This article will show you how to use User Account Control like an expert. If you don't know what User Account Control is, read my article about basic user account control first.

For the rest of this article, I will use UAC to refer to User Account Control. Also, when I say "elevate permissions", I'm talking about clicking YES in UAC.

Having knowledge of basic UAC will protect you from having to reinstall Windows when you get infected, but you should understand that just because you denied a virus elevated permissions doesn't mean it can't steal your data, delete your data, or encrypt your data (like the CryptoLocker virus). Anything you run will have read/write permissions to all your documents, music, and pictures within the user account. What it can NOT see is the files from other user accounts.

This article has 3 parts,
1. Administrator vs Standard
2. Crossing the line
3. Help, I got infected!

 

1. Administrator vs Standard

If you are familiar with the Windows XP "Limited User", Windows 7 works in a similar way. The "Limited User" has been renamed to "Standard User". If you are not familiar with the "Limited User" concept, just keep reading; this article explains it all from the beginning.

To get to the user management in Windows 7,
click start
type "user"
click "user accounts"

 

Now click "Manage another account"

 

In my case, I have 1 user (jshipp) and it is an "administrator". You will probably see different users on your computer depending on its existing configuration. The Guest account is a special account that is always a limited account. The guest cannot be converted to an administrator or deleted, only turned on and off.

An "Administrator" is the opposite of a "Standard User", and these are the only 2 types of accounts in Windows 7 (for the scope of this article). An Administrator is allowed to elevate permissions where a Standard User is not. Here's a comparison of elevated permissions vs non-elevated.

Blue means good, red means bad.

 
| | Elevated | Non-Elevated |
|---|---|---|
| Can get infected | YES | YES |
| Infections can spread to other user accounts | YES | NO |
| Infections can read data and passwords from other accounts | YES | NO |
| Infections can require a reinstall of Windows to clean | YES | NO |
| Cost to clean infections | $150 | $0 |
| Compatible with any program | YES | NO |
| Allows installing new software | YES | NO |
| Allows uninstalling software | YES | NO |
| Allows upgrading software | YES | NO |

 

As you can see, each way has its advantages and disadvantages.

In Windows XP, if you log in with an administrator account, everything you run has elevated permissions. In Windows 7, you always start out with non-elevated permissions, even if you are using an administrator account.

A user with administrator privileges can elevate permissions by simply answering YES to UAC. A Standard User can also elevate permissions, but they need to supply a password for any of the Administrator accounts.

 

The screen shot above shows what happens when a program requests administrator permissions and you are running as a Standard User. In XP, you would get an "access denied" error and the program would fail to execute properly.

In this case, jshipp does not have a password, and clicking yes would be VERY easy! If you have kids or guests that use your computer, do you think they will think twice before clicking YES here? I doubt it! In Windows 7, creating a "standard user" does no good unless ALL your administrator accounts have passwords.

You should also be aware that UAC can cause compatibility problems with older programs. If the program was created before UAC was heard of, the programmer probably didn't implement the feature that makes Windows 7 activate the UAC window. Sometimes you will run across programs that are new enough but the programmer was too lazy to implement it anyway. This is why Windows 7 gives you a way to elevate permissions on any program without the program having to ask. Simply right-click the program or shortcut you want to elevate and click "Run as Administrator".

 

 

 

 

2. Crossing the Line

The second part of this article explains where Windows 7 draws the line for a virus's ability to read/write data.

If a virus is NOT elevated, it can NOT read (or write) data in ANOTHER user account. That's a feature built into Windows, and it works extremely well. This feature is time-tested and proven to be effective. It uses a technology called NTFS permissions. (NTFS = New Technology File System). It has been around since Windows NT (which is what they had before Windows 2000). You can think of a user account like a jail for viruses. The user account is able to "contain" the infection so it can't spread to other user accounts. Windows will not allow a virus to "cross the line" into another user account. However, THE VIRUS CAN STILL read, write, and delete data in the infected user's account. This includes passwords that you have allowed your web browser to remember, documents, music, pictures, QuickBooks data, etc.

So if you have data you want to keep safe from infections, you might want to create a separate user account and move that data to it. If you can't remember how to create a new user account, go back to the first 3 screen shots in this article. The 3rd screen shot has a "Create a new account" link. Moving the data to it might be the hard part. If you don't know how to move files, you might want to contact me, or find a friend to help. Basically, you want to navigate to C:\Users and you will see a folder for each user account. Under each user folder, you will see folders for documents, pictures, music, videos, etc. You can move any file(s) you like to another user's corresponding folder. Then you will need to reset the NTFS permissions, which is done by right-clicking the destination folder, then Properties, Security, Advanced, Change Permissions, and "Replace all child object permissions with inheritable permissions from this object".
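
The move-and-reset procedure above, written as a PowerShell script. This is an added example, not part of the original article and not the author's cleaner program. The account name "safe" and the folder name "Taxes" are assumptions, and it assumes the "safe" account has logged in once so that C:\Users\safe exists.

```powershell
# Added example. Run from a PowerShell window opened with "Run as Administrator".
$SourceUser = 'jshipp'   # everyday account (name taken from the article)
$DestUser   = 'safe'     # hypothetical second account
$FolderName = 'Taxes'    # hypothetical folder under Documents

# Writing into another user's profile requires an elevated process.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: right-click PowerShell and choose "Run as Administrator".'
}

$src       = "C:\Users\$SourceUser\Documents\$FolderName"
$dstParent = "C:\Users\$DestUser\Documents"
$dst       = Join-Path $dstParent $FolderName

if (-not (Test-Path -LiteralPath $src))       { throw "Source folder not found: $src" }
if (-not (Test-Path -LiteralPath $dstParent)) { throw "Destination not found: $dstParent" }
if (Test-Path -LiteralPath $dst)              { throw "Destination already exists: $dst" }

# A move on the same drive keeps the old permissions, which still name the source user.
Move-Item -LiteralPath $src -Destination $dstParent

# Same effect as "Replace all child object permissions with inheritable permissions":
# /reset restores inherited ACLs, /T covers subfolders and files, /C continues on errors.
& icacls.exe $dst /reset /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: the source account must not appear on the folder or on anything inside it.
$items = @(Get-Item -LiteralPath $dst -Force) +
         @(Get-ChildItem -LiteralPath $dst -Recurse -Force)
$leaks = @($items | Where-Object {
    $_.GetAccessControl().GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like "*\$SourceUser" }
})

if ($leaks.Count -gt 0) {
    $leaks | ForEach-Object { Write-Warning "$SourceUser still has access: $($_.FullName)" }
} else {
    Write-Output "OK: $SourceUser has no permissions left on $dst"
}
```

After the reset, the folder inherits the permissions of the destination profile, which still include the Administrators group. That is why the protection only holds against programs that are not elevated.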

If a virus IS elevated, it will be able to read, write, or delete ANY file in ANY user account. Can you imagine how disastrous this would be for networks like the Courthouse or Sheriff's Office? When this happens, Windows 7 must be reinstalled, and all programs like Word, Excel, and QuickBooks must be reinstalled. This takes hours.

 

 

3. Help, I got infected!

Now, let's say you ran a virus and did NOT allow elevated permissions, or the virus never triggered UAC. Your user account is infected and you want it clean.

I have created a virus cleaner program that automates the cleaning process. It basically creates a new user account and moves your data to it. Just run it, click next a bunch, and enjoy the $150 you just saved!

 

Your brain still hungry for more? Read my super duper big time advanced for real article!