UAC in Windows 7 Should be Slightly Less Annoying

[Rob Williams]

From our front-page news:

When talking smack about Windows Vista, one of the most common aspects to pick on is the User Control Panel, or UAC for short. Even I've whined about it. Mostly, I think it's for good reason, and I think few could argue that. Microsoft themselves have even stated they went a little bit overboard, but they are quickly learning which improvements to make, so it should only improve in the future.

Though, according to the latest update in their Windows 7 blog, the improvements might not be here next month, or even next year - or until Windows 7. The blog goes into quite good detail regarding what UAC is all about, and what purpose it really serves. It goes as far as to delve into usage statistics as well, and surprisingly, the amount of UAC 'pop-ups' has drastically declined in the past year - although that might not be that surprising.

Their research further goes on to show that the number of applications to require a prompt has gone way down, which is a sign that the developers are being smarter when coding their application. The number was cut in half after the beta ended, and in half again since between the launch and now, so it's certainly getting better. For Windows 7, the outlook is looking even better, but I'm still confident it will be the very first thing I disable. Call me a rebel.

Now that we have the data and feedback, we can look ahead at how UAC will evolve—we continue to feel the goal we have for UAC is a good one and so it is our job to find a solution that does not abandon this goal. UAC was created with the intention of putting you in control of your system, reducing cost of ownership over time, and improving the software ecosystem. What we’ve learned is that we only got part of the way there in Vista and some folks think we accomplished the opposite.

Source: Engineering Windows 7 Blog
​

 

[Rory Buszka]

Here's what Microsoft needs to build into Windows 7: They need to build in a secure hardware layer for the user's keyboard and mouse. That way, when a user does something that would ordinarily cause UAC to instantly clamp down, the operating system could have some way of being reasonably sure that the PC's operator did, in fact, initiate that process, and not some rogue program on the PC trying to start other programs. Then, if a user initiates such an action, the operating system would not need to prompt the user for further confirmation.

There should be the flexibility for a program to deactivate the secure hardware layer and take control of the mouse pointer or keyboard entry, but when the secure layer is deactivated, standard UAC policies for user prompts would be in effect.

 

[Rob Williams]

The secure hardware layer sounds like a good idea, but there always seems to be some gotchas that come out of nowhere, which is why we keep hearing about these technologies, but none ever seem to come to market. We reported about such a technology used in online gaming at last year's IDF, and even at the time, they told us that the product would likely never see the light of day.

While I do think it's a solid idea that might be possible, I do see a few scenarios where a technology like that could become confused. Take pop-ups on certain websites, for example. I am not sure if this is still the case with this website, but Dictionary.com and many others have code specifically used to get around pop-up filters. Because Firefox and others stop pop-ups you didn't ask for from showing up, if you click somewhere in the website, like a search bar, it will pop-up. Why? Because it thinks the pop-up was triggered by your mouse click.

I see that kind of scenario from being a tough one to get around. Even deeper, how is it that Vista would know for sure that you didn't ask for something to happen? Take a simple Adobe installer for example. You authorize it once, and it downloads the real installer and then goes ahead to launch itself. That could be a false positive... Vista might see that as an installer you didn't ask for and take it upon itself to close.

These examples are a little odd, but I do think there's a reason we haven't seen such technology many times before. As I mentioned, Intel is working hard to figure out a technology like this... I should follow-up to see if it's still being worked on or if it was scrapped. If it was scrapped, it would be nice to know why, since that same technology could be used in this same situation.