When UAC is turned on, each user runs with a standard user token no matter what their normal privileges are. Standard user tokens use the "least user access principle," which means that each operation is performed with no administrative access rights. When an operation requires administrative rights, a special prompt is displayed to provide it. If you are an administrator, you simply click Allow or Disallow, but when you are a standard user, you have to provide the name of an administrative account as well as its password to authorize the operation.
This means that it is now much easier to run locked-down systems because everyone, even administrators, can work with a standard user account. When prompted, administrators can provide their high-privilege credentials -- whereas users will never see this prompt in the first place if you configure your settings properly. This helps keep systems secure at all times. But running without administrative rights will often break poorly-written applications, because they try to write in locations that are not available to users with standard access rights. This is the case for many legacy applications.
Solution: Several solutions exist. Vista's virtualization of both the file and registry may help by redirecting application components to user-writable areas of the system. Applications can be rewritten to correct their behavior. Applications can also be virtualized through third-party tools such as Microsoft SoftGrid Application Virtualization, Altiris Software Virtualization Solution, or Thinstall Virtualization Suite. This lets the application run in a sandbox, isolating it and preventing it from making changes to the system. Or the application can be supported by a tool such as Altiris Application Control Solution or BeyondTrust Privilege Manager. Both tools provide elevated access rights on the fly when users run a legacy application that does not work with UAC.
Incidentally, one great way to identify potential issues with UAC is to run the application through the LUA Buglight tool. LUA Buglight (LUA stands for "Limited User Access") is a free tool developed by Aaron Margosis, a senior consultant with Microsoft Consulting Services. Basically, LUA Buglight scans an application as it runs to identify any activities that require administrative rights. Once these activities are identified, you can correct the code, correct the application's configuration, or try running it in a compatibility mode. Aaron's blog also provides a lot of information on potential solutions for running applications in "non-admin" mode.
If you find this all really frustrating, you can, of course, disable UAC through the Group Policy settings, but we would certainly not recommend that you do so. Everyone should be running as a standard user -- even in Windows XP. It isn't always easy, but it is possible and definitely more secure.
Problem: Another change that will break some applications is Windows Resource Protection (WRP), which is Windows System File Protection on steroids. WRP protects both the file system and the registry from unauthorized changes to the system. When an application tries to write to protected areas of the system, it fails. Many legacy applications will do this because they were never written with system protection in mind.
Solution: Try running the application in compatibility mode or correct the application if you have access to the source code.
Problem: Session 0 is the core session the operating system kernel operates within. In previous versions of Windows, applications were allowed to operate in Session 0, but any application that would fail while operating at this level would cause the entire operating system to fail.
In Vista, Session 0 is now reserved for operating system functions only. Services that operate at this level and try to display user interfaces will fail because Session 0 no longer supports any such interfaces.
Solution: Vista will try to automatically redirect these interfaces to user sessions, but this may not work. The best way to correct these issues is to update the application to use global objects instead of local objects and display all interfaces in user mode.
