Microsoft introduced Windows User Account Control (UAC) with the release of Windows Vista in 2006, and it was one of the features that stuck around after Vista’s demise. UAC is a built in security feature that prevents programs from running without permission. In many cases, malware could be installed on a computer without user intervention. Malware could be installed by opening an infected email, visiting an infected web site, or even sharing infected removable storage media (floppy disks and USB flash devices, for example).
UAC theoretically provided some protection against malware infections by preventing software from running without administrator permissions. If a program tried to install on a computer, UAC would pause the installation and request administrator approval. In some cases, the administrator username and password may need to be used if a non-administrator user is logged in at the time. UAC serves another purposes of limiting users from installing unauthorized software – some of which could be infected with malware. Admittedly, UAC can be an intrusive pain in the neck, but it does provide some protection and should be left turned on to one degree or another.
The UAC interface can be accessed on the Control Panel as follows:
- Win7: click Start > Control Panel > User Accounts > Change User Account Control settings.
- Win8: click Start > down arrow > Control Panel > User Accounts > Change User Account Control settings.
- Win10: Click the Cortana search box and type “Control Panel”. When Control Panel opens, click User Accounts > Change User Account Control settings.
I’m using my Win7 VM for these screen captures, but the interface and pop-ups are similar in Win7, Win8, and Win10.
There are four UAC levels, as shown in the following screen captures, shown from strictest to most lenient. The second capture shows the default level. You can change between the levels by moving the vertical slider and then clicking the “OK” button. Changes to the UAC level will likely require a reboot to implement the level of security.
“Always notify me” displays a pop-up warning any time a user tries to make changes to Windows settings (like changing UAC) or install software. The screen will be locked with the security desktop (dimmed screen) until the user acknowledges the pop-up by either allowing or blocking the installation. This is the safest / strictest, but also the most intrusive level
“Notify me only when programs try to make changes to my computer” is a little less intrusive. It doesn’t display the security pop-up when you try to make changes to Windows settings, but still shows it when software installation is initiated. The screen will be locked with the security desktop (dimmed screen) until the user acknowledges the pop-up. I recommend staying with the default level in most cases.
“Notify me only when programs try to make changes to my computer (do not dim my desktop)”is similar to the previous level and shows it when software installation is initiated; however, the security desktop (dimmed screen) is not used. I normally use this level because I want the protection of UAC without the intrusiveness of the security screen.
“Never notify me” is the most lenient and most unsafe level to use. It disables UAC and leaves the computer vulnerable. Malware may be able to install itself without any form of user or administrator intervention.
The next few screen captures show the UAC pop-up and security screen at the different levels.
This is a screen capture of the security pop-up with the grayed out / dimmed security desktop:
This is a screen capture of the security pop-up without the grayed out / dimmed security desktop:
This is a screen capture with UAC turned off. As you can see, there's not alert pop-up; the program installation simply begins.
In all three cases, I was attempting to install an update for CCleaner without specifically using administrator permissions.
The basic security pop-ups are similar in Win7, Win8, and Win10; however, MS added two new pop-ups for Win10. Win10 now has a pop-up advising that UAC blocked an unsafe program. This pop-up does not allow users to approve or disapprove the installation; it just blocks the installation altogether. The second pop-up prompts for confirmation to install a program from an unknown publisher. Legitimate software installations – in most cases – won’t prompt this alert, but it happens from time to time if Windows doesn’t recognize the developer or security signature. This alert will prompt the user whether or not they want to allow the installation to continue. The three levels are shown in the following image (borrowed from Wikipedia). From top to bottom: blocked app, app with unknown publisher, app with a known/trusted publisher:
That’s Windows User Account Control in a nutshell. UAC is intended to provide an additional layer of protection against malware and it does that fairly well. Turning it off isn’t recommended, even though it can sometimes seem overly intrusive. Dealing with UAC, though is MUCH easier than dealing with a malware infection – take it from someone who spent close to a week removing hundreds of malware infections from a single workstation (at work, not my own). You can read more online starting with the sources I listed below.
As always, I'm open to questions and constructive comments. Your feedback is welcome.
Sources:
In last week’s article, I addressed upgrading from Win7 to Win8/8.1 even though it’s not very likely that people will want to do that at this point. This week’s article covers the more likely upgrade from Win7 or Win8/8.1 to Win10.
Microsoft required that users have Win7 SP1 or Win8.1 installed for the free upgrade to Win10. The Service Pack 1 upgrade and the Win8.1 upgrade were both available via Windows Update. The upgrade to Win10 was also delivered via Windows Update over the Internet. The free upgrade offer completely expired the fall of 2017. You can still upgrade directly to Win10 From Win7 and Win8/8.1, but you have to acquire the installation medium and purchase a license. You can purchase Win10 directly from MS online. See these articles from Microsoft for more information:
Upgrading to Win10 is a fairly simple process, but – like all OS upgrades – it’s somewhat time-consuming. Prior to performing an in-place upgrade, I like to make sure that all my personal data is backed up to an external HDD and that all the latest updates are installed on the computer.
I’m installing the upgrade on my Win8.1 VM, but the process is almost identical for Win7. Since I’m working on a VM, I also want to take a snapshot in case the upgrade tanks. Most users won’t have to worry about this since they’ll likely be upgrading a physical computer rather than a VM.
Once the backups and updates are complete, it’s time to start the upgrade. Start by inserting the installation media into the USB port or optical drive. You may have to open File Manager / Windows Explorer and double-click on the installation medium to launch the installer.
Is many cases, MS has stopped selling installation DVDs and primarily provides installation packages as Internet downloads. If someone has access to directly download the ISO, they can unpack it and create their own installation medium on a DVD or USB flash drive as I addressed in a previous article (see list below for more details).
Microsoft’s preferred method to upgrade to Win10 is to use their upgrade tool found on this page: Download Windows 10. This is the method I’ll use. It allows you to create an installation medium, or save the installation package as an ISO.
Downloading the ISO or creating an installation media is free, but you have to purchase a license. You’ll have about 30 days to run your PC on Win10 before you’re forced to enter a license. In the meantime, you might not be able to install Windows Updates.
Creating Bootable Media for the Win10 Upgrade
Click on the “Download tool now” button and you should see pop-up asking if you want to run or save the file. I chose “Save”.
After the tool download completes, you’ll be asked if you want to run it. Click “Run”.
You’ll may be presented with a User Account Control (UAC) pop-up asking you to verify that you want to allow the program to run. Click “Yes” and the download process will begin. You should be able to safely close your web browser at this point without it terminating the connection.
The next step is to read and accept the license terms. Click “Accept” to continue the upgrade setup.
After a few minutes, you should see a screen that asks if you wish to upgrade the PC you’re on, or if you want to create an installation media to upgrade another computer. At this point, I’m going to choose the option to create an installation media. I’ll come back to the upgrade process later.
If your other PC meets the same architecture standards as the one you’re on, you can keep the default settings. If you uncheck the box below the menu, you can opt to download the 32-bit version of Win10, the 64-bit version, or both. I’m going to select “Both” and click “Next”.
The next screen asks if you want to save it as an ISO, or create a bootable USB flash drive. If you opt to create an ISO, the tool will download and save a single archive file that contains the entire Win10 installation package (similar to a Zip file). You can follow the steps in my previous article “Create a Bootable Media to Install or Re-Install Your Operating System”, 29 Apr 18 to create a bootable flash drive later. If you opt to create the USB flash drive, this tool will take care of that for you. I’m going to choose the USB flash drive option and click “Next”.
The next screen presents you with a list of attached USB drives that you can use to create your installation media. As you can see, I have a 64GB flash drive attached. I clicked on that and then clicked “Next”. After the download, the tool will verify the integrity of the download, and then will create the installation media. This process will take a while, so now would be a good time to get a cup of coffee and watch an episode (or three) of "Friends" on Netflix. Once the process completes, click the “Finish” button. The tool will cleanup residual temporary files and close.
Using the MS download tool has failed almost every time I’ve tried to create an installation flash drive. It took me several tries to do it today and I ended up creating it directly from my laptop rather than from within the Win8.1 VM. You may want to use the tool to download the ISO and then use my other method (using Rufus) to create the installation media.
Once I was ready to launch the installation setup, I re-mounted the USB device, opened Windows Explorer / File Manager, double-clicked on the E: drive, and then launched setup.exe. I right-clicked on it and selected “Run as administrator”. I confirmed my choice when UAC popped up.
When Setup launches, I leave the default option to download and install the updates during the upgrade. I do not check the box to help make the installation of Windows better. Setup will check for updates, “get a few things ready”, and then you’ll be prompted to accept the License Agreement.
Setup will check for updates again and download those that are applicable.
After a few more checks, Setup will be ready to start the installation process. You may run into some driver compatibility issues. This one is minor, so I accepted it and Setup gave the green light.
Once you click the “Install” button, the upgrade process should be almost identical to the clean install process in article “Installing and Configuring Windows 10”, 20 May 18.
Using the Download Tool to Perform the Upgrade
As I mentioned earlier, the Download Tool offers the options of downloading the installation package to create an installation media, or to directly upgrade the current computer. Once you get to the option to choose to upgrade the current computer or create the installation media, leave the default option checked and click “Next”. Setup will begin downloading the installation package. You may as well watch another episode of “Friends” at this point because the download may take a while.
There are several points during this process where the steps vary from the installation media method, but everything turns out the same in the end.
Setup will verify the integrity of the download and create a local temporary copy of the installation media.
Once the download completes, Setup runs a brief cleanup, and then the installation process begins.
Setup will check for updates and restart.
The next step is to accept the License Agreement.
Setup will check for updates again.
After you click “Install”, Setup should ask you what you want to keep of your current files and settings. Make your selection and click “Next”.
After a few more checks, Setup will be ready to start the installation process. You may run into some driver compatibility issues. This one is minor, so I accepted it and Setup gave the green light.
Once you click the “Install” button, should be almost identical to the clean install process in article “Installing and Configuring Windows 10”, 20 May 18.
Next week's article will probably be fairly short. It'll be covering User Account Control (UAC).
As always, I'm open to questions and constructive comments. Your feedback is welcome.
Sources:
