Blog english Blog german Blog UAC

Understand UAC permission and application rights.

UAC and administrator privileges for a program are easy to set by understanding the simple process of the UAC.

On a system with activated UAC every application run without administrator rights, even though you are logged in with an administrator account.
The application can only run with administrator rights if the application request elevated privileges in its own source code
or the logged in administrator start the application with the additional command run as administrator.
In both cases the System send an UAC dialog where you have to confirm this request.

Run a program as administrator and the UAC

There are a lot of reasons why to run an application as administrator in Windows.

  1. You have to install software, change Windows settings, monitor the system, configure a backup, install hardware driver, update applications or find an Error, then usually you need elevated privileges.
  2. Some programs don’t work without administrator rights or the software is written quick and dirty.
  3. Other applications need elevated rights only for some parts within the software.
  4. Maybe you are person who only need sometimes elevated rights to check something like a software developer or an IT manager.

In all cases you have to be a member of the group administrators and the appropriate program have to request elevated rights.
In spite of many reasons, there are only few moments in few applications you really need this rights.
For everyday work you need only be a member in the group standard user, because no changes on the system settings are necessary.
Nevertheless a lot of users working daily with an administrator account in order to call this few programs or its functions directly.
This often usage of that privileged account can be easily discovered to manipulate the system.
It is missing an option to give a specific program privileges, like you can do it with a user account.
A user then doesn’t need administrator rights to call these programs with administrator rights, because the application itself has already that right.

Explanation User Access Control UAC

Work daily with an administrator account open attackers to manipulate the system.
Therefor Microsoft implements the User Access Control UAC to ask these administrators in an UAC dialog, if they really want to start a program that need system rights.
The principle works, because since the beginning of the UAC all software developer must implement in their source code to ask the UAC for elevated rights if it is needed.
If the software developers don’t do it, there is no UAC warning dialog for the administrators, their program will not run with elevated administrator rights and a simple setup routine of their software doesn’t work.
It is still possible for the administrators of the computer systems to run this program with administrator privileges, but he must request explicit elevated privileges from the UAC for this software.
This is necessary if the developer of the software forgot to do this, the software is developed before the UAC, but in most cases it is necessary for applications you need the option to run it without and with administrator rights.
Best example is the command line cmd.exe or a batch file. Sometimes it needs elevated privileges for some commands in it but only in a few cases.
Therefor the cmd.exe or a batch file doesn’t request elevated rights and it is the job of an administrator to give it the rights if it is needed and not the job of the developer of the cmd.exe.
This point and other reasons make the UAC to a security instrument which is often misunderstanding. But a wrong understanding of security instrument is a security whole.

Security of UAC

A lot of users think they are save with an active UAC, even though they don’t know how it works.
More clear and save is to switch off the UAC and work with a standard user account instead to use an administrator account on an active UAC system.
The UAC would not be necessary, if users work with a standard user account as it is the default security setting in the 90s since Windows NT.
The user roles would be clearer and a user can only change system settings after he input the credentials of an administrator account.
This is more secure than only a warning dialog from the User access control UAC.
Too much warning make the user’s blind, they ignore the warning and click forward because they do not become active at this point.
Because of that annoying warning message a lot of users disabled the UAC complete, therefore Microsoft loosen the strict User Access Control rules and implements different warning and security levels of the UAC.
But this makes the UAC even more unsecure, complicated, unclear, and the result is a lot of misunderstanding and a vulnerable system.
Turn off the UAC and work with a standard user account is safer, you don’t need administrator right very often.
Look at an android smartphone, Mr. Google is the administrator of the operating system, how often is Mr. Google needed there?
By the way Microsoft goes the same way with its Microsoft account as Google and wants to be the administrator of all windows installations.

Bypass UAC

Normally the User access control can’t bypass directly. If it would be possible to bypass the UAC, each malware could use it for an attack and the UAC has no longer any sense. An outcry from all security experts, that fundamental component of Microsoft's overall security vision is dead. But there are some options the administrator of the system can bypass the UAC

  1. Disable the User Access Control in the system settings
  2. Change individual Settings of the UAC in the group policy editor gpedit.msc Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
  3. Use third party tools like RunAsRob to set individual application rights
  4. Activate and use the predefined account Administrator. This account ignores an active UAC and bypass it.
There are ways for a hacker to bypass the UAC I don’t want to write a tutorial. But I can say it is not a directly security hole of the UAC. These attacks need an active help from the administrator of the system or a vulnerability of other installed software on the system.

Administrator is not an administrator

On a system without UAC the differences are clear. A standard User logs on with a standard user access token, has limited rights and can’t change system settings. An Administrator logs on with an administrator access token, work with elevated rights to configure the system.

On a system with an active UAC is the differences complicated and not clear anymore, because an administrator logs on with a standard user access token and an administrator access token which is not active. Three conditions must be met to be an administrator

  1. The account must be a member from the local group administrators.
  2. The started application must request elevated privileges or the user account must request elevated privileges for the program.
  3. The user must confirm the appeared UAC Warning message, that application needs system rights.
Microsoft Link UAC >>>

Contact:

For any suggestions, errors, questions, specific requirements or adjustments please contact:
runas@robotronic.net

Licence:

RunasRob is only free for private use.
For companies and other organisations we deliver a licensed version, registered to the organisation name.
Order RunasRob >>>
Download RunasRob >>>

Date: 2024-04-12
Data protection
Imprint