What is UAC Virtualization? Benefits and Pitfalls

Roxana González May 16, 2022
- 6 min read

 

UAC stands for “User Account Control”. This is a field of software management that isolates the operating system’s core components from potentially damaging changes. It refers to the level of access that in Unix-like systems is called “root” and in Windows systems is known as Administrator privileges.

User Account Control was initially rolled out as part of Windows Vista to allow only admin accounts to give and take away these permissions. It is sort of a “protected mode”.

The most frequent encounter that users of Windows get with UAC occurs when they try to install a new piece of software. That popup message asking for authorization is the public face of UAC.

User Account Control lets user-installed software run in the user area of the drive and only software installed by the Administrator account gets access to system resources. 

Windows UAC rules are meant to protect installed program files and registry settings from being modified or damaged by users or programs that should not have access to them; and Keep each user's files, and settings separate from other users. 

By default, only users with Administrator privileges have access to machine major settings. Microsoft implemented these rules by carefully limiting default permissions on folders under the Program Files folder tree, the Program Data folder tree, the Windows folder tree, and the Users folder tree. In addition, permissions to registry keys are carefully limited so that standard users will not be allowed to modify any settings that can affect other users

The issue with UAC is that it had some problems with legacy software, meaning software that has been around for a long time, but it is kept because it is important to fulfill a business need. 

So what is UAC virtualization?

After UAC, some of these legacy programs were not capable of automatically writing to folders and directories, therefore, Microsoft had to find a way to resolve this issue. 

The solution for such a problem was UAC Virtualization, which is the process of fooling an app into thinking that it’s writing to a user path instead of a system one.

In other words, UAC virtualization provides the services that the software needs to run in a user account without breaking the strict system isolation of UAC.

Registry virtualization is the application of UAC virtualization to the system registry. The purpose of this feature is to block access to global registry entries while enabling software that requires such access to continue to function.

Windows 10 and Windows 11 include file and registry virtualization technology for apps that are not UAC-compliant and that require an administrator's access token to run correctly. 

As per the official Microsoft blog: “When an administrative app that is not UAC-compliant attempts to write to a protected folder, such as Program Files, UAC gives the app its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user that runs the non-compliant app.”

Benefits of UAC virtualization

The implementation of UAC virtualization was a necessary step in order to bridge the introduction of User Access Control. It should be noted that UAC virtualization was the solution to enable software applications to work on pre-Windows Vista operating systems. 

Security lies at the core of this solution, as UAC virtualization creates an abstraction layer to prevent unauthorized software and users from making changes to the core Windows components.

This layer writes to the user accounts instead of the core components and global registry variables, which reduces the impact of malware. Besides, it prevents the effects of other unauthorized changes.

It is also worth noting that when using UAC, Internet Explorer and other web browsers do not run with administrator privileges, which helps protect against browser and other application vulnerabilities

Potential pitfalls when using UAC Virtualization

UAC virtualization doesn’t apply to all software. There are some limitations to bear in mind: 

  1. 32-bit Only: User Account Virtualization is only available on 32-bit apps. Since all AMD64 compatible programs were written after the UAC system was introduced, none of these can be written in a manner that would manipulate system files the way programs before UAC Virtualization did. 
  2. Permissions: The user must have write access to the files within the original file path. Any attempt to write to any files with read-only permissions could lead to errors and the software will crash.
  3. Non-Admin: For UAC Virtualization to apply, the user can’t be running the app as administrator.  UAC Virtualization only works when running the app as a standard user account.
  4. Disabled By Default: To take advantage of UAC Virtualization, you have to enable it, as it isn’t turned on by default.  To enable it you should go to Control Panel, then scroll to find Configuration/ Policies/ Windows Settings/Security Settings, Local Policies and Security Options. 

 

Then scroll to the bottom of the Security Options Policy window. The last policy is called “User Account Control: Virtualize file and registry write failures to per-user locations”. Select the ‘Define this policy setting’ checkbox and change the button to “Enabled”

UAC virtualization is still needed for systems that run on operating systems introduced before Windows Vista. But as time goes by, and updates keep coming along, these systems become less used and therefore UAC virtualization becomes less needed and more irrelevant.

What are the side effects of disabling UAC virtualization?

When disabling UAC virtualization, the system becomes more vulnerable to malicious programs. Also, some applications may not work well with standard user accounts.

When an application attempts to write to a directory, but the user doesn’t have permissions to write in such a directory, it will change the path, in order to attend that service request, and this will cause problems. 

Frequently asked questions

What happens when UAC virtualization is enabled?

UAC Virtualization was created to allow legacy applications to continue to function in the new UAC environment, by having a way to automatically re-route file access requests from the old program path target to the user data path.

Is it possible to disable UAC virtualization?

Yes, it is possible to disable UAC but it is not recommended. If you disable the UAC Virtualization,  some applications may not work well for standard users. When an application attempts to write to that directory, but the user doesn’t have permissions to write to that directory, it will change the path

You could disable the UAC Virtualization in the Task Manager. If the UAC Virtualization is checked, you could click it to select change virtualization. 

Is it recommended to disable User Account Control on Windows Server?

Under certain constrained circumstances, disabling UAC on Windows Server can be an acceptable and recommended practice. These circumstances occur only when both the following conditions are true, as explained by Microsoft:

  1. Only administrators are allowed to sign in to the Windows server interactively at the console, or by using Remote Desktop Services.
  2. Administrators sign in to the Windows-based server only to do legitimate system administrative functions on the server.

Does UAC interfere with Process Monitor?

Microsoft's Process Monitor can be used for tracing newly created processes. Process Monitor requires Administrator rights, so starting it may result in the Windows UAC prompt asking whether to start this application or not.

What is registry virtualization?

Registry virtualization is the application of UAC virtualization to the system registry.

Does UAC virtualization affect the system’s performance?

No, UAC virtualization doesn’t impact the system’s performance because it doesn’t require additional resources. 

How can I run programs as administrator without UAC prompt?

You can run apps as administrator without getting the UAC prompt when logged in to an administrator account. The trick to bypass UAC is to create a scheduled task, with higher privileges, for each program you want to run, and then invoke the scheduled task item manually using schtasks.exe.

How can I change UAC settings? 

- Press Windows+R

- Type Control Panel. Then select OK.

- Select User Accounts. Then click User Accounts (Classic View).

- Select Change user account control settings. (Note: If you are prompted by UAC, select Yes to continue).

- Move the slider and set it  to Never Notify and select OK to turn UAC OFF

- Set to Always Notify and select OK to turn UAC ON.  If you are prompted by UAC, select Yes to continue.

- Finally, restart the computer

How can I disable UAC in Windows XP?

There is no UAC in Windows XP, since it is a feature that was introduced, years later, in Windows Vista. 

If you see a pop-up window that prevents you from making changes to the system settings and installing programs, for example, that's because you are not using an Administrator account. 

What is the Windows Registry?

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry.

Read other articles like this : IT General, uac virtualization

Evaluate InvGate as Your ITSM Solution

30-day free trial - No credit card needed

Get Started