How reliable is windows 7 UAC?

Discussion in 'other anti-malware software' started by Antimalware18, Jul 20, 2013.

Thread Status:
Not open for further replies.
  1. Yanick

    Yanick Registered Member

    Joined:
    May 3, 2011
    Posts:
    274
I also have good experiences with Surun, from Windows 7 to Windows 8 (64-bit). Have to use the Surun beta on Windows 8 but still works wonders :)
     
  2. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    I've been using the beta since it was released in February and I don't see any bug reports in the forum. Not sure why Kay hasn't released it as a final by now.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't find UAC annoying, once you know how to use it. The never-ending prompts are a relic of non-optimized software, when people didn't know how to code in the limited environment or work around it with Task Scheduler, Services, Drivers, etc. Of course the "bypasses" need admin privileges in the first place, if the rights are necessary.

I don't really see how SuRun makes it more usable; is that in the form of permanent and/or temporary exceptions?
     
  4. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Yes. Surun uses a very configurable set of rules you create to choose when to run a process with elevated privileges. It also moves your user account out of the administrators group and into a limited group (which is where user accounts should be to begin with).
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    SuRun is convenient but just take note of this:

    SuRun elevations can allow malware to elevate in a standard account

    If you're on XP and using LUA is a nightmare for you, then SuRun might be of help.

If you're on Vista onwards, it's better to go with UAC elevations on a LUA account because elevations occur in a different user context (slightly better security-wise).

If you still choose to use SuRun on Vista onwards, do not disable UAC as you would lose the advantages of Integrity Levels.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    safeguy already explained, but I can't believe people are forgetting that UAC is system-wide unless you're the hidden default admin.
     
  7. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Thanks for the info safeguy. I need to do some reading regarding Microsoft's Integrity Control. At the end of the day though, I suspect that the convenience of Surun is going to outweigh the benefits of UAC. In Kay I trust! :)
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I just had an interesting experience with malware on Windows 7. I was considering whether to use the autosandbox feature (now DeepScreen in v2014) of Avast Free Antivirus as a behavior-based malware detector in a virtual machine. So I found a malware sample to test. Here is what happened when I ran the malware:

    1. Gave warning screen that looked very much like it was from Microsoft (although it really wasn't) stating that some of the user's documents are corrupt, and gives the user the option to fix the corrupt documents.
    2. If the user decides to "repair" the allegedly corrupt documents, a UAC prompt for a legitimate Microsoft program (rundll32.exe) pops up.
    3. If I give UAC consent to run the legitimate Microsoft program, I noticed that within a few minutes Avast had been uninstalled!

    This worked whether in a UAC-protected admin account (with either the default UAC setting or the max UAC setting) or a standard account. Rundll32 was used with some parameters to launch a malware program.

    This could really fool some people....
     
  9. guest

    guest Guest

Since the first time I saw UAC prompts up until now, I've never seen rundll32 ask for elevation. Are you sure it was a legitimate rundll32? :blink:
     
  10. peterk62

    peterk62 Registered Member

    Joined:
    Feb 10, 2009
    Posts:
    51
My biggest gripe with UAC is that there is no way for a limited user (e.g. my kids) to run a program which requires admin privileges (e.g. suppose I have a backup program set to auto-run for all users, or some games which require admin privileges to run) without knowing the admin password.

    I have been using surun on XP and am continuing to do so on 7 with UAC turned off, since I could not get the combo of surun + UAC to auto-elevate without also displaying the UAC prompt.

    The big advantage of surun from a user's point of view is that as the admin I can set up specific applications to automatically elevate with no password prompt, without handing out the admin password or having the kids run as admin all the time.
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The usefulness of UAC can be easily demonstrated. A few weeks ago I wrote a Proof of Concept application, the sole purpose of which was to wipe out System files thus trashing one's computer. I decided to do a trial today on two different Win7 systems:

    1). System 1- installed Forticlient, updated it. Installed EMET, set it at Maximum Protection (did not do any further tweaks). UAC was disabled.
    The malware file was run, Forticlient of course being oblivious to it. I let the file finish running, rebooted the computer. System trashed.

    2). System 2- Protected only by UAC which was set at default- Malware was run, allowed to complete. On reboot, computer remains happy and healthy.

    For any interested, file can be found over at Malwaretips- (Virus Exchange- post from 11/13, Thread- "Try Me").
     
  12. guest

    guest Guest

    @cruelsister

    A very interesting result. I never thought UAC could be that powerful. Wondering why? Registry virtualization? Thanks for the test anyway. :)
     
  13. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    @cruelsister

That's very interesting; I would love to know how the system kept its integrity.
     
  14. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    Registry virtualization is my vote at the moment.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can actually. Here's how:
    Avoid UAC prompts by using an elevated program launcher
    How to run a program elevated at startup in a standard account when UAC is enabled

    When I log into my standard account, I have to confirm a UAC prompt once (but enter no password) for my program launcher. From then on, there are no more UAC prompts for programs launched from the elevated program launcher :D.

    Alternately, if I recall correctly, you can use PowerBroker Desktops Free Edition.

Yes - the UAC prompt was the "trustworthy" blue color, and rundll32 was in the proper location. Also, a web search turned up evidence that other malware is doing the same thing; for example, see http://about-threats.trendmicro.com/Malware.aspx?id=4130&name=TROJ_UPDPOKR.A&language=en for the basic idea (ignore the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svctt=" part). The malware that I encountered was different from that link in that the malware .exe that was launched by rundll32 was placed in a folder ( C:\ProgramData ) that a standard user could write to, and the action was only done once instead of being an autostart.

    The malware also uses an autostart entry that doesn't need admin privileges.
     
    Last edited: Nov 27, 2013
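The pattern MrBrian describes above (a genuine, signed rundll32.exe from System32 drawing a legitimate-looking UAC prompt while the module it loads sits in a standard-user-writable folder such as C:\ProgramData) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from any post in this thread; the 4688-style log lines and the list of writable prefixes are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Locations a standard (non-admin) user can normally write to on Windows 7.
# C:\ProgramData is the folder named in the post above; the rest are the
# usual per-user and temp locations. Constructed list; adjust per environment.
USER_WRITABLE_PREFIXES = (r"C:\ProgramData", r"C:\Users", r"C:\Windows\Temp")
# Where a genuine rundll32.exe lives.
SYSTEM_PREFIXES = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed sample records in a flattened Event ID 4688 style (not real telemetry).
SAMPLE_EVENTS = [
    r"4688 NewProcessName=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"4688 NewProcessName=C:\Windows\System32\rundll32.exe CommandLine=rundll32.exe C:\ProgramData\fixdocs.dll,Repair",
    r"4688 NewProcessName=C:\Users\alice\AppData\Local\Temp\rundll32.exe CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"4688 NewProcessName=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\ProgramData\notes.txt",
]

RECORD_RE = re.compile(r"NewProcessName=(?P<image>\S+) CommandLine=(?P<cmd>.*)$")

def _under(path, prefixes):
    """True if `path` lies below any of `prefixes` (case-insensitive, Windows semantics)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(pre) in p.parents for pre in prefixes)

def classify(record):
    """Return findings for one 4688-style record; an empty list means nothing odd."""
    m = RECORD_RE.search(record)
    if not m:
        return []
    image, cmd = m.group("image"), m.group("cmd")
    findings = []
    if PureWindowsPath(image).name.lower() == "rundll32.exe":
        # A rundll32 image outside System32/SysWOW64 is a look-alike, not Microsoft's.
        if not _under(image, SYSTEM_PREFIXES):
            findings.append("rundll32 image outside System32")
        # rundll32 syntax is "<module>,<entry>": the first argument is the file it will load.
        parts = cmd.split(None, 1)
        if len(parts) == 2:
            arg = parts[1]
            module = arg[1:].split('"', 1)[0] if arg.startswith('"') else arg.split(",", 1)[0]
            if _under(module, USER_WRITABLE_PREFIXES):
                findings.append("rundll32 loading module from user-writable path")
    return findings

def scan(records):
    """Map each suspicious record to its findings; clean records are omitted."""
    return {r: classify(r) for r in records if classify(r)}
```

The consent dialog reflects the signer and location of the launcher (rundll32.exe itself), so the module path in the command line is the field worth alerting on, and a "blue" prompt is not evidence that the loaded code is trustworthy.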
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Assuming that you ran cruelsister's program unelevated, it wouldn't have the rights to delete those system files. When I ran it UAC-elevated, my virtual machine restarted with a blue screen.
     
  17. peterk62

    peterk62 Registered Member

    Joined:
    Feb 10, 2009
    Posts:
    51
    You are correct, there are ways to bypass UAC though I'm not sure how the task scheduler trick works with programs that auto-run through the registry instead of the user's Startup folder.

    Still, it seems to me that MS did not consider these use-cases of LUA users needing to elevate without knowing the admin password, and in spite of what some websites say, UAC is nothing at all like sudo or SuRun. As implemented, UAC is fine if I am both the user and the admin, or if I never want the user to elevate an application. I'll have to take a look at PowerBroker Desktops, though - that could be interesting.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    RedMoon- CIS (or CF) protects the computer via the sandbox (at any sandbox level). The HIPS pretty much blows it off (as most HIPS will). Also, didn't mean to pick on FortiClient alone, as most Def based apps will also fail (like BitDefender).

And just for giggles: http://www.securitystronghold.com/gates/remove-cruelsister-rootkit.html

    Slight issue here being:
    1). It's not really a rootkit
    2). It doesn't work by that mechanism
    3). No point removing it as it has already removed itself (along with the OS).
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Comment from Fabian Wosar (of Emsisoft) (April 2013) in http://malwaretips.com/threads/windows-8-uac.15175/:
     
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    My feelings exactly :thumb: That is how I use it, and don't find it an irritation at all. On the contrary, it is a highly visible sign of one way Windows is protecting you.
    I can't agree with people who complain about, and disable it.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Even at the lowest settings UAC can prove very beneficial. Earlier today there was a Ransomware file that would cause the system when rebooted not to find the OS. As at the time the malware was detected by very few vendors, in the absence of a security product without any sandbox/proactive protection (like FortiClient) one would have been lost without UAC.

    In Win 7 UAC afforded protection even at the level above Never Notify, whereas in Win 8, where UAC cannot truly be shut off without a registry modification, the system was saved at any UAC level.
     
  22. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    True, it is ideal in those situations. I have 15 coworkers running standard user accounts. They have to come get me to elevate anything. It is still pretty rare that it happens. Backups run on a schedule with admin credentials (Acronis) and there really is nothing else they need that doesn't run as standard user.

    If it is a regular problem that you have other users that you trust to run elevated processes maybe they should have an admin password, even if it is an alternate admin account. I'll take UAC any day over the XP model of having to login to another account or set file and registry level permissions or both.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    340
    Location:
    Colorado Springs
    Can running the UAC on max while using an administrator account give you the same protection as using a standard account?
     