Elevations Are Now Blocked in the User's Logon Path
Hi, Jim Hong, Program Manager on UAC, here again to tell you about a new change in the UAC user experience coming in RC1. Applications that start when the user logs on and that require elevation are now blocked in the logon path.
Without blocking applications from prompting for elevation in the user's logon path, both standard users and administrators would have to respond to a User Account Control dialog box on every log on. While this potentially becomes an annoyance for administrators, it is an unusable UI for standard users who cannot drive the UAC elevation prompt without having an administrator around to provide credentials. Furthermore, we advise users to be wary of prompts that appear without them taking an explicit action -- and prompts generated at startup go against that advice.
In RC1 and later, Windows Vista notifies the user if an application has been blocked by placing an icon in the system tray and providing a notification balloon during the startup sequence. See Fig. 1 for a visual of what this might look like:
In many cases, users can operate their computers normally without the software that was skipped. However, in cases where the skipped application may be needed, users can then right-click this icon to run the applications that were blocked as they logged on. The user can elect to manage which startup applications are disabled or removed from this list by double-clicking the tray icon and bringing up the default application that controls Startup programs.
The areas where these applications are blocked from are:
• Per-user Startup Folder
• Per-user RUN Key
• Per-machine Startup Folder
• Per-machine RUN Key
Independent Software Vendors who wish to have part or all of their software suite run during the startup process are encouraged to architect their applications to run AsInvoker so that all users (that is, administrators and standard users) can run the software without the need for a UAC elevation.
A couple of exceptions to note: First, setup applications that need to complete their setup after a reboot should be putting their application in the RunOnce key. This key gets consumed by the next Administrator account that logs on, and the setup will continue without the need for an elevation. (This key can only be set by a program running with elevated privileges.) Second, applications that require UAC elevation that gets pushed out via the POLICY\RUN keys will not get blocked at logon. Therefore, they will run and will either result in the Secure Desktop prompt or appear in the taskbar as a blinking button that will require user input before the desktop switch occurs.
This feature will really help users with streamlining the logon path so that they can start using their Vista PCs quickly, with as little distraction as possible. Users maintain control of these UAC elevations. This reinforces the UAC theme of putting admin elevation under the user's control.
Comments
Anonymous
August 23, 2006
What about logon scripts?Anonymous
August 23, 2006
One minor note: There is no such thing like a "system tray". See http://blogs.msdn.com/oldnewthing/archive/2003/09/10/54831.aspxAnonymous
August 23, 2006
In response to the first question:
I created a short batch file that just ran a whoami /all>report.txt and put it in the "Logon" area of my local group policy, then logged off and back on. The whoami output showed that my account (a local admin) has all of its SIDs and privileges, so ... I'm guessing because I only have 5472 ... that unless the later build applies the split token, then everything in the logon script will run with full permissions and privileges.Anonymous
August 24, 2006
Starting with Windows Vista RC1, which should be here in the not too distant future, you will see a new...Anonymous
August 24, 2006
Original source: Elevations Are Now Blocked in the User's Logon Path Hi, Jim Hong, Program Manager onAnonymous
August 24, 2006
PingBack from http://systemcenter.wordpress.com/2006/08/24/elevations-are-now-blocked-in-the-users-logon-path/Anonymous
August 28, 2006
Very nice! Was starting to get annorying!Anonymous
August 31, 2006
I just noticed these blog posts related to Windows Vista security that may interest y'all.
Built-in...Anonymous
August 31, 2006
PingBack from http://heterogeneous.wordpress.com/2006/09/01/miscellaneous-windows-vista-security-stuff/Anonymous
September 04, 2006
I am confused, my applications are installing an icon in Programs->Startup folder and none of these are requesting admin password to continue on startup under Admin/Standard or Guest accounts??Anonymous
September 05, 2006
We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account...Anonymous
September 05, 2006
The comment has been removedAnonymous
September 06, 2006
"I am confused, my applications are installing an icon in Programs->Startup folder and none of these are requesting admin password to continue on startup under Admin/Standard or Guest accounts??"
Dan,
UAC will only block those apps that require admin privilege at startup. If your app does not require elevated privileges, it will continue to startup without any intervention.
HTH,
JimAnonymous
September 06, 2006
The comment has been removedAnonymous
September 07, 2006
We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account...Anonymous
September 09, 2006
I don't find this intuitive at all. The balloon's wording leads me away from the solution of how to unblock a startup program. See: http://gcoupe.spaces.live.com/blog/cns!6AA39937A982345B!2498.entryAnonymous
September 13, 2006
The comment has been removedAnonymous
September 13, 2006
I mean using menifest I could elevate my application. I need a way to shift to medium level, programmatically. Unfortunately I don't see any API exposed for that matter.Anonymous
September 14, 2006
Hello. I am a Japanese beta tester.
Using automatic translation, please forgive, even if there is strange English.
I am using InstallShield 12 of Macrovision.
http://www.macrovision.com/products/flexnet_installshield/index.shtml
It has Update Service function. This function offers that automatically update function, even if application does not have.
It registers with HKLM/Software/Microsoft/Windows/CurrentVersion/Run. And the character "InstallShield" is included in file description.
