Guide | How To Why UAC should be taken seriously

The associated guide may contain user-generated or external content.
W

Wave

Thread author
Hello everyone,

Today I will be talking about User Account Control (UAC) – why people shouldn’t underestimate it and leave it disabled and how it can potentially save you from becoming infected by malicious software.

[DISCLAIMER]
I have intentionally set the font size to 3 because this thread is very long and with the normal font size it may actually be even more of a pain to go through... I highly recommend you zoom in once in your browser, and it will appear much nicer to read the text (as opposed to reading it without zooming in once or as it is by default).

If you find any false information/mistakes in this thread then please let me know so I can fix them.
[/DISCLAIMER]


Why you should leave it enabled
I regularly see people complaining about how UAC failed to protect them or how they became infected (after disabling UAC) and then complaining about how Windows security is awful – the truth is that the built-in Windows security can be exceptionally good if used correctly and it can be a huge life saver. The problem isn’t the actual protection features (in this case UAC) but how some people use it… They expect it to sit in the background and automatically catch out zero-day malware… News flash: UAC was never designed/intended to do something like this, it is really there to give programs privileges they wouldn’t normally have by default (gives them more power over your system which can allow them to do deadly things they wouldn’t be able to do without these privileges) under the consent of the user operating the machine.

Commonly, the people you find lurking on online forums posting comments similar to, “Windows security sucks”, “Windows is awful for protection”, “Microsoft need to understand us and add some protection mechanisms”, “It’s important to use a third-part AV and not rely on Microsoft protection otherwise you’ll become infected”, “Windows Defender sucks”… (list can go on with similar comments), will be the same people who either disable features like UAC altogether (and not even run them on the minimum to be enabled) or aimlessly go around granting programs they have never even heard of before administrator privileges on their system…

Well, in my opinion, everyone should leave User Account enabled – it’s a very useful security feature built-into Windows (Windows Vista and upwards) and it’s been improved throughout the Windows editions (vulnerability patches, enhanced security additions). If you use it correctly, then you will be much safer than without it… You may be asking yourself, “how exactly do I use it correctly?”, and the answer to that is very simple and can be shortened into one sentence: ONLY ALLOW A PROGRAM TO RUN WITH ADMINISTRATOR PRIVILEGES IF YOU TRUST IT 100%.

I’m famous for letting my imagination run wild and coming up with scenarios which will admittedly most likely never happen to you, but are still very possible (e.g. if I wanted I myself could carry out the scenarios myself). Therefore, I will leave some examples of what could happen with UAC disabled which would have been prevented if UAC was being used properly:

1. New Unknown Malware (NUM – yes, I did just make this up, call it a “Wave term”) attempts to load a driver via the Service Manager which will allow it to bypass all security product self-protection mechanisms, shut them down and clean them off the system (like a custom uninstallation but silently without the user being aware), download more malware on the system (ransomware, password stealer, botnet, etc) and conceal it via rootkit techniques. If the sample/s are Fully Undetectable, then most on-demand scanners would be more likely hopeless than not unless they have great hook/DKOM detection and repair in this situation. Whereas in the situation of UAC being used properly, this NUM sample will fail to carry out these actions unless the user willingly allowed it to run with admin privileges before doing their research.

2. Currently Known Malware (CKM) is not detected by a security product installed on their system (e.g. maybe they temporarily disabled the real-time protection or the product they are using just doesn’t have a detection for that specific sample for whatever reason) which when executed will create a new task via the Windows Task Scheduler to allow itself to start-up with administrator privileges without future UAC prompts at boot (and after it has administrator privileges after the next reboot, it will download more malware to the system and store them in protected directories, OR patch other installed programs being held within protected directories, since the CKM would have access to these areas since it’d be elevated now). Whereas in the situation of UAC being used properly, this CKM would fail to execute these malicious actions properly.

