Friday, December 7, 2007

UAC: An introduction to User Account Control

It's high time that I get on with my articles about UAC. I have a lot of good info to share - so come back often to read the latest articles about UAC. Let's try to make sense of it together.

User Account Control is one of the major features of Windows Vista. Vista's UAC feature touches all aspects of the operating system and certainly has a huge impact on the user experience. It changes the way users, administrators and developers work within the environment. If you are going to work with Vista, it is important that you understand this feature.

Because the details of UAC are so diverse, it is not possible to describe them to you in one short article and leave you with a good understanding. Instead I present to you many of the best UAC articles I have found on the web.

In future articles I will build on the general information presented here. I will tackle individual aspects of UAC and discuss strategies for coping with the new paradigm as an enterprise administrator.

You will probably want to read these pages in the order I have presented them. They start with general concept and progress to in-depth analysis:

Wikipedia: User Account Control
Read this. The best introductory article on UAC. It avoids the romp through the UAC feature acronyms and gets down to the business of explaining UAC to you. It should give you a good grounding for the rest of the articles to come.

Getting Started with User Account Control on Windows Vista
This is a very nice Microsoft article that does it's best to describe how UAC manifests itself when a user or administrator wants to go about his daily tasks. It shows the different prompts one would see and provides sample actions that would trigger their appearance. Different UAC configuration choices are also discussed.

Inside Windows Vista User Account Control by Mark Russinovich
Ready for some detail? This article is quite heavy on the technical details, but if you can get through it, you will have a very good understanding of UAC.

Understanding and Configuring User Account Control in Windows Vista
This is a very long Microsoft document aimed at most IT professionals. It gives a tour of many of the UAC features from an administrator's perspective. It covers concepts like Integrity Levels, Elevation Prompts, Admin Approval Mode and Application Compatibility. It attempts to give many of the UAC features context, but often overly simplifies complex paradigms - I consider it the UAC brochure. This document is a very useful resource, but will still leave you scratching your head when you meet real world examples.

UAC - What. How. Why.
Do you have an hour? Watch this video! Microsoft's Jon Schwartz, UAC Architect, and Chris Corio, UAC Technical Program Manager, discuss in detail, the development history and architecture of UAC. This video will give you great insight into what the developers were thinking and what problems they were trying to solve. They almost get you thinking that UAC is a desirable feature ;-) The attached viewer Q&A is also very educational.

Teach Your Apps To Play Nicely With Windows Vista User Account Control by Chris Corio
Although aimed at application developers, this article is a valuable read for everyone. It is written by UAC's Technical Program Manager and provides valuable details about how and why UAC does some of the things it does.

The Long-Term Impact of User Account Control by Dr. Jesper M. Johansson
Aimed at anyone who is concerned about security, this article tells you exactly what UAC is and IS NOT from a security perspective. The points made in the article are accurate and can't be stated strongly enough. UAC is not a security boundary - use the best practices suggested to protect yourself.

Windows Vista Application Development Requirements for User Account Control Compatibility
(Also available as a downloadable Word document)
This is a very long Microsoft document aimed at developers. It takes them on a tour of UAC by covering such topics as Access Control List (ACL) Settings, User Interface Privilege Isolation (UIPI), Virtualization and UAC Architecture. It covers many of the UAC features and is therefore a very useful resource. However, despite it's length, it only just touches most topics and does not give the reader enough of an appreciation of how the features will impact their development work.

In-depth analysis of Vista UAC and the creation of CreateProcess...Elevated() APIs by Thomas Hruska
A must read for application developers and some scripting admins. This article looks at how to elevate applications that require full administrative access to the system. It discusses the ShellExecuteEx() with the undocumented "runas" verb and the much talked about manifests. You will understand the UAC Virtualization feature after reading this article. This is a very detailed in-depth article - not for the faint of heart.

PsExec, User Account Control and Security Boundaries by Mark Russinovich
Aimed at the extremely technical administrator, this is an extremely well-informed article. It discusses the UAC security model and how Integrity Levels relate to it. You will know you have a good understand of UAC if you are able to follow this article. BTW, if you are unfamiliar with PSExec, look into it - one awesome tool!

Had enough? Go forth into the world and play with UAC. See how you like it. I think you will quickly find that UAC impacts your life in some rather unexpected ways. As an enterprise administrator and scripter I have bumped into many of these undocumented "features" and behaviours.

I have learned to overcome some limitations and cope with others. In some cases I am still struggling. Perhaps we can work together to achieve workable environments that include UAC. Check back often for many upcoming articles about UAC. (I hope to continue writing two articles per week.) Feel free to ask questions or comment on any of the upcoming articles... now where should I start....


Anonymous said...

All I want to know is: where did my program stuff go? Stuff I've made, stuff I've downloaded. When I do a search of c drive, I can get one full monitor of same document, placed in many different folders. Which is the real one? Which is the one I can actually click on and use or mail to people, etc. WHERE IS MY PROGRAM file stuff? Example: Living Cookbook FDX's that come attached in emails and use to easily be found in programs/qualcomm/eudora/attach.
I am so lost ... I just want to access my STUFF. Thanks.

Gordon Martin said...

I here ya! -- you may be interested in this article:

User Files Folders: What's with all these extra folders?

Mehdi said...

The link to "Understanding and Configuring User Account Control in Windows Vista" has been hit with "TechNetitis" (a disease that is prevalent on Microsoft web servers, causing a page to be moved to a different URI, and the original URI will be reassigned to a somewhat related article, but never the one you're expecting...:-)

Here's the new link: