
Insecure UAC exposes Windows 7 users

Simple script disables Microsoft security

Microsoft's efforts to make User Account Control (UAC) more user friendly in Windows 7 have made the operating system less secure, according to Windows blogger Long Zheng.

Introduced in Windows Vista, UAC is designed to give users more control over security, but many people found the tool to be over-zealous in warning about apparently trivial 'threats'.

Microsoft has revamped the feature in Windows 7, revising the default setting in a bid to reduce the "unnecessary or duplicated prompts in Windows".

However, the changes to UAC have paved the way for "a simple but ingenious override" that disables UAC without any action on the part of the user, according to Zheng's I Started Something blog.


Zheng pointed out that UAC's default setting in Windows 7 is to 'Notify me only when programs try to make changes to my computer' and 'Don't notify me when I make changes to Windows settings'.

UAC uses a security certificate to distinguish between a third-party program and a Windows setting, and control-panel items are signed with this certificate so they don't issue prompts if a user changes system settings, he wrote.


However, in Windows 7, changing UAC is considered a "change to Windows settings", according to Zheng. This, coupled with the new default UAC security level, means a user will not be prompted when changes are made to UAC, including when it is disabled.

With a few keyboard shortcuts and some code, Zheng said he can disable UAC remotely without the end-user knowing.

"With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (would be just as easy in C++ EXE) to do that - emulate a few keyboard inputs - without prompting UAC," he wrote. "You can download and try it out for yourself here, but bear in mind it actually does disable UAC."

Zheng also posted what he said is a workaround for the problem on his blog.

Microsoft said on Friday through its public relations firm that it was looking into the problem and did not have an immediate comment.
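For administrators who want to know which UAC level a machine is actually running, the following PowerShell audit is an added example, not code from the article or from Zheng's blog. The function names are hypothetical; the registry key and value names are the standard Windows UAC policy settings, and the mapping of values to slider levels is the standard Windows one rather than something the article states.

```powershell
# Added example: report the effective UAC level from the policy registry values.
# Function names are hypothetical; key and value names are the standard ones.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevelName {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )
    # EnableLUA = 0 means UAC is switched off entirely.
    if ($EnableLUA -eq 0) { return 'Disabled' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'NeverNotify' }
        2 { return 'AlwaysNotify' }
        5 {
            # 5 = prompt only for non-Windows binaries, the Windows 7 default
            # level described in the article.
            if ($PromptOnSecureDesktop -eq 1) { return 'Default' }
            return 'DefaultNoSecureDesktop'
        }
        default { return 'Custom' }   # other values are set through Group Policy
    }
}

function Get-UacAudit {
    param([string]$Path = $UacKey)
    # A value missing from the key is read as 0 by the [int] parameters.
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $level = Get-UacLevelName -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
    # New-Object keeps this compatible with PowerShell 2.0 on Windows 7.
    New-Object PSObject -Property @{
        Computer                    = $env:COMPUTERNAME
        Level                       = $level
        AutoElevatesWindowsSettings = ($level -like 'Default*')
        NeedsReview                 = ($level -eq 'Disabled' -or $level -eq 'NeverNotify')
    }
}

# Constructed sample values (not read from a real machine):
Get-UacLevelName -EnableLUA 1 -ConsentPromptBehaviorAdmin 5 -PromptOnSecureDesktop 1
Get-UacLevelName -EnableLUA 0 -ConsentPromptBehaviorAdmin 0 -PromptOnSecureDesktop 0

# On a live system:
Get-UacAudit
```

A machine that reports `Default` is at the level the article describes, where signed Windows components change settings without a prompt; `Disabled` or `NeverNotify` on a machine that was previously at another level is the change worth investigating.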

