Finding programs with UAC issues

The comments on my latest ZDNet post, Fixing Windows Vista, Part 2: Taming UAC, have been interesting.

First, to address a question from my buddy Dwight Silverman, who notes that he wrote about the "fade to black" tweak back in March 2007 and I said it was a bad idea. I still don’t recommend it unless the behavior is so annoying that you’re considering disabling UAC completely. Shutting off the Secure Desktop is better than shutting down UAC completely. As I note in the Talkback section, one of my Windows Vista Inside Out co-authors has a Lenovo notebook that is dog slow at the Secure Desktop transition. On that system and that system only, he is willing to disable Secure Desktop. Of course, I’m sure he’d rather have a video driver that works properly. (Lenovo, are you listening?)

One question that has come up a couple of times in the TalkBack section over there is how you can tell whether a program is misbehaving with regard to UAC. One common mistake programs make is trying to write to a system location, such as the Windows or Program Files folder. You get to do this when you first install a program, which is why you have to approve a UAC consent dialog box when you run a program’s installer. But if you see this button in Windows Explorer, you know that there’s a UAC issue:

[Screenshot: the Compatibility Files button in Windows Explorer (browse_virtualized_files_001)]


What happened in this case is that I ran the program and it tried to save a setting file in its Program Files folder. (I noticed yesterday that IrfanView does this as well, saving its options in a file within its Program Files subfolder.) That’s a huge no-no. The Program Files folder is a system folder that contains executable code. Those setting files should be stored in the user’s own profile. If you need to change the settings for all users, you need to elevate the program with an administrator token and then write the files to the ProgramData folder.

So what happens when a program tries to write to a protected location? Under XP, as a standard user, the write would fail, which might cause the program to fail as well. [Update: In the comments, Diego suggests that I make clear here that this failure is the reason most people have to run as admin under XP. Which in turn makes them vulnerable to escalation of privilege attacks. Point taken.] In Vista, the files are virtualized, written to a folder called VirtualStore, which is under your user profile, where you have all rights. If you click the Compatibility Files folder, you can see what that program is trying to do. [To continue the thought… This virtualization is what makes it possible to run as a standard user under Vista, even when the program assumes you’re running as admin.] 

To see the full contents of the folder in Vista, click Start and type %localappdata%\virtualstore. (Be sure to include the percent signs.) When you press Enter, you see a window like this showing every file and folder that has been virtualized:

[Screenshot: the VirtualStore folder in Windows Explorer (browse_virtualized_files_002)]

On this system, both Nero and SageTV insist on writing to locations that would be fine as an administrator under XP but won’t work as a standard user in XP or Vista (remember, an administrator account in Vista runs with a standard token and only gets to flex its administrator token after you click OK to a UAC consent dialog box).
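Added example, not from the original post: a PowerShell script that inventories the current user's VirtualStore, groups the virtualized files by the program folder they mirror (for example Program Files\IrfanView), shows when each program last wrote there, and flags entries whose real install folder no longer exists, which is what you would expect for a program that has since been uninstalled. It assumes PowerShell 2.0 or later and that VirtualStore mirrors protected paths on %SystemDrive%; the Get-ProgramKey helper is a name chosen here, not a built-in.

```powershell
# Inventory the per-user VirtualStore to find programs that write to protected locations.
# VirtualStore mirrors the protected tree on the system drive, e.g.
#   %LOCALAPPDATA%\VirtualStore\Program Files\IrfanView\i_view32.ini
# stands in for C:\Program Files\IrfanView\i_view32.ini.

$store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (-not (Test-Path -LiteralPath $store)) {
    Write-Output "No VirtualStore folder at $store; nothing has been virtualized for this user."
    return
}

# Helper (name chosen for this example): turn a virtualized file path into a
# "protected root\program folder" key such as "Program Files\IrfanView".
function Get-ProgramKey([string]$fullPath) {
    $relative = $fullPath.Substring($store.Length).TrimStart('\')
    $parts = $relative -split '\\'
    if ($parts.Count -ge 2) { return $parts[0] + '\' + $parts[1] }
    return $parts[0]
}

# Collect every virtualized file (skip directories; -Force includes hidden files).
$files = Get-ChildItem -LiteralPath $store -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

# One row per program: file count, most recent write, and whether the real
# install folder (the path the program actually tried to write to) still exists.
$summary = $files |
    Group-Object { Get-ProgramKey $_.FullName } |
    Select-Object `
        @{ n = 'Program';             e = { $_.Name } },
        @{ n = 'VirtualizedFiles';    e = { $_.Count } },
        @{ n = 'LastWrite';           e = { ($_.Group | Sort-Object LastWriteTime -Descending |
                                             Select-Object -First 1).LastWriteTime } },
        @{ n = 'InstallFolderExists'; e = { Test-Path -LiteralPath (Join-Path $env:SystemDrive $_.Name) } } |
    Sort-Object LastWrite -Descending

$summary | Format-Table -AutoSize
```

Rows with InstallFolderExists set to False are leftovers from uninstalled programs; rows with a recent LastWrite identify programs that are still trying to write to Program Files or Windows every time they run.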

Now that you know where to look, I’m curious: what programs are you seeing in the VirtualStore folder on your Vista system?

15 thoughts on “Finding programs with UAC issues”

  1. “remember, an administrator account in Vista runs with a standard token and only gets to flex its administrator token after you click OK to a UAC consent dialog box”

    Is this true if you turn off UAC?

  2. No, if you turn off UAC, then the system behaves like XP. An account in the Administrators group has an admin token and gets full rights to change or trash anything in the system. With UAC on, the security token for an account in the administrators group is split. During normal operation, it runs with a standard token, as if it were a standard user account. When a program requests elevation, it displays a UAC dialog box, and if you give your consent then the operation uses the admin token to perform the operation.

  3. Understood.

    Hmmmm, maybe I’ll give UAC one more go. I assume that UAC is covered in more detail in the new book. When are we going to see it on the shelves? Amazon.com shows a date of June 8, 2008, while Chapters in Canada shows a date of May 14, 2008.

  4. I honestly don’t know when the book will be on shelves. We’re usually the last to know! UAC is covered in more detail in the new book, but the coverage in the original edition was pretty decent so I am not sure we changed much in this edition.

  5. I’ve got all kinds of crud in this directory, some of it from apps I’ve uninstalled. My list:
    Call of Duty 2
    Adobe Reader 8
    Adobe Photoshop Elements 5
    CDex 1.70B2
    PACE Anti-piracy (I hate this stuff. No idea what it does or what program it’s associated with).
    DxO Optics Pro v4
    FileZilla
    Flickr Uploadr
    Irfanview
    JRiver Media Center
    Microsoft Money Plus
    Mozilla Thunderbird
    Notepad++
    Plaxo
    TaxCut 07
    Windows Live Messenger
    Java

    Any idea how to clean this stuff up for programs that have been uninstalled or for new versions of the current software that no longer need the old entries?

  6. Ed,

    I think a lot of people will miss a big point with the wording of this sentence

    “Under XP, as a standard user, the write would fail, which might cause the program to fail as well. ”

    The problem is that it is easy to miss the meaning of “standard user” and its implications for the random person. It could be cleared up by adding something like

    “, which is the reason why people are forced to run as admin in XP”

  7. Carl, you should be able to temporarily move anything from this folder (that’s the whole point of putting it in your profile). I would move it all to a different folder and then try running each program on the list to see if they re-create the files or choke. If they choke, put the folder back and try running it again.

  8. Adobe Reader (Which I’ve uninstalled – Now Use Foxit Reader)
    Adventure Game Studio – Which I’ve Uninstalled
    Daz Studio – Uninstalled
    Flashget
    Free FLV Converter – Uninstalled
    Mozilla Prism – Uninstalled
    Typing of the Dead – Uninstalled
    Stardock Object Dock – Uninstalled

    Question: Why are only programs that I’ve uninstalled (except flashget) here?

  9. Chustar, I can only assume that all the programs you are now running are UAC compliant. Maybe the same things that made them fail at UAC also made you want to replace them!

  10. Adobe 8.0
    Dora Backpack
    AChat
    AutoGK (Uninstalled)
    Flexible Renamer
    WinAmp Plugin out_sqr

  11. Interesting post. My virtual store includes:
    Adobe Reader
    Nero
    Corel
    eBay
    Joost
    Messenger
    And games (THQ, Ubisoft, Square)

  12. Adobe
    Alwil Software
    Microsoft Streets & Trips
    Runtime Software
    TOPO!
    Windows Live
    Windows Live Writer

    Notice a few Microsoft programs are included. Two folders for Live and Writer are in both of them. peace, mjh

  13. Personally, I have zero files in the virtualstore right now. A few directories (Adobe being the big one), but zero actual files.
