Jorge Coelho

I'm beginning to reach the conclusion that the current implementation of the UAC in Vista is, IMO, a nightmare that creates more problems than it solves. If Microsoft wants developers - and users - to embrace the UAC (instead of just turning it off altogether) then it better come forward with a LOT MORE information and support than it is currently providing! If it doesn't, I will begin to suspect Microsoft only added the UAC so it can tell Windows users 'well, we added the option to secure Windows - you're the ones turning it off' and therefore wash its corporate hands. I would really hate to see this happening.

To name just a few of the problems the UAC brings to us developers:

1 - Applications that require Admin privileges are blocked at startup.

Heh. The workaround is to create a service that does the actual program launch at startup? Am I reading right?

2 - Applications with lower privileges cannot communicate/send Windows messages to applications running at higher security levels.

One of the applications I develop replaces the Windows taskbar. For this to work, my application needs to be able to bring other windows to the foreground, minimize/maximize/restore them, etc. I'm not trying to control other applications, just minimize a window, and I can't even do that. On the other hand, the Explorer taskbar, which is running at medium privilege, is able to do it... HOW? Where is the information that would enable me to add the same functionality to my application?

My application is just an example here; there are literally hundreds, if not thousands, of other applications that NEED to legitimately communicate with other windows, regardless of their security level. WHERE is the information that will allow us developers to do this? Where is the answer to the following questions:

a) Exactly what does uiAccess=True do?

b) How can I use uiAccess=True without requiring Admin privileges?

c) Does digitally signing an application solve ANY of these problems in Vista?

3 - Because of (2), applications running at Admin level do not accept drag & drops from applications (such as Explorer) running at lower privilege levels.

This is simply unacceptable, whichever way you look at it! If another workaround is required to solve this problem, then you can bet hackers and such will use the same workaround to do their thing... so why make life difficult for us normal developers?!

This is just a sample of the questions Microsoft should be actively providing the answers for in these forums or in the MSDN. Instead there is only silence, and Vista for consumers is just around the corner!!!

I also don't understand why the UAC can't act more like firewalls do: tell the user that application X is asking for admin rights, ask if it should provide them or not, and then provide an option to remember the answer, so that, if the user says yes, the next time it doesn't need to ask again and the app is automatically given admin rights as required. It would also keep an eye on application checksums and ask again if the executable has changed for some reason. If firewalls can be trusted to protect your PC from Internet threats coming from the outside - and the inside - with this method, why not the UAC for elevating applications? It would vastly reduce the number of UAC prompts and solve most of our problems as developers, while still providing more than reasonable security.



Re: Security for Applications in Windows Vista The UAC Nightmare

Jorge Coelho

Ok, looks like I am the only one replying to my own message... Sigh.

For future reference, I managed to track down exactly *two* posts on this issue, both apparently by MS employees (nothing on MSDN that is actually useful, just a statement that there is indeed something called uiAccess. Great quality documentation - not!):

The uiAccess flag in a Vista manifest allows an application to bypass UI protection levels to drive input to higher privilege windows on the desktop.

However, for it to work, two things must also be true:

1 - The application that wishes to receive the uiAccess privilege MUST reside in a trusted location on the hard drive (i.e., c:\Windows\ or c:\Program Files\). It will still run if it is not in one of these locations, but it will not receive the privilege, which means my application will fail to function properly if the user decides to install it anywhere outside c:\Program Files\.

2 - Applications that request uiAccess=true must have a valid, trusted digital signature to execute. Personally I resent being *forced* to shell out $199 for a digital certificate from MS *every year* so my application runs properly on Vista. And what will a freeware application developer do when he finds out his utility won't run - or will not run correctly - unless he actually pays MS money every year?

I think these two issues provide some food for thought, even if your application is not affected by them.

I still have a couple of questions, though:

1 - Will my application accept dragged files from lower privilege applications if it is digitally signed *and* has the uiAccess privilege *and* is installed in a trusted location *and* is running with administrator privileges?

2 - After compilation, data critical to license key validation is appended to the end of my application's executable file. This data is read every time my application is run. Since a digital certificate also appends data to the end of an executable, how can I get the two to work together? I.e., if I append the data AFTER signing the application, won't it complain later about code tampering? If I append the data before, how would my application then know WHERE to look for it?

By the way, I'm *assuming* that the uiAccess flag set to true does NOT automatically require the application to also have admin privileges. I really hope I'm not wrong.
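The license-data question in the post above (append the data before or after signing, and how does the program find it again?) can be worked through against the PE layout. The following is an added example, not code from the thread or from any Microsoft tool. It relies on two facts from the Authenticode PE specification: the certificate table that signtool attaches sits at the end of the file and its file offset and size are stored in the security data directory, and the Authenticode hash covers the whole file except the CheckSum field, that directory entry, and the certificate table itself. So data appended *before* signing is covered by the signature (altering it later breaks verification, which is what you want for a license block), and the program locates it by walking back from the certificate table offset rather than from end-of-file. Data appended *after* signing lands behind the certificate table and is not what the signature was computed over, so verification fails. Everything else here is a stand-in: the PE image is a constructed minimal PE32 with no sections, `stand_in_sign` only writes a WIN_CERTIFICATE-shaped table where signtool would (it is not a real signature), and the `LICDATA1` trailer is a hypothetical marker.

```python
"""Append a license block to a PE image before Authenticode signing, then find it at run time.

Added example, not code from the original thread. The PE image is constructed, the
signature is a stand-in, and the LICDATA1 trailer is a hypothetical marker. The hash
coverage rules follow the Authenticode PE specification.
"""
import hashlib
import struct

TRAILER_MAGIC = b"LICDATA1"                  # hypothetical marker, 8 bytes
TRAILER_FMT = "<8sI"                         # magic + payload length
TRAILER_SIZE = struct.calcsize(TRAILER_FMT)  # 12


def _layout(pe):
    """Return (checksum_off, secdir_off, cert_off, cert_size, size_of_headers)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = 96 if magic == 0x10B else 112     # data directories start (PE32 / PE32+)
    checksum_off = opt + 64
    secdir_off = opt + dirs + 4 * 8          # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)  # file offset, not an RVA
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    return checksum_off, secdir_off, cert_off, cert_size, size_of_headers


def bytes_after_certificate_table(pe):
    """Bytes following the certificate table. The table must be last; anything after it
    is not what the signature was computed over, so verification fails."""
    _, _, cert_off, cert_size, _ = _layout(pe)
    return len(pe) - (cert_off + cert_size) if cert_size else 0


def authenticode_ranges(pe):
    """Byte ranges covered by the Authenticode hash: everything except the CheckSum field,
    the security directory entry and the certificate table. This toy image has no sections;
    a real image hashes each section's raw data in file order before the trailing data."""
    checksum_off, secdir_off, cert_off, cert_size, soh = _layout(pe)
    if bytes_after_certificate_table(pe):
        raise ValueError("data appended after the certificate table: signature is invalid")
    end = cert_off if cert_size else len(pe)
    return [(0, checksum_off), (checksum_off + 4, secdir_off), (secdir_off + 8, soh), (soh, end)]


def authenticode_digest(pe):
    h = hashlib.sha256()
    for start, end in authenticode_ranges(pe):
        h.update(pe[start:end])
    return h.hexdigest()


def append_payload(pe, payload):
    """Build step, run on the unsigned image: pad so the certificate table added later stays
    8-byte aligned, then write payload + trailer. The trailer ends exactly where the
    certificate table will begin, so the hash covers it."""
    if _layout(pe)[3]:
        raise ValueError("append before signing, not after")
    pad = -(len(pe) + len(payload) + TRAILER_SIZE) % 8
    return pe + bytes(pad) + payload + struct.pack(TRAILER_FMT, TRAILER_MAGIC, len(payload))


def find_payload(pe):
    """Run-time lookup: walk back from the certificate table (or from end of file if unsigned)."""
    _, _, cert_off, cert_size, _ = _layout(pe)
    end = cert_off if cert_size else len(pe)
    magic, n = struct.unpack_from(TRAILER_FMT, pe, end - TRAILER_SIZE)
    if magic != TRAILER_MAGIC:
        return None
    return pe[end - TRAILER_SIZE - n:end - TRAILER_SIZE]


def stand_in_sign(pe, blob):
    """Place a WIN_CERTIFICATE (dwLength, wRevision 0x0200, wCertificateType 0x0002 = PKCS#7)
    at the end and point the security directory at it. `blob` stands in for the PKCS#7
    data; this is NOT a real signature, it only reproduces the file layout signtool leaves."""
    pe = bytearray(pe)
    pe += bytes(-len(pe) % 8)
    cert_off = len(pe)
    table = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    table += bytes(-len(table) % 8)
    pe += table
    struct.pack_into("<II", pe, _layout(pe)[1], cert_off, len(table))
    return bytes(pe)


def build_minimal_pe():
    """Constructed sample: a 512-byte PE32 image with headers only and no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000, 0x200)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                      # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    pe = dos + b"PE\0\0" + coff + opt
    return bytes(pe) + bytes(0x200 - len(pe))


if __name__ == "__main__":
    image = append_payload(build_minimal_pe(), b"license-blob")
    signed = stand_in_sign(image, b"fake-pkcs7")
    print(find_payload(signed), authenticode_digest(image) == authenticode_digest(signed))
```

The run-time lookup must use the security directory rather than assume the trailer is at end-of-file, because on a signed binary the last bytes are the certificate table. The same digest before and after `stand_in_sign` is the point of the exclusions: the signer computes the hash over the padded image plus your license block, so attaching the certificate table does not disturb it, while editing the block does.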





Re: Security for Applications in Windows Vista The UAC Nightmare

Jimmy Brush

Hello,

1) Applications that both start when the computer turns on and require administrative privileges probably should be implemented as a service anyway, since that is essentially what they are.

2) I agree that this is unfortunate. This restriction is in place due to the fact that win32 wasn't really designed to support different privileged apps running on the same desktop, so this kind of isolation is necessary to prevent privilege escalation between different privileged processes [known as a shatter attack]. Luckily, (as of now) neither hackers nor programmers can get around this, so the security is intact.

3) Agreed - this is unacceptable. However, the security implications of not having UAC is even more unacceptable, IMHO.

The reason UAC doesn't allow "blessing" of an executable is because it would allow lower-privileged applications to start blessed higher-privileged applications and abuse them. Imagine the (likely) common case of a user blessing a command prompt to always run as administrator. A lower-privileged application could thus start the always-trusted command prompt and use it to elevate its privilege level and abuse the system.

One might say "well, don't let non-privileged apps run always-blessed apps." Well, from the OS's perspective, how can you tell the difference between the user starting a program and a program starting a program? (And no, it's not as simple as tracking mouse clicks :) Answer: A UAC prompt! A UAC prompt both ensures that the user is the one initiating the action and that the user has unbiased info about the program requesting permission. Hopefully in the future Windows will have a better way to tell if a user is intending for a program to start elevated, without having to go through the hassle of a UAC prompt; until then, we're stuck with what we have. Throwing in an 'always elevate this program without prompting' option right now would completely defeat the security of UAC.

In the same vein, this is why you don't have an option to 'approve all admin actions automatically for the next X minutes' - malicious apps would just wait for the user to enter this mode and then silently execute their payload.

As for the firewall analogy - UAC and firewalls are different beasts. Firewalls ensure that two computers (or applications) can only communicate with each other according to a pre-defined policy. UAC allows the user to decide if they want a program to run privileged or not. Unfortunately, it is not possible yet for UAC to tell if the user wants a program to run privileged without prompting them every time it runs.

- JB

Microsoft MVP - Windows Shell/User





Re: Security for Applications in Windows Vista The UAC Nightmare

Jimmy Brush

Jorge Coelho wrote:

1 - Will my application accept dragged files from lower privilege applications if it is digitally signed *and* has the uiAccess privilege *and* is installed in a trusted location *and* is running with administrator privileges?

Not by default. However, any higher-privileged application can specify that it wants to allow lesser-privileged apps to send it certain windows messages using the ChangeWindowMessageFilter API. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/windows/windowreference/windowfunctions/changewindowmessagefilter.asp





Re: Security for Applications in Windows Vista The UAC Nightmare

Jorge Coelho

Hi Jimmy - and thanks for your reply.

I have nothing against making Windows more secure, except when that security starts to seriously compromise your ability to make things work. Going a bit overboard, it's almost the same as thinking that 'the only truly secure computer is the one that is turned off, so let's prevent the user from turning it on and call it a day'!

In the name of security, Microsoft has broken one of the golden rules that made Windows what it is today: backwards application compatibility (read Raymond Chen's very interesting true story at http://blogs.msdn.com/oldnewthing/archive/2005/08/24/455557.aspx to get an idea how important this was to Microsoft when Windows 95 was being developed). The new security features in Vista, as they currently are, have broken compatibility with hundreds, if not thousands, of applications out there (http://biz.yahoo.com/prnews/070129/nym254.html?.v=27). This is not a good sign.

Although developers are rushing to change their applications so they run in Vista (they have to, no choice), all these limitations are generating a lot of ill feelings towards Microsoft (http://searchnetworking.techtarget.com/originalContent/0,289142,sid14_gci1210002,00.html , http://www.gamasutra.com/php-bin/news_index.php?story=12314 , etc.) and, worse, seriously compromising what the software can actually do.

I for one intensely dislike that, from now on, I have to pay Microsoft a fee every year in order for my software to run as well in Vista as it did in XP and all Windows versions before it.

I think the UAC still has a long way to go. As it still is, I believe most users will simply start turning it off in order to run their favorite applications.





Re: Security for Applications in Windows Vista The UAC Nightmare

layer

Jorge,

Just want you to know that you are not alone, and further that you have put into words very well how I feel about Vista. Thank you.

Kevin





Re: Security for Applications in Windows Vista The UAC Nightmare

ImDaFrEaK

I have been developing software for MS for years and I have talked good of MS for a long time as well, but I agree with you Jorge 100%. I almost smashed my studio when I found out my application would have to work so hard in order to work and FURTHER I ain't paying MS NO MORE $$$ than I paid for Vista, VS2005, Office, etc. just to have a program that I wrote work! That is freaking stupid. I will start programming on Linux before I pay MS anything to approve my application. Unless my application is making mad cash then screw that ***. I develop freeware and share useful tools and applications as a hobby and job. I don't usually charge and if I do it's minimal. This is ridiculous.






Re: Security for Applications in Windows Vista The UAC Nightmare

chueh8

Hi, JB,

Are you sure about the following? I created a service there, but it is still blocked by Vista... Why?

Thanks

1) Applications that both start when the computer turns on and require administrative privileges probably should be implemented as a service anyway, since that is essentially what they are.

-chueh8






Re: Security for Applications in Windows Vista The UAC Nightmare

Jorge Coelho

Maybe because your service is not signed? No idea, just guessing here.

This is precisely one of the things that really gets on my nerves: the current lack of information from Microsoft on how to handle all these UAC imposed limitations...





Re: Security for Applications in Windows Vista The UAC Nightmare

MattAus

I do not get why the user is unable to pre-approve an application (at install time) to silently elevate and run at startup with admin privileges.



Re: Security for Applications in Windows Vista The UAC Nightmare

Zachovich

I was thinking the same thing.

Can't I create an application that a user may download, install, and run without problems in the UAC?

Will users have to click "allow" every time from now on?

Is the only way around this to send MORE money to Microsoft?

If that is the case, we may opt to recommend our clients to disable the UAC.
Either that or take the same route that some other companies did, telling people "Steer clear of Vista for now."

The reason? We already paid Microsoft upward of $1500 PER WORKSTATION for Windows, Office, and Visual Studio, why should we have to pay more, just to work around a stupid popup message in Vista (which I thought was supposed to be better for developers)?

Don't get me wrong, they are awesome products, but our lawns aren't made of cash.

In my dreams... someone comes along here and tells me I got it all wrong and there is a way after all ;)

-zacho




Re: Security for Applications in Windows Vista The UAC Nightmare

Jorge Coelho

Jimmy explained it in a post above: because if this was possible (and let's call this 'blessing an application') and the user blessed, say, the Command Prompt, then a malware application could in theory launch the Command Prompt (which would then run with admin privileges WITHOUT displaying a UAC prompt) and use it to launch a copy of itself. Because privilege is inherited, the malware launched by the 'blessed' Command Prompt would in turn run with admin privileges and have access to the whole system.

Even if I do understand the reasoning behind this, there are two things I would like to point out: first, how would the malware know which applications have been blessed and which not, so it knows which ones to 'abuse'? Second, it's still the user's responsibility to reply Yes or No to a UAC prompt. Why trust the user for this and not for 'blessing' applications, then?! Doesn't make sense to me.





Re: Security for Applications in Windows Vista The UAC Nightmare

MattAus

"... and use it to launch a copy of itself"

Yes, but at this point an approval request would pop up because the malware is not allowed to run as full admin. The command prompt is, but the malware is not.





Re: Security for Applications in Windows Vista The UAC Nightmare

Jorge Coelho

No it wouldn't because privilege levels are inherited:

If application A launches application B, then application B will run with - i.e., inherits - the same privilege level as application A (unless A is running at normal privilege level and B requests an elevation of privilege, which is not the case). Assuming A is the 'blessed' Command Prompt and B the malware, then B will run with the full admin privileges of the 'blessed' Command Prompt that launched it.





Re: Security for Applications in Windows Vista The UAC Nightmare

MattAus

You are right, but the malware is running not elevated.... so it should not be able to run Command Prompt elevated.

I only approved that Windows startup/shell can do that automatically.