Knowledge Base updates about UAC
I should be working on the Sysinternals book, but there were a couple of KB articles about User Account Control that needed some work. Writing KBs is not normally part of my job; in the past 15 years I've authored two that I can remember (the ones described here) and been a major contributor to just two or three more. In some ways writing a KB article is harder than writing a book because of the sometimes-stilted style guidelines that they require, which are designed to facilitate automated translation to other languages. Writing technical content that remains clear and accurate while also conforming to those guidelines is challenging.
Anyway, we updated two KB articles today:
Disabling User Account Control (UAC) on Windows Server (KB 2526083)
This was a relatively minor update. The text is clearer on some points that weren't as sharp as they could have been. The primary changes are in two bullet points under "Additional effects of disabling UAC". First: for some reason when we first published this KB, we kind of punted when it came to describing anything about UAC vs. Windows Explorer (a.k.a., "File Explorer" beginning in Windows 8). That's been addressed with a new bullet that references KB 950934, which got a complete rewrite (see below). Second, the bullet that describes LocalAccountTokenFilterPolicy and UAC's default restrictions on the use of local accounts over the network adds a caveat about how relaxing the restrictions can increase the risk of "Pass-the-Hash" or other forms of credential theft, referencing the recent Pass-the-Hash whitepaper.
When you click Continue for folder access in Windows Explorer, your user account is added to the ACL for the folder (KB 950934)
This KB was completely rewritten, including the title (the original content wasn't mine). It now covers all the details about when Explorer might prompt you to change a folder's permissions, why, and how. It describes how the behavior changes depending on whether UAC is enabled and on the folder's attributes and permissions. Finally, it describes some of the potentially undesirable side effects and offers some workarounds.
These KB changes were driven by a customer request. I expect they'll be helpful to other customers also.