Windows administration
At a glance: Running as a standard user File and registry virtualisation Elevating account status
Inside Windows Vista User Account Control
Mark Russinovich
User Account Control next issue, I discuss the problems UAC solves and describe the architecture and implemen- (UAC) is an often tation of its component technologies. These technologies include the refactoring of op- misunderstood feature erations that previously required adminis- trative rights, lightweight virtualisation to in Windows Vista. In my help programs run correctly without admin- istrative rights, the ability for programs to previous TechNet articles explicitly request administrative rights, and isolation of administrative processes from on Windows Vista non-administrative processes running on the same user desktop. kernel changes, available UAC’s goal at www.microsoft.com/uk/ UAC is meant to enable users to run with standard user rights, as opposed to adminis- technetmagazine, I didn’t trative rights. Administrative rights give us- ers the ability to read and modify any part cover UAC because I of the operating system, including the code and data of other users – and even Windows felt it merited its own itself. Without administrative rights users cannot accidentally (or deliberately) modify article. In a two-part system settings, malware can’t alter system security settings or disable antivirus soft- series, concluding ware, and users can’t compromise the sen-
32 To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine
32_36_Vista.desfin1.indd 32 9/8/07 15:23:19 sitive information of other users on shared ing the system time. A laptop user who wants computers. Running with standard user to configure the local time zone so that their Prior to rights can therefore reduce urgent help desk appointments show correctly in their calen- calls in corporate environments, mitigate the dar when they travel must have the ‘Change Windows impact of malware, keep home computers the system time’ privilege (internally called running more smoothly and protect sensi- SeSystemTimePrivilege), which by default is Vista, the tive data on shared computers. only granted to administrators. UAC had to address several problems to Time is commonly used in security pro- Windows make it practical to run with a standard user tocols like Kerberos, but the time zone only account. First, prior to Windows Vista, the affects the way that time is displayed, so usage model Windows usage model had been one of as- Windows Vista adds a new privilege, ‘Change sumed administrative rights. Software devel- the time zone’ (SeTimeZonePrivilege), and had been one opers assumed their programs could access assigns it to the Users group, as seen in Figure and modify any file, registry key or operat- 1. This makes it possible for many corpora- of assumed ing system setting. Even when Windows tions to have their laptop users run under NT introduced security and differentiat- standard user accounts. administrative ed between accesses granted to administra- Windows Vista also lets standard users tive and standard user accounts, users were configure WEP settings when they connect rights guided through a setup process that encour- to wireless networks, create VPN connec- aged them to use the built-in Administrator tions, change power management settings account or one that was a member of the and install critical Windows updates. In ad- Administrators group. dition, it introduces Group Policy settings The second problem UAC had to address that enable standard users to install printer was that users sometimes need administra- and other device drivers approved by IT ad- tive rights to perform such operations as in- ministrators and to install ActiveX® controls stalling software, changing the system time from administrator-approved sites. and opening ports in the firewall. What about consumer and line of busi- The UAC solution to these problems is ness (LOB) applications that do not run cor- to run most applications with standard user rectly in standard user accounts? While some rights, obviate the need for administrator software legitimately requires administrative rights all the time and encourage software rights, many programs needlessly store user developers to create applications that run data in system-global locations. Microsoft with standard user rights. UAC accomplish- recommends that global application installers es these by requiring administrative rights that expect to run with administrative rights less frequently, enabling legacy applications create a directory under the %ProgramFiles% to run with standard user rights, making it directory to store their application’s exe- convenient for standard users to access ad- cutable files and auxiliary data and create ministrative rights when they need them and a key under HKEY_LOCAL_MACHINE\ enabling even administrative users to run as Software for their application settings. if they were standard users. When an application executes, it can be run- ning in different user accounts and it should Running as a standard user therefore store user-specific data in the per- A full audit of all administrative operations user %AppData% directory and save per-user during the development of Windows Vista identified many that could be enabled for standard users without compromising the security of the system. For example, even corporations that adopted standard user ac- counts for their Windows XP desktop sys- tems were unable to remove their travelling users from the Administrators group for the sole reason that Windows XP does not differ- entiate changing the time zone from chang- Figure 1 The ‘Change the time zone’ privilege
