UAC can be set to never notify, but that's not the same as not having UAC at all.
What I mean is, does the OS still create a dual token for admin users but just auto-elevate everything?
The difference is important since various file-system ops will still behave differently to, say, Windows NT 4.0.
For example, when Explorer sees a folder with only Administrators:Full-Control it often prompts that you don't have access and elevates, then auto-adds your user into the ACL.
That's what I seem to observe, and I really don't like it. By setting UAC to not prompt, I assume this elevate-and-modify-ACL will just happen, but it's still screwing with my ACLs.
In general, since UAC, I seem to spend so much time not having rights to things and messing around with ACLs whereas in the NT 4.0 days, life was simple, the ACL was the truth.
I "get" UAC for my mother-in-law, but on a server, where experts roam?!
This isn't a healthy attitude to have, in my opinion. Even experts make mistakes. Also, there are thousands of server admins in the world who I wouldn't exactly call "experts." You don't hear many *nix admins saying things like, "man, what BS, I'm an expert, I shouldn't have to sudo!"
But anyway, on to your question.
First of all, you ask, (paraphrased) "if I disable UAC, will I still have a restricted token?"
Well that depends. Who are you? Not everyone on the system will have a restricted token. Only users who log on to the system who are members of privileged groups such as Administrators, Domain Administrators, etc., or who have sensitive privileges such as SeTcpPrivilege, etc., will be given restricted tokens in addition to their full token during logon.
Please reference Windows Internals, 6th Ed. Part I Chapter 6 for a full list of exactly which groups and what privileges are checked before a restricted access token is generated.
A quote from the aforementioned book:
And also, from Chapter 2 (emphasis is mine):
You can test this for yourself using whoami /priv. With UAC on, log on as a user who is a member of the Administrators group. In a non-elevated command prompt, you will see that the list of privileges is much shorter in the non-elevated command prompt, implying the existence of two separate tokens for the same user:
Now turn UAC off (or set to "Never Notify"), reboot the machine, and attempt the same test. You will notice now that there is no difference between a standard and an elevated process. No more restricted access token.
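A scripted version of the whoami /priv comparison described above, as an added example that is not part of the original answer: it reads the elevation type of the current process token, which Windows reports as Default, Full or Limited, alongside the privilege count and the UAC policy values. The names Demo.Token and Get-TokenSplitState are hypothetical; the Win32 calls and registry values are standard Windows ones.

```powershell
# Added example. Demo.Token and Get-TokenSplitState are hypothetical names.
Add-Type -Namespace Demo -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int length, out int returned);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-TokenSplitState {
    $TOKEN_QUERY        = 0x0008   # access right needed to read token information
    $TokenElevationType = 18       # TOKEN_INFORMATION_CLASS values from winnt.h
    $TokenElevation     = 20
    $typeNames = @{
        1 = 'Default (no linked token)'
        2 = 'Full (elevated half of a split token)'
        3 = 'Limited (filtered half of a split token)'
    }

    $token = [IntPtr]::Zero
    $self  = [Demo.Token]::GetCurrentProcess()
    if (-not [Demo.Token]::OpenProcessToken($self, $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $type = 0; $elevated = 0; $len = 0
        # Both classes return a single 4-byte value, so an int buffer is enough.
        if (-not [Demo.Token]::GetTokenInformation($token, $TokenElevationType, [ref]$type, 4, [ref]$len) -or
            -not [Demo.Token]::GetTokenInformation($token, $TokenElevation, [ref]$elevated, 4, [ref]$len)) {
            throw "GetTokenInformation failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally {
        [void][Demo.Token]::CloseHandle($token)
    }

    # UAC policy values, so the token state can be read next to the setting in force.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        ElevationType              = $typeNames[$type]
        IsElevated                 = [bool]$elevated
        PrivilegeCount             = @(whoami /priv /fo csv | ConvertFrom-Csv).Count
        EnableLUA                  = $policy.EnableLUA
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    }
}

Get-TokenSplitState
```

Run it once from a normal prompt and once from a "Run as administrator" prompt: when a split token exists the first reports Limited and the second reports Full with a higher privilege count, and when it does not, both report Default.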