Friday, May 9, 2008

UAC: Microsoft Programs act weird

(This article uses a lot of technical UAC terms. If you have trouble understanding it, check out my UAC glossary: Let's Talk UAC for the Enterprise)

I thought I'd warn you about some Microsoft programs that behave rather weirdly under Vista. When I say "weird", I mean they don't act at all like generic Vista documentation says they should. This was a big problem for me in the beginning when I was trying to learn about Vista and UAC.

The programs I am talking about are Windows Explorer, Internet Explorer and Outlook. Whenever I look at my task bar, these are programs that are always running - no matter what else I might be doing. So naturally when I wanted to learn about UAC and elevation, I started playing with the ones staring me in the face. Big mistake. Confused the hell out of me.

When learning UAC, avoid Windows Explorer, Internet Explorer and Outlook. Microsoft has built extra barriers and behaviours that cause these programs to act differently. If you want to learn how programs generally behave, pick something safe like Notepad to test with.

Internet Explorer and Outlook are problematic because Microsoft has given them special attention. Historically, Windows has been exploited by trojans and viruses coming from the web via web pages or e-mail. These two applications had a bad habit of letting these baddies into the system to have a good time. Microsoft has introduced barriers to minimize the opportunity for these baddies to get into Vista. Some good examples are Protected Mode and Low Integrity levels. I haven't done much work with these technologies, but here's an article that gives you an idea how confusing it can get when trying to understand what's going on:

http://xato.net/bl/2007/03/12/why-doesnt-ie7-protected-mode-mark-downloaded-files-as-low-integrity/

Windows Explorer's behavior is difficult to understand for different reasons. You have likely wanted to elevate Windows Explorer to an administrative token in order to perform some work on files in a sensitive area like System32 - but failed. Explorer just wouldn't elevate for you. In this case the problem is more technical in nature resulting from Vista's design.

Vista's UAC can only elevate applications to use different tokens when the application is being launched - when a new process is being initiated. You may think this problem doesn't apply to you because you were right-clicking on Windows Explorer and choosing "Run as Administrator" when launching the program - but you'd be wrong. It turns out you weren't launching a new instance of Windows Explorer at all.

Windows Explorer does more than just show you a file management window when you demand it - it is also used to present the user interface (desktop, etc.). You are actually using Windows Explorer just by logging in and looking at the screen or navigating the Start Menu. This means Windows Explorer is always running. When you think you are launching Windows Explorer fresh with the "Run as Administrator" option, you are actually just asking for a new file management window in an application that is already in progress. As a result, Vista is unable to elevate Windows Explorer to an Administrative Token.
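To check which token a running process actually received, the PowerShell script below reads each process's UAC elevation type and integrity level. It is an added example, not part of the original post. The `TokenInfo` class and its `Query` method are hypothetical helper names, the Win32 calls are reached through P/Invoke, and PowerShell 3.0 or later is assumed.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
public static class TokenInfo {   // hypothetical helper name
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int ret);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);
    // Returns "<TokenElevationType>|<integrity SID>" for a process id.
    public static string Query(int pid) {
        IntPtr proc = OpenProcess(0x1000, false, pid);   // PROCESS_QUERY_LIMITED_INFORMATION
        if (proc == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero, buf = Marshal.AllocHGlobal(256);
        try {
            int len;
            if (!OpenProcessToken(proc, 0x0008, out token)) throw new Win32Exception();       // TOKEN_QUERY
            if (!GetTokenInformation(token, 18, buf, 256, out len)) throw new Win32Exception(); // TokenElevationType
            int type = Marshal.ReadInt32(buf);
            if (!GetTokenInformation(token, 25, buf, 256, out len)) throw new Win32Exception(); // TokenIntegrityLevel
            // TOKEN_MANDATORY_LABEL begins with a pointer to the integrity-level SID.
            return type + "|" + new SecurityIdentifier(Marshal.ReadIntPtr(buf)).Value;
        } finally {
            Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(proc);
        }
    }
}
'@
$tokenTypes = @{ 1 = 'Default (no split token)'; 2 = 'Full (elevated)'; 3 = 'Limited (filtered)' }
$levels = @{ 'S-1-16-4096' = 'Low'; 'S-1-16-8192' = 'Medium'; 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
# Process names are the ones this article discusses; ones not running are skipped.
Get-Process -Name explorer, iexplore, outlook, notepad -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        $type, $sid = [TokenInfo]::Query($p.Id) -split '\|'
        $level = if ($levels.ContainsKey($sid)) { $levels[$sid] } else { $sid }
        [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Token = $tokenTypes[[int]$type]; Integrity = $level }
    } catch {
        [pscustomobject]@{ Name = $p.Name; Id = $p.Id; Token = 'n/a'; Integrity = $_.Exception.Message }
    }
} | Format-Table -AutoSize
```

For an administrator with UAC enabled, a Notepad started with "Run as Administrator" reports Full and High, while the explorer.exe that hosts the desktop reports Limited and Medium. Internet Explorer processes running in Protected Mode report Low.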

I will be talking more about the problems Windows Explorer has and tricks for overcoming them in future articles. I just wanted to warn you to watch out for these three apps - they won't behave in ways you are expecting for generic applications.