TechNet Magazine September 2007 33
32_36_Vista.desfin1.indd 33 9/8/07 15:23:22 Windows administration
settings in the user’s registry pro- file under HKEY_CURRENT_USER\ Software. Standard user accounts don’t have write-access to the %Program Files% directory or HKEY_LOCAL_ MACHINE\Software, but because most Windows systems are single-user and most users have been administra- tors up until Windows Vista, apps that incorrectly save user data and settings to these locations work anyway. Windows Vista enables these legacy applications to run in standard user ac- counts through the help of file system and registry namespace virtualisation. When an application modifies a sys- tem-global location in the file system or registry and that operation fails be- Figure 2 Task Manager shows virtualisation status cause access is denied, Windows redi- rects the operation to a per-user area; when the application reads from a sys- tem-global location, Windows first The effects of virtualisation checks for data in the per-user area and, if none is present, permits the read at- You can change the virtualisation status of a process by selecting Virtualization tempt from the global location. from the context menu that appears when you right-click it in Task Manager. For the purposes of this virtualisa- Figure A shows the behaviour of a command prompt when its virtualisation tion, Windows Vista treats a process status changes. It starts out with virtualisation disabled because it has a as legacy if it’s 32-bit (versus 64-bit), Windows Vista manifest. Because it’s running with standard user rights, it is unable to create a file in the \Windows directory, but after it becomes virtualised with Task Manager it appears to create the file successfully. When Vista enables its virtualisation returns to its disabled state it can’t find the file, which is actually in the user’s virtual store. legacy apps to run in standard user Virtualization Disabled Virtualization Enabled accounts through virtualisation
is not running with administrative Virtualization Disabled rights and does not have a manifest file indicating that it was written for Windows Vista. Any operations not originating from a process classified as legacy according to this definition, in- cluding network file sharing accesses, are not virtualised. A process’s virtual- isation status is stored as a flag in its token, which is the kernel data struc- Figure A Virtualisation status change ture that tracks the security context of a process, including its user account, group memberships and privileges.
34 To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine
32_36_Vista.desfin1.indd 34 9/8/07 15:23:32 You can see the virtualisation status of a process by adding the Virtualisation column to Task Manager’s Processes page. Figure 2 shows that most Win dows Vista components, including Desktop Window Manager (Dwm .exe), Client Server Runtime Subsystem (Csrss.exe) and Explorer, either have virtualisation disabled because they have a Windows Vista manifest or are running with administrative rights and hence do not allow virtualisation. Internet Explorer (iexplore.exe) has vir- tualisation enabled because it can host multiple ActiveX controls and scripts and must assume that they were not Figure 3 Compatibility Files button indicates virtualised files nearby written to operate correctly with stan- dard user rights. The file system locations that are of the profile when the account has a virtualised for legacy processes are roaming profile. %ProgramFiles%, %ProgramData% If you navigate in Explorer to a di- and %SystemRoot%, excluding some rectory containing virtualised files, specific subdirectories. However, any Explorer displays a button labelled file with an executable extension, Compatibility Files in its toolbar, as including .exe, .bat, .scr, .vbs, and shown in Figure 3. Clicking the but- others, is excluded from virtualisa- ton navigates you to the correspond- tion. This means that programs that ing VirtualStore subdirectory to show update themselves from a standard you the virtualised files. user account fail instead of creating Figure 4 shows how the UAC File private versions of their executables Virtualization Filter Driver (%System that aren’t visible to an administrator Root%\System32\Drivers\Luafv.sys) running a global updater. To add addi- implements file system virtualisation. tional extensions to the exception list, Because it’s a file system filter driver, enter them in the following registry it sees all file system operations, but it key and reboot: only implements functionality for op- User Mode erations from legacy