3. Zero Day Malware (ZDM) will attack the Master Boot Record when executed (well this sample will) (infect it) so when your system attempts to boot up, it won’t be successful. The MBR is responsible for loading the OS kernel into memory (kernel loader) and if the MBR has been infected then it will either allow malware to become active before the main OS is or it will allow malware to prevent the system from being able to boot into that OS altogether. Sometimes the MBR will load another loader which will be the kernel loader… But that is irrelevant, the point is that the malware can leave the system unbootable without repair options being carried out. Whereas in the situation of UAC being used properly, this ZDM would fail horribly to do this.

4. Dumb Malware From A Dumb Developer (DMFADD) will set hooks on the keyboard to log all the keystrokes typed by the PC user (e.g. via Win32 functions like user32.dll!SetWindowsHookExW which are genuinely used for good purposes within Windows itself (e.g. when you drag Windows and it minimises all other windows, this is accomplished via Windows utilising this function itself, sadly it’s abused by malware for keylogging)) and will also go further by injecting into other running processes to obtain additional details (e.g. from text controls on the GUI of the targeted programs). However, in the case of UAC being active, this may work to an extent but not properly – firstly, the keyboard hooking will definitely be successful without UAC consent (if it’s enabled), however if the targeted programs for injection are running with a higher privilege than the malware (e.g. as administrator themselves due to being trusted and secure based off research), then the malware running with standard rights won’t be able to inject into the trusted programs running with higher privileges! (it won’t even be able to open a handle to them, thus preventing them from being attacked by injection attacks for example).

That being said, I cannot express enough that YOU are the first line of defence when it comes to keeping your system/personal data secure, NOT your protection software. There is absolutely nothing that any protection software can do to keep you 100% safe if you are a click-happy user, careless and don’t pay attention to what you are doing/what’s going on. Even if you are using Default Deny (via Anti-Executable), if you decide to allow a program permission to run, then how can you push blame onto the Anti-Executable software for you becoming infected? It’s the same logic with UAC… If you willingly provide consent for a program to run elevated (with administrator privileges) then you as the user are responsible for becoming infected, you will be the one at blame deep down.

Of course there are scenarios when zero-day attacks may bypass protection features such as UAC (e.g. via a zero-day exploit) and this will allow malicious software to gain additional privileges in the background (silently) without your consent, however at the end of the day, you need to think back to how you ended up becoming attacked in the first place… Were you visiting untrusted websites? Were you using an outdated browser which may have currently-patched known vulnerabilities still out in the open for exploitation (due to using an old version)? Were you executing new downloads you were unsure of being safe or not without doing research first (e.g. scanning at VirusTotal/MetaDefender, even a Google search would benefit you)?

I tried to lighten the mood a bit with the “Wave terms”, however I wouldn’t use them if I were you, they were just there for joke purposes… They don’t really exist in the security world, I completely made them up on the spot for the purpose of this thread. :p

Of course there is a lot more to UAC than I mentioned, however I think I got my point across.

Stay safe and I hope this helped educate someone,
Wave. ;)
 

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
Thanks for sharing your knowledge :)

And don't you suggest to use standard account ? I always use it ( and max UAC)

Unfortunately I saw some videos where , even if you click " no" in UAC popup, the ransomware( and maybe other malwares ) start encrypting : why ?

Thank you
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I do take UAC seirously.
I also know that UAC is not as solid as some would have you believe.
UAC bypasses are becoming more and more prevalent, but on the same token
I too was hammered with the fear of turning it off, the only software I have found
that allows for this is VoodooShield. It adds strength to UAC and is a suitable UAC
surrogate. Now I do not condone that all users should disable UAC "I am not saying that"
I am saying that with VS as my UAC surrogate I feel safer knowing that I will be notified just as UAC does
but I will also have to enter a password to approve a UAC triggered request, and I like the added
security that affords me. UAC is a must if your not using VS don't get me wrong, I see its value
but I also know of its weaknesses and VoodooShield buffers those weaknesses so I can enjoy
a more secure PC.
EDIT: Also with VS and a set password, any time I try to access an admin level sys tool like, Regedit, CMD, Powershell, ect. I am required to enter a password even for things like entering Services, device manager, and system settings, so see those are also secured from being auto triggered. No password = No Access, so I don't have as much to fear from them being triggered from a malicious process that may have slipped past UAC.

