Windows UAC - A Bit More Detail

Discussion in 'other software & services' started by itman, Feb 21, 2019.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I don't remember anyone calling UAC a one-stop security solution. Some points to consider with this:

    • victim is using an outdated version of WinRAR
    • victim downloads and extracts a malicious file without checking it first
    • victim does not have proper security in place. An anti-executable in default-deny mode should stop the payload from launching, or even an updated antivirus should detect it.
     
    Last edited: Mar 23, 2019
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Microsoft has said this from UAC day one. That is, it is not a security boundary. Its sole purpose is to restrict process execution privileges.

    The best way to view it is as a warning mechanism. And the warning is that some process wants to execute with higher execution privileges than those permitted for the logged-on user. Again, remember that the limited user account runs by default as a standard user but has the capability to self-elevate to admin level. UAC is simply a mechanism that brokers the transition from standard to admin account process status. The current problem is that Microsoft designed select system utilities to silently self-elevate to admin status so that they could run unimpeded without user interaction. Malware is exploiting this capability. So the only current mitigation for this is to set UAC to its highest level, which will prevent silent self-elevation. Or, alternatively, monitor these system utilities' execution by some other means, e.g. OSArmor, and pray that it will be able to detect every possible system process that can silently elevate.
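    Two checks that follow from the post above, as an added example written for this page (it is not code from the thread or from Microsoft): read the UAC policy values from the documented Policies\System registry key to see whether the slider is at the top ("Always notify", ConsentPromptBehaviorAdmin = 2), and inventory the System32 executables whose embedded manifest declares autoElevate, i.e. the set of utilities that may elevate without a prompt at the default level. The manifest search is a plain substring scan of each file's bytes, which is enough for an inventory but is an assumption of this example rather than a proper resource parser.

```powershell
# Added example, not from the thread: audit how UAC is configured on this machine
# and inventory the System32 executables whose embedded manifest requests
# silent auto-elevation. Reads only; run it from a non-elevated PowerShell.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin (documented policy values).
$adminBehavior = @{
    0 = 'Elevate without prompting (silent)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $policyKey
    $behavior = [int]$p.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA            # 0 = UAC disabled
        ConsentPromptBehaviorAdmin = $behavior
        Behavior                   = $adminBehavior[$behavior]
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        # Only the top slider position stops Windows-signed auto-elevate binaries
        # from elevating without a prompt, which is the mitigation described above.
        SilentAutoElevatePossible  = ([int]$p.EnableLUA -eq 0) -or ($behavior -ne 2)
    }
}

function Get-AutoElevateBinaries {
    param([string]$Dir = "$env:SystemRoot\System32")
    # The application manifest is stored as plain XML in the PE resource section,
    # so a substring search over the file bytes is enough for an inventory
    # (assumption of this example; a real tool would parse RT_MANIFEST).
    $pattern = '<autoElevate[^>]*>\s*true\s*</autoElevate>'
    foreach ($exe in Get-ChildItem -Path $Dir -Filter *.exe -File -ErrorAction SilentlyContinue) {
        try {
            $bytes = [System.IO.File]::ReadAllBytes($exe.FullName)
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            if ($text -match $pattern) { $exe.FullName }
        } catch {
            # Unreadable file (locked or access denied): skip it.
        }
    }
}

Get-UacPolicy | Format-List
$autoElevate = @(Get-AutoElevateBinaries)
"{0} auto-elevating executables under System32:" -f $autoElevate.Count
$autoElevate

# To apply the mitigation from an elevated prompt (equivalent to moving the
# UAC slider to the top position in the Control Panel UI):
# Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop -Value 1
```

    The list that the second function produces is the surface the post is talking about: at the default level (value 5) a malicious process that can get one of these binaries to load its code or follow its configuration inherits the silent elevation; at value 2 every one of them prompts.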
     
  3. guest

    guest Guest

  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Actually, what UAC monitors is process/task privilege escalation requests.

    At the process level, it is first assigned an execution privilege level: SU or Admin. This is done at process creation time. If the process execution privilege is lower than that assigned to the logged-on account, it must elevate its status to be allowed to run. At this point, it becomes an active task. Next, if an active task wants to access a resource with assigned privileges higher than the task execution privileges, it will be blocked from doing so. User account directories are assigned privileges based on the type of account logged on to. Note that this also applies to registry keys. Hence, malware has no problem writing to Current User keys regardless of user account type.
     
    Last edited: Mar 24, 2019
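    To make the post above concrete, here is an added example (written for this page, not code from the thread): it reports what the current process token was given at creation (whether it is the elevated token, its integrity label, and how the Administrators group is carried), then probes a write under HKCU and under HKLM to show the access check the post describes. The registry key names used for the probe are throwaway names chosen for this example, and the parsing of `whoami /groups` assumes an English Windows install.

```powershell
# Added example, not from the thread: inspect the token the current process was
# created with, then show why an unelevated process can write under HKCU but
# not under HKLM. 'UacProbeExample' is a throwaway key name for the probe.

function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    # True only when the process holds the full (elevated) admin token.
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists the integrity label and the group attributes; parse its CSV
    # output (column names assume an English Windows install).
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    [pscustomobject]@{
        User               = $id.Name
        ElevatedToken      = $elevated
        IntegrityLevel     = $label.'Group Name'      # e.g. "Medium Mandatory Level"
        AdminsGroupPresent = [bool]$admins
        # Under UAC's filtered token the group is present but "used for deny only".
        AdminsGroupAttrs   = $admins.Attributes
    }
}

function Test-RegistryWrite {
    param([Parameter(Mandatory)][string]$Path)
    try {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        New-ItemProperty -Path $Path -Name probe -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $Path -Recurse -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        # Access denied: the token's integrity level and group membership were
        # checked against the key's ACL and the write was refused.
        return $false
    }
}

Get-TokenSummary | Format-List

# Per-user hive: writable by the user's own token regardless of elevation,
# which is why malware can persist under HKCU without ever triggering UAC.
"HKCU write: {0}" -f (Test-RegistryWrite 'HKCU:\Software\UacProbeExample')
# Machine hive: needs the elevated token (or an explicit ACL grant).
"HKLM write: {0}" -f (Test-RegistryWrite 'HKLM:\SOFTWARE\UacProbeExample')
```

    Run it once from a normal prompt and once from an elevated one: the user name is the same both times, but ElevatedToken, the integrity label and the HKLM result change, which is the "assigned at process creation" point the post makes.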
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I never claimed anyone said this. I just wanted to remind people that even on SUA malware can still run. But to be fair, it's not clear if the malware that loads after system restart will trigger UAC or not.

    When we discuss UAC on this forum, we're talking about UAC as a method to block malware. We all know that SUA can be used to restrict other users on a system, but that's not what is discussed. What if malware didn't exist, would we use UAC on a single user machine? No we would not.
     
  6. guest

    guest Guest

    Your view is too limited. UAC is about privilege escalation in terms of all security threats; malware is just a fraction of the threats.
    You think that there is only remote compromise by RAT or exploits or whatever?
    What about vengeful employees, corporate spying, etc.? They also need to get admin rights to do bad stuff.
    Windows wasn't made only for Mr Rasheed...
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You have to be kidding me. I have already said that SUA has multiple purposes, but in this forum, the anti-malware aspect is mostly being discussed. How many times do I need to explain the same thing? So when I say that UAC sucks, I mean it sucks when it comes to using it to protect yourself against malware. So stop bringing up all of the other security threats that it may tackle!
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes and no.

    Yes, in that, in itself, there is nothing UAC offers that will unconditionally prevent a malware infection.

    No in that, UAC can alert you to an abnormal process execution. This could be an attempt by the malicious process to elevate itself. Or as is currently the case, to use a legit process that requires elevation in a malicious way.

    In the case of a noob user, UAC is worthless since he will just click on allow every time. In the case of someone with a moderate understanding of Windows operational mechanisms, it might just "save your butt."
     
  9. guest

    guest Guest

    @Rasheed187 are you deaf or what?
    UAC is to prevent any elevation (malware or not). It is not an anti-malware by design, it is only an elevation-blocker that coincidentally blocks some malware; you don't compare it with any anti-malware solutions, do you get it?

    On Windows the anti-malware features are WD and SmartScreen.

    Do you see UAC in the Security Center main window? No, it is tied to User Accounts settings, so stop saying otherwise.

    Even if malware didn't exist UAC would still be useful because it still prevents elevation from other sources.

    It is not because a soldier's conventional helmet can protect the head that you start shooting large caliber rounds at it and say "it suxx, bullets pass through like butter"; that's not its purpose.

    And for the last time, it is not because you focus on one aspect that the whole forum does the same. As far as I know, this forum considers all security aspects.
     
    Last edited by a moderator: Mar 24, 2019
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @Rasheed187

    @guest and in particular @itman I feel have explained the purpose of UAC extremely well. The links some of us have posted further explain it in great detail. It is clearly not an anti-malware nor an anti-executable feature, and it was never intended to be one, but it just so happens it can, on occasion, alert to unsolicited elevation attempts from unwanted binaries. Of course it's useless with click-happy users who ignore the unexpected alerts, especially when they provide some detail on the process's properties (signed, unsigned, Windows signed, blocked). Still, no one in their right mind with even a modicum of computer security knowledge would ever depend on UAC to keep their computers secure. I guess as you imply in your post #82, it does suck for those who do view it as a primary anti-malware security feature, but I'm sure those people are few and far between.

    EDIT

    I knew somewhere in the dark recesses of my memory there was an old but interesting thread on this subject: -https://www.wilderssecurity.com/threads/testing-windows-7-uac.245775/

    There are points made that support what all of us are trying to say, including @Rasheed187 stating why it sucks...
     
    Last edited: Mar 24, 2019
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The very first posting in that thread "says it all."

    Also of note is that the Home versions of Windows do not include Group Policy capability. Even if they did, most home users wouldn't know how to configure it properly. Most Win Home users do not employ anti-exec software. So that leaves UAC as the only front-end execution mechanism that will alert you that something is amiss.

    Finally, the most "bullet proof" method in the posting is Group Policy. It removes the need for any user decision making and just unconditionally blocks the process execution attempt.
     
    Last edited: Mar 25, 2019
  12. guest

    guest Guest

    Things have a definite purpose; if it fulfills that purpose, it doesn't suxx.
    Now if people decide to attribute an illegitimate purpose to it, then they have no right to complain if it does not fulfill it.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Pretty much, yes, although that entire thread, imo, is chock full of terrific posts.

    Agreed.

    Agreed again. The only problem with this approach is it only works in business/enterprise environments where a system admin is in control of the end user devices, or if in a home environment, where a parent, for example, is locking down the device against family members making unauthorized changes or actions to the O/S.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Seriously, this is becoming ridiculous. Ask yourself, why you're the only one who fails to understand my point? Of course SUA/UAC has a purpose, if I was managing a computer network, I would obviously restrict all users with SUA. And I would also install white-listing software, because even on SUA you can still run portable apps and malware that don't need admin rights.

    But that's not what this discussion is about, is it? The discussion is about if enabling UAC on a single-user PC (protected admin) is worth it or not. I have already explained zillions of times why I don't think it's worth it. I understand that SUA/UAC is not necessarily designed to block malware. But if you do enable it on a single user machine, then what is the purpose? Isn't it to block automatic elevation from malware? What if malware didn't exist, would you enable it on a single user machine?
     
  15. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    I have to kinda agree with @Rasheed187

    When UAC first came, at about the time of Vista, I thought to myself: "Wow! The Windows world finally got the equivalent of the Linux world's privilege nagging a la sudo (plus its zillion frontends)"

    And that's what it basically is: Nagging.

    Your ordinary grandmother will happily just click "Next" "Next" "Next"
    and will not give a **** if what they just did was allow a banking malware or something like that to run with full power of admin ...
    They just want to use the damn computer
    :D
     
    Last edited by a moderator: Mar 25, 2019
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Only for those who don't get it.
     
  17. guest

    guest Guest

    @Rasheed187 no, the discussion is about the wide use of UAC, you made it (as usual) a discussion about its need on a particular system/situation, yours.

    Some people here have shared computers with several accounts, one for each family member, so the thread is also for them, and talking about UAC compartmentalization abilities is not futile.

    Discussing UAC efficiency vs malware isn't primordial; UAC wasn't made originally to be a first response anti-malware feature and never will be.
    It has become a protection layer because much malware requires elevation.

    If you can't cope with this, then create your own thread "UAC vs Malware" or "UAC needed on single admin system?"
     
    Last edited by a moderator: Mar 25, 2019
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The point is, that I explained why UAC sucks for me personally, and you keep replying with complete nonsense, as if I don't understand the purpose of SUA/UAC.

    And it's funny, because look at your first reply in this thread. You mention "malware elevation" yourself. And you still didn't answer my question. Would you enable UAC in a world where malware doesn't exist? Remember, you're the only user on the machine, so no need to restrict others.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    How do "we" not get UAC? What you don't get is that if you have already secured your single user PC with stuff like AV/BB, white-listing, firewall and what not, you have to be pretty paranoid to also use UAC as an extra "annoying" security layer. But that's my personal opinion. Now that I think about it, I wouldn't be surprised if the elite hackers that you "pro-UAC" guys are so afraid of can probably easily bypass UAC with kernel exploits, but I'm not sure about that.

    LOL, exactly.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    The comment wasn't directed at you or anyone in this thread or forum for that matter; only at those, whoever they may be, who blindly allow the UAC alerts without taking a few moments to read and try to understand the prompts.
     
  21. guest

    guest Guest

    If I'm the only user and malware doesn't exist, I would still use it. Because even some legitimate apps prompt for unneeded elevation. Also, UAC prevents the OS from doing something I don't want; I use an SRP like AppGuard for a reason, full control of my OS, not just security.
    However, I credit you: if none of the cases above appeared at all, I would probably disable it.
    But we don't live in a malware free world..
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK I see, but I still disagree, because to me it's nagging, and I fully understand the purpose of UAC. But to give an example, let's take the CCleaner backdoor. It could download and execute malware on the system.

    If the malware needs admin rights, then UAC would pop up "out of the blue", and you would block it. Very cool, but you know what else could have blocked it? You already guessed it, namely AE/white-listing. In fact, it would have even blocked malware that doesn't need admin rights. So if the chance that this malware will be blocked by AE is 99%, I'll take my chances and happily disable UAC, to get rid of the nagging.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But why would you care about unneeded elevation if all apps are good-ware? They won't do anything to harm you, so no spying and no stealing. So who cares about elevation?

    Exactly my point. Right now, if you buy a Win 10 PC (desktop or laptop) you will automatically run as protected admin, with UAC enabled. This should protect users against exploits that deliver malware. That is the true purpose of UAC.

    But if the PC is secured with multiple layers, I really don't need any nagging UAC alerts. To me it's pure insanity that I will keep having to give permission to install apps (AV already said the file is clean), and keep having to give permission to run Win Task Manager. You don't have to agree with this, but please don't try to act like I don't understand what UAC is about.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Following this long exchange with @Rasheed187 reminds me of the "you can bring a horse to water, but you can't make him drink" truism. So I think it's time we just let @Rasheed187 die of thirst.:)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is exactly the problem. Now you seem to be implying that I don't understand UAC. Delusional is the right word to describe some of you guys, no offense. :rolleyes:
     