You may want to check out our tips on how to elevate UAC privileges correctly in Vista and how to write installers with UAC, both of which are also based on Cowan's talk.
In the days of Windows XP, all users were by default administrators on their machines. This gave developers a lot of flexibility, but it also meant that malware could work without users knowing that anything was happening. Starting with Vista, Microsoft is encouraging people to use computers in standard user mode as much as possible, and even administrator-level users operate with standard user permissions by default. If a program needs administrator privileges, Windows pops up the UAC prompt to elevate it. In essence, Vista has replaced the administrator user mode with a standard user mode that's allowed to temporarily elevate to administrator.
UAC is meant to be a transitional system in Vista for applications that were written for Windows XP, Cowan said. In fact, it's disabled in 64-bit versions of Windows; the reasoning is that developers who are advanced enough to write 64-bit code shouldn't need the "training wheels" UAC provides, Cowan said. It's also not a good idea to ignore UAC and assume that users will turn it off, he said: contrary to conventional wisdom, about 88% of Vista users keep UAC on, according to Microsoft's customer usage data.
You're also going to be under pressure from competitors to eliminate UAC prompts. The number of unique applications that cause UAC prompts is going down, from almost 800,000 in August 2007 to fewer than 200,000 a year later, Cowan said.
The best approach to UAC is to write programs that don't need it. In fact, some large enterprises require you to write programs that work in standard user mode, Cowan said. "If your app doesn't work as standard users, they are not your customer," he said.
Elevating to administrator levels makes you a target for malware, Cowan said. If your code has vulnerabilities but runs in standard user mode, hackers won't be able to use it to gain access to the rest of the machine, so they're more likely to find another program that can gain them that access; if your code has vulnerabilities but runs in administrator mode, it is that other program.
You can ensure your code runs in standard user mode by putting marking your manifest with "asInvoker" and staying away from what Cowin called "the tender bits" of the OS, like DLLs and registry keys. It's often acceptable to read such resources, but opening them in read-write mode will often trigger a UAC prompt, Cowin said; be more specific than GENERIC_ALL when specifying access masks.
Yuval Shavit is the associate editor for searchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manage for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User" is available online.
This was first published in December 2008