Quick introduction to User Access Control for red team professionals
Learn about User Access Control (UAC) and how it works.
Imagine your office has different areas. Some areas, like the seating area, pantry, meeting rooms, you can go into anytime. But the server room? You need special permission for that. The IT admin holds the key, and only they can decide who gets to enter. User Access Control (UAC) is like that—it asks, “Are you sure you’re allowed in here?” before letting you access certain features on the computer.
User Access Control (UAC), introduced in Windows Vista, is a security mechanism in Windows designed to prevent unauthorized changes to the system. It enforces the principle of least privilege, ensuring that users operate with only the permissions they need, reducing the risk of malware infections, accidental system modifications, and privilege escalation attacks.
How does UAC enforce the principle of least privilege?
UAC works by separating standard user privileges from administrative privileges. When a user logs in, Windows assigns them a security token that defines their privileges. If the user is an administrator, they receive two tokens: a standard user token and a filtered admin token (without admin rights by default). All processes, including the desktop environment and Explorer.exe, run using the standard token unless explicitly elevated. This ensures that administrative privileges are only used when necessary, reducing the risk of unauthorized system modifications.
Further, every process in Windows is assigned an integrity level, which determines what system resources it can access. Standard processes run at Medium Integrity Level, while elevated processes run at High Integrity Level. This separation prevents lower-privileged processes from modifying higher-privileged ones, mitigating privilege escalation attacks. UAC enforces these integrity levels to prevent malware from silently gaining elevated access.
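The split-token behaviour described above can be observed directly from a PowerShell session. The following is an added example, not code from the original article: it lists the groups in the current token via whoami, picks out the integrity label SID (S-1-16-*) and checks whether BUILTIN\Administrators is present but marked "deny only", which is exactly what UAC token filtering does for an unelevated administrator. It assumes an English-language Windows install, because the attribute strings whoami prints are localized. Run it once from a normal console and once from one started with "Run as administrator" to see the two tokens side by side.

```powershell
# Added example (not from the original article): inspect the token the current
# PowerShell process runs under and explain what UAC has done to it.
function Get-TokenSummary {
    # whoami /groups lists every group SID in the token together with its attributes,
    # including the mandatory integrity label and any group flagged "deny only".
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # Integrity level is carried as a group SID S-1-16-<RID>.
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = switch ([int](($label.SID -split '-')[-1])) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "Unknown ($($label.SID))" }
    }

    # S-1-5-32-544 is BUILTIN\Administrators. In the filtered token it is still listed,
    # but with "Group used for deny only", so it can never grant access.
    $admins        = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminMember   = [bool]$admins
    $adminDenyOnly = $adminMember -and ($admins.Attributes -match 'deny only')

    # IsInRole answers against the live token, so it is $false for an unelevated admin.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $state = if ($adminMember -and $adminDenyOnly) {
        'Administrator running with the filtered (standard) token: UAC at work'
    } elseif ($elevated) {
        'Running with the full administrator token (elevated)'
    } else {
        'Standard user token'
    }

    [PSCustomObject]@{
        User               = $identity.Name
        IntegrityLevel     = $integrity
        AdminGroupInToken  = $adminMember
        AdminGroupDenyOnly = $adminDenyOnly
        Elevated           = $elevated
        Interpretation     = $state
    }
}

Get-TokenSummary | Format-List
```

From an unelevated console belonging to an administrator you should see Medium integrity, the Administrators group present but deny-only, and Elevated set to False; the elevated console shows High integrity and Elevated set to True.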
That’s all good…but what if I need elevated privileges?
When an application or action requires elevated privileges (such as modifying system files, installing software, or changing security settings), Windows generates a User Account Control (UAC) prompt. This prompt is managed by Consent.exe. The UAC prompt provides details about the requesting application, including its publisher and the action it wants to perform, helping users make an informed decision.
A prompt can be of multiple types depending on user privileges. Consent prompts appear for administrator accounts, asking them to allow or deny the request. Credential prompts appear for standard users, requiring them to enter an administrator's credentials. The prompt’s background color can also be different based on the application's trust level: blue/gray for Windows system apps, yellow for signed applications, and red for unverified or potentially risky apps.
What if I login remotely, will UAC still restrict my access?
When a user from the local Administrators group connects to a remote computer using commands like net use \\remotecomputer\Share$, they are not granted full administrative privileges. UAC prevents elevation, meaning the user cannot perform administrative tasks remotely. To gain full admin rights, they must log in interactively using Remote Assistance or Remote Desktop, if available. However, when a domain user who is a member of the Administrators group remotely logs into a system, they operate with a full administrator access token by default. In this case, UAC does not apply, allowing them to perform administrative tasks without restrictions.
This behavior is controlled by the LocalAccountTokenFilterPolicy registry value located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. It is a DWORD: a value of 0 (the default) enforces UAC remote restrictions, whereas setting it to 1 disables remote restrictions, allowing full administrative access over the network.
Is UAC a security boundary?
A security boundary is a well-defined separation between different security levels that prevents unauthorized access or privilege escalation across that boundary. In the context of UAC, Microsoft explicitly states that UAC is not a security boundary. This means that while UAC helps mitigate accidental or unauthorized privilege escalation by requiring user consent for administrative actions, it does not provide a strict separation between standard and administrative privileges.
Since UAC is not considered a security boundary, Microsoft does not classify UAC bypasses as security vulnerabilities.
Can I control how often UAC prompts me?
Users can set different notification levels for UAC, which control how and when UAC prompts appear:
Always notify – The highest security setting, where UAC prompts appear for all system changes and administrative tasks, even when initiated by Windows processes.
Notify only when apps try to make changes (default) – UAC prompts appear when third-party applications request elevation, but not when the user makes system changes.
Notify only when apps try to make changes (without dimming the screen) – Similar to the default setting, but without the secure desktop feature that dims the screen. This is less secure, as malicious programs could potentially spoof the prompt.
Never notify (UAC disabled) – Disables UAC completely, allowing all processes to run with administrative privileges without requiring user approval. This setting significantly increases security risks.
What’s the deal with UAC hijacking my desktop?
When a UAC prompt appears, the entire screen dims, and the prompt is displayed in a separate, privileged desktop session. This desktop session is known as Secure Desktop. Secure Desktop is a special, isolated desktop environment that runs at a higher integrity level than the standard user desktop. It runs with System Integrity Level, preventing standard or even elevated user processes from interacting with it. If the user does not interact with the prompt for a period of time, it automatically returns to the standard desktop, reducing the risk of unattended elevation requests.
I have a legacy application that is not UAC compliant. How does UAC deal with them?
Many older applications assume they have administrative privileges and attempt to write to restricted locations like C:\Program Files or HKEY_LOCAL_MACHINE. UAC includes a virtualization feature that redirects these write attempts to a per-user location, such as C:\Users\Username\AppData\Local\VirtualStore, ensuring compatibility without compromising security. This allows legacy applications to function correctly without requiring full administrative rights. One important thing to note is that this feature works only for 32-bit Windows applications.
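Virtualized writes leave a trace that is useful for both troubleshooting and review: redirected files accumulate under the user's VirtualStore folder, and redirected HKEY_LOCAL_MACHINE\SOFTWARE writes land under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE. The following added example, which is not code from the original article, walks both stores for the current user and maps each entry back to the location the legacy application thought it was writing to. It assumes the redirected file paths sit under the system drive, since VirtualStore does not record the drive letter.

```powershell
# Added example (not from the original article): enumerate writes that UAC file and
# registry virtualization has redirected for the current user.
function Get-VirtualizedWrites {
    $results = @()

    # File virtualization: %LOCALAPPDATA%\VirtualStore\<path below the protected root>
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (Test-Path $store) {
        foreach ($file in Get-ChildItem -Path $store -Recurse -File -ErrorAction SilentlyContinue) {
            $relative = $file.FullName.Substring($store.Length).TrimStart('\')
            $results += [PSCustomObject]@{
                Kind         = 'File'
                Redirected   = $file.FullName
                # Assumption: the original target was on the system drive.
                IntendedPath = Join-Path $env:SystemDrive $relative
                LastWrite    = $file.LastWriteTime
            }
        }
    }

    # Registry virtualization: HKLM\SOFTWARE writes are redirected below this key.
    $regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE'
    if (Test-Path $regStore) {
        foreach ($key in Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue) {
            $results += [PSCustomObject]@{
                Kind         = 'Registry'
                Redirected   = $key.Name
                IntendedPath = $key.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKEY_LOCAL_MACHINE\'
                LastWrite    = $null   # the registry provider does not expose a timestamp
            }
        }
    }

    return $results
}

Get-VirtualizedWrites | Sort-Object Kind, IntendedPath | Format-Table -AutoSize
```

An empty result means no legacy 32-bit application on the machine has relied on virtualization for this user; a populated one tells you which applications are still writing to protected locations and would break if virtualization were turned off.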
I don’t like UAC. How do I disable it?
UAC behavior can be customized using Group Policy (gpedit.msc) or directly via the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). The main registry value that controls UAC is EnableLUA, a DWORD value that determines whether UAC is enabled (1) or disabled (0). Other registry settings, such as ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, control the type of elevation prompt displayed and whether the secure desktop feature is enabled.
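The registry values named here, together with the LocalAccountTokenFilterPolicy value discussed in the remote-access section, fully describe a machine's UAC posture. The following added example, which is not code from the original article, reads all four from the Policies\System key, falls back to the Windows defaults when a value is absent, translates ConsentPromptBehaviorAdmin into the wording used by the corresponding Group Policy setting, and maps the combination back to the notification levels from the slider. The findings list flags the configurations that weaken UAC so an auditor can spot them at a glance.

```powershell
# Added example (not from the original article): report the effective UAC configuration
# from the registry values that control it.
function Get-UacConfiguration {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Missing values mean "Windows default".
    $enableLua   = if ($null -ne $p.EnableLUA)                     { $p.EnableLUA }                     else { 1 }
    $cpba        = if ($null -ne $p.ConsentPromptBehaviorAdmin)    { $p.ConsentPromptBehaviorAdmin }    else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop)         { $p.PromptOnSecureDesktop }         else { 1 }
    $tokenFilter = if ($null -ne $p.LocalAccountTokenFilterPolicy) { $p.LocalAccountTokenFilterPolicy } else { 0 }

    # Values of the policy "Behavior of the elevation prompt for administrators in Admin Approval Mode".
    $cpbaText = switch ($cpba) {
        0       { 'Elevate without prompting' }
        1       { 'Prompt for credentials on the secure desktop' }
        2       { 'Prompt for consent on the secure desktop' }
        3       { 'Prompt for credentials' }
        4       { 'Prompt for consent' }
        5       { 'Prompt for consent for non-Windows binaries' }
        default { "Unknown ($cpba)" }
    }

    # Map the registry combination back to the UAC notification slider.
    $slider = if ($enableLua -eq 0) {
        'UAC disabled (EnableLUA=0)'
    } elseif ($cpba -eq 2 -and $secureDesk -eq 1) {
        'Always notify'
    } elseif ($cpba -eq 5 -and $secureDesk -eq 1) {
        'Notify only when apps try to make changes (default)'
    } elseif ($cpba -eq 5 -and $secureDesk -eq 0) {
        'Notify only when apps try to make changes (without dimming the screen)'
    } elseif ($cpba -eq 0) {
        'Never notify (silent elevation)'
    } else {
        'Custom or policy-defined'
    }

    $findings = @()
    if ($enableLua -eq 0)   { $findings += 'UAC is disabled entirely.' }
    if ($cpba -eq 0)        { $findings += 'Administrators elevate silently; no prompt is shown.' }
    if ($secureDesk -eq 0)  { $findings += 'Prompts are not shown on the Secure Desktop and could be spoofed.' }
    if ($tokenFilter -eq 1) { $findings += 'Local administrator accounts receive a full token over the network.' }

    [PSCustomObject]@{
        EnableLUA                     = $enableLua
        ConsentPromptBehaviorAdmin    = "$cpba ($cpbaText)"
        PromptOnSecureDesktop         = $secureDesk
        LocalAccountTokenFilterPolicy = $tokenFilter
        NotificationLevel             = $slider
        Findings                      = if ($findings) { $findings -join ' ' } else { 'Defaults in place.' }
    }
}

Get-UacConfiguration | Format-List
```

Reading these values needs no elevation, so the check can run from a standard user session; changing them does, and on a domain-joined machine Group Policy will overwrite local edits at the next refresh.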
Red Team Notes
- UAC enforces least privilege by running all users, including administrators, with a standard access token unless elevation is explicitly requested.
- Elevation prompts and Secure Desktop protect administrative actions by requiring user consent and preventing malware from tampering with prompts.
- UAC settings and behavior can be controlled via registry keys.
- UAC is not a security boundary.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.