User Account Control (UAC) changes the way that
applications are installed and run, where applications write data, and
what permissions applications have. In this section, I’ll look at how
UAC affects application installation, from application security tokens
to file and registry virtualization to run levels. This information is
essential when you are installing and maintaining applications on
Windows 8.
1. Application Access Tokens and Location Virtualization
All applications used with Windows 8 are divided into two general categories:
- UAC-compliant: Any application written specifically for Windows Vista or later is considered a compliant application. Applications certified as complying with the Windows 8 architecture have the UAC-compliant logo.
- Legacy: Any application written for Windows XP or an earlier version of Windows is considered a legacy application.
The distinction between UAC-compliant applications and legacy
applications is important because of the architectural changes required
to support UAC. UAC-compliant applications use UAC to reduce the attack
surface of the operating system. They do this by preventing
unauthorized applications from installing or running without the user’s
consent and by restricting the default privileges granted to
applications. These measures make it harder for malicious software to
take over a computer.
Note
The Windows 8 component responsible for UAC is the Application
Information service. This service facilitates the running of
interactive applications with an “administrator” access token. You can
see the difference between the administrator
user and standard user access tokens by opening two Command Prompt
windows, running one with elevation (press and hold or right-click, and
then tap or click Run As Administrator), and the other as a standard
user. In each window, type whoami /all and compare the results. Both access tokens have the same security identifiers (SIDs), but the elevated administrator user access token has more privileges than the standard user access token.
All applications that run on Windows 8 derive their security context
from the current user’s access token. By default, UAC turns all users
into standard users even if they are members of the Administrators
group. If an administrator user consents to the use of her
administrator privileges, a new access token is created for the user.
It contains all the user’s privileges, and this access token—rather
than the user’s standard access token—is used to start an application or process.
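The comparison the Note above describes can be scripted. The following is an added example, not code from the book: it parses the CSV output of whoami /groups and whoami /priv (both real options of the whoami tool) to tell whether the current PowerShell session holds the filtered standard token or the full administrator token that UAC creates after consent. The well-known SID S-1-5-32-544 for BUILTIN\Administrators and the .NET IsInRole cross-check are standard Windows facts; run the function once in a normal window and once in an elevated one.

```powershell
# Added example (not from the book): classify the current token as
# standard user, filtered administrator (not elevated) or full administrator.
function Get-TokenSummary {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # BUILTIN\Administrators is S-1-5-32-544. In the filtered standard token UAC
    # keeps the SID but marks it "Group used for deny only", so it can never
    # grant access; in the elevated token it is an ordinary enabled group.
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'

    $state = if (-not $admins) {
        'standard user (not a member of Administrators)'
    } elseif ($admins.Attributes -match 'deny only') {
        'administrator, filtered standard token (not elevated)'
    } else {
        'administrator, full token (elevated)'
    }

    # Independent cross-check through .NET: IsInRole() honours deny-only
    # groups, so it is true only for the full administrator token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User              = $identity.Name
        UserSid           = $identity.User.Value   # same SID in both windows
        TokenState        = $state
        IsElevatedDotNet  = $elevated
        PrivilegeCount    = @($privs).Count        # far fewer rows in the filtered token
        EnabledPrivileges = (@($privs | Where-Object State -eq 'Enabled').'Privilege Name') -join ', '
    }
}

Get-TokenSummary | Format-List
```

The user SID is identical in both windows, which is the point of the Note; what differs is the attribute on the Administrators group and the list of privileges, which is why checks that merely look for the Administrators SID in a token are not enough to decide whether a process is elevated.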
In Windows 8, most applications can run using a standard user access
token. Whether applications need to run with standard or administrator
privileges depends on the actions the application performs. Applications that require administrator privileges, referred to as administrator user applications, differ from applications that require standard user privileges, referred to as standard user applications, in the following ways:
- Administrator user applications require elevated privileges to run and perform core tasks. Once started in elevated mode, an application with a user’s administrator access token can perform tasks that require administrator privileges and can also write to system locations of the registry and the file system.
- Standard user applications do not require elevated privileges to run or to perform core tasks. Once started in standard user mode, an application with a user’s standard access token must request elevated privileges to perform administration tasks. For all other tasks, the application should not run using elevated privileges. Further, the application should write data only to nonsystem locations of the registry and the file system.
Applications not written for Windows 8 run with a user’s standard
access token by default. To support the UAC architecture, these
applications run in a special compatibility mode and use file system
and registry virtualization
to provide “virtualized” views of file and registry locations. When an
application attempts to write to a system location, Windows 8 gives the
application a private copy of the file or registry value. Any changes
are then written to the private copy, and this private copy is then
stored in the user’s profile data. If the application attempts to read
or write to this system location again, it is given the private copy
from the user’s profile to work with. By default, if an error occurs
when the application is working with virtualized data, the error
notification and logging information show the virtualized location
rather than the actual location that the application was trying to work
with.
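Because error messages show the virtualized location rather than the real one, it helps to know where those private copies live. The following is an added example, not code from the book: it lists the per-user VirtualStore for both the file system and the registry and maps each entry back to the system location the legacy application believed it was writing to. The two store locations (%LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE) are the standard ones used by UAC virtualization; the function and property names are this example's own.

```powershell
# Added example (not from the book): audit what legacy applications have
# written into the user's VirtualStore, i.e. the private copies Windows hands
# out when a non-UAC-aware application writes to a system location.
function Get-VirtualStoreContents {
    # Assumption: default virtualization store locations.
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore'

    $files = @()
    if (Test-Path $fileStore) {
        $files = Get-ChildItem -Path $fileStore -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind          = 'File'
                    VirtualPath   = $_.FullName
                    # The tree under VirtualStore mirrors the real path, so
                    # "VirtualStore\Program Files\X" came from "C:\Program Files\X".
                    RealLocation  = $env:SystemDrive + $_.FullName.Substring($fileStore.Length)
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }

    $keys = @()
    if (Test-Path $regStore) {
        $keys = Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind          = 'Registry'
                    VirtualPath   = $_.Name
                    # ...\VirtualStore\MACHINE\SOFTWARE\X mirrors HKLM\SOFTWARE\X.
                    RealLocation  = $_.Name -replace '^.*\\VirtualStore\\MACHINE\\', 'HKEY_LOCAL_MACHINE\'
                    LastWriteTime = $null
                }
            }
    }

    @($files) + @($keys)
}

Get-VirtualStoreContents | Format-Table Kind, RealLocation, VirtualPath -AutoSize
```

An entry in this listing tells you two things at once: which installed application is still writing to Program Files or HKLM as if it ran as an administrator, and which file or key an error message is really referring to when it names the virtualized location.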
2. Application Integrity and Run Levels
The focus on standard user and administrator privileges also changes
the general permissions required to install and run applications. In
Windows XP and earlier versions of Windows, the Power Users group gave
users specific administrator privileges to perform basic system tasks
when installing and running applications. Applications written for
Windows 8 do not require the use of the Power Users group. Windows 8
maintains it only for legacy application compatibility.
As part of UAC, Windows 8 by default detects application
installations and prompts users for elevation to continue the
installation. Installation packages for UAC-compliant applications use
application manifests that contain run-level designations to help track
required privileges. Application manifests define the application’s
privileges as one of the following:
- RunAsInvoker: Run the application with the same privileges as the user. Any user can run the application. For a standard user or a user who is a member of the Administrators group, the application runs with a standard access token. The application runs with higher privileges only if the parent process from which it is started has an administrator access token. For example, if you open an elevated Command Prompt window and then start an application from this window, the application runs with an administrator access token.
- RunAsHighest: Run the application with the highest privileges of the user. The application can be run by both administrator users and standard users. The tasks the application can perform depend on the user’s privileges. For a standard user, the application runs with a standard access token. For a user who is a member of a group with additional privileges, such as the Backup Operators, Server Operators, or Account Operators group, the application runs with a partial administrator access token that contains only the privileges the user has been granted. For a user who is a member of the Administrators group, the application runs with a full administrator access token.
- RunAsAdmin: Run the application with administrator privileges. Only administrators can run the application. For a standard user or a user who is a member of a group with additional privileges, the application runs only if the user can be prompted for credentials required to run in elevated mode or if the application is started from an elevated process, such as an elevated Command Prompt window. For a user who is a member of the Administrators group, the application runs with an administrator access token.
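In the manifest itself these three designations appear as the level attribute of the requestedExecutionLevel element, with the values asInvoker, highestAvailable and requireAdministrator. The following is an added example, not code from the book: a small manifest constructed for the example, and a function that reads the run level out of it and reports which of the three behaviours described above applies. The function and the sample manifest are this example's own; the element names and namespace are the real ones Windows uses.

```powershell
# Added example (not from the book): extract the requestedExecutionLevel from an
# application manifest and map it to the run-level names used above.
# Constructed sample manifest; a real one is embedded in the executable as a
# resource or sits beside it as <app>.exe.manifest.
$sampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

function Get-ManifestRunLevel {
    param([Parameter(Mandatory)][string]$ManifestXml)

    [xml]$doc = $ManifestXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('asmv3', 'urn:schemas-microsoft-com:asm.v3')
    $node = $doc.SelectSingleNode('//asmv3:requestedExecutionLevel', $ns)

    # No trustInfo section at all: Windows treats the program like a legacy
    # application, so installer detection and virtualization may apply.
    if (-not $node) {
        return [pscustomobject]@{ Level = $null; RunLevel = 'none (legacy behaviour)'; UiAccess = $false }
    }

    $map = @{
        'asInvoker'            = 'RunAsInvoker: same token as the parent process'
        'highestAvailable'     = 'RunAsHighest: full admin token for administrators, otherwise the user''s own token'
        'requireAdministrator' = 'RunAsAdmin: elevation prompt; cannot start for users who cannot elevate'
    }
    $level = $node.GetAttribute('level')
    $desc  = if ($map.ContainsKey($level)) { $map[$level] } else { "unknown level '$level'" }

    [pscustomobject]@{
        Level    = $level
        RunLevel = $desc
        UiAccess = ($node.GetAttribute('uiAccess') -eq 'true')
    }
}

Get-ManifestRunLevel -ManifestXml $sampleManifest
```

When reviewing a package before deployment, requireAdministrator is the value to look at twice: every launch will prompt, and for standard users it will fail outright unless an administrator's credentials are entered, which is exactly the behaviour the RunAsAdmin description above spells out.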
To protect application processes, Windows 8 labels them with
integrity levels ranging from high to low. Applications that modify
system data, such as Disk Management, are considered high integrity.
Applications performing tasks that could compromise the operating
system, such as Windows Internet Explorer 8 in Windows 8, are
considered low integrity. Applications with lower integrity levels
cannot modify data in applications with higher integrity levels.
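The integrity label is carried in the process token and can be read with the same whoami /groups output used earlier in this section. The following is an added example, not code from the book; it goes beyond the text in one respect: besides showing the current process's label it also places a Low integrity label on a scratch folder with icacls and reads it back, since files and folders carry labels too and the same rule (a lower-integrity process cannot write to a higher-labelled object) governs them. The S-1-16-* SIDs for the Low, Medium and High labels and the icacls /setintegritylevel option are real; the function names and the scratch folder are this example's own.

```powershell
# Added example (not from the book): integrity labels on the process token
# and on a file system object.
function Get-ProcessIntegrityLevel {
    # whoami /groups lists the token's mandatory label as a row of type "Label".
    $label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object Type -eq 'Label'
    [pscustomobject]@{
        Label = $label.'Group Name'   # e.g. "Mandatory Label\Medium Mandatory Level"
        Sid   = $label.SID            # S-1-16-4096 Low, S-1-16-8192 Medium, S-1-16-12288 High
    }
}

function Show-LowIntegrityFolderLabel {
    # Create a scratch folder, mark it Low integrity, read the label back, clean up.
    $dir = Join-Path $env:TEMP ('il-demo-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        # (OI)(CI) lets the label inherit to files and subfolders; L = Low.
        icacls $dir /setintegritylevel '(OI)(CI)L' | Out-Null
        # The mandatory label shows up in the ACL listing; (NW) = "no write up",
        # i.e. processes below this level cannot write here.
        (icacls $dir) -match 'Mandatory Label'
    } finally {
        # A Medium-integrity process may still delete a Low-labelled folder.
        Remove-Item -Path $dir -Recurse -Force
    }
}

Get-ProcessIntegrityLevel
Show-LowIntegrityFolderLabel
```

Run from an ordinary window the first function reports the Medium label; from an elevated window it reports High. The folder listing shows the label Internet Explorer's protected mode relies on: a Low-integrity process can read the folder but, because of the no-write-up rule, cannot modify anything labelled Medium or above.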
Windows 8 identifies the publisher of any application that attempts
to run with an administrator’s full access token. Then, depending on
that publisher, Windows 8 marks the application as belonging to one of
the following three categories:
To help you quickly identify the potential security risk of installing or running the application,
a color-coded elevation prompt displays a particular message depending
on the category to which the application belongs:
- If the application is from a blocked publisher or is blocked by Group Policy, the elevation prompt has a red background and displays the message “The application is blocked from running.”
- If the application is administrative (such as Computer Management), the elevation prompt has a blue-green background and displays the message “Windows needs your permission to continue.”
- If the application has been signed by Authenticode and is trusted by the local computer, the elevation prompt has a gray background and displays the message “A program needs your permission to continue.”
- If the application is unsigned (or is signed but not yet trusted), the elevation prompt has a yellow background and red shield icon and displays the message “An unidentified program wants access to your computer.”
Prompting on the secure desktop can be used to further secure the
elevation process. The secure desktop safeguards the elevation process
by preventing spoofing of the elevation prompt.
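Whether the prompt appears on the secure desktop, whether installations are detected, and whether virtualization is on are all policy values under one registry key. The following is an added example, not code from the book: it reads the UAC policy values that control the behaviour described in this section and flags the settings that weaken it. The key path and value names (EnableLUA, PromptOnSecureDesktop, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, EnableInstallerDetection, EnableVirtualization, ValidateAdminCodeSignatures) are the documented UAC policy values; the function name and the wording of the findings are this example's own. A value that is absent from the key means Windows is using its built-in default.

```powershell
# Added example (not from the book): report the UAC policy values and flag
# the ones that weaken elevation, in particular prompting off the secure desktop.
function Get-UacPolicyReport {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key

    $names = 'EnableLUA', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorAdmin',
             'ConsentPromptBehaviorUser', 'EnableInstallerDetection',
             'EnableVirtualization', 'ValidateAdminCodeSignatures'

    foreach ($name in $names) {
        $value = $props.$name   # $null when the value is absent (Windows default applies)

        $finding = switch ($name) {
            'EnableLUA'                   { if ($value -eq 0) { 'UAC disabled: administrators always get a full token' } }
            'PromptOnSecureDesktop'       { if ($value -eq 0) { 'prompt shown on the interactive desktop and can be spoofed' } }
            'ConsentPromptBehaviorAdmin'  { if ($value -eq 0) { 'administrators elevate without any prompt' } }
            'EnableInstallerDetection'    { if ($value -eq 0) { 'installers are not detected, so no elevation prompt on install' } }
            'EnableVirtualization'        { if ($value -eq 0) { 'legacy applications fail on system writes instead of being redirected' } }
            'ValidateAdminCodeSignatures' { if ($value -eq 1) { 'only signed and validated executables are allowed to elevate' } }
            default                       { $null }
        }

        [pscustomobject]@{ Setting = $name; Value = $value; Note = $finding }
    }
}

Get-UacPolicyReport | Format-Table -AutoSize
```

The key is readable by standard users, so the report can run without elevation; changing any of these values, by contrast, requires an administrator and is normally done through Group Policy rather than by editing the key directly.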