UACMe - Defeating Windows User Account Control

Discussion in 'other security issues & news' started by CloneRanger, Dec 19, 2014.

  1. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    No, far from it. While UAC elevation itself isn't a security feature (it's a convenience).....

    .....disabling UAC would mean 2 things:

    a) it disrupts UAC's goal of encouraging the development of software with standard user rights in mind
    b) it negatively affects parts of the Windows security model, which include UIPI and ILs
    http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx#id0560012
    http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx
    http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    @MrBrian

    I think this applies to your question...

    From "The Long-Term Impact of User Account Control"

     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    From what I've seen, Microsoft's Mark Russinovich has been primarily responsible for describing UAC as a convenience feature rather than a security feature. However, you then see this 2011 Microsoft guide describing it as a security component.

     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I guess that if the user doesn't run any application elevated, then even a malicious application doesn't have anything to poison and is trapped in the medium integrity level.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, exactly. I already explained that the alerts are not worth the hassle when running as admin. Also, don't forget that the UAC alerts are there only to ask you whether some app may have admin permissions or not. It doesn't give you any info about what system settings some app is going to modify after approval. So that's why it's not a real security feature to me. On top of that, it's easier to bypass than anti-exploit/sandboxing/HIPS. The only thing it does is make it easier to run as a limited/standard user.

    http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/
    http://arstechnica.com/business/2009/02/the-curious-tale-of-windows-7s-uac/
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    a) I agree. One of my conditions though was "and also don't use a standard account."
    b) That seems security-related :D.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It would seem that each user certainly has their own opinions with regards to which UAC settings they use and also with regards to using an Admin account or Standard. I am definitely thankful for all of the information that has come about here. Although I must admit, it does leave me wondering what the general consensus might be if we were to create a poll over in the poll section (unless that has already been done in the past here).

    Do any of you think a poll would be worthwhile? And if so, what options should be presented?

    - Always notify me
    - Notify me only when... (default)
    - Notify me only when... (no dimming)
    - Never notify me
    - Custom UAC Group Policy or Reg Key settings

    And obviously somehow incorporating Standard User Account or Administrator account in there as well.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You know what I don't get? I wonder if apps running in "medium integrity" can ask for admin rights only during installation/execution, or can they also do it when they are already running?
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    They can do it even when they are already running. If I want to copy any file to, let's say, the Program Files folder, Total Commander will ask me for admin rights before copying the file.

    EDIT: Total Commander launches new process when UAC prompt is confirmed so my previous statement might not be true.
     
    Last edited: Jan 4, 2015
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Of course, I forgot about this; that's why some apps ask to restart with admin rights. So it's safe to say that with UAC turned off, apps can automatically restart to get admin rights; this applies to Win 8. But what if some app (running in medium integrity) starts a child process, can that child process also gain admin rights?

    To clarify, the reason why I'm asking is because I'm still trying to think of ways to make UAC (on an admin account) smarter and less annoying. I already explained that it does not make sense to alert when you run/install some app yourself, so UAC should shut up when "explorer.exe" launches some app.

    If some other app (like the browser) restarts itself or launches a child process that's wanting to get admin rights (high integrity) then UAC should pop up, because that is out of the ordinary. Good idea or not?
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I don't know if whitelisting explorer.exe would be wise. Also, an installation can be launched from other file managers like Total Commander.
    I think that disabling detection of application installation would be safer, if you don't want to be prompted about them. You can use the group policy option described in post #30. If you don't have access to the management console you can change the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - value EnableInstallerDetection. Set the value to 0. You might have to reset the system after changing the value.
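    As an added example (not from this thread or any poster), the following PowerShell reads the UAC policy values under the registry key mentioned above, including EnableInstallerDetection, and reports the integrity level the current process runs at, which is the "medium integrity" vs. "high integrity" distinction discussed earlier. It assumes a Windows Vista or later machine and only reads settings; it changes nothing.

    ```powershell
    # Added example: audit the UAC policy values and the current process's integrity level.
    # Read-only; run in a normal (non-elevated) PowerShell to see the medium-IL view.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
             'PromptOnSecureDesktop', 'EnableInstallerDetection'

    $uac = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($n in $names) {
        $v = $uac.$n
        if ($null -eq $v) { $v = '(not set, built-in default applies)' }
        '{0,-28} {1}' -f $n, $v
    }

    # Meaning of ConsentPromptBehaviorAdmin, as documented by Microsoft for this value.
    switch ($uac.ConsentPromptBehaviorAdmin) {
        0 { 'Admin elevation: elevate without prompting (no UAC prompt for admins)' }
        1 { 'Admin elevation: prompt for credentials on the secure desktop' }
        2 { 'Admin elevation: prompt for consent on the secure desktop ("Always notify")' }
        3 { 'Admin elevation: prompt for credentials' }
        4 { 'Admin elevation: prompt for consent' }
        5 { 'Admin elevation: prompt for consent for non-Windows binaries (default)' }
        default { 'Admin elevation: value not set or unknown' }
    }
    if ($uac.EnableLUA -eq 0) {
        'EnableLUA is 0: UAC is disabled, so nothing runs with a filtered (medium-IL) admin token.'
    }
    if ($uac.EnableInstallerDetection -eq 0) {
        'Installer detection is off: setup programs are not auto-flagged for an elevation prompt.'
    }

    # Integrity level of this process, taken from its mandatory label (S-1-16-<RID>).
    # whoami /groups is used because the label shows up there reliably.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
             Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } |
             Select-Object -First 1
    "Current process integrity level: $($label.'Group Name') [$($label.SID)]"
    ```

    A medium label (S-1-16-8192) in the last line means the shell is running with the filtered token that UAC hands every process by default; S-1-16-12288 means it was already elevated.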
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If Microsoft auto-allows any given process to elevate, what's to stop malware from abusing it?

    Example: Windows 7 UAC whitelist: Code-injection Issue (and more).
     
  14. 142395

    142395 Guest

    You can do it via the registry.
    I've felt the same, and also respect his decision, though I often have a different opinion from him and now it's the case; also I feel sympathy for his attitude of trying to understand things.

    As to UAC, I mostly agree with safeguy. While UAC itself doesn't make a security boundary, it consequently enhances security by encouraging use of a standard user account, both for devs and for users. LUA is not for detecting or blocking exploits or malicious behavior, but it is for limiting damage. And at least in Vista & 7, some OS-based sandboxes will be weakened if you totally disable UAC.

    I don't understand why so many people complain about the UAC prompt. It will be a problem for some environments, but for most home users it will be at most just "annoying" and not a real problem. I need elevation in some scheduled tasks I created and some .bat files I made too, besides some programs such as TrueCrypt (portable) or some installers, but I haven't been bothered to enter a password of less than 20 characters, and currently I don't use programs like RunAsSpc as it makes another attack surface by temporarily putting credentials in memory as plain text. For me this kind of authentication is ubiquitous: On Linux, I have to enter the admin password when I use sudo or su. On Android, I have to enter a PIN every time I reboot the phone, then enter a pattern to unlock the screen, and finally have to enter a password to use sensitive apps outside of my home wifi. The same goes for the iPad.
    When I reverted back to a default Win7 installation, I felt somewhat strange because it doesn't make a UAC prompt when e.g. I try to change a system setting.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    RunasRob can avoid this in some use cases because it can optionally use a service, if I recall correctly.
     
    Last edited: Jan 6, 2015
  16. 142395

    142395 Guest

    Interesting, though creating a new service can also be a potential attack surface... I might consider it when I need to reply to many more UAC prompts than now.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    You can still do what MrBrian does without using RunasRob. Just elevate normally one "launcher" app (1-click prompt in AAM; 1 OTS prompt in standard user account) and then use it as parent-app to start other apps with admin rights.
     
  18. 142395

    142395 Guest

    I know that, but currently I don't feel the need. But it may be worth considering when the time comes.
    Thanks anyway!
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have tried the tweak but it only worked for a couple of installers. But my idea is perhaps not even feasible, you would need to monitor restarting of apps and child processes. Actually, it is possible but it would make UAC more like a HIPS.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's the thing, I wouldn't rely on UAC for REAL security. But anyway, it seems like what I'm looking for is already offered by some apps. I'm basically looking for a way to whitelist certain apps and folders.

    M$ has already white-listed certain Windows system apps. So why not shut up about apps that I have given admin rights myself (with run as admin)? UAC should also be quiet when I install/run apps from certain folders. So I will check out the RunAsRob tool.

    But the current implementation of UAC (with alerts) is retarded, that's for sure. BTW, is the "run as admin" feature a registry setting? If so, it could be abused by malware.

    http://withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/
    http://www.makeuseof.com/tag/stop-a...ate-a-user-account-control-whitelist-windows/
    https://www.raymond.cc/blog/task-scheduler-bypass-uac-prompt/
     