Microsoft listens, changes UAC behavior in Windows 7

Long Zheng and Rafael earlier published proof that malware can turn off UAC in Windows 7. Microsoft at first responded that this behaviour was by design and not a bug. Microsoft has now agreed to change the Windows 7 UAC and to ship the changes in the Windows 7 Release Candidate.

Jon DeVaan and Steven Sinofsky have blogged about the two changes Microsoft plans to bring to Windows 7 RC:

  • UAC control panel will run in a high integrity process
  • Changing the level of the UAC will also prompt for confirmation

There you go! Two simple changes, but they make a big difference to the way UAC behaves in Windows 7.

UAC control panel will run in a high integrity process

Running the UAC control panel in a high integrity process means it requires elevation. So you may be prompted when changing the UAC settings on your system, even if you are a protected admin (the default user account created during installation).

Expect the UAC shield icon to appear in front of the Change User Account Control Settings entry shown in the above screenshot in Windows 7 RC.

Changing the level of the UAC will also prompt for confirmation

Because changing the UAC level will itself require confirmation, expect a prompt when you click OK to change your UAC settings.

These two changes are more than enough for Windows 7's UAC to answer the threat Zheng and Rafael demonstrated. When a user runs malware, it now has to get past a UAC prompt before it can change the UAC settings.
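A defender's check for the setting this article is about, added here as an example and not taken from the article or from Microsoft: it reads the documented UAC policy values and reports whether a machine is in the weakened state the proof of concept produced. The registry path and value meanings are documented Windows settings; `Get-UacPosture` is a name made up for this example.

```powershell
# Added example (not from the article or Microsoft): audit the UAC policy
# values behind the Windows 7 slider and report a weakened configuration.
# Assumes the documented policy location and value meanings. Reading these
# HKLM values does not itself require elevation.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    [CmdletBinding()]
    param([string]$Path = $UacKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # EnableLUA = 0 turns UAC off entirely (takes effect after a reboot).
    if ($p.EnableLUA -ne 1) {
        $findings.Add('UAC is disabled (EnableLUA != 1)')
    }
    # ConsentPromptBehaviorAdmin = 0 elevates administrators silently, so
    # the protected admin never sees the prompt the article describes.
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('Administrators elevate without a prompt (ConsentPromptBehaviorAdmin = 0)')
    }
    # PromptOnSecureDesktop = 0 shows the prompt on the normal desktop,
    # where it is exposed to other code running in the user's session.
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings.Add('UAC prompt not shown on the secure desktop (PromptOnSecureDesktop != 1)')
    }

    # Return a structured result so the check can be collected or alerted on.
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Hardened                   = ($findings.Count -eq 0)
        Findings                   = $findings.ToArray()
    }
}

Get-UacPosture | Format-List
```

Run it periodically (or from a logon script) and treat `Hardened = $false` as a signal that something other than the user changed the UAC level.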

Jon and Steven still drew the distinction between malware making it onto a PC and being run versus what it can do once it is running, and said they treat very seriously the ability to get code onto a machine and run it without consent.

They also stressed that users should still not download and run code unless the source is trusted. HTML, EXE, VBS, BAT, CMD and more are all code, and all have the potential to alter the environment (user settings, user files) whether running as a standard user or as an administrator.

So here we are: many were furious about this UAC flaw, Microsoft listened, at first reiterated that 'this is by design', and has now responded really well!

Thanks Microsoft!


They knew about this issue way back in Pre-Beta (6801 build) and they had promised to fix this in the Beta build
http://channel9.msdn.com/forums/Coffeehous...ommentID=437606

But they didn't bother, and the bad news it generated on the web finally made them fix this in RC. I think we should not hurry with Windows 7. Fix bugs like these and get a better product during RTM... or else it will be an irony to again wait for SP1 of Windows 7.

Great news! ...and also, I showed my Windows 7 install to my colleagues... they were very impressed, and seeing the memory usage compared to Vista, they were delighted.

Hope it rocks everywhere as XP does... (though Vista is good, Win 7 is gr8)

I don't know what Paul's problem is. There was already evidence that MS was already making changes (for instance, Rafael's blog states that "birdies" told him that the UAC exploit using rundll32.exe was already fixed in internal builds), so the statement that Paul points out still stands.

Also, the E7 blog itself states that "The second change is due directly to the feedback we're seeing" while Paul claims that MS refuses to admit that they changed their minds due to feedback.

Whatever...

Gotta keep yourself relevant even though others do a better job than yourself, eh? The time that he's the first to break this and that about Windows news has long passed.

That's what I did when the first 'issue' was discovered, and that's what I'll do when I buy Windows 7. Better to be safe than sorry, and Vista's UAC didn't bother me.

No, it just means if you're going to change the level of your UAC settings, the UAC will prompt you and ask you whether you want to change it or not. That way, malware can't change your level of security and harm your comp.

liemfukliang said,
How about changing UAC level via registry?

Without UAC disabled in the first place anyway you won't be making registry changes without triggering it.

bbfc_uk said,
I don't think so.

Windows 7 will be more secure than Vista, period!


wut? the level in Win7 is just the same as in XP! who the hell says that malware HAS to change the UAC level permanently to harm your comp or execute whatever it needs... setting it to HIGH would do the justice, period!

but hey, maybe I am going back to Win2k after 2 years of using Vista, just to be safe from this joke security of XP, which Win7 is!

actually it's more a question about the quantity of users, not the quality of the product! sadly...

A mandatory prompt upon changing UAC is good for me. Good show! I love the increased transparency "7" has had from past versions.

blade1269 said,
hey,

Oops, I really want them to fix the transfer speed between drives and through the network,


it's called KB938979

Wow, a security hole fixed in 48 hours! Not bad! Not bad at all! Much better than Firefox's record of fixing a security hole in 36 hours.
