Scott Dorman, Microsoft MVP, Software Architect, Developer, Author

Interactive Logon Architecture

Vista changes the logon architecture and replaces GINAs with Credential Providers. Credential providers are easier to write than GINAs and plug in to logonui.exe. The biggest advantage of Credential Providers (besides being easier to write) is that multiple concurrent providers are supported and can be user selected or event driven.

Credential providers are used to capture elevation credentials and run as first-class citizens of the logon process. Credential providers do not, however, have the ability to fully replace the logon user interface; rather, they can specify what elements are displayed on it.

Vista will ship with a password credential provider (which provides the same functionality as the normal Windows logon GINA today) and a smart-card credential provider.

User Account Control (UAC)

User account control has the majestic goal of preventing malware or other malicious processes from “owning” a system. In a nutshell, UAC means that almost nothing the user starts will blindly run as an administrator, even if that user is in the Administrators group.

Before everyone starts jumping up and down saying how much they hate the credentials dialogs that pop up everywhere, this can be turned off using the Local Security Policy Editor (secpol.msc), although Microsoft does not recommend doing so.

The problem UAC is trying to control is that the majority of users run as administrators and some applications will only run as an administrator. The solution is that even Administrators run as normal accounts, and administrative actions require interactive consent or administrator credentials. Badly behaved non-administrative applications get private virtualized views of portions of the registry and file system.

At logon, the LSASS creates both an Administrator and Limited User Account (LUA) version of the Administrator token and links both of them to the logon session. The userinit process (which is the first process created by winlogon) is created with the LUA token.

When an application requests account elevation, it uses the consent.exe application, which presents the dialog on a secure desktop (in Session 0) and is a child of the AppInfo service. Consent.exe actually makes a static bitmap copy of the requesting session's desktop and displays that in the background of the secure desktop to provide the “seamless” feel of the request. Because the request runs in Session 0, the requesting application cannot interact with the dialog or influence it in any way.

An application can be marked for elevation in four ways:

  • In its manifest file
  • In the system’s application compatibility database
  • Heuristic installer detection
  • User explicitly asks for elevation

UAC virtualization is implemented in the kernel and provides virtualization for portions of the file system and the registry. The registry has the virtualization support built in, while the file system support is provided by the luafv.sys file system filter driver.

UAC virtualization redirects the following file system locations:

  • \Program Files
  • \Windows
  • \Windows\System32

The exceptions are write-protected executables and dynamic link libraries, and files that have executable extensions.

The HKLM\Software registry location is also redirected, except for many of the keys under the Microsoft key.

The redirects write to a per-user area of the file system or the registry and any reads look in the per-user area first. The per-user areas are:

  • \Users\\AppData\Local\Virtual Store 
  • HKCU\Software\Classes\VirtualStore
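The file system side of the redirect rule described above (redirected roots, the executable-extension exception, and the per-user store), as an added model written for this post rather than code from Vista or luafv.sys. The exact set of "executable extensions" and the VirtualStore layout (`C:\Users\<user>\AppData\Local\VirtualStore\...`, drive letter dropped) are assumptions, and `alice` is a constructed account name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Roots the post says are redirected; \Windows\System32 falls under \Windows. */
static const char *const REDIRECTED_ROOTS[] = { "\\Program Files", "\\Windows" };
/* Assumed set of "executable extensions" that virtualization leaves untouched. */
static const char *const EXEC_EXTENSIONS[] = { ".exe", ".dll", ".sys", ".com", ".bat", ".cmd" };
/* Assumed per-user store layout: original shape kept below the store root, drive letter dropped. */
#define VIRTUAL_STORE_FMT "C:\\Users\\%s\\AppData\\Local\\VirtualStore%s"

/* Case-insensitive comparison of the first n characters (Windows paths ignore case). */
static bool ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

static bool has_exec_extension(const char *path)
{
    const char *dot = strrchr(path, '.');
    if (dot == NULL || strchr(dot, '\\') != NULL)   /* no extension, or the dot is in a directory name */
        return false;
    for (size_t i = 0; i < sizeof EXEC_EXTENSIONS / sizeof *EXEC_EXTENSIONS; i++)
        if (ieq_n(dot, EXEC_EXTENSIONS[i], strlen(EXEC_EXTENSIONS[i]) + 1))  /* +1 compares the terminator */
            return true;
    return false;
}

/* Where a write by a non-elevated legacy application to `path` (e.g. "C:\Program Files\App\config.ini")
 * ends up. Returns NULL when the write is not virtualized, otherwise the VirtualStore path for `user`
 * (static buffer, so the result is valid until the next call). */
const char *virtualized_write_path(const char *path, const char *user)
{
    static char out[512];
    if (strlen(path) < 2 || path[1] != ':')          /* expect a drive-qualified path */
        return NULL;
    const char *rest = path + 2;                       /* "\Program Files\App\config.ini" */
    bool in_root = false;
    for (size_t i = 0; i < sizeof REDIRECTED_ROOTS / sizeof *REDIRECTED_ROOTS; i++) {
        size_t n = strlen(REDIRECTED_ROOTS[i]);
        if (ieq_n(rest, REDIRECTED_ROOTS[i], n) && (rest[n] == '\\' || rest[n] == '\0')) {
            in_root = true;
            break;
        }
    }
    if (!in_root || has_exec_extension(path))          /* outside the roots, or an executable */
        return NULL;
    snprintf(out, sizeof out, VIRTUAL_STORE_FMT, user, rest);
    return out;
}
```

Note that `\Program Files (x86)` is deliberately not matched, since the post lists only the three roots above.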

Integrity Levels

Integrity Level (IL) SIDs are now required in the process token. Processes, threads, and tokens always have an IL ACE. Files and registry keys without an IL ACE have an implicit level of medium. Objects created by medium or higher processes are marked as having a medium IL and objects created by low IL processes are marked as low.

The different ILs are:

  • Low - Protected-mode IE
  • Medium - LUA processes
  • High - Elevated processes
  • System - System processes

ILs are checked before DACLs are checked. A thread can only open an object for write access if its IL is equal to or higher than that of the object; however, it can open any non-process object for read access. If the object is a process, the thread's IL must be equal to or higher than the process's IL.
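The integrity check just described (implicit Medium for unlabelled files and keys, write requires thread IL at or above the object's, reads of non-process objects always pass, processes require thread IL at or above the target for any access), as an added model written for this post rather than code from the Vista kernel. The numeric RID values in the enum are assumed from the Windows SDK's mandatory-label SIDs and are not stated in the post.

```c
#include <stdbool.h>

/* Integrity-level RIDs carried in the S-1-16-<rid> mandatory-label SID
 * (values assumed from the Windows SDK, not stated in the post). */
enum integrity_level {
    IL_NONE   = 0,        /* object carries no IL ACE */
    IL_LOW    = 0x1000,   /* Protected-mode IE */
    IL_MEDIUM = 0x2000,   /* LUA processes */
    IL_HIGH   = 0x3000,   /* elevated processes */
    IL_SYSTEM = 0x4000    /* system processes */
};

enum object_kind { OBJ_FILE, OBJ_REGKEY, OBJ_PROCESS };

/* Effective IL: files and registry keys with no IL ACE are implicitly Medium. */
static enum integrity_level effective_il(enum object_kind kind, enum integrity_level il)
{
    if (il == IL_NONE && (kind == OBJ_FILE || kind == OBJ_REGKEY))
        return IL_MEDIUM;
    return il;
}

/* Model of the mandatory integrity check, which runs before the DACL check.
 * Returns true if the IL check passes; the DACL is then still consulted. */
bool il_check(enum integrity_level thread_il, enum object_kind kind,
              enum integrity_level obj_il, bool want_write)
{
    enum integrity_level target = effective_il(kind, obj_il);

    if (kind == OBJ_PROCESS)          /* processes: any access needs thread IL >= process IL */
        return thread_il >= target;
    if (want_write)                   /* other objects: write needs thread IL >= object IL */
        return thread_il >= target;
    return true;                      /* other objects: read is always allowed by the IL check */
}

/* IL stamped on an object a process creates: Low creators produce Low objects,
 * Medium or higher creators produce Medium objects. */
enum integrity_level il_for_new_object(enum integrity_level creator_il)
{
    return creator_il <= IL_LOW ? IL_LOW : IL_MEDIUM;
}
```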

The Windows subsystem also honors ILs: only query messages can be sent from LUA processes to the windows of elevated processes, which helps prevent “shatter” attacks.

Posted on Saturday, June 17, 2006 5:15 PM, TechEd 2006, Vista


Comments on this post: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
In some cases the consent.exe fails to render on display and the application that invoked the request for elevation freezes (as it is waiting for your consent).

This is most annoying....
Left by Tanin on Feb 18, 2007 2:09 PM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
> in some cases the consent.exe fails to render on display and the application
> that invoked the request for elevation freezes (as it is waiting for your consent)

This happens to me also (Business). VERY frustrating. Have to logoff/on to get normality back!
Left by Simon on Feb 26, 2007 10:40 PM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
I don't know how the internals of consent.exe work, but I suspect the problem lies in the context switching between sessions. Since the requesting application isn't really aware of what is going on, and can't interact with the UAC session anyway, it has no way of knowing that there is a problem.

Having to logoff/on to get normality back isn't surprising considering what the UAC is doing. Since it crashes in a protected session and there is no way to interact with it, the only option is to logoff.

I don't know how common this issue is, but I suspect it happens fairly often as this isn't the first time I've heard about this type of problem. Hopefully, the "Fiji" service pack will address this problem.
Left by Scott on Feb 26, 2007 11:06 PM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
I find your text about the ILs a little difficult to read, I suspect it's a Biba-like model, i.e. read-up/write-down, right?
Left by Magnus on Feb 27, 2007 10:12 AM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
Yeah, consent.exe sometimes sits and waits, but you don't know it is sitting and waiting because you can't see anything....
Left by Randommantus on Mar 06, 2007 8:58 PM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
OK, press Ctrl+Alt+Del and then hit Esc; it should then pop up.
Left by RR on Jul 28, 2007 2:33 PM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
Happens to me all the time. I'm starting to think Vista hates me for some reason.
Left by Joe on Apr 19, 2008 11:46 AM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
The more I use Vista, the more I hate it. I have been working with Windows since 3.0 - and for 20 years as a software developer on various platforms. Vista is the worst MSFT implementation yet. I'd rather go back to DOS. The security features aren't even security features - they are mostly liability avoidance and copyright protection. They secure Microsoft, but leave the user just as vulnerable as before - and chew up half your CPU cycles and HD space doing it. It is just not good. Not good.
Left by steve on May 09, 2008 8:34 PM

# re: Windows Vista: Kernel Changes - Has any body seen Gina and what's a UAC?
If MS VISTA is so bad, why doesn't someone start a class action suit to make Microsoft REPLACE OUR VISTAS with something that is USABLE!??

I know I am sick of those windows popping up asking if I will allow this or that! First off, the average user will not know what to do with them anyway, so why ask? We have enough of that with our virus software.

And I for one don't remember allowing the consent.exe and mine seems to be working okay... unless you count JAVA not working properly! lol

Someone just called me and asked.... what is this CONSENT.exe... and I said, let me look it up and see what it is! Well, they didn't want to wait and DENIED IT... permanently, just like I did with the Windows WGATRAY.exe!

Pretty soon we will all be switching to another platform if Microsoft keeps screwing with us all!
Left by Above Average User on Dec 14, 2008 8:06 PM
