launch with least privilege rights (XP-> right click a program and select 'Run as...' and click ok) which is a feature not available in Vista when you are logged in as Admin, which would definitely make the OS very secure. There should be options to run that programs with either Admin and Standard privileges.

• Anonymous
  October 12, 2008
  The comment has been removed

• Anonymous
  October 12, 2008
  An other problem with UAC and the "one UA" is that you deliberitly make stuff hard to find or change stuff when the user has admin account. The OS should make these changes easy for an administrator. Just a bit of brain dumping... What if you the admin user account (or the one you would like to have) has two mode. First is the "user" mode what is optimized for average user and a protected "admin" mode which is optimized for admins. The admin mode even could be different UI for admins a a separate Admin Virtual Desktop. On this desktop the user would find every tool to make the admin work easy. When the user goes to the Admin Desktop then he can work with admin security settings. When he goes back to User Desktop then user security kicks in. For example no software could install itself if the user desktop is active. if something needs to be done then the user gets a subtle notification and he can go to the admin desktop. But if the user have to do a lots of admin work then he could just go to admin desktop and change stuff without annoying UAC prompts. I the User Desktop should be viewable from Admin Desktop in a secure way The chalange here is to make sure that the user dont stay in the Admin Desktop all the time. But I guess it is doabble if the Admin Desktop is optimized for admin work and not for general work.

• Anonymous
  October 13, 2008
  It seems to me that one of the biggest fustrations comes from having just clicked something to perform an action, and then a UAC prompt effectively (it seems to the user) asking them if they're sure they want to perform said action. "Of course I want to do that, I just clicked it!". Ideally, it seems to me, it would be able to distinguish between actions the user invoked explicitly and implicit operations. Probably impossible to impliment in a system wide scheme, but perhaps possible to do in the shell to reduce the number of dialogs Windows pops up. On a more achievable note, I think it could be improved with increased granularity. A portion of users who disable UAC disable it because they perform a small subset of tasks that routinely bring up a UAC prompt. If they could disable it just for those tasks but still benefit from the increased security in other areas it would be good.

• Anonymous
  October 13, 2008
  Symnatec released their UAC beta software with ability do search from internet and blbock unneeded reappearing popups so I hope you take a look what is already being built if you haven't looked the news yet

• Anonymous
  October 13, 2008
  I agree with Asesh why not make this feature as an update in Vista SP2.

• Anonymous
  October 13, 2008
  [disclosure: I am a developer at Symantec and was involved in the Norton UAC Tool.] The Norton UAC Tool was written to address what we see as a usability issue in Vista's UAC prompting.  The Microsoft Vista team did a fantastic job of improving the security of Windows by implemented integrity levels, isolation, user interface privilege isolation, and file/registry virtualization (which lead to protected mode IE) - but we were concerned with the trend of users disabling UAC all together or blindly clicking allow (Chicken Little, "the sky is falling", syndrome). Both resulting in the fantastic new security in Vista becoming useless (by either being disabled or ignored). I am very pleased to see that the Windows 7 team is taking this problem seriously, paying very close attention to the CEIP data, and putting time and effort in to improving the usability and readability of UAC prompts while also working to reduce the number of prompts generated by Windows. All around fantastic news!

• Anonymous
  October 13, 2008
  The installation key could be the default admin password - default name "admin". Then we might be able to log in with either a new password (easier) or the installation key.

