The Windows 7 UAC “Vulnerability”

It is always interesting how some things spin off. The claimed UAC vulnerability in Windows 7 is one of those events. There are numerous blogs which claim that they found a huge vulnerability in Windows 7. The reason for that is that you can change the settings for UAC without getting a UAC prompt.

Let’s have a look at it: A lot of people complained about UAC in Windows Vista – I guess you remember. I heard all these statements: “I do not want to get a UAC elevation prompt just because I change my Windows settings”. We heard you loud and clear. So, we decided to do what you asked us to do: not show you an elevation prompt when you change settings in Windows. So the default configuration in Windows 7 looks as shown below:

[Screenshot: UAC settings dialog at the Windows 7 default level, “Notify me only when programs try to make changes to my computer”]

And guess what: We do not notify you when you make changes to Windows settings – UAC being one of those!

However, if you want to go further and put the slider up one level to “Always notify”, the same screen looks slightly different:

[Screenshot: UAC settings dialog with the slider at “Always notify”]

And again, guess what: We notify you when you make changes to the Windows settings – UAC being one of those.

So, basically to give you my view:

  • We did what you asked us to do: Reduce the number of UAC prompts, especially when you change your Windows settings
  • We do what the prompt tells you we are doing
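For an administrator who wants to verify which of the two behaviours described above a machine is actually in, the following PowerShell script reads the policy values behind the UAC slider and reports the level. This is an added example, not code from the original post or from Microsoft; the registry value names and the mapping of value combinations to slider positions are this example’s assumptions about Windows 7 and are not stated in the post.

```powershell
# Added example (not from the original post): report the effective UAC slider
# level by reading the policy values that the Control Panel slider writes.
# The value names and the level mapping below are this example's assumption
# about Windows 7 behaviour; the post itself only describes the slider.
function Get-UacSliderLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # A value that is absent from the key is reported as -1 rather than
    # silently treated as 0, so a missing value cannot look like "UAC off".
    function Read-Dword([string]$name) {
        if ($null -eq $p.$name) { return -1 } else { return [int]$p.$name }
    }
    $enableLua = Read-Dword 'EnableLUA'
    $consent   = Read-Dword 'ConsentPromptBehaviorAdmin'
    $secure    = Read-Dword 'PromptOnSecureDesktop'

    if ($enableLua -eq 0) {
        $level = 'Never notify (UAC disabled)'
    } elseif ($consent -eq 2 -and $secure -eq 1) {
        $level = 'Always notify'
    } elseif ($consent -eq 5 -and $secure -eq 1) {
        $level = 'Default: notify only when programs try to make changes'
    } elseif ($consent -eq 5 -and $secure -eq 0) {
        $level = 'Notify only when programs try to make changes (no secure desktop)'
    } else {
        $level = "Not a slider position (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
        # The point of the post: below "Always notify", changes to Windows
        # settings, including this slider itself, do not raise a prompt.
        PromptsOnSettingsChange    = ($level -eq 'Always notify')
    }
}

Get-UacSliderLevel | Format-List
```

Reading this key needs no elevation, so the script can run as part of a routine configuration audit; if `PromptsOnSettingsChange` is `False`, the machine is at the default level the post describes, and a change to the slider will not be prompted for.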

In my opinion, this is not a vulnerability. We can debate when we should generally show a UAC prompt, but that is a completely different debate than claiming that this is a vulnerability. And if you come to me now and say that we should show more UAC prompts, please carefully reconsider your statement before you comment and think about all the Windows Vista discussions.

BTW: I am a big fan and supporter of UAC and think that the team did an outstanding job – already in Windows Vista.

Roger