Windows UAC - A Bit More Detail

Discussion in 'other software & services' started by itman, Feb 21, 2019.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,589
    Location:
    U.S.A.
    I came across two articles that help "demystify" UAC settings.

    The first article shows what individual UAC options apply for each UAC Level: http://woshub.com/user-account-control-slider-and-group-policy-

The problem with the first article is that it does not show the individual registry key values, or for that matter all the options, for each setting. This article provides that information: https://www.ghacks.net/2013/06/20/how-to-configure-windows-uac-prompt-behavior-for-admins-and-users/

Bottom line: it is possible to customize UAC settings beyond the level-setting defaults. Personally, I would just stick with the Microsoft defaults assigned to each UAC level.
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
I always use "always notify"; it thwarts most of the common malware elevation attempts.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,717
    Location:
    Here
I do the same. The default level is just too leaky.
     
  4. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
Frankly, the "Always Notify" settings set up by Microsoft are almost perfect. The only setting that needs adjustment is enabling admin approval mode for the built-in admin account, if that account isn't disabled (I don't think it is by default). The fact that standard users use "Prompt for credentials" instead of "Prompt for credentials on the secure desktop" is irrelevant, because the "Switch to the secure desktop when prompting for elevation" setting overrides it. But if you're like most people, using a single admin account, it wouldn't hurt to set the former to automatically deny elevation requests. Even though processes started by you will be running under your admin account, and will thus not use that setting but instead the admin elevation prompt setting when they need to elevate, it never hurts to be 100% sure.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    882
    Location:
    Member state of European Union
I use UAC at the default level. I use ReHIPS, so UAC is redundant for me. The majority of the time I don't use an account belonging to the Administrators group. I also have "User Account Control: Behavior of the elevation prompt for standard users" set to "Automatically deny elevation requests".
     
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
Remember that UAC's original purpose was to be a privacy boundary, not a security one, so standard users can't access other standard user accounts. The security aspect is a side effect that overthrew the privacy one.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,176
    Location:
    USA
I disagree. The original intent was to get people to use standard user accounts while still being able to elevate admin processes, and to encourage software developers to write software that could be used by standard users. When everyone was using XP they all ran as admin, because it was too hard to configure a standard account for apparently most people.
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
My mistake, it was SUA not UAC.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,589
    Location:
    U.S.A.
    :thumb:

Also, subsequent Win versions introduced the limited admin account by default. This allows you to run with standard user privileges but have the capability to switch to admin level via the desktop UAC prompt without having to enter full admin credentials. The problem is that at the default UAC level 3 setting, it is possible for malware to use select Win system utilities, etc. that allow for silent UAC elevation to bypass level 3 prompting. Hence the need to run at the level 4 (maximum slider) setting to detect most, but unfortunately not all, LOL misuse.

It appears to me that setting the ConsentPromptBehaviorAdmin reg. key to "3", or the equivalent Group Policy value, to prompt for credentials will prevent all hidden UAC bypass attempts. However, this would entail entering your logon password for every UAC elevation request. Note that the default value of this key is "2", no authentication required.
     
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
I don't think a UAC bypass is based on whether you're using "prompt for consent on the secure desktop" or "... for credentials ...". In both cases it's on the secure desktop, and if every other setting is the same, it shouldn't matter. The former just saves a ton of time, even better if you're not using any password for your account, maximum time-saving, but ofc if you're not living by yourself it's not the smartest idea. Doesn't matter for thieves cuz if they have physical access a password won't stop them, but it might stop your family member or w/e, in combination with a bios password, disabling booting from cd, usb etc. and putting your case in a metal box with a metal lock (remove the box when you're using the pc so the case can properly cool). Besides, as I always like to say, even if that setting did matter, which I don't think it does but who knows, you'd have to first run the executable that will do the bypass; it won't download onto your drive and run itself.
     
    Last edited: Feb 22, 2019
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,176
    Location:
    USA
    Yes, that fits the description better.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,176
    Location:
    USA
    Yep, I've seen plenty of examples of Microsoft executables being exploited with default UAC.
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
I wonder what those two new ones do?

    "EnableFullTrustStartupTasks"
    "EnableUwpStartupTasks"

    I have it set like this:
    Code:
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableFullTrustStartupTasks" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUwpStartupTasks" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d "1" /f
    
     
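An added PowerShell example (not code posted in this thread) that reads the UAC policy values shown above and decodes them into the slider level and prompt behaviour they correspond to, including the credentials-versus-consent distinction discussed in post 9. The function name Get-UacAudit and the helper Get-UacValue are assumed names; the value meanings are Microsoft's documented ones.

```powershell
# Added example, not from the thread: decode the UAC values under Policies\System.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the ConsentPromptBehaviorAdmin / ...User DWORDs.
$AdminPromptText = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$UserPromptText = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Return the stored DWORD, or the Windows default when the value is absent.
function Get-UacValue([string]$Name, [int]$Default) {
    $v = (Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Get-UacAudit {
    $lua   = Get-UacValue 'EnableLUA' 1
    $admin = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $user  = Get-UacValue 'ConsentPromptBehaviorUser' 3
    $sd    = Get-UacValue 'PromptOnSecureDesktop' 1
    $fat   = Get-UacValue 'FilterAdministratorToken' 0

    # The four slider positions are just pairs of (Admin behaviour, secure desktop).
    $level = switch ("$admin,$sd") {
        '2,1'   { 'Level 4: Always notify' }
        '5,1'   { 'Level 3: Notify when apps change settings (default)' }
        '5,0'   { 'Level 2: Level 3 without the secure desktop' }
        '0,0'   { 'Level 1: Never notify' }
        default { 'Custom (set by policy or registry, not by the slider)' }
    }
    if ($lua -eq 0) { $level = 'UAC disabled (EnableLUA=0)' }

    [pscustomobject]@{
        SliderLevel             = $level
        AdminPrompt             = $AdminPromptText[$admin]
        StandardUserPrompt      = $UserPromptText[$user]
        PasswordRequired        = ($admin -in 1, 3)   # credentials, not one-click consent
        # 0 elevates everything silently; 5 lets signed Windows binaries auto-elevate.
        SilentElevationPossible = ($lua -eq 1) -and ($admin -in 0, 5)
        BuiltInAdminUsesUac     = ($fat -eq 1)        # admin approval mode for Administrator
    }
}

Get-UacAudit | Format-List
```

Reading HKLM needs no elevation, so the audit runs from a standard user session; a result of SilentElevationPossible = True at a "Custom" level is the combination worth a second look.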
  14. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
    They're not related to UAC https://docs.microsoft.com/en-us/wi...ontrol-group-policy-and-registry-key-settings

    Something related to this https://docs.microsoft.com/en-us/uwp/api/windows.applicationmodel.startuptask

Also, there's SupportFullTrustStartupTasks and SupportUwpStartupTasks; they're both (1) for me, and the Enable ones are both (2) for me. Very interesting indeed. Perhaps one can clean install and check the default values, and if they're not respectively (1) for Support... and (2) for Enable..., then that means I tweaked some setting that changed those values (I can confirm I haven't explicitly changed those values from my bat file), so then one can monitor the values, see when they're changed and figure out what setting is changing them. Although if I had to guess, I'd say these are the default ones, but who knows.
     
    Last edited: Feb 23, 2019
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
Well, you guys already know my opinion about UAC. It's quite useless; I can't believe that there are people that click on that stupid UAC alert every time they launch a tool like Win Task Manager or Process Explorer. :D
     
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
Why do you think it's useless?
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
I can't believe that there are people using an admin account as their daily account because they can't stand one click on UAC, while clicking 20 times on HIPS alerts and anti-script browser addons. :D
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
    The thing is, alerts from HIPS make sense, because you are monitoring app behavior. UAC alerts don't make sense. It simply tells you that a (trusted) process needs admin rights.
     
  19. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
UAC is there to prevent unwanted elevation (and not execution), so it makes sense.
     
  20. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    548
    Location:
    Europe
UAC is not just for when a process wants to run elevated; UAC is for a lot more stuff. Here is some of it, scroll down: https://en.wikipedia.org/wiki/User_Account_Control
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
    No, it doesn't make sense to keep having to give a trusted app elevation rights. :p
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
I believe you don't get the point; please look at the big picture, not only at your personal situation. Things are made for all people, not just you.
Let's say you deploy Windows on several endpoints of the company. Do you want the employees to be able to run admin tools? I don't think so...
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,879
    Location:
    The Netherlands
This is totally irrelevant; I believe you have lost the plot. You don't need UAC to lock down PCs. But let's not start all over again.
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    6,149
    Location:
    Europe then Asia
Of course it is relevant. You confuse blocking execution with blocking elevation. I have been hammering this to you for a while now, and you still don't get it. :D

UAC won't prevent malware and legit apps from running if they don't require elevation, but it will block them if they do.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,474
    Location:
    Canada
@Rasheed187

The UAC prompts provide some useful and important information:

• they tell you if the Publisher is blocked
• they tell you if the application is a Windows administrative app
• they tell you if the app is Authenticode-signed and trusted
• they tell you if the app is unsigned, or signed but not yet trusted

It's all easy to comprehend as long as one is willing to take a few moments to read the prompts.
     