Sorry for the lack of updates from me for the past few days as I was out of town for work. There are some issues waiting for me to take care of, but I figured I should post something today. Since Windows Vista, there is a security feature built into Windows called User Account Control (UAC) which is supposed to help prevent potentially harmful programs from making changes to your computer. One example is if you try to open the registry editor (regedit) with UAC enabled: a User Account Control window will open asking you “Do you want to allow the following program to make changes to this computer?”

However, if a program or even a virus automatically tries to secretly make changes to your registry, such as adding a new value to the HKLM autorun key, it will be blocked. It will only work if you disable UAC or right click on the program/virus and select Run as administrator. The same goes for copying files. If you manually copy a file to the root of your C: drive, Program Files or Windows, the action is temporarily denied with a “Destination Folder Access Denied” window saying “You’ll need to provide administrator permission to copy to this folder”. Only after clicking the Continue button is the file copied. So if a virus tries to hide by copying itself to another location such as Windows, the action is automatically blocked, keeping your computer safe.
Sad to say, I recently found out that UAC can be easily bypassed even on the latest Windows 7.
This is what most viruses do. When run, they almost always add an auto startup location so that they are activated automatically when Windows boots up. There are many auto startup locations, and one of the best tools to reveal them is Sysinternals Autoruns. Be VERY careful when using Autoruns, because disabling the wrong entry can leave Windows unbootable. Next, the virus copies itself to a deep location on the hard drive to avoid detection. Then it probably does other things such as downloading more viruses and installing them on your computer, and disabling access to msconfig, regedit, cmd, Task Manager, etc.
If you think that the UAC in Windows 7 is able to block all of this, then you are wrong. Somehow Microsoft has left a few holes in the UAC feature that allow a virus or other software to add itself to auto startup and drop files somewhere on the hard drive even with UAC enabled. This is probably for the convenience of third party software installations, but it can be abused.
The registry path below is one of the most common ways that software or malware adds itself to auto startup. Since it is under HKCU, the program only starts up for that specific user and not for all users. Writing to HKLM, however, is blocked when UAC is enabled.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The “Application Data” or %appdata% folder is mostly used by software to store its data for the logged on user. One example is Mozilla Firefox, whose profiles are stored in the Application Data folder.
C:\Users\Raymond\AppData\Roaming\ (Vista and 7)
C:\Documents and Settings\Raymond\Application Data\ (XP)
Here is a screenshot of a remote administration tool trojan that is able to copy itself to the Application Data folder and add a startup entry to the HKCU Run key.

User Account Control in Windows 7 does keep your computer safe to some extent, but not totally. I personally disable UAC because I prefer not to be bugged by the annoying warning windows every time I access the registry, install software, configure settings, etc. But not so experienced users should definitely keep UAC enabled.
Hint: You should periodically check the Giveaway page for any upcoming software license giveaways :)

The biggest single advantage sudo has over Windows UAC is authentication; each time sudo is invoked you must authenticate. UAC just requires a mouse click. Now how is that secure?
I hope it works
Thanks!
Even though I am now on Linux exclusively since long, when I used Windows, I used SuRun which I rate better than any of the so called feeble attempts by Windows to emulate sudo.
Very good and very useful. And I think that UAC has been improved since Vista, or so I was told, but not much of an improvement? Many thanks for sharing this with us Raymond.
I am using Norton Antivirus 2010 and Comodo Firewall. Should I have another protective program, and which?
@Jonathan I totally agree, I have a very fast laptop, but find the greying of the screen annoying every time I’m doing something, but it was designed to be like that. Also I have it on the second setting as well. I trust it because I run stuff that could be harmful in Sandboxie on VMWare Workstation. I don’t think having UAC disabled is a good idea and I think everyone should have it on, at least not making the screen grey.
@blue, I’ve been trying to say this all along to people but I don’t think they’re listening when we say we want something like sudo. You might want to look into some of the Windows Sudo programs. Just a possible idea, I’m personally looking at them right now.
Every time I use Linux, I wonder why I must bother with the kind of command line misery that Linux devotees seem to relish.
Every time I use Windows, I wonder why Ballmer & Crew cannot give us the simple UAC present in Linux.
Is it asking too much to have one operating system that offers the security of Linux and the ease of Windows? (and no, the answer is *not* the Mac, whose only saving grace is that no one uses the darned thing).
Nice, but I have to agree with Jonathan.
Anyway, since you can inspect your application data quite easily and you can block all autoruns and there are a lot of good tools out there... and you should NEVER disable UAC... again this is a threat only when or if you let it become a threat.
Thanks Raymond. Will Winpatrol help in detecting these user level auto start entries?
@Raymond: I have tried using malware creators before, and also on Win 7, like you showed. They work like a charm!
Though I am not able to understand what exactly is the vulnerability that these tools exploit?
Is it that they fool the digital signatures or some way to directly access the kernel calls?
I have used a C program to create a file in C:\ in vista, and it worked with UAC enabled …
Thanks for the information Raymond!
Thanks for this useful information. I will be more careful about startup programs to protect my notebook from viruses or spyware.
Thank you
Wow! Nice
Ray, I think you should join the MS team. I’m sure they’ll want this information
Raymond, you state that you have UAC disabled, however in Win 7 you can disable the warnings, but not the whole program. Now I agree that UAC can be annoying, but even according to MS, it was designed to be that way on purpose! I personally have it set to the second setting (do not gray the screen) and I consider myself to be a very experienced user.
Nice information, Raymond, it seems we have to be careful while installing some unknown files, thanks for providing us nice information...