
Deleted member 21043

Hello everyone!

Today I am going to explain what User Account Control actually is, and how it can potentially protect you from malicious software. The reason I am creating this thread is that not everybody thinks UAC actually helps you in any way (many believe it is just annoying), but in reality it can protect you from a lot of malicious software. It is a great feature in Windows; however, it requires the user to do some thinking when using it to make it effective and powerful.

1. What is UAC?
UAC stands for User Account Control. Its job is to prevent a program from making changes to your system or successfully performing specific tasks without authorization from the user. If a program is trying to do something which is a system-related change, it will require administrator rights.

2. How does UAC work?
UAC works by preventing a program (that is, its running process) from carrying out any tasks which involve system changes or other specific tasks. Those operations will not work unless the process attempting to carry them out is running with administrator rights. If you run a program as administrator, it will have more privileges, since it is "elevated" compared to programs which are not running as administrator.

Some things which cannot be done without administrator rights:

  • Registry modifications (if the registry key is under e.g. HKEY_LOCAL_MACHINE (since it affects more than one user) it will be read-only)
  • Loading a device driver
  • DLL injection
  • Modifying system time (clock)
  • Modifying User Account Control settings (via Registry, it can be enabled/disabled but you need the correct privileges to do this)
  • Modify protected directories (e.g. Windows folder, Program Files)
  • Scheduled tasks (e.g. to auto-start with administrator privileges)
- and other things.

In the past, there have been ways to bypass User Account Control. However, Microsoft patched these exploits as soon as they could to prevent further abuse of the exploit by malware writers. To this day, if you do not have the update installed which patched this exploit, you'll be vulnerable to it. Malware writers (especially new ones) may still be intrigued by the exploit, despite it being old and having a low chance of real use, since there are many sensible people who keep their systems updated. The exploit was for Windows 7 systems. Then again, nothing is foolproof.

3. Why UAC protects you from threats like rootkits, bootkits and other types of malicious software
The reason User Account Control protects you from threats like rootkits, bootkits and other types of malicious software is that, depending on what the malicious software needs to do to actually get started in performing any actions, it may be required to be elevated (and it may need administrator privileges while it's working to do something, even if it isn't run as administrator to start with).

Rootkits need a way to be loaded (whether they are kernel-mode or user-mode rootkits). If it's a kernel-mode rootkit, it will need its loader to load its device driver onto the system to start working. If it's a user-mode rootkit (e.g. one that uses DLL injection to function), it will require administrator privileges to function properly with all processes. Without administrator rights, the device driver cannot be loaded (even if it's digitally signed), and the user-mode rootkit won't work properly since it won't have the permissions.

Bootkits won't be able to work without the user confirming a UAC alert. The reason for this is not because of the bootkit itself working, but because it again, needs a loader just like a rootkit. From Windows Vista and upwards (UAC was introduced in Windows Vista), a device driver is required to make modifications to the Master Boot Record. Unless the loader has administrator rights, it will not be able to load the device driver onto the system for the damage to be done.

The general trojans you find might not be able to function properly. Let's say a trojan wanted to drop an executable into System32; it won't be able to unless it has administrator rights. The same applies if it wanted to remove files from System32 (or any file in the Windows folder). If a trojan wanted to patch a program which is stored in Program Files, it would be unable to do this without being executed with administrator rights.

4. UAC requires the user to think
UAC won't just automatically block malicious software, the purpose wasn't to determine if a program is malicious or not. It's down to the user just as much. If a program is going to be executed with administrator privileges, the user will be alerted and will need to provide confirmation.

Make sure you trust the program and have done your research before you grant it administrator privileges on your system. Ignoring this suggestion may just result in software you thought was legitimate and safe doing a lot of damage; a quick Google search can be handy. For example, if you go on Google and search "Antivirus Pro 2015 rogue", you see a lot of search results which suggest you do not want to allow this program to run on your system at all, let alone with administrator rights. The administrator of this forum actually posted an uninstallation guide for this rogue antivirus software: http://malwaretips.com/blogs/antivirus-pro-2015-removal/

Extra notes:
- Users are alerted with the confirmation window via a program called "consent.exe".
- If a program is allowed by the user to run with administrator privileges, it can create a scheduled task to make it auto-start as administrator without the UAC alert being displayed (so without the user being aware via confirmation).

Cheers. ;)
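The following PowerShell script is an added example, not part of the post above, that lets you see the behaviour it describes from inside a running process: whether the process is elevated, what the UAC policy in the registry currently says, whether a write into a protected directory is refused, and the scheduled-task persistence trick from the extra notes together with a check for tasks that already run at the highest run level. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module); the probe file name and the task name/executable you pass in are placeholders.

```powershell
# Added example (not from the original post). Run it once from a normal
# PowerShell prompt and once from an elevated one, and compare the output.

# 1. Is this process elevated? Under UAC an administrator's interactive logon
#    gets a filtered token in which the Administrators group is deny-only;
#    only after the consent.exe prompt does the process run with the full
#    token, so IsInRole(Administrator) is the usual elevation test.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Read the UAC policy values. They live under HKLM, so a non-elevated
#    process can read them but not change them (the point made in the post).
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    # Documented meanings of ConsentPromptBehaviorAdmin
    $behaviour = @{
        0 = 'Elevate without prompting (no UAC prompt for admins)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    [pscustomobject]@{
        UacEnabled        = [bool]$p.EnableLUA
        AdminPromptPolicy = $behaviour[[int]$p.ConsentPromptBehaviorAdmin]
        SecureDesktop     = [bool]$p.PromptOnSecureDesktop
    }
}

# 3. Can we create a file in a protected directory? %windir% only grants
#    create/modify rights to Administrators and TrustedInstaller, so from a
#    non-elevated process the write throws UnauthorizedAccessException.
function Test-ProtectedWrite {
    param([string]$Path = (Join-Path $env:windir 'uac-write-probe.tmp'))  # assumed probe name
    try {
        [IO.File]::WriteAllText($Path, 'probe')
        Remove-Item -Path $Path -Force
        return $true
    } catch [UnauthorizedAccessException] {
        return $false
    }
}

# 4. The persistence trick from the post's extra notes: a task registered with
#    RunLevel Highest starts elevated at every logon with no further prompt.
#    Registering such a task is itself an elevated operation, so it only
#    succeeds after the user has clicked "Yes" once. TaskName and Executable
#    are whatever you choose to pass in.
function Register-ElevatedAutostart {
    param([Parameter(Mandatory)][string]$TaskName,
          [Parameter(Mandatory)][string]$Executable)
    $action    = New-ScheduledTaskAction -Execute $Executable
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                    -LogonType Interactive -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal
}

# 5. The defensive counterpart: list every task that already runs with the
#    highest run level, so an unexpected entry can be investigated.
function Find-HighestRunLevelTasks {
    Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
        ForEach-Object {
            [pscustomobject]@{
                Task    = Join-Path $_.TaskPath $_.TaskName
                RunAs   = $_.Principal.UserId
                Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
}

"Elevated: $(Test-IsElevated)"
Get-UacPolicy | Format-List
"Can write to ${env:windir}: $(Test-ProtectedWrite)"
Find-HighestRunLevelTasks | Format-Table -AutoSize
```

From a standard prompt you should see `Elevated: False`, `Can write to C:\Windows: False`, and `Register-ElevatedAutostart` being refused with an access-denied error; from an elevated prompt all three succeed, which is exactly why the single click on the consent.exe dialog matters. Two caveats: `AdminPromptPolicy` of 0 means UAC is on paper enabled but never prompts an administrator, and the write probe is only meaningful for a manifested process such as PowerShell, since legacy 32-bit programs without a manifest have their writes silently redirected to the VirtualStore instead of refused.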
 

Piteko21

Inexperienced users shouldn't be able to give administrator privileges to unknown programs ;)
I agree, they shouldn't be allowed to, but in most cases they are the only user on their PC and through ignorance end up giving privileges to all programs that install.
One of the preventive measures would be to use a guest account, or not give access to such privileges inside the system...
The real difficulty is to distinguish which programs deserve privileges.
 

jamescv7

Of course, UAC must be understood and supervised by a knowledgeable user, down to the novice who is trigger-happy to click yes.

Here are a few questions that he/she must answer before accepting or dismissing the UAC alert:

1) What is the purpose of the program that you want to execute?
2) Did you download that program?
3) Are you aware whether the program you are executing is well known?
 

Deleted member 178

A careless user:

1- Oh cool, a crack for my game
2- I download it right away
3- I run it

(UAC pop-up shows up)

5- What the hell is that UAC window? It appears again, so annoying!
6- I don't care about that stupid UAC, I want my game cracked.

(user ignores the UAC warning and allows the executable to run, system gets cryptomalwarized)

7- Holy hell!!! stfu ffu!!!! How can I get infected? Windows suxx in security!!

A common situation... who is weak? UAC or the user?

:D