Tuesday, July 15, 2008

Hacking Windows Vista’s User Account Control

Vista’s User Account Control is one of Vista’s new security tools—and is without a doubt, Vista’s most annoying feature as well. Here’s how to bend it to your will.

Quick, answer this: What’s the most maddening feature of Windows Vista? If you’re like 99% of the world, you’ll probably answer User Account Control (UAC). When you try to make any one of a variety of changes to Windows Vista, a UAC prompt appears, and you have to click the Continue button or enter a password before you proceed.

There’s some method to this madness. UAC is designed to stop your system and its files from being tampered with. If malware gets loose on your PC, the thinking goes, UAC will help stop it from doing damage because the malware won’t be able to click a Continue button or type in a password. You’ll get some warning before you try to make a change that will launch a UAC prompt.

The kind of UAC prompt that appears—either one that asks you to continue or one that asks you to type in your password—depends on whether you’re logged in as a standard user or an administrator. If you’re logged in as an administrator, you’ll only have to click Continue. If you’re logged in as a standard user, you’ll have to type in an administrator’s password. If there are multiple administrators set up on the computer, the prompt will include a list of all the administrators. You’ll have to type the password underneath the right administrator account.

UAC and Elevating Privileges
Before you hack UAC, you need to understand its guiding principle—that of the least-privileged user. Under it, an account is set up that has only the minimum amount of privileges needed in order to run the computer for most tasks. A standard user, in Windows Vista, is this least-privileged user.

But when a change needs to be made that can affect the overall operation or security of the operating system, the user’s privilege needs to be elevated. In other words, someone with greater privileges than the least-privileged user must make the change. That’s why a standard user will need to type in an administrator password to make a change, and why an administrator will have to confirm when he or she wants to make a change.

Hacking UAC
You’re not stuck with Windows Vista’s default behavior when it comes to UAC; you can change how UAC works on your PC. To do it, run Local Security Policy by typing secpol.msc in the Search box or command prompt and then pressing Enter. Now go to Security Settings/Local Policies/Security Options. This lets you edit various security policies on your PC, including those related to UAC. To edit a policy, double-click it, and fill in a dialog box—for example, choosing Enable or Disable.

secpol.msc is not available in the home editions of Windows Vista. However, you can use the Registry to make changes to UAC’s behavior. Launch the Registry Editor by typing regedit at the Start Search box or a command prompt. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and give the EnableLUA value a value of 0 to turn off UAC. You may need to reboot in order for the change to take effect. The rest of this hack includes the registry values (all under that same System key) for many of the settings you can change in UAC.

You’ll need to edit these policies to hack UAC:
User Account Control: Admin Approval Mode for the Built-In Administrator Account
Registry key: FilterAdministratorToken. This determines whether the main Administrator account is subject to UAC. Enabling it means that the account will be treated by UAC like any other administrator; the prompt will appear as normal. If it is not enabled, no prompt will appear for the Administrator account but will appear for standard user accounts.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Registry key: ConsentPromptBehaviorAdmin. This determines what prompt appears for administrators (members of the Administrators Group, not the built-in Administrator account). The default is Prompt for Consent, which means that a UAC prompt will appear, and the administrator needs to click Continue or Cancel. You can also choose Prompt for Credentials, in which case the administrator password will have to be typed in. If you choose No Prompt, a UAC prompt won’t appear, and you can make the change.

User Account Control: Behavior of the elevation prompt for standard users
Registry key: ConsentPromptBehaviorUser. This determines what prompt appears for standard users. The choices are Prompt for Consent, Prompt for Credentials, or No Prompt. The default is Prompt for Credentials.

User Account Control: Detect application installations and prompt for elevation
Registry key: EnableInstallerDetection. By default, this is enabled, and so before software can be installed, UAC will ask for a prompt or a password. Disabling it allows software to be installed without the prompt.

User Account Control: Elevate only executables that are signed and validated
Registry key: ValidateAdminCodeSignatures. When enabled, UAC allows programs to be installed without a prompt if those programs have been properly signed and validated by their creators. By default it is disabled, and all programs, whether signed and validated or not, require the prompt.

User Account Control: Run all administrators in Admin Approval Mode
Registry key: EnableLUA. This setting requires all administrators (except for the built-in Administrator account) to give consent or supply credentials (depending on the setting of ConsentPromptBehaviorAdmin). By default, it is enabled.

User Account Control: Switch to the secure desktop when prompting for elevation
Registry key: PromptOnSecureDesktop. This determines whether Windows Vista will switch to the secure desktop when the prompt appears. You’ll notice that when the UAC prompt appears, the screen first goes black, and that when the prompt appears, the rest of the screen is dark. That’s the secure desktop. By default, the secure desktop is enabled.

User Account Control: Virtualize file and Registry write failures to per-user locations
Registry key: EnableVirtualization. This controls whether changes to the Registry made by standard users should be written to a special, virtual area, rather than directly to the Registry. This protects the Registry. By default, it is enabled.
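Before loosening any of these settings, it is worth knowing which ones on a given PC already differ from the Vista defaults listed above. The following PowerShell audit is an added example, not code from the original post: it reads the values under the System policy key described in this hack and flags each one that has been changed from its default, with a warning for the three that most weaken UAC. The default table and the numeric encodings for the two ConsentPromptBehavior values are my reading of the text plus Microsoft’s documented values; reading HKLM needs no elevation.

```powershell
# Audit the UAC policy values this hack describes against their Vista defaults.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Name -> default value. 1 = enabled, 0 = disabled for the on/off settings.
# ConsentPromptBehaviorAdmin: 0 = no prompt, 1 = prompt for credentials, 2 = prompt for consent
# ConsentPromptBehaviorUser:  0 = automatically deny elevation, 1 = prompt for credentials
$defaults = [ordered]@{
    EnableLUA                   = 1
    FilterAdministratorToken    = 0
    ConsentPromptBehaviorAdmin  = 2
    ConsentPromptBehaviorUser   = 1
    EnableInstallerDetection    = 1
    ValidateAdminCodeSignatures = 0
    PromptOnSecureDesktop       = 1
    EnableVirtualization        = 1
}

$props = Get-ItemProperty -Path $key

$findings = foreach ($name in $defaults.Keys) {
    $expected = $defaults[$name]
    $actual   = $props.$name
    # A value that is absent from the key means Windows uses its built-in default.
    if ($null -eq $actual) {
        $shown  = '(not set)'
        $status = 'default'
    } elseif ($actual -eq $expected) {
        $shown  = $actual
        $status = 'default'
    } else {
        $shown  = $actual
        $status = 'CHANGED'
    }
    [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $shown; Status = $status }
}
$findings | Format-Table -AutoSize

# Call out the changes that remove the protection UAC is there to provide.
if ($props.EnableLUA -eq 0) {
    Write-Warning 'EnableLUA is 0: UAC is off, so every administrator logon runs with a full token.'
}
if ($props.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'ConsentPromptBehaviorAdmin is 0: administrators elevate silently, and so does anything running as them.'
}
if ($props.PromptOnSecureDesktop -eq 0) {
    Write-Warning 'PromptOnSecureDesktop is 0: the prompt is drawn on the normal desktop, where other programs can interact with it.'
}
```

Run it again after making changes to confirm that only the settings you intended to change show as CHANGED.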

There is a great deal of confusion about administrator accounts in Windows Vista. There are in fact two different types of administrator accounts—the single, all-powerful, built-in Administrator account, and accounts that are part of the Administrators group. The Administrator account can do anything on the computer, while members of the Administrators group run much as standard users, except they can elevate their privileges by clicking a Continue button in a dialog box when prompted.

Turn Off UAC
If UAC prompts drive you around the bend, you can turn them off. Choose Control Panel -> User Accounts and Family Safety -> User Accounts, and click Turn User Account Control on or off.

Alternately, you can run the MSCONFIG tool by typing MSCONFIG at the command line or search box. When the tool runs, click the Tools tab, and scroll down until you see Disable UAC. Highlight it, and click the Launch button, then reboot. To turn it back on again, follow the same steps, except choose Enable UAC instead.

Hack the Elevated Command Prompt
When you try to run certain commands from the command prompt, you’re told that you don’t have administrative rights to run them, even if you’re currently logged in as an administrator.

The problem is that these commands are protected by UAC. So if you want to run them, you’ll have to run the command prompt itself as an administrator, which is called running an elevated command prompt.

One way to run an elevated command prompt is to type cmd into the Search box on the Start menu, right-click the command prompt icon that appears at the top of the Start menu, then select “Run as administrator.” You can also type cmd.exe into the search box, and press Ctrl-Shift-Enter to launch it as an administrator.

Do you really want to have to do that every time you want to run an elevated command prompt? Most likely not. Instead, create a Desktop shortcut for an elevated prompt, or pin an elevated prompt to the Start menu.

To create a shortcut to an elevated prompt on the Desktop:
1. Right-click the Desktop, and select New -> Shortcut.

2. In the text box of the Create Shortcut dialog box that appears, type CMD, and then click Next.

3. On the next screen, type a name for the shortcut, for example, Elevated Command Prompt. Then click Finish.

4. Right-click on the shortcut you just created, and select Properties.

5. Click the Shortcut tab, and click Advanced.

6. Check the box labeled “Run as administrator”, click OK, and then click OK again.

If you’d like the elevated command prompt to appear on the Start menu, drag it from the Desktop to the Start button, and place it where you would like it to be.
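The six steps above, done from PowerShell instead of the Desktop, as an added example that is not part of the original post. The WScript.Shell COM object can create the shortcut but has no property for the “Run as administrator” checkbox; that checkbox sets the RunAsUser bit (0x2000) in the LinkFlags field at offset 0x14 of the .lnk file header, so the script sets that bit directly after saving. The shortcut name and location are my choices.

```powershell
# Create a Desktop shortcut to cmd.exe and mark it "Run as administrator".
$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop 'Elevated Command Prompt.lnk'

# Steps 1-3: create the shortcut pointing at cmd.exe.
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)
$shortcut.TargetPath       = Join-Path $env:SystemRoot 'System32\cmd.exe'
$shortcut.WorkingDirectory = $env:SystemRoot
$shortcut.Description      = 'Command prompt that runs with administrative rights'
$shortcut.Save()

# Steps 4-6: the "Run as administrator" checkbox is the RunAsUser flag (0x00002000)
# in the 4-byte little-endian LinkFlags field at offset 0x14 of the shell link header.
# 0x2000 lands in the second byte of that field, so set bit 0x20 of the byte at 0x15.
$bytes = [System.IO.File]::ReadAllBytes($lnkPath)
$bytes[0x15] = $bytes[0x15] -bor 0x20
[System.IO.File]::WriteAllBytes($lnkPath, $bytes)

# Verify: the flag is set and the target is the one we asked for.
$check = [System.IO.File]::ReadAllBytes($lnkPath)
if (($check[0x15] -band 0x20) -eq 0) { throw 'RunAsUser flag was not set' }
Write-Host "Created $lnkPath (target: $($shell.CreateShortcut($lnkPath).TargetPath))"
```

Launching the shortcut still produces the UAC consent prompt; the flag only tells Explorer to request elevation, it does not bypass the prompt.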

When a user is asked to type in an administrator password, it’s called credential prompting; when an administrator is asked to permit an operation, it’s called consent prompting.
