From: Kan Yabumoto firstname.lastname@example.org
To: XXCOPY user
Subject: XXCOPY on Windows Vista --- living with UAC
It is no surprise that the corporate world has been in the usual
"Wait-and-see" mode since the introduction of Windows Vista this
January. It may be just me, but the transition from XP to Vista
seems to be slower than any of previous Windows' version updates.
Aside from the cosmetic changes, the most notable enhancement in
Vista is the new User Account Control (UAC) scheme. Because of
its importance and pervasiveness, everyone needs to take time and
examine what UAC is all about and how it affects our use of the
computer, especially in XXCOPY's operations.
In this article, I will try to summarize the UAC-related issues
that are relevant to XXCOPY operations in my own words.
In essence, the UAC scheme tries to improve the system security
by erecting a boundary between the standard (regular) system
resources and the administrative (vulnerable) resources.
One of the most informative articles on the subject that I have
seen so far is "Inside Windows Vista User Account Control"
written by the widely respected author, Mark Russinovich of
Winternals. Although very technical, it is a very good reading
for those who want to run XXCOPY on Windows Vista.
Too busy to learn UAC?
For those who refuse to pay the due in learning the UAC scheme,
there is a simple way to avoid the UAC-related hassles and get
on the business of using Vista (and XXCOPY on it) --- at least
for now and to revisit the issue when there is more time:
Just disable the UAC settings. Here's how.
Control Panel > User Accounts > Turn User Account Control on or off
uncheck the following check box:
[ ] Use User Account Control (UAC) to help protect your computer
then, click [OK] and reboot the system. That is it!
Of course, disabling UAC means that you are giving up the improved
security that the UAC scheme promises. It sounds a bit scary.
But, using the Vista without UAC would not be any worse than
running a previous version of Windows.
When you disable the UAC setting, XXCOPY will work just fine.
All the headaches associated with the UAC scheme will go away.
You can even stop reading this page here because the rest of
this article is relevant only when you enable UAC on Vista.
Make sure that you revisit this article when you turn on UAC.
Then again, why Vista?
Unless your new computer arrived with a pre-installed Vista,
it may be wise to wait a little longer if not for all the third-
party Vista support infrastructure become available. For one
thing, Vista does demand considerably more system resources
(faster CPU and more memory) to sustain the same level of
responsiveness of the previous version of Windows.
Lastly, if you are like most of us who need to live with Windows
in the foreseeable future, you will eventually have to face
the tune of Vista (and UAC). So, let's get on with it, now.
UAC's view of things:
The UAC scheme is to force a user in the Administrator group
to operate in Standard User mode most of the time and to grant
the administrative rights only to programs that need them with
an explicit user prompt on a case-by-case basis. The idea is
to minimize the exposure of the critical system resources to
malware and viruses by shielding the vulnerable parts from most
of the programs.
If you are a standard (non-administrator) user, you can't modify
the protected resources on the disk (the root directory, the
"Windows" and "Program Files" directories).
One important thing to recognize is that UAC implements its
policy on a program-by-program basis. UAC classifies programs
into there types:
1. Legacy programs that do not declare as Vista-compatible.
2. Programs that do not change administrative resources.
3. Programs that may change administrative resources.
All Vista-compatible programs need to provide a "manifest"
(an XML document) where the requirement for administrative
privileges is declared. (XXCOPY of Ver 2.96.0 or newer has
a embedded manifest within the program for user convenience.)
Unfortunately, an application program such as XXCOPY.EXE cannot
acquire the administrative privileges on an As-Needed basis.
Therefore, whether or not your XXCOPY command modifies the
protected directories (such as the root directory), UAC will
intervene and prompt you for your acknowledgement that you
are knowingly invoking the "high-risk" program. In order to
serve those who do not intend to modify files that require
administrative privilege, we decided to package a version of
XXCOPY for the standard (non-administrative) user that does
not elevate the privileges, namely, XXCOPYSU.EXE.
