Sorry for the lack of updates from me for the past few days as I was out of town for work. There are some issues waiting for me to take care of but I figured I should post something today. Since Windows Vista, Windows has included a security feature called User Account Control (UAC) which is meant to prevent potentially harmful programs from making changes to your computer. For example, if you try to open Registry Editor (regedit) with UAC enabled, a User Account Control window opens asking “Do you want to allow the following program to make changes to this computer?”
However, if a program, or even a virus, silently tries to make changes to your registry, such as adding a new value to the HKLM autorun key, it will be automatically blocked. It will only succeed if you disable UAC or right click the program/virus and select Run as administrator. The same goes for copying files. If you manually copy a file to the root of your C: drive, Program Files or Windows, the action is temporarily denied with a “Destination Folder Access Denied” window saying “You’ll need to provide administrator permission to copy to this folder”. Only after clicking the Continue button is the file copied. So if a virus tries to hide by copying itself to another location such as Windows, the action is automatically blocked, keeping your computer safe.
Sad to say, I recently found out that UAC can be easily bypassed even on the latest Windows 7.
This is what most viruses do. When run, they almost always add an autostart entry so they are activated automatically when Windows boots. There are many autostart locations and one of the best tools to reveal them is Sysinternals Autoruns. Be VERY careful when using Autoruns because disabling the wrong entry can make Windows unbootable. Next the virus copies itself to a deep location on the hard drive to avoid detection. Then it probably does other things such as downloading more viruses and installing them on your computer, and disabling access to msconfig, regedit, cmd, Task Manager, etc.
If you think that UAC in Windows 7 is able to block all of this, you are wrong. Microsoft has left a few holes in the UAC feature that allow a virus or other software to add itself to autostart and drop files somewhere on the hard drive even with UAC enabled. This is probably for the convenience of third-party software installations, but it can be abused.
The registry path below is one of the most common ways that software or malware adds itself to autostart. Since it is under HKCU, the program only starts for that specific user and not for all users. The HKLM equivalent, however, is blocked when UAC is enabled.
The “Application Data” or %appdata% folder is mostly used by software to store data for the logged-on user. One such example is Mozilla Firefox, whose profiles are stored in the Application Data folder.
C:\Users\Raymond\AppData\Roaming\ (Vista and 7)
C:\Documents and Settings\Raymond\Application Data\ (XP)
Here is a screenshot of a remote administration tool trojan that copies itself to the Application Data folder and adds a startup entry to the HKCU Run key.
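The pattern described above (an entry under the per-user HKCU Run key whose executable lives in Application Data or another user-writable folder) is exactly what a defender should look for when reviewing a machine. The script below is an added example written for this post, not code from the post or from Sysinternals Autoruns: it parses the text that `reg export` produces for the HKCU Run key and flags entries whose payload resolves into the user profile, C:\Users\Public or C:\ProgramData. The registry key name is the real, well-known one; the user name Raymond, the environment variable values and the four sample entries are constructed for illustration.

```python
"""Audit HKCU Run autostart entries for payloads in user-writable folders."""
import ntpath
import re

# Real per-user autostart key (no UAC prompt is needed to write here).
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed environment for an assumed user named Raymond.
ENV = {
    "APPDATA": r"C:\Users\Raymond\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\Raymond\AppData\Local",
    "USERPROFILE": r"C:\Users\Raymond",
    "TEMP": r"C:\Users\Raymond\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
}

# Folders a standard user can write to without elevation.
USER_WRITABLE = (
    ENV["USERPROFILE"] + "\\",   # covers AppData\Roaming, AppData\Local, Temp
    "C:\\Users\\Public\\",
    "C:\\ProgramData\\",
)

# Host binaries whose real payload is the first argument, not the binary.
HOST_BINARIES = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}

# Constructed sample in the format produced by: reg export HKCU\...\Run out.reg
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"%APPDATA%\\svchost.exe\" -silent"
"Helper"="C:\\Users\\Raymond\\AppData\\Roaming\\helper\\run.exe --start"
"Loader"="rundll32.exe C:\\Users\\Raymond\\AppData\\Local\\Temp\\mod.dll,Start"
'''

# "name"="value" lines; both parts may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (processed left to right)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def expand_env(path, env=ENV):
    """Expand %VAR% references using the supplied (here constructed) environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def _next_token(cmd):
    """Split off the first command-line token, honouring double quotes."""
    cmd = cmd.lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:])
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def payload_path(command, env=ENV):
    """Return the file that actually runs, looking through rundll32/regsvr32."""
    exe, rest = _next_token(command)
    if ntpath.basename(exe).lower() in HOST_BINARIES:
        exe, _ = _next_token(rest)
        exe = exe.split(",", 1)[0]   # rundll32 syntax is "dll,EntryPoint"
    return expand_env(exe, env)


def is_user_writable(path):
    """True if the path sits under a folder a non-admin can write to."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in USER_WRITABLE)


def audit_run_export(reg_text, env=ENV):
    """Yield (value name, resolved payload path, suspicious?) for each Run entry."""
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == HKCU_RUN.lower()
            continue
        m = _VALUE_RE.match(line)
        if not (in_run_key and m):
            continue
        name, command = _unescape(m.group(1)), _unescape(m.group(2))
        path = payload_path(command, env)
        findings.append((name, path, is_user_writable(path)))
    return findings


if __name__ == "__main__":
    for name, path, flagged in audit_run_export(SAMPLE_REG_EXPORT):
        print(f"{'SUSPECT' if flagged else 'ok     '} {name:<10} -> {path}")
```

On a real machine, export the key with `reg export` (the file is written as UTF-16, so open it with that encoding before passing the text in) and substitute the actual `%APPDATA%`, `%LOCALAPPDATA%` and `%USERPROFILE%` values. A flagged entry is a lead, not a verdict: legitimate per-user installers such as browsers also live under AppData, so check the publisher and file signature of anything the script reports. The parser does not handle an unquoted rundll32 DLL path that contains spaces.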
User Account Control in Windows 7 does keep your computer safe to some extent, but not totally. I personally disable UAC because I prefer not to be bugged by the annoying warning windows every time I access the registry, install software, configure settings, etc. But less experienced users should definitely keep UAC enabled.