1. Computing

What Is UAC?

Understanding Why UAC Does What It Does


UAC. You may have heard of it. Since before Windows Vista hit the streets, UAC has been one of the most talked about features of the flagship operating system. We're going to take a quick look at UAC and try to understand more about why it is there and what its purpose is.

So, what is this UAC and why did Microsoft create such a vile technology to curse the users with? Before I go any further, I should start by saying that UAC is not a security feature per se. It certainly has security implications, and the box that pops up for consent to proceed with administrator level access has the feel of a security control, but security is not the true mission of UAC.

Let's start with defining the acronym. UAC stands for User Account Control. By definition then, the goal of UAC should be to control user accounts or the way user accounts are used. I'm going to digress though and explain UAC in terms that perhaps you can relate to better.

Assume there is a mountain plateau at an elevation of 5,000 feet. Most of the plateau is flat and safe and usable by anyone that chooses, but if you fall off the edge it is a 5,000 foot plummet to doom.

There is a small selection of people who are trained in how to safely navigate the perimeter without falling. They know where the dangers are, and how to avoid the edge. Meanwhile, most of the people run and play on the plateau unaware that the edge even exists or the dangers that can lure them to their doom. Time and time again these people unknowingly come too close to the edge and fall to their death.

There are shops scattered all over the plateau. Most of the common businesses- video stores, ice cream shops, etc.- exist on the safe part of the plateau. However, a few that were looking to cut corners and build faster / cheaper rather than safer have built their businesses in the dangerous perimeter. There are also businesses along the perimeter that are intended specifically for the trained experts who know how to navigate the perimeter without peril. In addition, there are unscrupulous and malicious businesses that exist on the perimeter specifically because they want to lure users outside of the safe zone and do harm. They enjoy watching people fall off the cliff.

One day, someone decides to erect a barrier around the plateau to keep untrained people away from the edge and protect them from falling off of the cliff. They determine that the majority of the plateau is perfectly safe, but that perilous perimeter should be reserved for those who are properly trained to use it safely.

People are still able to access and visit the vast majority of businesses, but they are no longer able to visit the perimeter. They can't go to stores for trained professionals. They can't get to stores targeted at common people but that built on the wrong side of the barrier. And, they can't get to the malicious businesses intent on luring people to their doom.

Those 'legitimate' businesses that built in the danger zone at first got very upset that this border is keeping their customers from visiting them any longer. But, they realize it was short-sighted of them to build in the danger zone, and they simply relocate their businesses to operate within the safe zone where their customers can visit them without danger.

The trained professionals can still get to the perimeter and visit the businesses, both legitimate and malicious, that exist there. However, every time they want to do so they must go through a checkpoint in the barrier where they receive a warning to remind them that they are leaving the safe zone and should exercise caution.

This story illustrates UAC. Most of the system is safe, but the Registry, operating system kernel, and core system files are more sensitive and should only be accessed by applications and users that have a legitimate reason to do so and the knowledge to so properly and without crashing the system. Common users have no need to operate in this area and should not do so.

UAC is the barrier between the safe portion of the computer and the danger zone. Common users aren't allowed into the perimeter and have no reason to go there so they never encounter the barrier checkpoint and never receive the warnings to notify them that they are elevating their privileges and that they should exercise caution.

Most applications are written to operate in the safe zone just fine. Some software vendors wrote their applications poorly or took shortcuts that cause their software to require administrator level privileges when that level of access is not truly necessary and common, untrained users should not be granted such privileges. For normal users, those applications will not work. For Administrators, those applications will work, but UAC will prompt for elevation and warn the administrator to exercise caution.

Most existing malware will fall into the category of software requiring administrative privileges to perform its functions, so normal users should not be able to successfully execute most malware. In that respect, UAC acts as a security feature - at least until malware developers write their code to work with Standard User privileges.

In an enterprise, users should be running as Standard User, not Administrator. That means they should never see the UAC prompt for elevated privileges. Those who are running as Administrator in an enterprise, or those home users who choose to log in with Administrator privileges will see the prompt for elevation when they cross the line from the safe zone to the core system where they might be able to alter or corrupt the system, or successfully execute malware.

Users should log in as Standard User. Even home users should have Standard User access for their normal login, and a separate Administrator account they use when necessary. In that case, those users won't be bothered with the 'evil' UAC prompt.

Those instances where an Administrator does see the UAC prompt are either valid- meaning that elevation of privileges is necessary and UAC is properly warning the user, or the software is poorly written and the issue should be directed at the software vendor. Don't shoot the messenger (UAC) for identifying the flaws in poorly designed applications.

©2014 About.com. All rights reserved.