Awesome share Wave, thank you.
 
Last edited:

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
I do take UAC seirously.
I also know that UAC is not as solid as some would have you believe.
UAC bypasses are becoming more and more prevalent, but on the same token
I too was hammered with the fear of turning it off, the only software I have found
that allows for this is VoodooShield. It adds strength to UAC and is a suitable UAC
surrogate. Now I do not condone that all users should disable UAC "I am not saying that"
I am saying that with VS as my UAC surrogate I feel safer knowing that I will be notified just as UAC does
but I will also have to enter a password to approve a UAC triggered request, and I like the added
security that affords me. UAC is a must if your not using VS don't get me wrong, I see its value
but I also know of its weaknesses and VoodooShield buffers those weaknesses so I can enjoy
a more secure PC.
Awesome share Wave, thank you.

If your only point of concern is the PW: use a standard account , so you have to enter a pw almost every app you launch
 
D

Deleted member 178

Thread author
Unfortunately I saw some videos where , even if you click " no" in UAC popup, the ransomware( and maybe other malwares ) start encrypting : why ?

What level of UAC? what type of account? how come the ransomware is on the system? does smartscreen was enabled and gave an alert about the ransomware?

Any Windows built-in security feature shouldn't be taken separately, they complement each other. The mistake of many "self-proclaimed experts" is that they think that each feature is independent. They are not.

I do take UAC seirously. I also know that UAC is not as solid as some would have you believe. UAC bypasses are becoming more and more prevalent

Because UAC isn't supposed to block malwares, only elevation requests; if a malware doesn't need elevation , UAC won't react. that is it. UAC don't care if the process is legit or not, it just care about its signature and elevation request.

I too was hammered with the fear of turning it off, the only software I have found that allows for this is VoodooShield. It adds strength to UAC and is a suitable UAC surrogate.

VS shouldn't be a surrogate but only a complement.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Thanks for the feedback Umbra, you know the respect and admiration I have for you
and a few other members ;)
I just find a better peace of mind letting VS captain this ship.
Your right UAC does not care about Malware but VS does, and it protects "all" elevation requests
with password protection weather it is a legit process or not. I love the added security that affords me.
UAC is slightly over rated, and while a good part of the Windows approach to securing my system
it is hardly bullet proof. At times I do set it to minimum, But with VoodooShield present I do at times
disable it. I have yet to suffer any exploitation or infection with it disabled and I suspect I won't anytime
soon. I set it to minimum at times when I may be venturing into dangerous terratory or untrusted beta software.
 
D

Deleted member 178

Thread author
. Sorry If I am wrong, probably it was the wrong videos

yep i think it was the wrong one :D

to have a serious UAC bypass, we must have:

1- a remote script, or executable that pass Smartscreen check without raising any suspicion (if Smartscreen pop but can't tell if the file is legit, the attempt failed, because no one should allow a "suspicious" file )
2- a FUD malware (encrypted or wrapped into an app) , that seems legit to the user.
3- the said malware must bypass Windows Defender (shouldn't be hard , i admit ^^ )
4- malware must ask for higher privileges, if not, this is not a bypass because UAC isn't supposed to react.
5- once the malware is executed, UAC must not react.

If those 5 points are made, then it is a bypass.
 

Ana_Filiz

Level 4
Verified
Well-known
Aug 23, 2016
193
One question though: how can I know what kind of privileges needs a new software that i want to install? Maybe i say no to a legitimate software or yes to an unlegitimate one. I mean, ok i understand the purpose of UAC but what shall i do when i receive a prompt for a software that seems legitimate and in fact it is not or vice-versa? That's why i rely on VS because this software at least it tells me something based on its AI. So, let's think a bit. :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top