Q&A: Understanding UAC prompt/alert usefulness

Kingdiamond

Level 1
Thread author
Nov 18, 2021
17
Hello all.

I'm just trying to understand User Account Control prompts.
First of all, will UAC be activated under a Standard User Account? Is it the same as SUA?

For a beginner, is it a good idea to use UAC prompts? Will it be another layer of security?
Will there be too many prompts due to legitimate system processes taking place, and end up confusing me?

OK, let's say I am just surfing websites, doing high-risk video streaming in a sandboxed environment, and not doing anything else, no other programs running... if there is a UAC prompt, I should cancel it, right? Even if cancelling it may cause the video to stop running due to possible malware?


If I'm to open another program such as Photoshop, in order to avoid UAC prompt confusion, I shouldn't be browsing at the same time, so that any UAC prompt that happens due to system changes can be allowed.
And I shouldn't be connected to the Internet when I'm opening another program.

Does that make any sense?


I do understand a UAC prompt is not 100% foolproof against malware, it's a bit like anti-exe, but it's better to have it activated as another layer of protection?
 

Andy Ful

Level 78
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,796
First of all, will UAC be activated under a Standard User Account? Is it the same as SUA?
Technically, UAC warns the user when a process wants to get higher than standard privileges, and if allowed, the process runs without changing the user context.
Let's assume that you have a default admin account ("King" user) and an SUA ("Alice" user).
So if you started the process with standard rights as "King" and accepted the UAC prompt, then the process will run with high privileges, also as "King".

The above is not possible on SUA, because this account cannot host processes running with higher privileges. If you start the process from SUA as "Alice", you will see the prompt for Administrator credentials ("King" user credentials). After entering the credentials, the process will run as "King" with high privileges, even though the process window still runs on the "Alice" desktop with standard privileges.

For a beginner, is it a good idea to use UAC prompts? Will it be another layer of security?

It can be useful if you are not a happy-clicker. Most administrative processes and scheduled tasks do not run on SUA but silently run on administrative accounts.

Will there be too many prompts due to legitimate system processes taking place, and end up confusing me?

No.

OK, let's say I am just surfing websites, doing high-risk video streaming in a sandboxed environment, and not doing anything else, no other programs running... if there is a UAC prompt, I should cancel it, right? Even if cancelling it may cause the video to stop running due to possible malware?

If you do it on SUA, then you will rarely see the UAC prompt, mostly when one of your applications needs high privileges to auto-update. So, you can safely choose to cancel. This choice will not cause any harm. It is also good to look at the details about which process wants to elevate, and there is no need to hurry with allowing elevation.

If I'm to open another program such as Photoshop, in order to avoid UAC prompt confusion, I shouldn't be browsing at the same time, so that any UAC prompt that happens due to system changes can be allowed.
And I shouldn't be connected to the Internet when I'm opening another program.

This is not necessary. If you are busy doing something then simply choose to cancel the UAC prompt. You can note the process that wants to elevate and take a closer look at this later.

I do understand a UAC prompt is not 100% foolproof against malware, it's a bit like anti-exe, but it's better to have it activated as another layer of protection?

UAC set to MAX will prevent most UAC bypasses. So, most malware will not be able to get high privileges silently. Many malware samples will try to do it, and then you will be alerted about a possible infection. If you use a popular web browser and do not use applications that frequently update, then you will see the UAC prompt rarely. Applications from the Microsoft Store can auto-update without a UAC prompt.
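An added example to go with the "King"/"Alice" explanation above (this is not code from the thread or from any poster): a PowerShell script that reports which of the two tokens the current process holds. On an admin account the same user has a filtered ("Limited") token and, after a consent prompt, a "Full" token; on an SUA there is no linked token at all, and an elevated process started from Alice's desktop with King's credentials reports King as the user. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and uses only the documented advapi32 `GetTokenInformation` call; the output wording is my own.

```powershell
# Added example, not from the thread. Run it three times to see the three cases:
# 1) normally on an admin account, 2) via "Run as administrator", 3) on an SUA.
Add-Type -Namespace Uac -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    out int TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # TOKEN_INFORMATION_CLASS.TokenElevationType = 18. The DWORD that comes back is
    # a TOKEN_ELEVATION_TYPE: 1 = Default, 2 = Full, 3 = Limited.
    $type = 0; $len = 0
    $ok = [Uac.Native]::GetTokenInformation($identity.Token, 18, [ref]$type, 4, [ref]$len)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed, Win32 error $err"
    }

    $description = switch ($type) {
        # No linked token: a real standard user (SUA), UAC disabled, or the built-in
        # Administrator without Admin Approval Mode.
        1 { 'Default (no linked token: SUA, or UAC off)' }
        # The full token: a consent or credential prompt was passed (or a task/service
        # that already runs elevated started this process).
        2 { 'Full (elevated token)' }
        # The filtered token of an admin account: the Administrators SID is present
        # but marked deny-only, so this process has only standard rights.
        3 { 'Limited (filtered admin token, not elevated)' }
        default { "Unknown ($type)" }
    }

    [pscustomobject]@{
        # On an SUA elevated with King's credentials this is King, not Alice:
        # the user context changed, which is the account-separation point made later.
        User          = $identity.Name
        ElevationType = $description
        # IsInRole is true only if the Administrators SID is *enabled* in the token,
        # so it is $false for the Limited token even though the account is an admin.
        IsElevated    = $principal.IsInRole(
                            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-UacTokenState | Format-List
```

The useful check for a practitioner is `ElevationType`: a value of 3 means "admin account, not elevated", which is exactly the state a UAC bypass targets, while 1 on a non-admin account means there is simply no elevated token on this account to reach.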
 

Kingdiamond

Level 1
Thread author
Nov 18, 2021
17
Andy, much appreciation for the detailed reply. I think I know a lot more from your reply.

This forum is a great place for me to understand a lot more about systems and protections.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,761
UAC set to MAX will prevent most UAC bypasses.
Personally, I can't recall seeing any bypass for the MAX (Always Notify) setting. I do know several existed for the other levels.

Microsoft's documentation on what it is and how to use it is recommended for those that don't know or want to grasp more.
 

Andy Ful

Level 78
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,796
Personally, I can't recall seeing any bypass for the MAX (Always Notify) setting.
There were a few bypasses. One of them was discussed in my old thread, but it is currently blocked by Microsoft Defender. Currently, I do not know for sure if such an unpatched bypass exists. Unfortunately, I cannot test the latest bypass:
https://blog.0patch.com/2021/12/free-micropatches-for.html

It does not work on my test computer anymore (but worked a few days ago). From the video test, it follows that this bypass worked on SUA, so it should work also on an admin account with UAC on MAX.

Edit.
I confirmed that with disabled Defender, one of the known UAC bypasses still works with UAC on MAX.
 

Andy Ful

Level 78
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,796
The common way to bypass UAC MAX is by exploiting a scheduled task (or service) that already runs with admin rights. The design of the default admin account cannot be efficiently defended, because non-elevated and elevated processes can run on the same account. The design of SUA is much better.
 

Andy Ful

Level 78
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,796
An example can be the Disk Cleanup scheduled task (SilentCleanup). It can be run by the Users group and runs cleanmgr.exe:
%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%

If one runs cleanmgr.exe manually from Explorer by using "Run as administrator", then a UAC prompt is shown, and cleanmgr.exe runs as a child process of explorer.exe.
If one opens Task Scheduler and runs the SilentCleanup task (right-click ---> Run), then the task will run silently (no UAC prompt) with high privileges, and the parent-process tree is as follows:
svchost.exe >> taskhostw.exe >> cleanmgr.exe



Edit.
This behavior is normal because the task scheduler process already runs with high privileges. But, if one could exploit the SilentCleanup task, then the behavior would be the same (no UAC prompt on MAX UAC settings).
 
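An added example for the SilentCleanup post above (not code from the thread or from any poster): a PowerShell script that, first, lists every scheduled task whose principal is a broad group such as Users but which runs with the highest privileges, the pattern SilentCleanup shows, and second, prints the parent chain of a running process the way the post does (svchost.exe >> taskhostw.exe >> cleanmgr.exe). It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and CIM; the list of "broad" SIDs is my own choice. Whether a standard user may actually start a listed task is decided by the task's security descriptor, which this script does not read, so treat the first list as candidates to review, not as confirmed bypass vectors.

```powershell
# Added example, not from the thread.

function Get-UserStartableHighTasks {
    # Well-known SIDs: Users, Authenticated Users, Everyone, Interactive (my choice
    # of what counts as "any user can be the principal").
    $broadGroups = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4'

    foreach ($task in Get-ScheduledTask) {
        $p = $task.Principal
        if ($p.RunLevel -ne 'Highest') { continue }

        # A task can name either a group (GroupId) or a user (UserId). Depending on
        # the task it may be a name ("Users") or a SID string; normalise to a SID.
        $who = if ($p.GroupId) { $p.GroupId } else { $p.UserId }
        if (-not $who) { continue }
        $sid = if ($who -match '^S-1-') { $who } else {
            try {
                ([System.Security.Principal.NTAccount]$who).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $null }
        }
        if (-not $sid -or $broadGroups -notcontains $sid) { continue }

        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Principal = $who
            Command   = ($task.Actions | ForEach-Object {
                            "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
}

function Get-ProcessAncestry {
    param([Parameter(Mandatory)][int]$ProcessId)

    # One snapshot of all processes, then walk ParentProcessId in memory.
    $byPid = @{}
    foreach ($proc in Get-CimInstance Win32_Process) { $byPid[[int]$proc.ProcessId] = $proc }

    $chain = [System.Collections.Generic.List[string]]::new()
    $seen  = @{}
    $cur   = $ProcessId
    while ($byPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $proc = $byPid[$cur]
        $chain.Insert(0, "$($proc.Name) ($cur)")
        $parent = [int]$proc.ParentProcessId
        # ParentProcessId is only a number. If the real parent exited and its PID was
        # reused, the "parent" may be younger than the child; stop rather than lie.
        if ($byPid.ContainsKey($parent) -and
            $byPid[$parent].CreationDate -gt $proc.CreationDate) { break }
        $cur = $parent
    }
    $chain -join ' >> '
}

# Usage (expects SilentCleanup to be in the list on a default Windows 10/11 box):
Get-UserStartableHighTasks | Format-Table -AutoSize
# After starting SilentCleanup from Task Scheduler, while cleanmgr.exe is still running:
Get-Process cleanmgr -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessAncestry -ProcessId $_.Id }
```

The ancestry check is the detection angle of the post: a high-integrity cleanmgr.exe whose parent is taskhostw.exe under svchost.exe is normal for the task, but the same chain ending in something other than cleanmgr.exe, or cleanmgr.exe spawning a child that is not part of Disk Cleanup, is what a hunt rule for this class of bypass would look for.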

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
772
Windows admin accounts have some extra powers that SUAs don't have; a lot of them exist for backwards-compatibility reasons and don't trigger UAC elevation prompts. About a year ago there was a way to defeat ransomware protected folders by creating DOS drive letters and then using a UNC URI to access them, which wouldn't correctly be shown to an AV engine as an access to your documents. That was something that an admin account could do regardless of UAC levels but an SUA could not.

Personally, I don't think UAC MAX is a good protection mechanism for doing highly untrusted things like you mentioned. Zero-day exploits against system services are becoming more and more prevalent, and if you truly are operating on content that you cannot trust, I would recommend taking similar precautions to what our members here do for the Malware Hub where they are detonating malware (a virtual machine or similar containment, and perhaps even something on the host side to monitor for unexpected changes).

Higher UAC levels can come close to the benefits of a SUA but I find the higher UAC levels to be pretty disruptive for daily usage.
 

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
772
That is because you use administrative tasks frequently. My wife and a few friends have used SUA for years and see something elevating a few times a year.
True. It is usually just a few not-well-optimized apps where their tray icon, to do stuff like change the GPU performance level, requires UAC escalation. App developers simply don't seem to care to optimize for that.
 

Andy Ful

Level 78
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,796
There is a nice article about UAC on the Microsoft website:

The authors use the term "built-in UAC elevation component" which is present both on Admin and SUA.

With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token.

As I noted in my first post, this component can do different things on Admin and SUA:
  • On SUA, it cannot show the UAC consent prompt and shows the UAC credential prompt instead. The user has to enter the valid credentials of any valid Administrator (there can be several different Administrator accounts on one computer). If approved, then the elevated process will run in the context of the Administrator account (the process changes the user context from SUA to this Administrator).
  • On the Administrator account, the UAC consent prompt is shown and the elevated process will run without changing the user context. This behavior can be changed by UAC policy and the credential prompt can be shown also on the Administrator account.
So, it is possible to set UAC settings to show the same UAC prompt on SUA and Admin. But still, there will be a difference in security. On the Administrator account, the standard and elevated processes can run on the same user account and this is not possible on SUA.

When people use the term "UAC bypass", they usually think about process elevation without changing the user context and without showing the UAC prompt. This is possible only on Admin and not possible on SUA.
Such bypasses are not considered by Microsoft as serious threats because UAC on Admin is not considered by Microsoft as a security boundary (whatever that means).
When elevating from SUA to Admin, we have not only the UAC bypass but also account-separation bypass. This is a much more dangerous thing.
 
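An added example for the policy point in the post above (not code from the thread, from any poster, or from the Microsoft article): a PowerShell script that reads the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, reports what the elevation component will do on an admin account and on an SUA, and maps the admin values back to the Control Panel slider (Always Notify, the "MAX" setting discussed earlier, is ConsentPromptBehaviorAdmin = 2 with PromptOnSecureDesktop = 1). The value names and meanings are the documented policy values; the slider mapping and the defaults used for missing values are my reading of a standard Windows 10/11 install. It also shows the two policy changes a practitioner usually wants: the admin account getting a credential prompt instead of a consent click, and the SUA set to auto-deny so nothing can even ask.

```powershell
# Added example, not from the thread.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacDword {
    # Read a DWORD, falling back to the documented default when the value is absent.
    param([Parameter(Mandatory)]$Props, [Parameter(Mandatory)][string]$Name, [int]$Default)
    if ($null -eq $Props.$Name) { $Default } else { [int]$Props.$Name }
}

function Get-UacPolicy {
    $v = Get-ItemProperty -Path $UacKey

    $lua    = Get-UacDword $v 'EnableLUA'                  1   # 0 = UAC off entirely (reboot needed)
    $admin  = Get-UacDword $v 'ConsentPromptBehaviorAdmin' 5   # what an admin account sees
    $user   = Get-UacDword $v 'ConsentPromptBehaviorUser'  3   # what an SUA sees
    $secure = Get-UacDword $v 'PromptOnSecureDesktop'      1   # dimmed, isolated desktop

    $adminPrompt = switch ($admin) {
        0 { 'Elevate without prompting' }
        1 { 'Credential prompt on the secure desktop' }
        2 { 'Consent prompt on the secure desktop' }
        3 { 'Credential prompt' }
        4 { 'Consent prompt' }
        5 { 'Consent prompt for non-Windows binaries only (default)' }
        default { "Unknown ($admin)" }
    }
    $userPrompt = switch ($user) {
        0 { 'Automatically deny elevation requests (no prompt at all)' }
        1 { 'Credential prompt on the secure desktop' }
        3 { 'Credential prompt (default)' }
        default { "Unknown ($user)" }
    }

    # The slider in Control Panel only ever writes this pair of values.
    $slider = if     ($lua -eq 0)                        { 'UAC disabled (EnableLUA = 0)' }
              elseif ($admin -eq 2 -and $secure -eq 1)   { 'Always notify (MAX)' }
              elseif ($admin -eq 5 -and $secure -eq 1)   { 'Default' }
              elseif ($admin -eq 5 -and $secure -eq 0)   { 'Notify without dimming' }
              elseif ($admin -eq 0)                      { 'Never notify' }
              else                                       { 'Custom (set by policy)' }

    [pscustomobject]@{
        Slider        = $slider
        AdminAccount  = $adminPrompt
        StandardUser  = $userPrompt
        SecureDesktop = [bool]$secure
    }
}

function Set-UacHardened {
    # Needs an elevated prompt. Admin account: credential prompt on the secure desktop
    # (the same prompt an SUA gets, as the post notes is possible). SUA: auto-deny, so a
    # standard user is never asked for admin credentials by anything, benign or not.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacPolicy | Format-List
```

Note the asymmetry the post is about survives any of these settings: even with identical credential prompts on both account types, the admin account still hosts its own standard and elevated processes side by side, while on the SUA an elevation always crosses into another account.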