Windows 7: Windows 7 beta UAC completely vulnerable to malware

31 Jan 2009   #1

Win 10 Pro 64
Windows 7 beta UAC completely vulnerable to malware

TG Daily - Windows 7 beta UAC completely vulnerable to malware

Chicago (IL) - An almost unbelievable flaw in Windows 7 beta and Microsoft's User Account Control (UAC) feature - the one designed to keep all of the annoying messages seen in Vista away from its users - allows its protection to be defeated by any malware which happens to infect the system. The malware needs only to send a series of false keystrokes from a Visual Basic script to activate the UAC dialog, move the slider bar to the disable position, and then save the changes. After that, the program can access protected functions or even reboot the system, thereby gaining full total system access on restart.

This type of security breach has been in use for as long as there have been PCs. In the old DOS days, a terminate and stay resident (TSR) program could invoke the system BIOS functions, wait for the password screen to appear then start issuing interrupt 16h instructions (which send fake keystrokes). Doing so would mimic the effect of a user pressing keys on a keyboard, and old DOS programs like Sidekick used to do this as part of their feature in order to provide DOS with copy-and-paste-like functionality, as well as pop-up abilities like a calendar, calculator, etc. Sidekick would intercept and send its keystrokes in this way.

Over the years, similar techniques were employed to bypass security in later operating systems. Such programs could repeatedly try various password combinations, for example, at very high speed one right after the other. Early on system designers began to realize this weakness and developed the "three strikes and you're locked out" policy. But today in Microsoft's upcoming flagship operating system to be released later this year, Windows 7, such antiquated attempts aren't even necessary.

Windows uses a message-based communication system internally. When a user presses a keystroke on the keyboard, the keyboard controller identifies which key was pressed (or released) and sends a signal to the motherboard, which then issues a hardware interrupt signal to the CPU. The CPU stops what it's doing (processing a spreadsheet, drawing some graphics in a game, whatever it is), and then retrieves the keystroke - sending it to the appropriate software algorithm (an internal keyboard handler). Such a handler allows keys to be remapped, intercepted, and all kinds of other things which allow for abilities like macros, etc. But ultimately, the keystroke message, such as "KEY 'X' IS DOWN WHILE THE RIGHT-SHIFT KEY IS PRESSED," is sent to the appropriate program (or, more precisely, the appropriate "window" in Windows).

This newly discovered "flaw" is actually not a flaw at all (see below). It employs something similar by using the "SendKeys" function in Visual Basic which mimics the process explained above in today's Windows operating systems. When a window receives a keystroke sent by SendKeys, the program assumes it came through legitimate channels and is really a valid key. There is no testing which takes place to find out if it was programmatically inserted into the queue, or if it was the result of a real keypress.

As a result, using only keystroke commands issued by a malware program, in Windows 7 beta it can activate the UAC, move the slider bar to the "disable messages" position, close the dialog and then proceed through the system doing whatever it wants to in the background without the user ever knowing that their system's been compromised - because they don't see any popups as their UAC setting should've indicated.

The discoverer wrote some simple code (which can be downloaded from his page) and also notes that this is apparently a Microsoft-purposed design feature of Windows 7, as related inquiries appearing on Microsoft's beta page are all marked "closed."

31 Jan 2009   #2


Nice. Now we're gonna get a rash of complaints that UAC is too easy to disable.....
01 Feb 2009   #3

Windows 7 Ultimate Vista Ultimate x64

There is one thing you might notice from this sort of attack and that is the request for a restart which you get if you disable UAC, so it's still not able to make any changes until that restart and by that time the user would know something was up.

01 Feb 2009   #4
Microsoft MVP

Vista and now 7 in 32 and 64 bit.

I think it's the Anti Microsoft gang at work again. This is not ground breaking news. Like many readers of these pages, I have entered into long threads discussing the merits of the UAC in Vista. I have been, in most cases, the more cynical. It has not been a brain aching task for any hacker to totally disable the UAC in Vista, without the knowledge of the user. The only difference was that any user who was aware, might wonder (in Vista) why the popups had suddenly stopped. The worst UAC hacker in Vista or 7 is probably the user. It was so easy to turn off in Vista and now is so easy to denigrate in 7. Keep your antivirus and anti spyware rolling!
03 Feb 2009   #5

Windows 7 Build 7100 (x64)

Whatever happened to the command-line change that was possible in Vista?
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
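Added example, not part of any post in this thread: a Python check a defender could run over the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` to spot the weakened UAC state discussed above. EnableLUA is the value named in post #5; ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are the other standard UAC policy values under that key, and the function names and sample output are constructed for illustration.

```python
import re

# A DWORD line of `reg query` output: indented name, type, hex data.
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Value name -> (weak setting, what that setting means)
WEAK = {
    "EnableLUA": (0, "UAC is switched off"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without a prompt"),
    "PromptOnSecureDesktop": (0, "prompt is not shown on the secure desktop"),
}


def parse_reg_query(text):
    """Return {value name: int} for the UAC DWORDs found in `reg query` output."""
    found = {}
    for line in text.splitlines():
        m = DWORD_LINE.match(line)
        if m and m.group(1) in WEAK:
            found[m.group(1)] = int(m.group(2), 16)
    return found


def audit_uac(text):
    """List findings: weakened settings, plus values missing from the output."""
    values = parse_reg_query(text)
    findings = []
    for name, (weak, meaning) in WEAK.items():
        if name not in values:
            findings.append(f"{name}: not present in output")
        elif values[name] == weak:
            findings.append(f"{name}={weak}: {meaning}")
    return findings


# Constructed sample output, not captured from a real machine.
HEALTHY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""
# The same key with every UAC value zeroed, i.e. the fully disabled state.
DISABLED = HEALTHY.replace("0x5", "0x0").replace("0x1", "0x0")

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("disabled", DISABLED)):
        print(label, audit_uac(sample))
```

Run on a schedule and compared with the previous result, the findings list shows when a machine's UAC settings have been lowered without anyone intending it.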
11 Apr 2009   #6

Windows 7 build 7048

That would require elevation to work (requiring a prompt)
11 Apr 2009   #7

Windows XP

Someone could argue "hey! XP doesn't have UAC at all"!

However, UAC is now giving people a false sense of security.
11 Apr 2009   #8


Actually, it is doing the exact opposite - it is not giving them a false sense of security but annoying them to no end so they %$^@$%^@$% disable the damned thing....
12 Apr 2009   #9

Windows 7 build 7048

Yeah! So what if 7 malware can disable UAC?
a) In XP, you were secure without UAC
b) It's doing you a favour :)
12 Apr 2009   #10

Windows 7 x64 Build 7068

I think it's a good tool for users who know a little but not a lot. If something really funky comes up asking for permission to install or run, and that user doesn't know it, and clicks it away... then harm has been prevented.

Me being a power user, I disable it, because even if I do run a program that ends up being a virus...I know I can clean it out.