• Anonymous
  October 13, 2008
  UAC as a idea is not bad, but the core idea of 'how to protect' is a mistake from the very beginning of NT workstation (w2k wrks). The idea was (and regrettably still is and even more terrifying you write it is going to be) to give an administrator privileges to the first account created. you write how cool UAC is changing app ecosystem and less and less application need admin privileges - true, but imagine how would today IT look like, if XP would create non-administrator account for the first user. probably there wouldn't be such apps at all. you had a chance with vista to change the situation - but instead you decided to create UAC. and the solution was so simple, with no need of architecture changes: simple add some 'special admin session' (some kind of GUI) to make system changes, some easy way to create 'run as admin' shortcut icons to commonly used tasks. this would force users (AND STUPID DEVELOPER COMPANIES!) to write app for standard users. some may say - it would be hard to educate ppl and how to use it and what is all about. i answer: look at this all mess about UAC - it's not simple as well, but you decided to though. more over - it's the matter of well designed interface giving easy way to configure that (in some part automatically) and giving enough information. UAC would be nice supplement then. for now a moment - as you wrote above - the users don't even know why they are abused by some question, and what they are asked for. as result most of users simply accepts clicking 'allow' - so what kind of security it is? ...so keep making complex statistics, make UAC and then slowly define object by object what operation will not prompt - and in effect you will have gr8 functionality of UAC-with-no-UAC, malicious software and spyware will learn how to use those no-prompt actions, and the apps will still be written as in w9x epoch - as there is one user on the computer with admin privileges. imho this situation (admin-apps) is your (microsoft) fault, and as i can read - you put a lot of effort to keep it that way.

• Anonymous
  October 13, 2008
  The comment has been removed

• Anonymous
  October 14, 2008
  The comment has been removed

• Anonymous
  October 14, 2008
  I'm a sysadmin and personally I very much like UAC - in fact I consider it the best reason to upgrade to Vista. I have had a habit of running nonadmin since NT4, and UAC makes this much MUCH easier. So to me, the benefits are obvious. But I encounter UAC hate on an almost daily basis from other users. You've heard all the epithets I'm sure, so I will not repeat them. But I have a difficult time expressing the value of UAC in ways that don't cause instant contempt and/or glazed over "I'm not really listening" expressions on the faces of the UAC-haters. I can see where they are coming from (they've always been in full control of their systems; why are they now being demoted?), but they have a tough time seeing where I'm coming from. This gets me to thinking: how can MS soften the introduction to UAC, and better tell its story to the users who will be shocked and angered by it? First, I think it would be very worthwhile to hire a really good media team and have them film a few short introductory videos. People need to be taken by the hand and led through a story which brings home the problem and the solution. I have read everything I could find about UAC, and talked to as many people as I could. It seems to me that the stuff which really explains the issue would bore a nontechnical user. With many other things vying for their attention, this is where they just click some other link and move on - still not really understanding the issues UAC works to resolve, still feeling that it is an unnecessary imposition on their day. So they simply type 'disable UAC' into the search bar, find a recipe, and use it. Once you have a couple of movies, and perhaps a few text-and-graphic explanations for various audiences, link these from every UAC prompt. My thinking is that there should be a series of quick 2-5 minute hits, from basic to more advanced. A couple of episodes would address the question of 'what can I trust?'. And so on. All should be given in a plainspoken manner that does not patronize or talk down to the customer (for some reason I keep thinking of the videos Amazon used to introduce their Kindle, though of course the problem is much different here). I don't know where you will find the people who can explain UAC in ways that new-to-UAC and already-hate-UAC folks can connect with. Media consultants? Documentary directors? Independent film types who premier at place like the Sundance Film Festival? I do think it's important to look outside the standard tech writer crowd, though - they have already struck out. Thanks for providing this forum. Now I'll go back and read the rest of the comments!

• Anonymous
  October 14, 2008
  The comment has been removed

• Anonymous
  October 14, 2008
  The comment has been removed

• Anonymous
  October 15, 2008
  The comment has been removed

• Anonymous
  October 15, 2008
  UAC leads to problems with standard (non-administrator) accounts.  

1. Software installation typically fails, even under "Run as administrator". Users have to download home-made "Run as other user" shell extensions from Internet in order to really run as administrators.
2. When a console program attempts to start a graphical application, the system doesn't allow the graphical application to start. The user cannot change that behavior. The only available option is to turn UAC off. To see more problems, just try to build some UAC software module using non-admin account on Vista with UAC turned on :-) Please, make next version of UAC more friendly to standard users (think about office/enterprise environment). Ideal case for me is "like in XP" (UAC is off for non-administrators). Acceptable case is to ask standard users for login/password in situations where Administrator's UAC asks for a confirmation.

