Saturday, 11 November 2006 4:58 PM
mitch
Reflections on User Account Control and Virtual Store Redirection
In the "Windows Vista Security Enhancements for Developers" session that I have been presenting over the past few weeks (in Sydney, Brisbane and Perth so far) one of the topics for conversation has been User Account Control (the UAC team blog). UAC is one of those things that people are either happy to "live with" or really hate - but I think that if more people really understood it they would be happier with the solution that is provided.
Whilst doing the second delivery of the talk in Brisbane the audience turned a little hostile and I was having trouble moving forward with the session. I'm sorry to say that this may have been down to the way I presented it, and it's an observation that Coatesy made afterward. When I presented the session in Brisbane I was pretty confrontational about the things that UAC wouldn't allow you to do, and I said things like "UAC won't let you run as Admin anymore without explicitly elevating processes".
The problem with that is that if it is all you take away from the session then you've missed (or rather I failed to communicate) the fact that bundled with UAC is a new technology called Virtual Store redirection, which makes some applications that require administrative rights on Windows XP work under Windows Vista with a standard user account.
Let's say that I am logged in as a standard user in Windows Vista and I run up "MyProgram.exe" which requires rights to write to the "C:\Program Files\MyProgram" directory. Under Windows XP the application would get an "Access is denied." message from Win32 and quite possibly crash. However, on Windows Vista it will just silently work.
On closer inspection you would notice that whatever files it intended to write to the "C:\Program Files\MyProgram" directory didn't actually make it, instead Windows Vista redirected that output to "C:\Users\[username]\AppData\Local\VirtualStore\Program Files\MyProgram". This technique allows applications to function normally but not compromise the security of the system.
Why is writing to a common area like "C:\Program Files" so dangerous?
Glad you asked. If you can write program code or data anywhere in the C:\Program Files directory, and another user invokes that code, then you could potentially use that to elevate your rights through another user (they execute some trojan code that you drop there).
Virtual Store Redirection effectively allows applications that exhibited dangerous behaviour to work safely - with the bonus of not requiring administrator rights.
Virtual Store Redirection is a Temporary Measure
Virtual Store Redirection was implemented to maximise compatibility of applications moving into the more secure Windows Vista environment without the need to recompile application code. It isn't perfect, but it is a sensible compromise - the most extreme compatibility scenario is using Virtual Machines.
Making Applications UAC Aware
If you end up in a situation where you have to recompile your code because you are adding new functionality then you can actually take the next step in Windows Vista compatibility and make your application UAC aware. UAC aware applications don't need Virtual Store Redirection because they declare up front whether they require administrative rights, or whether they can run as a standard user.
This is done by compiling up an old-school resource file and building it into the executable via the Properties page.
If you want to do this in your application I have prepared resource files for the two different configuration alternatives (Require Administrator/As Invoker).
When you compile in the "RequireAdministrator.res" file Windows knows to pop up a consent dialog asking the user if they want to elevate their credentials to run the program. On the other hand, if you use the "AsInvoker.res" file Windows takes it that the program definitely doesn't require administrative rights and will run just fine with standard user rights - even without Virtual Store Redirection.
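As an added illustration, not one of the .res files I prepared, this is the application manifest that such a resource carries; the element and attribute names are the documented Windows manifest schema, while the file name MyProgram.exe.manifest is assumed.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- MyProgram.exe.manifest (name assumed): embedded as resource type 24 (RT_MANIFEST), id 1 -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's own token, no consent prompt and no Virtual Store redirection.
             Change level to "requireAdministrator" to get the consent dialog variant described above. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

The matching resource script is the single line `1 24 "MyProgram.exe.manifest"`, which rc.exe compiles into the .res that gets linked into the executable. Once any requestedExecutionLevel is present Windows stops virtualizing that process's writes, so an attempt to write under C:\Program Files fails with "Access is denied." instead of landing in the VirtualStore.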
Upon reflection I've found UAC to be OK - even as a developer, and knowing how it works makes a big difference between being a victim and actually making the right decision for my users. For Perth I changed my delivery of the content to point out the fact that users are actually better off as standard users in Windows Vista than they were in Windows XP, and that seemed to keep the temperature down.