uac Microsoft’s Windows 7 blog has an interesting post about UAC (User Account Control). Ben Fathi, vice president for core OS development, reveals some data from Vista’s Customer Experience Improvement Program about UAC and describes how Microsoft intends to change Windows 7 UAC. This is the essential information Microsoft gathered in one year (May 07 - May 08, Aug 07 - Aug 08):

Latest posts by Michael Pietroforte (see all)
  • The number of applications and tasks generating a prompt has declined from 775,312 to 168,149
  • The number of sessions with one or more UAC prompts has declined from 50% to 33% of sessions with Vista SP1
  • Windows itself accounts for about 40% of all UAC prompts
  • Windows components accounted for 17 of the top 50 UAC prompts in Vista and 29 of the top 50 in Vista SP1
  • In one lab study we conducted, only 13% of participants could provide specific details about why they were seeing a UAC dialog in Vista

I think it was expected that the number of UAC prompts would decline for three reasons:

  • Many disabled either UAC or just the prompts
  • Microsoft improved UAC with Service Pack 1
  • Software publishers adopted their applications

Mr. Fathi doesn’t say anything about the number of machines that have the UAC prompts disabled. I think this would be the most interesting data. Another reason why the number of prompts has declined could be that most users have configured their desktops by now. However, I think this argument is not valid, because Vista adoption is still growing fast.

Another number I am missing is the times UAC actually prevented malware from being installed on Vista. I have been using Vista since its beta release on several machines and, thus far, all UAC prompts were only “false positives.” But perhaps I’m not a good example, because malware very seldom manages to reach my computers. At least, my anti-virus software hasn’t triggered an alarm for ages.

I still don’t believe that prompts of any kind really improve security, because most users click them away without really being aware of it. Microsoft’s data confirms this. Also, UAC might lull users into a false sense of security. Not all malware requires admin privileges. Thus, UAC might reduce security in some cases if users believe that everything is okay as long as there is no UAC prompt.

I think Microsoft is quite aware of all this. It is no secret that UAC was mostly introduced to force developers to write secure software. No software publisher wants to annoy users with constant UAC prompts. This approach obviously worked. Hence, we admins should be very thankful to Microsoft. UAC is one of the major reasons why Vista got bashed heavily. It didn’t just annoy many customers with its prompts; it also broke many applications. Microsoft must have known this. But UAC is a long-term project. When more software vendors adopt their applications, it will improve security significantly in the long run. Hence, this was a necessary step Microsoft had to take even though it costs them market share now.

Most interesting certainly is how Microsoft will change UAC in Windows 7. Unfortunately, Ben Fathi isn’t quite specific here:

  • Reduce unnecessary or duplicated prompts in Windows and the ecosystem, such that critical prompts can be more easily identified
  • Enable our customers to be more confident that they are in control of their systems
  • Make prompts informative such that people can make more confident choices
  • Provide better and more obvious control over the mechanism

The first point is clear. But it remains to be seen whether there still is much room for improvement after Vista SP1. I don’t understand the second point. I don’t think security prompts will ever increase confidence in anything. More informative prompts might be helpful in some cases, but since most users don’t read UAC prompts anyway, this won’t change much with to regard to the user experience. The last point could be the most interesting one from an administrator’s point of view. I wished Mr. Fathi had revealed a little more here.

Subscribe to 4sysops newsletter!

What I am really missing is a feature that allows me to exclude certain apps and users from UAC. Basically, I want all the features that sudo has under Linux. A su command that allows an admin to turn off UAC temporarily without hassle is also on my wish list. However, I doubt somehow that Microsoft will fulfill my wishes in Windows 7.

3 Comments
  1. Christoph 13 years ago

    You know, in the end, even IT departments with homogenous OS structure might be well advised to migrate, if only partially, to Vista+Server2008 first and adapt to all the new "goodies" and internal changes coming with this transition.
    The step from XP+2K3R2 to Win7+whatever server version (speculation: 2008 SP2 with special scheme changes for W7) is determined for W7 environments could proove to be a lot more difficult and generate a lot more administrative work in the end.
    There I said it.

  2. I absolutely agree. Most people who want to skip Vista think that they can save time and money this way. I think this is only true if you can avoid buying new computers. However, in most cases this strategy doesn’t work because old computers with XP also tend to become slow over time. Usually, one has to upgrade applications for which the old XP computers are not powerful enough.

  3. Dan Gilbert 13 years ago

    I tried using UAC. I just couldn't do it. I run too many scripts and have enough legacy programs that need to run as an administrator. UAC was getting too many false positives and even worse was completely blocking several scripts from even running. Until UAC has the ability to selectively exclude individual programs/files I will not be able to use it.

    I used WinSudo for quite some time under XP and believe that something along those lines for Vista would be a MUCH better option for true LUA experience.

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account