Why can the Windows 7 Professional/Ultimate Guest account bypass the UAC and still install or uninstall certain applications?

Question: Why can the Windows 7 Professional/Ultimate Guest account bypass the UAC and still install or uninstall certain applications?

  • Monday, August 20, 2012 5:39 PM
     
     

    PLEASE NO GENERIC REPLIES!
    ANSWER ONLY IF YOU HAVE FIRST READ, UNDERSTOOD, AND TESTED THE SCENARIO FOR YOURSELF!
    If I am wrong, then please state that this IS IN FACT normal behavior in Windows 7 Professional and Ultimate.
    If I am right, then please explain how in the world has this slipped past Microsoft QC and test engineers, and if it is going to be fixed soon (with maybe an update?)?
    Again, please NO generic, copy & paste, non-related answers!
    Thank you very much.

    So far I have tested this on several different Windows 7 PCs, both brand (HP, Dell, etc.) and custom built, all with the same results.

    Have been trying to prevent guest users from installing or uninstalling applications on several Windows 7 Professional PCs at a hotel.
    Started with a clean install of Win7+SP1 with the latest drivers, etc. Also applied all available Windows Updates. Created a password for user Admin. Activated the "Guest" account. Restarted and logged in a few times with both accounts (Admin, and Guest) to make sure all settings are applied. Here's the issue:

    Simulating a guest user scenario, restarted and logged in as Guest, downloaded Firefox, clicked "Run", system asked for Admin password, clicked on "No" (to mimic a guest user not knowing the Admin password), the password prompt dialog box closed and the installer STILL INSTALLED the program (Firefox)!!
    Went into Control Panel > Programs, and attempted to uninstall, the system prompted for the Admin password, again clicked "No" to mimic a guest user not having the Admin password (and therefore theoretically should not be able to uninstall), but the system nevertheless DID UNINSTALL the program!!

    Tried the same install/uninstall scenario with Google Chrome, Opera, etc. with same results!
    Also, tried the same scenario on other PCs with Windows 7 Professional and Ultimate, and still got the same results! So it's not just this machine.

    So far I have managed to successfully install the following in Guest account, even by clicking "No" to the Admin password (and yes, even with UAC set at the highest level! Hello! Microsoft? Anybody there?!):
    - Mozilla Firefox
    - Google Chrome
    - Opera Browser
    - Netscape Navigator (installer started, DID make some changes, but then exited incomplete)
    - Nitro PDF reader Add-on for Firefox
    - A bunch of toolbars and search bars and other garbage advertising bars!

    It seems all applications can still install and/or uninstall in Guest account, regardless of the Admin password response of "No"!!

    So the question is: Why can the Guest account still install or uninstall applications in Windows 7? Isn't the Guest account supposed to NOT be able to install or uninstall applications? If not true, then what's the point of having a Guest account, if it still can install and uninstall applications and make changes to the system like an Admin?!

    Please do not provide indirect or unrelated "how to get around it" answers such as "disable the Guest account and create another Limited account" or "use parental control" or such. The question is not how to get around it... the question is:
    - Why can the Guest account still install or uninstall applications even after you click "No" to the Admin password prompt?

    Thank you.

All Replies

  • Monday, August 20, 2012 9:49 PM
     
     

    Try the IT pro forums at http://social.technet.microsoft.com/Forums/en-us/categories. This forum is for helping people in writing their software, not for using someone else's software, including Microsoft's.



    The following is signature, not part of post
    Please mark the post that answered your question as the answer, and mark other helpful posts as helpful, so they will appear differently to other users who are visiting your thread for the same problem.
    Visual C++ MVP

  • Tuesday, October 23, 2012 8:27 AM
     
     

    Hi manuseif,

    Many programs are able to install to the user's own directory and will do so when they detect that the program didn't get Admin approval and can't be installed to the system-wide program area. In these cases, no changes are being made to system files and do not affect other users.

    So, try these out:

    1. Check to see where the program is actually installed to.
    2. If you Switch to another user, can the other user see the program the Guest just installed?
    3. Install a program, log out of the Guest account, and log back in to the Guest account again. Are the installed programs still there? They shouldn't be; when a Guest logs in (again), Windows clears all changes made by the previous Guest login.
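
Step 1 of the reply above can be checked from a script. The following PowerShell is an added example, not part of the original thread: it reads the standard Windows Uninstall registry keys and reports whether each entry was registered per-user (HKCU) or machine-wide (HKLM), and whether its install folder sits in the user profile or in a system-wide directory. The function name Get-InstallScope and the output column names are hypothetical.

```powershell
# Added example. Get-InstallScope is a hypothetical helper name.
# Written to run on PowerShell 2.0, the version shipped with Windows 7.
function Get-InstallScope {
    # Standard Uninstall registry locations: HKCU is per-user, HKLM is machine-wide.
    $roots = @(
        @{ Scope = 'PerUser';       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall' },
        @{ Scope = 'Machine';       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall' },
        @{ Scope = 'Machine-32bit'; Path = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' }
    )
    # Directories that normally require administrator rights to write to.
    $systemDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }

    foreach ($root in $roots) {
        if (-not (Test-Path $root.Path)) { continue }
        foreach ($key in Get-ChildItem $root.Path -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p -or -not $p.DisplayName) { continue }   # skip unnamed entries

            # InstallLocation is optional; some installers leave it empty.
            $loc = ('' + $p.InstallLocation).Trim('"').Trim()
            $under = 'Unknown'
            if ($loc) {
                $under = 'Other'
                if ($loc.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)) {
                    $under = 'UserProfile'
                }
                foreach ($d in $systemDirs) {
                    if ($loc.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $under = 'SystemWide' }
                }
            }
            New-Object PSObject -Property @{
                Scope = $root.Scope; InstalledUnder = $under; Name = $p.DisplayName; Location = $loc
            }
        }
    }
}

# Run while logged in as the account under test (in this thread's scenario, Guest).
Get-InstallScope |
    Select-Object Scope, InstalledUnder, Name, Location |
    Sort-Object Scope, Name |
    Format-Table -AutoSize
```

An entry with Scope PerUser and InstalledUnder UserProfile was written only to locations the logged-in account already owns; an entry that appears under Machine after "No" was clicked at the prompt would be the case worth investigating.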