:: infotechGuyz.com ::
> For the IT community by the IT community

• BlackBerry Server (BES)
• Excel Macro/VBA
• Exchange 2007
• Exchange 2010
• Lync 2010
• Scripting/Command-line
• SQL Server 2008
• SQL Server 2012
• Team Foundation Server
• VMware
• Windows 7
• Windows 8
• Windows Server 2008
• Windows Server 2012

Windows 8 User Account Control (UAC) Explained

No Windows feature has proven as controversial and misunderstood as User Account Control, or UAC. When it debuted in Windows Vista, tech pundits screamed far and wide about this reviled feature, spreading mistruths and misunderstandings and generally raising a lot of ruckus about nothing. If these pundits had just calmed down long enough to actually use User Account Control for longer than a single afternoon, they’d have dis-covered something very simple: it’s not really that annoying, and it does in fact increase the security of the system. Indeed, we would argue that User Account Control is one of the few features that really differentiate modern Windows versions from the increasingly crusty XP, because there’s no way to add this kind of functionality to XP, even through third-party add-on software. User Account Control is effective, and as ongoing security assessments have proven, it really does work.Great, but what is it exactly? In order to make the operating system more secure, Microsoft has architected Windows so that all of the tasks you can perform in the system are divided into two groups, those that require administrative privileges and those that don’t. Thisrequired a lot of thought and a lot of engineering work, naturally, because the com-pany had to weigh the ramifications of each potential action and then code the system accordingly.
The first iteration of UAC was implemented in Windows Vista with what Microsoft thought to be a decent technical compromise. In response to overwhelming user feedback surrounding the frequency of prompts, however, Microsoft modified UAC in Windows 8 to make it “less noisy” (that is, less annoying) by default. They did this by implementing a pair of “Notify me only when. . .” options, letting users perform common configuration tasks, prompting only when something out of the ordinary is done (for example, changing important configuration settings). The result is that UAC in Windows 8 is more configurable and less irritating than it was in Vista. But it’s even more controversial, because it’s not clear that it’s as secure as it used to be.

How UAC Works under the hood

Every user, whether cond as a standard user or an administrator, can perform any of the tasks in Windows 8 that do not require administrator privileges, just as they did in Windows XP. (The problem with XP, from a security standpoint, of course, is that all tasks were denoted as not requiring administrative privileges.) You can launch applica-tions, change time zone and power-management settings, add a printer, run Windows Update, and perform other similar tasks. However, when you attempt to run a task that does require administrative privileges, the system will force you to provide appropriate credentials in order to continue. The experiences vary a bit depending on the account type. Predictably, those who log on with administrator-class accounts experience a less annoying interruption.Standard users receive a User Account Control credentials dialog, as in 8-1. This dialog requires you to enter the password for an administrator account that is already cond on the system. Consider why this is useful. If you have cond your chil-dren with standard user accounts (as, frankly, you should if you’re going to allow them to share your PC), then they can let you know when they run into this dialog, giving you the option to allow or deny the task they are attempting to complete. Administrators receive a simpler dialog, called the User Account Control consent dialog,2. Because these users are already cond as administrators, theydo not have to provide administrator credentials. Instead they can simply click Yes to keep going. The presentation of these User Account Control dialogs can be quite jarring if you’re not familiar with the feature or if you’ve just recently switched to Windows 8 from XP. (Vista users are very well accustomed to this effect.) If you attempt to complete an adminis-trative task, the screen will flash, the background will darken, and the credentials or consent dialog will appear somewhere onscreen. Most important, the dialogs are modal: you can’t continue doing anything else until you have dealt with these dialogs one way or the other.
There’s also a third type of User Account Control dialog that sometimes appears regard-less of which type of user account you have cond. This dialog appears whenever you attempt to install an application that has not been digitally signed or validated by its creator. These types of applications are quite common, so you’re likely to see the dialog fairly frequently, especially when you’re initially configuring a new PC. Over time, these prompts will occur less and less because you won’t be regularly installing applications anymore.By design, this dialog is more colorful and “in your face” than the other User Account Control dialogs. Microsoft wants to ensure that you really think about it before continuing. Rule of thumb: you’re going to see this one a lot, but if you just downloaded an installer from a place you trust, it’s probably okay to go ahead and install it.
When UAC is left at its default setting, Windows 8 automatically elevates a hand-picked list of applications, further reducing the UAC dialogs you see. These applications are referred to as being white-listed for auto-elevation. They include:
\Windows\ehome\Mcx2Prov.exe
\Windows\System32\AdapterTroubleshooter.exe
\Windows\System32\BitLockerWizardElev.exe
\Windows\System32\bthudtask.exe
\Windows\System32\chkntfs.exe
\Windows\System32\cleanmgr.exe
\Windows\System32\cliconfg.exe
\Windows\System32\CompMgmtLauncher.exe
\Windows\System32\ComputerDefaults.exe
\Windows\System32\dccw.exe
\Windows\System32\dcomcnfg.exe
\Windows\System32\DeviceEject.exe
\Windows\System32\DeviceProperties.exe
\Windows\System32\dfrgui.exe
\Windows\System32\djoin.exe
\Windows\System32\eudcedit.exe
\Windows\System32\eventvwr.exe
\Windows\System32\FXSUNATD.exe
\Windows\System32\hdwwiz.exe
\Windows\System32\ieUnatt.exe
\Windows\System32\iscsicli.exe
\Windows\System32\iscsicpl.exe
\Windows\System32\lpksetup.exe
\Windows\System32\MdSched.exe
\Windows\System32\msconfig.exe
\Windows\System32\msdt.exe
\Windows\System32\msra.exe
\Windows\System32\MultiDigiMon.exe
\Windows\System32\Netplwiz.exe
\Windows\System32\newdev.exe
\Windows\System32\ntprint.exe
\Windows\System32\ocsetup.exe
\Windows\System32\odbcad32.exe
\Windows\System32\OptionalFeatures.exe
\Windows\System32\perfmon.exe
\Windows\System32\printui.exe
\Windows\System32\rdpshell.exe
\Windows\System32\recdisc.exe
\Windows\System32\rrinstaller.exe
\Windows\System32\rstrui.exe
\Windows\System32\sdbinst.exe
\Windows\System32\sdclt.exe