Friday, February 16, 2007

User Account Control

If you're running Vista and you are logged on with an Administrator account (but not the Administrator account) and you double click on the Personal Edition of User Profile Wizard, Vista will darken ominously and throw up the following User Account Control prompt:














Whaddaya mean IF you started this program? You mean you don't know? You're supposed to be a ten billion dollar Operating System for crying out loud!

Now let me say right away that User Account Control (UAC) is a good thing. I'm as guilty as the next Tech of running with permanent Administrator permissions, so the additional level of security that UAC provides is only to be welcomed. However, I'm not convinced by the way Vista implements it.

If you are not logged on with an Administrator account, UAC makes more sense. When you run an application that requires Administrator credentials, you are prompted to enter those credentials.



If you are logged on with the Administrator account, then you are not prompted at all. The same goes if you are logged on with the Domain Administrator account - although again, not just any Domain Admin account, which makes me think that UAC might just be looking for the Administrator RID in the user SID. (In other words, a SID that ends in 500.)

If you are logged on with a different Administrator account, UAC makes a lot less sense. Take what happens when you right-click on a program or shortcut and select "Run as Administrator." What happens is that you get the exact same "If you started this program, continue" message. This is crazy. If the purpose of UAC is to notify you when you need elevated permissions, why prompt you for what you've just explicitly requested?

Deleting files from a folder where you "only" have access via membership of the Administrators group is a real mess. Once you hit the delete key you get the normal confirmation "Are you sure you want to move these items to the recycle bin?" dialog box. Click Yes, and you are presented with a "Destination Folder Access Denied" dialog box asking you to confirm the operation. When you click "Continue" UAC kicks in, the screen darkens, and you see the UAC dialog saying "Windows needs your permission to continue." Click "Continue" again, and you get the "Are you sure you want to move these items to the recycle bin?" dialog box AGAIN. I defy anyone to tell me that this is a well thought out software design.

On OS X things are, as ever, slightly different. For example, changing the Mac's power saving options requires Admin permissions. Even if you are logged in with an Admin account, you still have to go through a second level of authentication to make the changes: first by clicking on the padlock:


Then by re-entering your credentials:


Is this a better solution? I'm not sure, but it does seem less disruptive than pausing the entire desktop.

Odd as it may seem, given that Vista took five years to develop, it is difficult not to conclude that UAC hasn't had enough development time. Anyone who tested the different Vista Betas will know that UAC went through many changes: Vista's release may well have just come too early for UAC to be the finished article.

However, we've got the UAC we've got, so we have to get on with it. As developers of administrative utilities it does provide us with a challenge. Vista allows developers to mark their applications (via the application manifest) with one of three execution levels:

  • asInvoker - The application runs with the same token as the parent process. (No UAC prompt.)
  • highestAvailable - The application runs with the highest privileges the current user can obtain. (No UAC prompt.)
  • requireAdministrator - The application runs only for administrators and requires that the application be launched with the full token of an administrator. (UAC prompt.)
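
The execution level lives in the `requestedExecutionLevel` element of the manifest. The following is an added example, not code from User Profile Wizard: the manifest is a constructed sample and `Get-RequestedExecutionLevel` is a hypothetical helper that reads the level back out of manifest XML.

```powershell
# Constructed sample manifest (not User Profile Wizard's real one).
$sampleManifest = @'
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

# Hypothetical helper: report the execution level a manifest requests.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory = $true)][string]$ManifestXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ManifestXml)

    # local-name() ignores the namespace, so asm.v2 and asm.v3 manifests both match.
    $node = $doc.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
    if ($null -eq $node) {
        return [pscustomobject]@{ Level = $null; Meaning = 'manifest makes no execution-level request' }
    }

    # Descriptions follow the three levels listed above.
    $meaning = @{
        asInvoker            = 'runs with the same token as the parent process'
        highestAvailable     = 'runs with the highest privileges the current user can obtain'
        requireAdministrator = 'must be launched with the full token of an administrator'
    }
    $level = $node.GetAttribute('level')
    $text  = $meaning[$level]
    if (-not $text) { $text = 'unrecognised level' }

    [pscustomobject]@{ Level = $level; Meaning = $text }
}

Get-RequestedExecutionLevel -ManifestXml $sampleManifest
# For a side-by-side manifest file (the path is a placeholder):
# Get-RequestedExecutionLevel -ManifestXml (Get-Content -Raw 'C:\path\to\app.exe.manifest')
```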

One of the features of the Corporate Edition of the Wizard is that you can provide the name of a local administrator account and an encrypted password on the command line so that the Wizard can be started from the security context of a standard user account; for example, from a user's logon script. Marking User Profile Wizard with "requireAdministrator" won't work. If we did that, when the Wizard was called from the user's logon script they would be prompted to enter Administrator credentials. Not good. So we have to mark User Profile Wizard to run with the "asInvoker" execution level. This is fine, but it does mean that we have to handle the situation where the Wizard is run in GUI mode or where no Administrator credentials are passed on the command line. Generally, we just throw up a warning:



However, where User Profile Wizard is installed from the setup program, we can do something else. If you right-click an executable on Vista, choose Properties, and then click on the "Compatibility" tab, you have the option of setting the privilege level to run as Administrator. If you check the box, Vista writes the file path to the HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers registry key with the value "RUNASADMIN." This is what the User Profile Wizard Corporate Edition Installer does. It means that when you start the Wizard from the Start menu, Vista runs it with elevated privileges.
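
Because HKCU is writable without elevation, it is worth knowing which executables carry this flag. The following is an added example, not part of the Wizard or its installer: `Get-RunAsAdminLayer` is a hypothetical helper that lists every RUNASADMIN entry under the key named above, and it goes slightly beyond the post by also reading the per-machine copy of the key under HKLM.

```powershell
# Hypothetical helper: list executables flagged RUNASADMIN in the AppCompat Layers keys.
function Get-RunAsAdminLayer {
    param(
        # The HKCU path is the one named in the post; HKLM is the per-machine equivalent.
        [string[]]$KeyPath = @(
            'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
            'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
        )
    )

    foreach ($path in $KeyPath) {
        # The key is absent until a compatibility flag has been set.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            if (-not $name) { continue }          # skip the unnamed default value

            # The value name is the file path; the data is a space-separated flag list.
            $data = [string]$key.GetValue($name)
            if (($data -split '\s+') -notcontains 'RUNASADMIN') { continue }

            $exists    = Test-Path -LiteralPath $name -PathType Leaf
            $signature = $null
            if ($exists) {
                $signature = (Get-AuthenticodeSignature -LiteralPath $name).Status
            }

            [pscustomobject]@{
                Hive       = $path.Substring(0, 4)
                Executable = $name
                Flags      = $data
                FileExists = $exists
                Signature  = $signature
            }
        }
    }
}

Get-RunAsAdminLayer | Format-Table -AutoSize
```

Entries whose file no longer exists, or whose signature status is not `Valid`, are the ones to look at first.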

So everything's fine, right? Er... no. Let's rewind to where we wanted to run User Profile Wizard using the Administrator credentials on the command line. If we just use any Administrator account, what's going to happen? Well, we're going to see the UAC prompt at the top of this post all over again.

Under the covers, User Profile Wizard uses the CreateProcessWithLogonW Windows API function, which in turn relies on the "Secondary Logon" Service. CreateProcessWithLogonW requires that you specify a valid username and password, so - again - why the UAC prompt?

My guess is that it will be a while before any of our customers will be doing a major domain migration of Vista workstations. However, for the record, to avoid the UAC prompt when running User Profile Wizard from the command line on Windows Vista, you have a number of options. Firstly, you can specify the actual local Administrator account. Secondly, you can run the Wizard from a management application like SMS, Marimba, or ZENworks. Thirdly, if the machine is already joined to a domain, you can run User Profile Wizard from a script via a Group Policy. Finally, there is a fourth option: but I'll keep that for another post.


Wednesday, January 24, 2007

Wow! Is Vista really a $10bn Sedan?

So, what do you think of Vista? The reviews of Vista I've seen usually start with how good it looks - which is understandable. It does look good - especially if you can run the Aero desktop and you get the glass title bars and Flip 3D.

Ok, Flip 3D is a bit of a gimmick. But it does put the "Wow" in "The 'Wow' starts now" and shows up in just about all of Microsoft's marketing. For anyone who doesn't know, Flip 3D is the updated task switcher - what you get when you hit alt+tab. (To get the 3D version you press winkey + tab instead.) That's right... the task switcher.

Flip 3D gives a glimpse of what a 3D User Interface might look like. Don't be fooled by the marketing though: Vista is not it. What's more, there is no indication that Microsoft are pursuing any such radical redevelopment of the Windows User Interface. It wasn't always that way. Flip 3D is the impoverished descendant of an illustrious ancestor: the Microsoft Research TaskGallery project. The ghost of TaskGallery still haunts their website here. Anyone interested should read this article on The Register website dated 22nd January 2001 entitled Windows to go 3D… but not in Whistler. (Whistler was the codename for XP if, like me, you're hazy on Windows code names.)

The User Interface on Windows, on OS X, on Linux, on Solaris, is defined by the same desktop model that was developed by Xerox at PARC 30 years ago. Why is that? Familiarity, certainly, but you would think someone somewhere would take the desktop model on. Aren't there hundreds of millions of people around the world just as familiar with the 3D "User Interface" of the first-person shooter? User Interface development isn't simply about making computers easier and more intuitive to use. The User Interface defines not just how you do things, but what you can do.

Vista is far less radical than, say, Windows 95 was when it was launched. It might be hard to believe now, but Windows 95 was genuinely innovative; it brought 32bit computing and preemptive multitasking into the mainstream, allowing you to run multiple applications at the same time. Admittedly it took a while for processor speeds and memory sizes to reach a level where running multiple applications was easy, but the possibility was there in the Operating System. Windows 95 changed what you could do with a Personal Computer.

Perhaps we've reached the point where Operating Systems have become like cars: each new model does the same basic job that the previous model did, except just a bit more efficiently. Here in the UK, the car maker Audi is showing a TV ad which ends with the line, "To date, NASA have filed 6,509 patents. To get to the A6, Audi have filed 9,621 patents." And? They've built a car. It does the things cars do: start, stop, get stuck in traffic, that kind of stuff. If we have reached the point where Operating Systems have become like cars, it isn't because there's no other choice.

At the UK business launch of Vista, Microsoft's UK managing director Gordon Frazer said Vista cost $10bn to develop. Let me just spell that out for you: 10,000,000,000 dollars. Now if I gave you $10bn (and the source code for XP) and told you to go away and design an Operating System, is Vista what you would come back with? If you start Vista and go to the "Welcome Centre" and then click on "What's new in Windows Vista" what is it that Microsoft themselves want to tell us? The top three are Search from within folders. Organize files in new ways. Keep devices in sync. Is that what they mean by Wow?

There's probably a serious point to be made about competition here - or the lack of it. It's not that (near) monopoly suppliers don't invest in developing their products; it is more that they don't know what to invest in. AMD and Intel are a good example. If it wasn't for AMD we wouldn't have multi-core 64bit processors on the desktop, and Intel would be spending even more millions still trying to perfect Itanium, the processor no one wants. With Linux suppliers desperately trying to make the Linux desktop look as much like Windows as possible (otherwise, the argument goes, no one will switch - when the opposite is more likely to be true - there's no reason to switch) there is little competition to drive innovation.

This is not to say that Vista is a bad operating system - far from it. Vista is a seriously good operating system. It's just that it is a deeply conservative, risk-averse, play-it-safe operating system. Vista doesn't change anything.

One of the things both users and developers have to get used to in Vista is User Account Control (UAC). Next time I'll go into the changes we're making in User Profile Wizard to handle it.
