Are you a Windows user? If you answered yes, then you know that when you try to install a new program or open software for the first time that you’re usually asked for your permission. This is User Account Control or UAC in action. So what exactly is UAC virtualization?
UAC virtualization is a workaround so legacy programs can continue to be used as Windows upgrades its software. Through virtualizing UAC permissions, the app thinks it’s writing a system path when it’s really a user path.
Although it all sounds good, UAC virtualization has its proponents and detractors. In this guide, we’ll talk about the pros and cons so your Dallas company can decide whether UAC virtualization is the best choice for you.
What Is UAC Virtualization?
To reiterate what we touched on in the intro, UAC is short for User Account Control. For most Windows users, the most they see of UAC is as an execution prompt that comes up when trying to install new software or upgrade a program.
The prompt may say something like “Do you want to allow the following program to make changes to this computer?” Then the prompt will tell you what the program name is as well as the verified publisher.
If you click the yes button, then the program will continue installing or upgrading. If you click no, then installation ceases.
Microsoft began using UAC for Server 2008 and Windows Vista so only administrative accounts could make decisions on changes that could impact an entire system. This would stop the software from writing to system paths, which is securer than how Windows was doing things in the Windows XP days.
Since a new software or an upgraded version couldn’t access system paths, that meant system files such as Program Files or Windows System 32 were off-limits.
As we mentioned earlier though, what sounded great wasn’t really, at least not in totality. Yes, UAC made the new Windows operating systems more secure, but it also broke some things, especially legacy applications that were accustomed to only writing to system paths.
Thus, the need for UAC virtualization arose.
The Move to UAC Virtualization
Virtualization is a computing term that means to digitize something or virtualize it. That can include computer network resources, storage devices, and even computer hardware.
What UAC virtualization does is change the writing access of the software, giving it a user path container instead of the system path. In other words, rather than locate the program files and begin writing to those, virtualizing UAC creates a copy of the important program path files.
What Are the Pros and Cons of UAC Virtualization?
As great as it would be if UAC virtualization automatically fixed everything related to legacy programs built in the 1990s and 2000s, that’s not exactly what happened. UAC virtualization was supposed to be a temporary measure until software developers could get their software compliant enough that it wasn’t trying to access system files when updating.
Yet in the most current version of Windows, you still have UAC virtualization as an option. That’s why we thought we’d take this section to discuss its pros and cons.
- Allowed Legacy Programs to Continue
Imagine if the thousands of programs and apps created by software developers before the mid-2000s had to disappear because Microsoft wanted to make a critical security update to the latest edition of Windows.
It almost happened, but UAC virtualization stopped it. That’s not to say it’s perfect, as you’re about to see, but virtualizing permissions allowed legacy programs to continue. Interestingly, we have to go back to the fact that Microsoft has not phased out UAC virtualization despite having every intention to do so.
This at least allows us to still enjoy legacy software and apps to this day.
- Prevents Potentially Dangerous Updates to the Computer
Listen, sometimes when you’re really busy, you can misclick. Maybe your better judgment leaves you and you download an app that you otherwise would realize that you shouldn’t. By having to click through the UAC prompt, it forces you to stop for a second and think about what you’re doing.
If you realize that hey, what you’re about to install to your work computer could be malware, you can always reject the prompt and delete the downloaded file. Your computer will be fine and your lapse in judgment doesn’t have to be revealed to anybody.
- Easy to Use
If you can’t tell the difference between application paths and program files, you don’t have to. UAC virtualization behaves by a certain set of rules you don’t have to dictate. For example, by using the Application Manifest XML file, the UAC will choose one of three access levels to run an application.
The highestAvailable option is for the user’s greatest level of privilege. The asInvoker option gives the user token access in their current context. The requireAdministrator option is when the UAC prompt pops up.
Otherwise, you don’t even know that UAC virtualization is working behind the scenes. Plus, when you do see the prompt, all you have to do is click yes or no, which is very simple.
- Not on by Default
For as beneficial as UAC virtualization can be, it’s interesting how Windows does not have the feature turned on by default. We’ll talk later about how to enable it, but newer Windows models give you the option to go without. This can be dangerous depending on the types of files you’re downloading and running.