processes. You can HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services\Luafv\Parameters\ see that it changes the target file path Legacy Application Windows Vista Application ExcludedExtensionsAdd for a legacy process that creates a file Use a multi-string type to delimit mul- in a system-global location, but does tiple extensions and do not include a not for a process running a Windows Write to \Windows\App.ini leading dot in the extension name. Vista application with standard user Modifications to virtualised directo- rights. The legacy process believes that Kernel Mode ries by legacy processes redirect to the the operation succeeds when it really Luafv.sys user’s virtual root directory, %Local created the file in a location fully ac- AppData%\VirtualStore. For example, cessible by the user, but default per- if a virtualised process that is running missions on the \Windows directory Write to on my system creates C:\Windows\ deny access to the application written \Users\
TechNet Magazine September 2007 35
32_36_Vista.desfin1.indd 35 9/8/07 15:23:36 Windows administration
there are numerous exceptions, such Figure 6 shows how registry vir- as the following: tualisation is implemented by the
HKLM\Software\Microsoft\Windows Configuration Manager, which man- HKLM\Software\Microsoft\Windows NT ages the registry in the operating sys- HKLM\Software\Classes tem kernel, Ntoskrnl.exe. As with file Only keys that are commonly mod- system virtualisation, a legacy process Figure 5 The Reg.exe utility shows ified by legacy applications, but that creating a subkey of a virtualised key is virtualisation flags don’t introduce compatibility or in- redirected to the user’s registry virtu- teroperability problems, are virtualised. al root, but a Windows Vista process is Windows redirects modifications of denied access by default permissions. User Mode virtualised keys by a legacy application to a user’s registry virtual root at HKEY_ Legacy Application Windows Vista Application CURRENT_USER\Software\Classes\ Some apps require VirtualStore. The key is located in the Write to HKEY_LOCAL_MACHINE user’s Classes hive, %LocalAppData%\ additional help to Microsoft\Windows\UsrClass.dat, which, like any other virtualised file run correctly with Kernel Mode Access Denied data, does not roam with a roaming Ntoskrnl.exe user profile. standard user rights Instead of keeping a fixed list of vir- Write to tualised locations as Windows does for In addition to file system and reg- HKEY_CURRENT_ USER\Software\ the file system, the virtualisation status istry virtualisation, some applications Classes\VirtualStore\ Machine\Software\App of a key is stored as a flag, REG_KEY_ require additional help to run cor- DONT_VIRTUALIZE, in the key itself. rectly with standard user rights. For The Reg.exe utility can show the flag example, an application that tests the and the two other virtualisation-relat- account in which it’s running for mem- Registry ed flags, REG_KEY_DONT_SILENT_ bership in the Administrators group FAIL and REG_KEY_RECURSE_ might otherwise work, but won’t run Figure 6 Registry virtualisation FLAG (Figure 5). When REG_KEY_ if it’s not in that group. Windows Vista DONT_SILENT_FAIL is set and the therefore defines a number of applica- key is not virtualised (REG_KEY_ tion-compatibility shims so that such DONT_VIRTUALIZE is set), a legacy applications work anyway. The shims application that would be denied ac- most commonly applied to legacy ap- cess performing an operation on the plications for operation with standard key is instead granted any access the rights are shown in Figure 7. Corporate user has to the key rather than the ones IT professionals can use tools like the the application requested. REG_KEY_ Application Compatibility Toolkit RECURSE_FLAG indicates if new sub- (ACT, from technet.microsoft.com/ keys inherit the virtualisation flags of windowsvista/aa905066.aspx) and its the parent instead of the default flags. Standard User Analyzer (SUA) utili- ty, or Aaron Margosis’s LUA Buglight (blogs.msdn.com/aaron_margosis/ Figure 7 Common user shims archive/2006/08/07/LuaBuglight.aspx) Shim Purpose to identify the shim requirements ElevateCreateProcess Changes CreateProcess to handle ERROR_ELEVATION_ for their LOB applications. They as- REQUIRED errors by calling the Application Information Service to prompt for elevation. sign shims to an application using the Compatibility Administrator, also part ForceAdminAccess Spoofs queries of administrator group membership. of ACT, and then deploy the resulting VirtualizeDeleteFile Spoofs successful deletion of global files and directories. compatibility database (.sdb file) to their
LocalMappedObject Forces global section objects into the user’s namespace. desktops via Group Policy. Note that, if required, virtualisation can be com- VirtualizeHKCRLite, Redirects global registration of COM objects to a per-user VirtualizeRegisterTypeLib location. pletely disabled for a system using a lo- cal security policy setting. ■
36 To get your FREE copy of TechNet Magazine subscribe at: www.microsoft.com/uk/technetmagazine
32_36_Vista.desfin1.indd 36 9/8/07 15:23:40