• Anonymous
  October 16, 2008
  The comment has been removed

• Anonymous
  October 16, 2008
  The comment has been removed

• Anonymous
  October 18, 2008
  The comment has been removed

• Anonymous
  October 19, 2008
  I'd like to propose you a feature for windows security improvement. In a nutshell, idea is to set restriction what API's can be called for every process. For example - any process started from downloaded executable can access GDI and windowing API's, but can't access any disk operations API or registry writing functions. When process starts, OS creates "API permission map" for this process depending on  origin of executable, location of executable(under Program Files folder or not), system-level rules and so on. And when this process tries to call some API function which is forbidden for him, this function just returns immediately with error code. This will efectively prevent the most of malware from functioning, even when it was executed under admin privileges. This feature doesn't require significant architecture changes and can be done with quite small effort, but it can provide really big security boost for Windows.

• Anonymous
  October 22, 2008

1.  Why should we have to wait for W7, give us an improved UAC in a Vista Update?
2.  I have UAC off as it blocks me doing legitimate things.  I share the same data & the associated app across multiple user accounts.  My solution uses junctions to "point" each "user-name/AppData/app/" folder to "Public/AppData/app", and task scheduler to start the app when a user account gets control & stop the app when a user account loses control.  Thus there's only ever one instance of the app running using the same data.  Works fine on XP, works fine on Vista with UAC off, does not work with UAC on.  UAC prevents the application accessing data via a junction, the application gets a "file not found" exception when it tries to open it's data file.
3.  Junctions are "core" feature of NTFS, task scheduler is a "core feature" of NT.  So why does UAC prevent their use in this way?  If you can answer in language that a language that a non sysadm can understand I'd be grateful, I've been asking for about 18 months.

• Anonymous
  October 27, 2008
  UAC? I hate UAC. It is the worst thing ever to happen with Windows. It popup every time I do something. If you are going to continue with UAC. I hope you make it more smart, and obly pops up when it should (Open a dangerous program, not when I insert a music CD). And the UAC needs to remember, so it doesn`t popu-up for the same things each time (exept dangerous stuff).

• Anonymous
  November 02, 2008
  From a previous comment: The best thing about UAC is that it forces ALL software developers to think about writing their software to run without admin privileges. I completelly agree. But the worst thing about UAC is that in order to force DEVELOPERS from fixing their software, billions of innocent people were atacked by super annoying and instrusive message boxes. But going forward is good to know that Win 7 will learn from Vista's feedback.

• Anonymous
  November 03, 2008
  The comment has been removed

• Anonymous
  November 05, 2008
  Snaven, you are right. I get frustrated all the time. But then I think, why do I even bother. It only takes me 1 sec to press alt-F4

• Anonymous
  November 11, 2008
  UAC is the lazy answer to the fundamental problem that Windows can't distinguish between software-initiated processes and user-initiated processes. User-devices (or more specifically, their drivers), should have their messages flagged as having been generated by a person. An actual mouse click is not the same as a code-generated click. Then the O/S could stop asking me to confirm what I just told it to do, and only prompt me for risky actions initiated by something other than me. Please, don't argue about the security of the drivers either. If the input device drivers are hacked, you have bigger problems.

• Anonymous
  November 14, 2008
  The comment has been removed

• Anonymous
  November 20, 2008
  Thanks for your input Phil! I hope the new Windows will be good!

• Anonymous
  November 28, 2008
  pskovacs, actually, it's still possible to distinguish software-generated "user input emulation". It can be achieved by intercepting SendMessage/PostMessage calls on the sender's side. It's very easy, working prototype can be made in a few days. However, I'm afraid nobody reads these comments and Microsoft will do as they usually do - invent something overcomplicated and poorly functioning ;)

• Anonymous
  December 17, 2008
  The comment has been removed

• Anonymous
  December 28, 2008
  Thank you for posting this information. I understand all your points, however, some applications (e.g., Adobe CS4 Premiere Pro) will just not start when the UAC is on. So, I had to turn it off. So, please, do not remove the capability for the user to turn UAC off (sometime it is the only solution to use a software)

• Anonymous
  January 08, 2009
  The comment has been removed

• Anonymous
  January 09, 2009
  The comment has been removed

• Anonymous
  January 16, 2009
  Mark Twain said there are three types of lies: 1) Lies, 2) D*** Lies, and 3) Statistics. I'm curious if the data reported about user experience and ecosystem changes is being interpretted correctly. For example, could the  user sessions with a UAC prompt and in the number of applications requiring one, instead, be due to users disabling UAC altogether, at least in part?