- Only Works for 32-Bit Apps
Another caveat is that your program must be 32-bit. In other words, it runs in a flat address space that’s 32 bits.
In the Windows Task Manager, you can glean this information. First, click the Details tab, then right-click on the column header. Pick the option Select Columns, checking the platform box. Then click the OK button and now you can determine whether your app is 32-bit or 64-bit.
The reason that UAC virtualization is for 32-bit programs only is that AMD64, which is for 64-bit programs, came about after the virtualization was already rolled out. You know by now that UAC virtualization was supposed to be temporary, so trying to upgrade it probably wasn’t high on Windows’ priority list and certainly still isn’t.
- Easy to Screw It Up
Although clicking UAC verification is as easy as choosing yes or no, once you get into more advanced virtualization, making mistakes is a little too easy.
For example, if you don’t have access to the original file’s path files, or if you do but you have read-only permissions, you’ll get an error code trying to virtualize them. Your program could also crash, or the system could.
Is UAC Virtualization Worthwhile for Your Dallas Company?
Now that you’re more familiar with UAC virtualization, including its pros and cons, it’s time to answer an important question. Should your Dallas company use it?
Well, that depends on three matters: whether your company uses legacy programs, which account you’re running software from, and whether your systems are 32-bit or 64-bit.
Let’s discuss the legacy programs first. A legacy program is defined as any old technology or way of doing things. While legacy programs are outdated, they’re still used. Sometimes it’s because the company has no need to update them since the current program meets their needs.
If your Dallas company is uber-modern, then there might not be a legacy program or app in sight on your network. In that case, then using UAC virtualization makes no sense, as preserving important legacy programs is exactly what this form of virtualization was built for.
You can also skip UAC virtualization if you’re using 64-bit apps and programs. As you’ll recall, UAC virtualization does not work for anything but 32-bit programs.
The type of account you use is important too. If you only run your computer from an admin account, then the UAC prompt will never pop up. However, for the other non-admin users, we’d suggest UAC virtualization.
How to Use UAC Virtualization
You’ve talked it over with your key stakeholders and you’ve decided that using UAC virtualization is within your Dallas company’s best interest right now. Since the feature is turned off by default, how do you turn it back on?
Here’s how it’s done.
Step 1: Go to Group Policy
To find the settings to turn on (and off) UAC virtualization, you need to access Group Policy. This feature is for network administrators since the settings here are rather advanced. To get to the Group Policy settings, first you need to find the Local Group Policy Editor.
Press the Windows button and R at the same time on your keyboard. This will open the Run window. Then, in the Open Field, input the command “gpedit. msc” exactly as you see it without the quotes (but keep the extra space). Then press the enter key.
Step 2: Access Local Policies, Then Security Options
Now that you’re in the Group Policy settings, you need to repeat the same steps as before to access the Run window, aka pressing the Windows button and R on the keyboard. This time, input “change security settings” without the quotes.
In the Local Group Policy Editor, choose Security Options.
Step 3: Scroll to the Bottom of the List and Look for User Account Control Settings
Upon doing so, you’ll be greeted by a massive list of policies that can make you a little apprehensive about proceeding. Ignore everything that says Network access and Network security. That means scrolling way down to the bottom of the list.
Towards the very end of the Security Options list, you’ll see the setting “User Account Control: Virtualize file and registry write failures to per-user locations.” Please make sure it says those words exactly, as there are several User Account Control settings above this one. You don’t want to turn on anything that you don’t mean to.
Next to where it says “User Account Control: Virtualize file and registry write failures to per-user locations”, it will state Not Defined. That’s the fancy way of saying that UAC virtualization is turned off.
By choosing the “Define this policy setting” checkbox, you can enable UAC virtualization. Then you’re finished.
UAC virtualization started as a need to keep legacy programs running on newer versions of Windows. You can’t use this form of virtualization on 64-bit programs, and it’s not something you need if you only run Windows in Administrator mode.
That said, UAC virtualization could come in handy at times for your Dallas company, so it’s good to know how it works.