Windows Vista User Account Control (UAC)

Jesper apparently stirred up things a bit with his latest post, Please don’t disable security features, at least while we are testing them, asking folks to recognize that a Beta is not a final product and that you should wait to see the final before making hasty decisions like disabling a security feature.  The UAC development team endorse what Jesper says as well.

I’ve been running Windows Vista Beta2, so I’ve experienced the same user experience as all those who’ve made comments about UAC pop-ups.  Next week, I plan to upgrade to later builds and see how things are changing based upon all of the Beta feedback that the team has received.  So, given that, and the current topical interest in UAC, I think it is interesing to lay out what my ideal product requirements are so I can compare them with the final product when it ships.

Scenario 1:  My daughter’s account.  I’m a bit like Jesper in this area.  I want to be able to set up accounts for my kids that are completely unprivileged.  When they try to install a program into a system directory – DENIED.  When they try to plug some new hardware into the USB port and need to install a driver – DENIED.  If they plug in a USB memory stick – ALLOWED.  I certainly don’t want the system prompting her for credentials, because she is definitely not going to have those credentials.  On the other hand, after I’ve initially connected my daughter’s camera to the computer the first time, she should be able to plug it into the USB port the next time and transfer over her pictures.  That’s about it.  What would be nice is to be able to customize the DENY message to say something like “Daddy has to install this for you.”

  • On installs, let’s be reasonable.  If someone can make a program that works when you just unzip it into any old directory, then having write access really gives my daughter the ability to install a new program.  Any equivalent to this should just succeed, even if it is in the Program Files folder, though I’d settle for forcing her to specify a different folder.

Scenario 2:  Jeff_Admin.  I like to separate my own roles, so I want a protected admin account that behaves a lot like Vista Beta2, where it pops up (once!) and has me confirm when credentials are needed.  I’ll use this to administer the system, install new hardware drivers and install new programs (including games and learning software for the kids).

Scenario 3: Jeff-User.  This account should be just like my daughter’s account, with only a few exceptions. 

  • I like the convenience of being prompted for credentials when I plug in some plug-n-play hardware, like my scanner or camera, so drivers can be installed without logging out and back in as Jeff_Admin.  I should be prompted one time only.
  • The one install related exception I can think of is association of file extensions, where I do not want to log in as Jeff_Admin to do an install just for this reason.  For all other reasons the install might need “admin”, I’d like it to fail and tell me why.  Is it trying to drop something in the windows tree?  Is it modifying protected registry?  Is it trying to put something in startup?  Fail, so I can make an informed decision.  I may go ahead and install it as Jeff_Admin, but then I’ll know to go nuke “quicktime-task” if I don’t want it in my startup (for example.)
  • Browser plug-ins.  I’d like the convenience of a credential prompt for this, with some explanation.  It’d be neat if plug-ins were required to provide a text justification what was displayed during install and shown when you were prompted for credentials.
  • I’d like to be able to approve new updates that have been downloaded or check for new updates at MicrosoftUpdate and be prompted for credentials.

I think the key is to make the setting configurable.  I want to run as a user and clearly shift to an administrator role when doing administrator things.  I like a few conveniences, but in general, I really want app developers to create better installers that don’t secretly install stuff in my startup and remap file extensions without telling me.

A little convenience can be good, but I just imagine my daughter getting lots of prompts for credentials she’s not supposed to have…

I can’t wait to see what the final implementation looks like.  It probably won’t quite match my ideal, but I’m optimistic that it’s going to be a huge step forward in security and usability.

If you can think of other roles/behavior you’d like to see, or items that would be configurable, I’d be interested in hearing your ideas.

Interesting related links:

The UAC team blog:

The non-Admin blog: 



About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »