What is the Windows User Account Control (UAC)

The User Account Control (UAC) is a security component that enables users to perform common tasks as non-administrators (called standard users in Windows Vista), and as administrators without having to switch users, log off, or use Run As. User accounts that are members of the local Administrators group run most applications as a standard user. By separating user and administrator functions, UAC helps users move toward using standard user rights by default.

When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user’s group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users’ computers without notifying the users. (This is sometimes referred to as a "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator’s access control data to infect core operating system files, and in some instances, become nearly impossible to remove.

The primary difference between a standard user and an administrator is the level of access that the user has over core, protected areas of the computer. Administrators can change the system state, turn off the firewall, configure security policies, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks, and they can only install per-user software.

Impact during installation or other tasks

Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows 7 or Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.

After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task. When a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

This matters because registering components (product installations, QC/ALM component downloads), like other such tasks, is not a per-user install; it is an install for everyone, and all user profiles access a common mode.

To install HP products (for example QuickTest Professional, Service Test, Quality Center, etc.) or to use this installation method, the user must have administrator rights and must disable UAC.

To temporarily turn off the UAC option, do the following:

  • For Microsoft Windows Vista and Windows Server 2008:

1. Log in as an administrator.

2. From Control Panel, select User Accounts > Change Security Settings, and clear the Use User Account Control (UAC) to help protect your computer check box.

3. Restart the machine so that the changes take effect.

  • For Microsoft Windows 7 and Windows Server 2008 R2:

1. Log in as an administrator.

2. From the Control Panel, select User Accounts > User Accounts > Change User Account Settings.

3. In the User Account Control Settings window, move the slider to Never notify.

4. Restart the machine so that the changes take effect.
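Because the steps above turn UAC off only temporarily, it is worth checking the machine's state before and after the installation. The following PowerShell is an added example, not part of the original post or of any HP tooling: it reads the standard UAC policy values from the registry, reports whether the current process holds the full administrator token, and can put the prompt back. The function names are hypothetical, and the default prompt value of 5 assumes Windows 7 (Windows Vista's default is 2).

```powershell
# Added example: audit UAC before and after an installation window.
# Compatible with PowerShell 2.0 (Windows 7 / Server 2008 R2).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Read the policy values that the Control Panel settings write.
    $p  = Get-ItemProperty -Path $PolicyKey
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    New-Object PSObject -Property @{
        # 0 = UAC off: administrators get the full token at logon
        EnableLUA                  = $p.EnableLUA
        # 0 = elevate without prompting
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        # 1 = show the prompt on the secure desktop
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # False when this process runs with the standard user (filtered) token
        ProcessElevated            = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Test-UacEnabled {
    # True only if UAC is on and administrators are still prompted.
    param($State = (Get-UacState))
    ($State.EnableLUA -eq 1) -and ($State.ConsentPromptBehaviorAdmin -ne 0)
}

function Restore-Uac {
    # Must run elevated. A restart is needed for EnableLUA to take effect.
    param([int]$ConsentPrompt = 5)   # assumption: 5 = Windows 7 default, 2 = Vista default
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value $ConsentPrompt
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 1
}

$state = Get-UacState
$state | Format-List
if (-not (Test-UacEnabled $state)) {
    Write-Warning 'UAC is off or set to never notify. Run Restore-Uac after the installation and restart.'
}
```

Running the check again after the restart confirms that the machine did not stay in the "Never notify" state once the installation finished.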

More information on the User Account Control (UAC) can be found in the following Microsoft document:

http://technet.microsoft.com/en-us/library/cc709691%28WS.10%29.aspx#BKMK_WhatIs

Tasks impacted when UAC is on

Most Common

  • Product Installation / Uninstallation
  • Repair or Modify (install/uninstall add-in)
  • Install Patches / Hot-Fixes
  • Every time QC / ALM components must be downloaded.

Others

For client products such as QTP, ST or UFT, other tasks may be affected; it is best for the end user to check the minimum permission requirements.

Internet Explorer, Protected Mode and UAC

When you use Internet Explorer to connect and start downloading the client components for Quality Center (QC) / Application Lifecycle Management (ALM), the configurations and limitations of Internet Explorer apply, and these are different from those of other applications.

Because the QC / ALM client installation is not run directly as an isolated application, UAC is not directly involved. Instead of UAC, the Protected Mode feature of Internet Explorer is what restricts write access to securable objects such as processes, files, and registry keys with higher integrity levels.

When you run the installation from Internet Explorer, you are required to disable Protected Mode or add the URL to the Trusted Sites.

If further information is required on the Protected Mode for Internet Explorer you can check the following link pointing to a Microsoft KB article:

http://msdn.microsoft.com/en-us/library/bb756991.aspx
