Important change to UAC when disabled with process integrity in Windows 8


Last modified: Saturday, May 26, 2012

User Account Control (UAC) is a security enhancement in Windows introduced in Vista.

By default, it gives applications run by administrators only the access that limited users would have.
Another way to say this is that applications run at medium integrity level by default.

If an application needs more privileges, it needs to request them, and Windows will show a UAC dialog. If you press Yes to elevate on the UAC dialog, the process is said to be running as a high integrity process.

UAC can be disabled, and when it is, applications in Windows Vista and Windows 7 run as high integrity processes by default.

This changes in Windows 8: if UAC is disabled, your applications no longer run as high integrity processes; they run as medium integrity processes.

When UAC is off, applications can explicitly request elevation to a high integrity process, and no UAC dialog will be shown.

We first realized this in Firefox because we noticed the update service was being used for all updates in Windows 8, even when UAC is off. We designed the updater to use the service only when UAC is on, though.
So this change broke that design choice, and to fix it we need to check whether the process is running on Windows 8 and whether UAC is off.
If those conditions are met, we would elevate our process, which would not produce a UAC dialog.
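To see which of these states a given machine is in, the following PowerShell reports the current process's integrity level next to the UAC policy values. It is an added example, not code from this post or from Firefox. It assumes that "UAC off" can be judged from the `EnableLUA` and `ConsentPromptBehaviorAdmin` values under the Policies\System key, and the function names are made up for the example.

```powershell
# Added example, not code from the post or from Firefox.
# Assumption: "UAC off" is judged from the EnableLUA and ConsentPromptBehaviorAdmin policy values.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue([string]$Name) {
    # Return $null instead of throwing when the value is not set.
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-ProcessIntegrityLevel {
    # The integrity level appears in the token's groups as a mandatory-label SID, S-1-16-<RID>.
    $rid = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes |
        Where-Object { $_.Sid -like 'S-1-16-*' } |
        ForEach-Object { [int]($_.Sid.Split('-')[-1]) } |
        Select-Object -First 1
    if ($null -eq $rid) { return 'Unknown' }
    if ($rid -ge 16384) { return 'System' }
    if ($rid -ge 12288) { return 'High' }
    if ($rid -ge 8192)  { return 'Medium' }
    if ($rid -ge 4096)  { return 'Low' }
    return 'Untrusted'
}

$os        = [Environment]::OSVersion.Version
$enableLua = Get-UacPolicyValue 'EnableLUA'
$consent   = Get-UacPolicyValue 'ConsentPromptBehaviorAdmin'

# EnableLUA = 0 turns UAC off entirely; ConsentPromptBehaviorAdmin = 0 means "elevate without prompting".
$finding = if ($enableLua -eq 0) {
    'EnableLUA is 0: UAC is fully off and administrators run with a full token'
} elseif ($consent -eq 0) {
    'UAC is on but elevates without prompting: processes start unelevated and can elevate with no dialog'
} else {
    'UAC is on and elevation requires a prompt'
}

[pscustomobject]@{
    OSVersion                  = $os.ToString()
    IsWindows8OrLater          = ($os -ge [version]'6.2')
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = $consent
    IntegrityLevel             = Get-ProcessIntegrityLevel
    Finding                    = $finding
} | Format-List
```

Run it from a normal (non-elevated) prompt and again from an elevated one to compare the reported integrity level.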

Overall this is a great change by Microsoft though. It makes Windows more secure when users disable UAC. It's good to know about if you develop software for Windows.

5 comment(s)

André on Saturday, May 26, 2012 (06:05:05) says:

Moving the UAC slider to the bottom no longer disables UAC in Windows 8. UAC is still on! This was done because Metro apps CAN'T run if UAC is OFF. If you disable the EnableLUA setting in the registry, UAC is off and you have a full admin token, but no Metro apps can be launched.

Wladimir Palant on Saturday, May 26, 2012 (08:05:14) says:

Could you expand on the last paragraph? I fail to see how this change improves security. Sure, a process that has been compromised (buffer overflow or whatever) won't have highest privileges automatically. But if UAC is off it will be able to request them at any time nevertheless. Effectively, it's the same situation as in Windows 7 with UAC off, only one more step required. And I don't see why malware authors would be afraid of doing that step.

Neil Rashbrook on Saturday, May 26, 2012 (11:05:26) says:

Why does it matter whether you use the service or a free elevation?

Ian Thomas on Saturday, May 26, 2012 (11:05:51) says:

Aren't they basically just removing the ability to turn off UAC? Presumably they can afford to do that now applications have learnt to deal with the UAC restrictions, whereas if they had done it when they launched Vista then lots of applications would have been incompatible.

Brian R. Bondy on Saturday, May 26, 2012 (01:05:24) says:

> Could you expand on the last paragraph?
> I fail to see how this change improves security.

It's better to have your non-malware process run as medium integrity. Sometimes things can be exploited where arbitrary code cannot be executed, but there is still an exploit to be had.

That's a good point though that if you can run arbitrary code through the exploit, then they are equivalent.

> Why does it matter whether you use the service or a
> free elevation?

Security has asked that we only use the service when we need to, so that updates only run as the SYSTEM account when needed. Personally I think it's the same, since any admin can install a service and start it, which would run as the SYSTEM account. Free elevation is a new concept though, only introduced in Windows 8, so this hasn't been discussed explicitly.

Maybe the second sentence in the above answer to the previous question is a reason why it's better to run the process only as SYSTEM when needed, and I think that's what security would say.

> Aren't they basically just removing the ability to
> turn off UAC? Presumably they can afford to do that
> now applications have learnt to deal with the
> UAC restrictions

In a way, but this run-as-medium-with-free-elevation concept is new. So whether you call that the new disabled or the new level when not disabled is up to you :)