Why UAC is important and how it can protect you
<blockquote data-quote="Deleted member 21043" data-source="post: 398761">
<p>Hello everyone!</p>
<p>Today I am going to explain what User Account Control actually is, and how it can potentially protect you from malicious software. The reason I am creating this thread is because not everybody thinks UAC actually helps you in any way (and believes it is just annoying), but in reality it can actually protect you from a lot of malicious software. It is a great feature in Windows; however, it requires the user to do some thinking when using it to make it effective and powerful.</p>
<p><strong><u>1. What is UAC?</u></strong></p>
<p>UAC stands for User Account Control. Its job is to prevent a program from making changes to your system or successfully performing specific tasks without authorization from the user. If a program is trying to do something which is a system-related change, it will require administrator rights.</p>
<p><strong><u>2. How does UAC work?</u></strong></p>
<p>UAC works by preventing a program (which is executing - its process) from carrying out any tasks which involve system changes or specific tasks. These operations will not work unless the process attempting to carry them out is running with administrator rights. If you run a program as administrator, it will have more privileges since it would be "elevated", compared to the running programs which are not running as administrator.</p>
<p>Some things which cannot be done without administrator rights:</p>
<ul>
<li data-xf-list-type="ul">Registry modifications (if the registry key is under e.g. <strong>HKEY_LOCAL_MACHINE</strong> (since it affects more than one user) it will be read-only)</li>
<li data-xf-list-type="ul">Loading a device driver</li>
<li data-xf-list-type="ul">DLL injection</li>
<li data-xf-list-type="ul">Modifying system time (clock)</li>
<li data-xf-list-type="ul">Modifying User Account Control settings (via the Registry it can be enabled/disabled, but <strong>you need the correct privileges</strong> to do this)</li>
<li data-xf-list-type="ul">Modifying protected directories (e.g. the Windows folder, Program Files)</li>
<li data-xf-list-type="ul">Scheduled tasks (e.g. to auto-start with administrator privileges)</li>
</ul>
<p>- and other things.</p>
<p>In the past, there have been ways to bypass User Account Control. However, Microsoft patched these exploits as soon as they could to prevent further abuse of the exploit by malware writers. To this day, if you do not have the update installed which patched this exploit, you'll be vulnerable to it. Malware writers (new malware writers) may still be intrigued by the exploit, despite it being old and having a low chance of real use since there are many sensible people who keep their systems updated. The exploit was for Windows 7 systems. Then again, nothing is foolproof.</p>
<p><strong><u>3. Why UAC protects you from threats like rootkits, bootkits and other types of malicious software</u></strong></p>
<p>The reason User Account Control protects you from threats like rootkits, bootkits and other types of malicious software is because, depending on what the malicious software will need to do to actually get started in performing any actions, it may be required to be elevated (and it may need administrator privileges whilst it's working to do something, even if it isn't run as administrator to start with).</p>
<p>Rootkits need a way to be loaded (whether they are kernel-mode or user-mode rootkits). If it's a kernel-mode rootkit, it will need its loader to load its device driver onto the system to start working. If it's a user-mode rootkit (e.g. one that uses DLL injection to function), it will require administrator privileges to function properly with all processes. Without administrator rights, the device driver cannot be loaded (even if it's digitally signed), and the user-mode rootkit won't work properly since it won't have the permissions.</p>
<p>Bootkits won't be able to work without the user confirming a UAC alert. The reason for this is not because of the bootkit itself working, but because it, again, needs a loader just like a rootkit. From Windows Vista upwards (UAC was introduced in Windows Vista), a device driver is required to make modifications to the Master Boot Record. Unless the loader has administrator rights, it will not be able to load the device driver onto the system for the damage to be done.</p>
<p>The general trojans you find might not be able to function properly. Let's say a trojan wanted to drop an executable into System32: it won't be able to unless it has administrator rights. The same applies if it wanted to remove files from System32 (or any file in the Windows folder). If a trojan wanted to patch a program which is stored in Program Files, it will be unable to do this without being executed with administrator rights.</p>
<p><strong><u>4. UAC requires the user to think</u></strong></p>
<p>UAC won't just automatically block malicious software; its purpose wasn't to determine if a program is malicious or not. It's down to the user just as much. If a program is going to be executed with administrator privileges, the user will be alerted and will need to provide confirmation.</p>
<p>Make sure you trust the program and have done your research before you grant it administrator privileges on your system. Ignoring this suggestion may just result in software you thought was legitimate and safe doing a lot of harm - a quick Google search can be handy. For example, if you go on Google and search "Antivirus Pro 2015 rogue", you see a lot of search results which suggest you do not want to allow this program to run on your system at all, let alone with administrator rights. The administrator of this forum actually made a post with an uninstallation guide for this rogue antivirus software: <a href="http://malwaretips.com/blogs/antivirus-pro-2015-removal/" target="_blank">http://malwaretips.com/blogs/antivirus-pro-2015-removal/</a></p>
<p><strong><u>Extra notes:</u></strong></p>
<p>- Users are alerted with the confirmation window via a program called "consent.exe".</p>
<p>- If a program is granted permission to run with administrator privileges by the user, it can create a scheduled task to make it auto-start as administrator without the UAC alert being displayed (so without the user being aware via confirmation).</p>
<p>Cheers. ;)</p>
</blockquote>
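<p>The post above says that UAC policy lives in the registry, that HKEY_LOCAL_MACHINE is read-only for a non-elevated process, and that a program which was once elevated can register a scheduled task that starts as administrator without any further consent.exe prompt. The following PowerShell script is an added defender-side audit written for this page; it is not code from the original post or from Microsoft. It reads the UAC policy values, reports whether the current process is elevated, shows the HKLM write restriction without modifying anything, and lists non-Microsoft scheduled tasks that run with the highest privileges. It assumes Windows 8 or later (for <code>Get-ScheduledTask</code>) with Windows PowerShell 5.1 or newer; the function and variable names are the example's own.</p>

```powershell
# Added example (not from the original post): UAC audit for defenders.
# Assumes Windows 8+ and PowerShell 5.1+. Function/variable names are this
# example's own, not Windows or forum-post identifiers. Nothing is written.

# Policy key that holds the UAC settings the post refers to.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin controls how
    # administrators are prompted: 0 = elevate silently, 2 = always prompt on
    # the secure desktop, 5 = prompt only for non-Windows binaries (the default).
    $p = Get-ItemProperty -Path $UacPolicyKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-IsElevated {
    # True only when the process token carries the Administrators group in an
    # enabled state, i.e. the user accepted a UAC prompt (or UAC is off).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HklmWritable {
    # Opens HKLM\SOFTWARE with write access and closes it again; no value is
    # written. A filtered (non-elevated) token receives a SecurityException,
    # which is the "read-only HKEY_LOCAL_MACHINE" behaviour the post describes.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    }
}

function Get-HighestPrivilegeTasks {
    # Tasks whose principal RunLevel is Highest start elevated with no prompt.
    # Microsoft's own tasks are filtered out so third-party entries stand out;
    # each one listed deserves a look at who registered it and what it runs.
    Get-ScheduledTask |
        Where-Object { $_.Principal.RunLevel -eq 'Highest' -and $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath, State,
            @{ Name = 'RunAs';   Expression = { $_.Principal.UserId } },
            @{ Name = 'Actions'; Expression = {
                ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ' } }
}

# --- usage ---
$policy = Get-UacPolicy
if ($policy.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA != 1): every process of an admin account runs fully elevated.'
}
if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators elevate silently (ConsentPromptBehaviorAdmin = 0): consent.exe will not prompt.'
}
$policy | Format-List

"Process elevated : $(Test-IsElevated)"
"HKLM writable    : $(Test-HklmWritable)"

"`nNon-Microsoft scheduled tasks that run with highest privileges:"
Get-HighestPrivilegeTasks | Format-Table -AutoSize
```

<p>Run it once from a normal PowerShell window and once from one started with "Run as administrator": the policy values are identical, but <code>Test-IsElevated</code> and <code>Test-HklmWritable</code> flip from False to True, which is the whole effect of the consent prompt. Anything in the final table that you did not install yourself, or that points at a binary in a user-writable folder, is worth investigating, because it will keep starting elevated without ever showing the UAC dialog again.</p>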