23 Dec 2009

Understanding User Account Control in Windows Vista (Part 1)

When Microsoft Windows® XP is initially installed, the Windows XP Setup Wizard creates all user accounts as local administrators. This account type enables users to install, update, and run software since an administrator account has system-wide access. When a user is added to the local Administrators group, that user is automatically granted every Windows privilege. These privileges, together with the user's own SID and the SIDs of the groups the user belongs to, are collected in the user's access token, which Windows builds at logon and attaches to every process the user starts. Every securable Windows object (files, registry keys, processes, named pipes and so on) has an Access Control List (ACL), a list of entries recording which users, groups and services may access the object and at what level of permission. Windows' authorization model compares the SIDs in a process's access token against the entries in the object's ACL to decide which of the requested accesses are permitted and which are denied.
Administrative users automatically have:
* Read/Write/Execute permissions to all resources (and where an ACL happens to deny them, an administrator can still take ownership of the object with SeTakeOwnershipPrivilege and rewrite the ACL)
* All Windows privileges

In Windows Vista, there are two types of user accounts: standard user accounts and administrator accounts. Standard users have a limited set of user rights and privileges and no administrative ones: they cannot install or uninstall applications that install into %systemroot%, change system-wide settings, or perform other administrative tasks. However, standard users can perform these tasks if they are able to provide valid administrative credentials when prompted. With UAC enabled, a member of the local Administrators group is given two access tokens at logon: the full administrator token, and a filtered token in which the Administrators group SID is marked "use for deny only", all but a handful of privileges are removed, and the integrity level is Medium. The administrator's processes run with the filtered token, that is, with effectively the same access as a standard user. Only when the member of the local Administrators group gives approval can a process use the administrator's full access token. This is the basis of Admin Approval Mode.
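To see the filtered token for yourself, the following PowerShell function (added here as an illustration; it is not part of the original article or of Microsoft's documentation) reports what the token of the current process looks like. Run it once from a normal PowerShell window and once from a window started with "Run as administrator". The `whoami` CSV columns and the SID `S-1-5-32-544` (BUILTIN\Administrators) are standard Windows values; the function and property names are this example's own.

```powershell
# Added example, not from the original article: report the state of the
# access token the current PowerShell process runs with. Run it from a
# normal window and from a "Run as administrator" window and compare.

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole consults the token, not the account database. In the filtered
    # token the Administrators SID is present but marked "use for deny only",
    # so this returns $false even though the account is a member of the group.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every SID in the token with its attributes, plus the
    # integrity label Windows Vista attaches to the process (row type "Label").
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    # The filtered token keeps only a handful of privileges (shutdown, change
    # notify, undock, increase working set, time zone); the full token carries
    # the whole administrator set, most of them disabled until a program
    # explicitly enables them.
    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

    [pscustomobject]@{
        User                 = $identity.Name
        IsElevated           = $isElevated
        IntegrityLabel       = $label
        AdminsGroupAttribute = $(if ($admins) { $admins.Attributes } else { 'not in token' })
        PrivilegeCount       = $privs.Count
        Privileges           = ($privs.'Privilege Name' -join ', ')
    }
}

Get-UacTokenState | Format-List
```

In an administrator's non-elevated window the object shows IsElevated False, the label "Mandatory Label\Medium Mandatory Level" and the Administrators group attribute "Group used for deny only"; in the elevated window the label is High and the group is enabled. A true standard user never has the Administrators SID in the token at all. The practical lesson is that group membership (net user, the Computer Management console) says nothing about what a running process can do; only the token does.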

UAC Architecture:
Each application that requires the administrator's access token must prompt the administrator for consent. The one exception is the relationship between parent and child processes: a child process inherits its parent's access token, so a process started by an elevated parent is itself elevated without any further prompt. Parent and child therefore run at the same integrity level by default. This is also why an elevated process has to be careful about what it launches: any helper, browser or document viewer it spawns receives the administrator token along with it.

Windows Vista protects processes by marking them with integrity levels. Integrity levels are measurements of trust. Vista defines four levels in everyday use, Low, Medium, High and System: processes of standard users and of administrators running under the filtered token are Medium, elevated processes are High, and sandboxed processes such as Protected Mode Internet Explorer are Low. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Windows Vista prevents applications with lower integrity levels from modifying data in applications, and objects, with higher integrity levels (the default "no write-up" policy); the label is checked before the ACL, so even an entry granting full control does not help a lower-integrity process.
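The two rules above, that a child inherits its parent's token and that a lower-integrity process cannot write to a higher-integrity object, can both be checked with built-in tooling. The PowerShell below is an added illustration, not code from the original article or from Microsoft; `$env:PUBLIC\mic-demo.txt` is a placeholder path chosen for the demo and the function names are this example's own.

```powershell
# Added example, not from the original article.
# Part 1: token inheritance across parent and child processes.
# Part 2: the no-write-up rule enforced on a file.

function Get-IntegrityLabel {
    # The label travels in the token like a group SID (S-1-16-x); whoami shows it
    # as "Mandatory Label\<Level> Mandatory Level" in a row of type Label.
    (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' }).'Group Name'
}

# --- Part 1: inheritance ---------------------------------------------------
# From a Medium (non-elevated) shell the only way to obtain a High child is an
# elevation request. -Verb RunAs goes through UAC, so the consent or credential
# prompt appears and the new window prints a High integrity label.
function Start-ElevatedChild {
    Start-Process powershell.exe -Verb RunAs -ArgumentList '-NoExit', '-Command', 'whoami /groups | findstr Level'
}

# Run this inside the elevated window: a plain Start-Process with no -Verb RunAs
# still yields a High child and shows no prompt at all, because the child simply
# inherits the parent's full token. An elevated installer that "opens the readme"
# hands the administrator token to whatever program handles that file type.
function Start-InheritedChild {
    Start-Process powershell.exe -ArgumentList '-NoExit', '-Command', 'whoami /groups | findstr Level'
}

# --- Part 2: no-write-up ---------------------------------------------------
$DemoFile = Join-Path $env:PUBLIC 'mic-demo.txt'   # placeholder path for the demo

# Run elevated: create the file and raise its label to High. A process may set
# a label up to its own level; going above it needs SeRelabelPrivilege, which is
# why this step is refused from a Medium shell with "A required privilege is
# not held by the client".
function New-HighIntegrityFile {
    Set-Content -Path $DemoFile -Value 'written from a High integrity process'
    icacls $DemoFile /setintegritylevel H | Out-Null
    icacls $DemoFile   # the listing now includes Mandatory Label\High Mandatory Level:(NW)
}

# Run non-elevated, as the same user: the DACL still grants the owner full
# control, yet the write is refused because the process label (Medium) is below
# the object label (High). Reading still works: files carry only no-write-up,
# not no-read-up.
function Test-NoWriteUp {
    $canRead = $true; $canWrite = $true
    try { $null = Get-Content -Path $DemoFile -ErrorAction Stop } catch { $canRead = $false }
    try { Add-Content -Path $DemoFile -Value 'written from Medium' -ErrorAction Stop } catch { $canWrite = $false }
    [pscustomobject]@{
        ProcessLabel = Get-IntegrityLabel
        CanRead      = $canRead
        CanWrite     = $canWrite
    }
}
```

Call New-HighIntegrityFile from the elevated window, then Test-NoWriteUp from a normal window: the result reports a Medium process that can read but cannot write, and the same call from the elevated window reports a High process that can do both. Delete the demo file from the elevated window afterwards.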

When a standard user attempts to run an application that requires an administrator access token, UAC requires that the user provide valid administrator credentials in a credential prompt (as opposed to the consent prompt an administrator in Admin Approval Mode sees, which asks only for a click). The "UAC User Experience" section in this document details this process.

Windows Vista includes file and registry virtualization technology for applications that are not UAC compliant and that have historically required an administrator's access token to run correctly. Virtualization ensures that even applications that are not UAC compliant will be compatible with Windows Vista. When a non-UAC-compliant administrative application attempts to write to a protected location, such as Program Files, the Windows directory or HKEY_LOCAL_MACHINE\Software, UAC gives the application its own virtualized view of the resource it is attempting to change, using a copy-on-write strategy. The virtualized copy is maintained under the user's profile: files under %LOCALAPPDATA%\VirtualStore, mirroring the protected path, and registry keys under HKEY_CURRENT_USER\Software\Classes\VirtualStore. As a result, a separate copy of the virtualized file is created for each user that runs the non-compliant application, and the original under the protected location is never modified. Virtualization applies only to 32-bit interactive processes running at Medium integrity whose executable carries no requestedExecutionLevel manifest entry; 64-bit processes, services, processes started elevated, and executable file types are never virtualized. It is a compatibility shim, not a security boundary: the application is told that its write succeeded, which keeps it running but confuses an administrator who later looks in Program Files and finds nothing changed.

The virtualization technology ensures that non-compliant applications do not fail outright or fail in a non-deterministic way. UAC also provides file and registry virtualization and logging by default for pre-Windows Vista applications that write to protected areas.
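Because virtualized writes end up in per-user locations that the application itself never reports, it is worth knowing how to find them, and how to tell whether a given program is subject to virtualization at all. The PowerShell below is an added example, not code from the original article or from Microsoft: the VirtualStore paths and the manifest element are the real Windows locations and schema, the function names are this example's own, and the sample manifest is constructed for the demo.

```powershell
# Added example, not from the original article: audit what virtualization has
# silently redirected on this machine, and check an application manifest for
# the setting that turns virtualization off.

# Files: a write to C:\Program Files\App\settings.ini by a virtualized process
# lands in %LOCALAPPDATA%\VirtualStore\Program Files\App\settings.ini, one copy
# per user. The real file under Program Files is never touched.
function Get-VirtualizedFiles {
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return }
    Get-ChildItem -Path $store -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($store.Length).TrimStart('\')
        $intended = Join-Path $env:SystemDrive $relative     # where the app believes it wrote
        [pscustomobject]@{
            VirtualCopy    = $_.FullName
            IntendedPath   = $intended
            RealFileExists = Test-Path $intended
            LastWrite      = $_.LastWriteTime
        }
    }
}

# Registry: writes to HKLM\SOFTWARE by a virtualized process are redirected to
# HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE, again per user.
function Get-VirtualizedRegistryKeys {
    $prefix = 'HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    if (-not (Test-Path "Registry::$prefix")) { return }
    Get-ChildItem -Path "Registry::$prefix" -Recurse | ForEach-Object {
        $relative = $_.Name.Substring($prefix.Length).TrimStart('\')
        [pscustomobject]@{
            VirtualKey  = $_.Name
            IntendedKey = "HKEY_LOCAL_MACHINE\SOFTWARE\$relative"
            ValueCount  = $_.ValueCount
        }
    }
}

# Manifest: an application declares itself UAC-aware with requestedExecutionLevel.
# Any value (asInvoker, highestAvailable, requireAdministrator) switches
# virtualization off for that process; leaving the element out keeps it on for
# 32-bit interactive processes at Medium integrity. 64-bit programs, services and
# processes started elevated are never virtualized either way.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][xml]$Manifest)
    # PowerShell's XML adapter ignores namespaces, so dotted access works whether
    # trustInfo is declared in the asm.v2 or the asm.v3 namespace.
    $element = $Manifest.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel
    if ($element) { $element.level } else { $null }
}

# Constructed sample manifest: the minimal form a program embeds to opt out of
# virtualization without asking for elevation.
$SampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

Get-RequestedExecutionLevel -Manifest $SampleManifest
Get-VirtualizedFiles | Format-Table -AutoSize
Get-VirtualizedRegistryKeys | Format-Table -AutoSize
```

For the sample manifest the level function returns asInvoker, so a program carrying it runs with whatever token launched it and writes straight to the real location (and fails, visibly, if that location is protected), which is the behaviour a UAC-compliant application is expected to have. The two audit functions are also useful during incident response: VirtualStore is where a legacy or malicious 32-bit program's "system-wide" changes actually went, and they will not be found by looking under Program Files or HKLM.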

Microsoft official site

