How will Windows Vista's User Account Control (UAC) work?

This is the second part of a three-part response to a comment Matt made regarding the least privilege model in Windows Vista.

Part 1 was "Let's review how privilege is used in Windows NT, XP, 2000 and 2003".

The access control mechanism described in Part 1 is equally applicable to Windows Vista. User Account Control is a feature of Windows Vista that changes the way privilege is used in the operating system.

In former versions of Windows users have the same level of privilege throughout their interactive session. In my experience the vast majority of home and business users log in with administrative credentials. Windows XP "Home Edition" happily requests "your name" during installation and helpfully creates an account for you. The resulting account has full administrative privileges.

Sadly the user is not made aware that this is the case nor are they encouraged to create an "I just want to surf the web and send a few emails" account. Malicious software loves users who have administrative credentials. So much mischief is possible without the user being even slightly aware of what's going on. I explain far more about this scenario and how to deal with it in this post.

Thankfully Windows Vista is different :-)

You can change the behaviour I'm about to describe, though I STRONGLY ENCOURAGE YOU TO GO WITH THE DEFAULT on this one. By default all users (except the built-in "Administrator" account) in Windows Vista run with least privilege. Regardless of what administrative groups you're in and what explicit privilege you've been granted, YOU OPERATE THE SYSTEM WITH LEAST PRIVILEGE.

When you log onto the system all non-"standard user" privileges are stripped from your access token. If you attempt an operation that requires privilege you'll receive one of two possible experiences.

If you have a privileged account then you'll receive an interface prompt as shown below. You'll be asked to give your permission to use your additional privilege - this is termed "elevating privilege".

The reason for interacting with the user in this way is to make them consciously aware that a privileged operation is being attempted. Accidentally triggering the installation of malicious software (such as a worm, virus, rootkit or spyware) should result in an elevation request (assuming your machine is free of malicious software to start with).

If you have a standard user account (i.e. no additional privileges) then you'll receive an interface prompt like the one shown below. In this case you'll have to enter the credentials of an administrative user OR persuade a person with such credentials to enter them on your behalf.
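To see the filtered token described above for yourself, here is a short PowerShell check I've added to this post (it is not from the original article and not a Microsoft sample). It assumes Windows Vista or later with UAC at its default setting, and relies on the `whoami` tool that ships with Windows.

```powershell
# Added example: inspect the access token of the current PowerShell session to
# see what UAC has done to it. Assumes Windows Vista or later with UAC enabled.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# True only if BUILTIN\Administrators is actually usable in *this* token,
# i.e. the process has been elevated through the UAC prompt.
$elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group in the token with its attributes. In a filtered
# administrator token the Administrators group (SID S-1-5-32-544) is still
# present but marked "Group used for deny only", so it grants nothing.
$groups     = whoami /groups /fo csv | ConvertFrom-Csv
$adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

# The privileges that survived logon. A standard-user token keeps only a
# handful (SeChangeNotifyPrivilege and a few others); an elevated token keeps
# the full administrative set (SeDebugPrivilege, SeBackupPrivilege, ...).
$privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

[pscustomobject]@{
    User                = $identity.Name
    TokenIsElevated     = $elevated
    AdministratorsGroup = if ($adminGroup) { $adminGroup.Attributes } else { 'not in token' }
    PrivilegeCount      = $privs.Count
    Privileges          = ($privs.'Privilege Name' -join ', ')
}
```

Run it once from an ordinary PowerShell window and once from one started with "Run as administrator" (which triggers the elevation prompt): the same account shows "Group used for deny only" and a short privilege list in the first, and an enabled Administrators group with the full privilege set in the second.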

If you're a home user (I'm surprised you've read this far!) then you can get away with a single account, unlike in Windows XP where I recommend using a standard user account for most activities and a privileged one for conscious machine configuration - click here to read more about setting this up for Windows XP.

Note: Former names for User Account Control include Least User Access (LUA), User Account Protection (UAP) and Federated(?) Account Control Technology (FACT). Many of the interesting white papers use the names LUA and UAP - their content is accurate; it's purely been wrestling over the name.

Further Note: The graphics and information described in this post relate to pre-release versions of Windows Vista - it's highly unlikely though possible that the described functionality could change in the final version.