Although it can run on user mode, installer detection function judges this function to be an "installer" for the brand name of "InstallShield." For this reason, elevation is needed for performing and it is blocked.
Since it can operate in user mode, I want to make it operate in user mode, but can it do?
thank you.Anonymous
September 14, 2006
The comment has been removedAnonymous
September 15, 2006
直訴してみたAnonymous
September 15, 2006
直訴してみたAnonymous
September 19, 2006
Special Section: ASP.NET 2.0
[ASP.NET] [Windows Forms and Smart Clients] Dundas Map for .NET...Anonymous
September 22, 2006
The comment has been removedAnonymous
September 26, 2006
Alternatively you could just turn all this off!
In the local security policy you can just set the admins and/or users to automatically elevate privileges - ironically this is even less secure than XP, but at least you need admin privs to set it.
It took me about 5 minutes to find this entry so I've no doubt that a million other people already know about it - I went looking for it after about the 300th time I was asked 'do you want to allow this' when just trying to set up Vista the first time I logged on...Anonymous
November 07, 2006
The comment has been removedAnonymous
November 17, 2006
I just noticed these blog posts related to Windows Vista security that may interest y'all. Built-in AdministratorAnonymous
November 28, 2006
Hi I too am a developer of an app that a) starts up at logon, and b) requires administrator access. So this issue is of great interest (and annoyance) to me. I am trying to understand how to work around this restriction. I noticed this comment up above in the original post: "... applications that require UAC elevation that gets pushed out via the POLICYRUN keys will not get blocked at logon..." Well that sounds vaguely promising, but unfortunately I have no idea what "via the POLICYRUN keys" means. I don't suppose anyone out there can provide a translation? (And I also don't see why Vista can't provide a button the user can click to enable an application to run at startup so they don't get blocked and/or prompted for permission every time. It just seems like such an obvious thing.) Thanks! PhilAnonymous
November 28, 2006
The policy keys are populated by ITPros who wish to push apps out to their users via policy. It's not meant for ISVs to use to force admin elevations at logon. The best mitigation for your application is to remove the administrator privilege requirement for it. The next best method is to run the application AsInvoker and have a separate process that runs as administrator that runs post-startup, preferably user-initiated. Why do you need admin privileges at startup? J.Anonymous
November 30, 2006
PingBack from http://www.leinss.com/blog/?p=95Anonymous
December 11, 2006
If you sign your privilege-elevated application will it still be blocked in the Run path?Anonymous
December 11, 2006
Yes, it will. This isn't so much about how trustworthy your application is, it's about the user experience of all applications and the OS.Anonymous
December 13, 2006
Ok, so what's the best approach for getting something running at login time that requires elevated privileges?Anonymous
December 13, 2006
I have a serious issue with "A couple of exceptions to note: First, setup applications that need to complete their setup after a reboot should be putting their application in the RunOnce key. This key gets consumed by the next Administrator account that logs on, and the setup will continue without the need for an elevation". The problem with this is that as a "standard user", you might get access to the administrator username and password. You start up the .exe, get the prompt, and then install the software. Or so you think. The application must finish its install after reboot. I'd sure like to put that in the RunOnce key. Then, as a standard user, I sign in again. I didn't sign in as an administrator, so my RunOnce doesn't get called at all, and the install never finishes up? Am I misinterpreting something here?Anonymous
December 17, 2006
I just installed Vista, yes looks nice. However under XP I have a much needed program that runs on startup called Powerstrip, now under Vista it won't run. Why isn't there some way for me to authorize this program to run at startup? Is the only way for me to modify the local security policy to set the admin and/or users to automatically elevate privileges (as someone suggested above), and thus forego all protection? This whole thing really has me boiling.Anonymous
January 02, 2007
Bill: You could try adding the program to the scheduled tasks and set it to run at logon. And thus remove it from startup/run wherever it is now.Anonymous
January 31, 2007
PingBack from http://kay-bruns.de/wp/2007/01/31/gehobene-selbstarter-unter-uac/Anonymous
January 31, 2007
PingBack from http://kay-bruns.de/wp/2007/01/31/elevated-autostarts-trotz-uac/Anonymous
January 31, 2007
PingBack from http://kay-bruns.de/wp/2006/11/20/rosen-ende-november/Anonymous
February 04, 2007
The comment has been removedAnonymous
February 20, 2007
The comment has been removedAnonymous
February 21, 2007
Thank you, Aaron. A friend of mine helped me formulating my question with better wording! I do not get why the user is unable to [pre-]approve an application [at install time] to [silently elevate and] run at startup with admin privileges! Example: install a special scheduler for the administrator only (not for other users); the scheduler requires to run at startup silently and requires to elevate silently in order to create volume shadow copies. In Vista, it seems that you can do that only by
- Writing a service.
- Schedule a task, in the new task scheduler, which will run at startup (it seems you can switch on the option to elevate silently in the task properties). thank you.
- Anonymous
March 28, 2007
Windows Vista significantly changed the way applications are handled when the user logs on, now blocking elevations in the user's logon path, which prevents users from running programs on startup that require administrator privileges. Unfortunately, Vist