User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft’s Windows Vista operating system. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase in privilege level. In this way, only applications that the user trusts receive higher privileges, and malware should be kept from receiving the privileges necessary to compromise the operating system. By default, the user in Vista is still an administrator but runs in a low-privileged environment, and rights are elevated only when necessary.

UAC in XP

To me, UAC is just a pain-in-the-neck security feature. Even if I am an admin, the UAC nag screen keeps popping up on every change I make to the system. So the first thing that I do after installing Vista is to disable User Account Control for my account. To my surprise, I received a comment from Vibhanshu asking if there is another UAC tool for Windows XP because SmartUAC is crashing his computer. I think that SmartUAC is a badly coded, unstable piece of software, not rogueware…

If, like Vibhanshu, you’re looking for another UAC tool for Windows XP, you can try suDown.


An old Unix rule is that you don’t use an administrator-level (root) account for your everyday work. Unix-based operating systems have two utilities to handle these kinds of situations: “su” (abbreviation for substitute user) and “sudo” (short for superuser do). You can use “su” to quickly change your active user to another one and execute commands in the other user’s context. The runas command of Windows is quite similar to “su”. The other Unix command, “sudo”, is a bit different in that it allows a permitted user to execute a command with superuser privileges but in his own context.

The suDown tool makes it easier to use low-privileged accounts in Windows XP, which is an effective security layer against harmful viruses, worms, trojans and spyware. If a malicious program manages to get past your security programs or break in through an unpatched security hole in your web browser, email client or operating system, it still finds itself in an unfriendly low-privileged environment where the possibilities of replicating and doing harm are quite limited.

The latest suDown v2.21 requires .NET Framework version 3.5 SP1 to be installed, or the context menu will not appear. Once suDown is installed, you must choose the trusted users to add to the sudoers group. You can do that by right-clicking My Computer and selecting Manage. Expand Computer Management (local) > System Tools > Local Users and Groups > Groups. Double-click the “sudoers” group, click the Add button and type in the user name. If you are not sure of the user name, go to Users, where all the user accounts are listed.

There are two ways to run a program with administrator privileges: from the right-click context menu, or from the command line in cmd. The user account’s password will be required.

Once the correct password is entered, the suDown client calls the suDown service, which temporarily escalates the user’s group permissions to the Administrators group, but only for the specific program being run. Thus, while a user may normally only need basic User group permissions, he can easily use suDown when he needs administrative rights for tasks such as installing a new program, changing system settings, or removing old software. Do take note that you must restart your computer after adding your own user account to the sudoers group for the change to take effect. To remove an account from the sudoers group, you’ll need to go to Control Panel > Administrative Tools, right-click Computer Management, select “#sudo Computer Management.lnk” and enter your user account password.
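To check the result of the group setup described above, the following added example (not part of suDown or the original post) lists the members of the “sudoers” group and flags any that are also in Administrators, since such an account already runs everything with full rights. It assumes English group names, PowerShell 2.0 or later, and that the everyday account is meant to be a limited user; the function name is hypothetical.

```powershell
# Added example: audit local group membership for the suDown setup.
# Assumptions: the group is called "sudoers" (as in the article), the
# built-in admin group has its English name, PowerShell 2.0 or later.
# Limitation: members that are themselves groups are not expanded.

function Get-LocalGroupMemberNames {
    param([Parameter(Mandatory = $true)][string]$Group)

    try {
        $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        # Members() returns COM objects; read each one's Name via reflection.
        @(
            @($adsiGroup.psbase.Invoke('Members')) | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            }
        )
    }
    catch {
        # A missing group (for example, suDown not installed) ends up here.
        Write-Warning "Could not read local group '$Group': $($_.Exception.Message)"
    }
}

$admins  = @(Get-LocalGroupMemberNames -Group 'Administrators')
$sudoers = @(Get-LocalGroupMemberNames -Group 'sudoers')

foreach ($user in $sudoers) {
    if ($admins -contains $user) {
        # Already a full administrator: there is nothing left to elevate.
        Write-Output "REVIEW  $user is in both sudoers and Administrators"
    }
    else {
        Write-Output "OK      $user is in sudoers only (elevated per program)"
    }
}

if ($admins -contains $env:USERNAME) {
    Write-Output "REVIEW  current account '$env:USERNAME' is an Administrator"
}
```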

The difference between suDown and “Run As…” is that suDown launches programs under your account profile – not an Admin account. This means that the launched programs see your Documents & Settings folders, Desktop, Start menu, etc. suDown also caches the password so you don’t have to keep entering it as you would with Run As… The password for the Administrator account can stay secret, as the user needs only his own password to use suDown.

Here is a short video demo demonstrating the advantages of using a low-privileged user environment by intentionally infecting two freshly installed Windows XP SP2 environments with a well-known malware program. I’ve also tried infecting my own computer with the Bha.dll.vbs worm, and my system (with suDown installed) was protected from the damage. However, the worm managed to add “Hacked by Pokemon” to my Internet Explorer’s title bar, which is not a big deal since there’s no real damage and it can be easily removed from the registry.

Symantec is in the midst of developing the Norton User Account Control tool, but it is not a UAC for XP as it can only be installed on Vista.

[ Download suDown v2.21 ]
