Microsoft's efforts to make User Account Control (UAC) more user-friendly in Windows 7 have made the operating system less secure, according to Windows blogger Long Zheng.
Introduced in Windows Vista, UAC is designed to give users more control over security, but many people found the tool to be over-zealous in warning about apparently trivial 'threats'.
Microsoft has revamped the feature in Windows 7, revising the default setting in a bid to reduce the "unnecessary or duplicated prompts in Windows".
However, the changes to UAC have paved the way for "a simple but ingenious override" that disables UAC without any action on the part of the user, according to Zheng's I Started Something blog.
Zheng pointed out that UAC's default setting in Windows 7 is to 'Notify me only when programs try to make changes to my computer' and 'Don't notify me when I make changes to Windows settings'.
UAC distinguishes a third-party program from a Windows setting by means of a security certificate: control-panel items are signed with it, so they do not prompt when a user changes system settings, he wrote.
However, in Windows 7, changing UAC itself is treated as a "change to Windows settings", according to Zheng. Combined with the new default UAC level, this means a user will not be prompted when UAC's settings are changed, including when UAC is disabled outright.
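The following audit script is an added illustration for administrators, not code from Zheng's blog or from Microsoft. It reads the standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and reports whether a machine sits at the weakened Windows 7 default the article describes, or has had UAC switched off entirely; the posture labels are this script's own names.

```powershell
# Added audit script (not from the article): report the local UAC configuration and flag
# the two states discussed above: UAC disabled, or the Windows 7 default level that lets
# Windows-signed settings changes (including changes to UAC itself) proceed without a prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    $p = Get-ItemProperty -Path $uacKey
    # EnableLUA = 0 means UAC is switched off entirely (the end state of the proof-of-concept).
    $enabled = ($p.EnableLUA -ne 0)
    # ConsentPromptBehaviorAdmin: 2 = always prompt for consent on the secure desktop,
    # 5 = prompt only for non-Windows binaries (the Windows 7 default the article discusses),
    # 0 = elevate silently with no prompt at all.
    $behavior = [int]$p.ConsentPromptBehaviorAdmin
    $secureDesktop = ($p.PromptOnSecureDesktop -ne 0)

    # Posture labels are this script's own names, not Windows terminology.
    $posture = if (-not $enabled) { 'DISABLED' }
               elseif ($behavior -eq 0) { 'SILENT-ELEVATION' }
               elseif ($behavior -eq 5) { 'DEFAULT-NOTIFY-PROGRAMS-ONLY' }
               elseif ($behavior -eq 2 -and $secureDesktop) { 'ALWAYS-NOTIFY' }
               else { "OTHER($behavior)" }

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $behavior
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Posture                    = $posture
    }
}

$result = Get-UacPosture
$result | Format-List

switch ($result.Posture) {
    'DISABLED'         { Write-Warning 'UAC is off; processes can change the system without any prompt.' }
    'SILENT-ELEVATION' { Write-Warning 'Administrators elevate without being prompted.' }
    'DEFAULT-NOTIFY-PROGRAMS-ONLY' {
        Write-Warning 'Windows-signed settings changes, including to UAC itself, will not prompt.'
        Write-Host    'Mitigation: set the slider to "Always notify" (ConsentPromptBehaviorAdmin = 2, PromptOnSecureDesktop = 1).'
    }
    default            { Write-Host "UAC posture: $($result.Posture)" }
}
```

Run it in an elevated PowerShell session; the registry key is readable by standard users, but changing the values to remediate requires administrator rights.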
With a few keyboard shortcuts and some code, Zheng said he can disable UAC remotely without the end-user knowing.
"With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (would be just as easy in C++ EXE) to do that - emulate a few keyboard inputs - without prompting UAC," he wrote. "You can download and try it out for yourself here, but bear in mind it actually does disable UAC."
Zheng also posted what he said is a workaround for the problem on his blog.
Microsoft said on Friday through its public relations firm that it was looking into the problem and did not have an immediate comment.