• Anonymous
  January 18, 2009
  Great blog, thanks! so far windows 7 is very impressive! Luv ya work Microsoft Team! :)

• Anonymous
  February 03, 2009
  The comment has been removed

• Anonymous
  July 03, 2009
  Mac gives me smaller or bigger icons when I want to, but not Win7. Why can't the backups be removed? Shouldn't updates be working and fully compatible? You means those posted ain't safe that I shouldn't even update in the first place?

• Anonymous
  August 15, 2009
  There were a lot of comments saying they wanted "Run as Administrator", but I didn't see any with the option I was looking for, "Run as limited account".  I'm sure a lot of us here fit into the category of poweruser that generally logs in as an admin account and is pretty smart about not running malicious applications/navigating to infected sites.  What I would like though, when I have an application I'm less sure of, or when browsing the internet, is to specify from the outset that I less than trust this application. As it is now I have to run a VPC to handle these kinds of issues, but it's cumbersome and in some cases not possible (when not on my machine).

• Anonymous
  February 22, 2010
  The comment has been removed

• Anonymous
  March 03, 2010
  Only one thing to say, keep the system protected by default but give possibility to desactivate this security. User mustn't be jailed with something he don't want.

• Anonymous
  March 03, 2010
  Yes it is an annoyance with the popups, sometimes they appear a few times for one action, but I would rather this happen than to have a system that is inferior in security.

• Anonymous
  March 04, 2010
  UAC has had a significant impact on the software ecosystem, Vista users, and Windows itself. I’ve learned a lot about UAC’s impact.

• Anonymous
  April 04, 2010
  User Account Control in Vista stopped Access 2003 Linked Table Manager from providing a connection between the Access Database and Paradox database files. However turning off UAC allowed the connection. I have upgraded to Windows 7 and cannot, apparently, now turn off UAC, so my Access MDB cannot now work at all. There was never any problem with the same MDB when running under Windows XP. Is there a workaround available? (Urgent)

• Anonymous
  April 29, 2010
  Any sports figure who succeeds at a early age seems to give up just being a kid. Maybe now she can just enjoy being herself. <a href=http://www.net-a-porteronline.com/>net-a-porter</a>Good Luck!

• Anonymous
  May 13, 2010
  Very interesting post. Thanks again.. Please Keep it Up!! <a href="http://www.goahats.com/new-era-mlb-hats-boston-red-sox-hats-c-18_30.html">new era Boston Red Sox hats</a>

• Anonymous
  May 16, 2010
  A good website recommend to you: http://www.goahats.com, they sell New Era Hats, <a href="http://www.goahats.com/new-era-mlb-hats-pittsburgh-pirates-hats-c-18_48.html">new era Pittsburgh Pirates Hats</a>, Dc Shoes Hats, Red Bull Hats,<a href="http://www.goahats.com/new-era-mlb-hats-san-francisco-giants-hats-c-18_50.html">new era San Francisco Giants Hats</a>,NFL Hats And Famous Hats at cheap price.

• Anonymous
  July 18, 2010
  Dear friends, our web site provides a variety of cheap price  <a href=www.watchesky.com/>fade rolex watches</a> ， welcome your arrival,just kick here http://www.watchesky.com/ .

• Anonymous
  July 22, 2010
  Dears, our web site provides a variety of cheap price  <a href=www.watchesky.com/>fade rolex watches</a> ， welcome your arrival,just kick here http://www.watchesky.com/ .

• Anonymous
  July 28, 2010
  Dear friends, our web site provides a variety of cheap price  <a href=www.watchesky.com/omega-watches>fade omega watches</a> ， welcome your arrival,just kick here http://www.watchesky.com/ .

• Anonymous
  January 27, 2011
  The comment has been removed

• Anonymous
  April 30, 2012
  The comment has been removed

• Anonymous
  December 18, 2012
  The comment has been removed