UAC Processes and Interactions
Updated: May 11, 2009
Applies To: Windows 7, Windows Server 2003 R2
Windows 7 logon process
The following illustration demonstrates how the logon process for an administrator differs from the logon process for a standard user.
By default, standard users and administrators access resources and run applications in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start applications that do not perform administrative tasks (standard user applications). The standard user access token is then used to display the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user unless a user provides consent or credentials to approve an application to use a full administrative access token.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 7 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.
The term "elevate" is used to refer to the process in Windows 7 that prompts the user for consent or credentials to use a full administrator access token.
Each application that requires the administrator access token must prompt the administrator for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user access token from the parent process. Both the parent and child processes, however, must have the same integrity level.
Windows 7 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.
When a standard user attempts to run an application that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
The UAC user experience
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 7 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative task by providing approval. The default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. The UAC elevation prompting behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.
The consent and credential prompts
With UAC enabled, Windows 7 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed.
The consent prompt
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is a screen shot of the UAC consent prompt.
The credential prompt
The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. This standard user default prompt behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. Administrators can also be required to provide their credentials by setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting value to Prompt for credentials.
The following screen shot is an example of the UAC credential prompt.
UAC elevation prompts
The UAC elevation prompts are color-coded to be application-specific, enabling for immediate identification of an application's potential security risk. When an application attempts to run with an administrator's full access token, Windows 7 first analyzes the executable file to determine its publisher. Applications are first separated into three categories based on the executable file's publisher: Windows 7, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows 7 determines which color elevation prompt to present to the user.
The elevation prompt color-coding is as follows:
Red background with a red shield icon: The application is blocked by Group Policy or is from a publisher that is blocked.
Blue background with a blue and gold shield icon: The application is a Windows 7 administrative application, such as a Control Panel item.
Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
The elevation prompts use the same color-coding as the dialog boxes in Windows Internet Explorer 8.
Some Control Panel items, such as Date and Time Properties, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the Date and Time Properties Control Panel item.
The shield icon on the Change date and time button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
Securing the elevation prompt
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 7. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the User Account Control: Switch to the secure desktop when prompting for elevation policy setting enabled.
When an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks Yes or No, the desktop switches back to the user desktop.
Malware can present an imitation of the secure desktop, but when the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent, the malware does not gain elevation if the user clicks Yes on the imitation. If the policy setting is set to Prompt for credentials, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware does not gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue cannot occur unless a user previously installed the malware on the computer. Because processes requiring an administrator access token cannot silently install when UAC is enabled, the user must explicitly provide consent by clicking Yes or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon Group Policy.