Using UAC's classifications (see above), various versions of
XXCOPY can be categorized as follows:
1. XXCOPY.EXE (legacy) // old version (v.2.9x.x or earlier)
2. XXCOPYSU.EXE // the standard-user version of XXCOPY
3. XXCOPY.EXE // the full-capability XXCOPY program
The UAC scheme also classifies resources in the computer into
1. regular resources // any program can modify
2. admin resources // only privileged programs can modify
The regular resource (files in ordinary directories or entries
in ordinary areas in the system registry) can be modified by
any class of programs without restrictions. The great majority
of files on your disk follow this scenario.
The admin resource includes the root directory, the Windows
directory, the "Program Files" directory and certain areas in
the system registry. When a program attempts to modify a file
in such directories, the result depends upon which of the three
types the program belongs to.
Program Behaviors when UAC is enabled:
In the discussion above, three types of programs were mentioned.
Any of these programs can manipulate files in a directory in the
general resource in the same old way. Nothing special.
The key difference is when files in a directory that belongs to
the admin resource is written or modified, the outcome will vary
depending upon which of the three types the program belongs.
1. A legacy program (e.g., old XXCOPY.EXE) will appear to work
well without showing an error condition. However, the Vista
environment puts the program in a "sand box" where the
program writes the output into a virtualized directory.
In actuality, the Vista environment protects the admin
resource (such as the root directory) by faking the changes.
While the fooled program believes that it made changes in
a file in the root directory, the new file is written in a
2. A regular program without the administrative privilege (e.g.,
XXCOPYSU.EXE) will fail to modify an admin resource (e.g.,
to change a file in the root directory). The UAC-enabled
environment simply refuses to let a program to alter the
contents of admin resource without proper permissions.
3. The invocation of a privileged program (vista-compatible
XXCOPY.EXE) will prompt users for the UAC elevation. If
the log-in user belongs to administrators group, then,
the user prompt can be dismissed by a simple mouse click.
If the log-in user is a standard user, then, it invokes
a "OTS" elevation which asks for the choice of administrator
and his password to proceed. In either case, the administrator
privilege will be granted with the temporary log-in (when
the password is entered correctly) and the remaining execution
of the program will work unimpeded.
The important thing to remember is that the execution of XXCOPY
will prompt you for either a simple mouse-click (if you have the
administrator privilege) or an administrator password (if you
are a standard user) in a UAC-enabled environment.
Types of UAC Dialog Boxes:
If you (the current log-in user) are an administrator, you will
encounter one of the following dialog boxes. It is color-coded
Green: Very Safe, Gray: Generally Safe, Yellow: Need Caution.
A program that comes with Windows (supplied by Microsoft)
You can trust this type of programs (at least in theory).
A third-party program with the publishser's digital signiature
If you are not familiar with the publisher, examine the
publisher's digital signature carefully. It's usually safe.
A third-party program without a digital signiature.
If such a window popped up unexpectedly, you should cancel it.
However, there are cases where a legitimate application comes
without a digital signature.
For a standard user (not logged-in as an administrator), the dialog
boxes will be slightly different. The choice to proceed with the
program requires a special (temporary) log-in as a user with the
The dialog box provides a choice of the log-in user and
a box for password.
Avoiding the UAC-related prompts:
When you run XXCOPY a number of times in a setting, or run
a batch file that repeatedly launches XXCOPY or other programs
that require the UAC-elevation, the prompts caused by the UAC-
enabled environment will not only become a nuisance, but also
prevent an unattended operation.
We suggest that you create a user console (CMD.EXE --- so-called
DOS Box) that is invoked with the elevated UAC privilege.
Once inside the privileged console, all XXCOPY executions will
be carried out with the elevated privilege without a prompt.
XXConsole, a Super Console Generator:
The following command line installs XXCOPY on your computer:
It saves XXCOPY-related files from the temporary directory
(where the downloaded ZIP file is expanded) into the final
destination (typically at \Windows\system32). This procedure
also creates a shortcut icon of the command processor (CMD.EXE)
in the Desktop under the label of XXConsole.
It is to make XXCOPY users' life simpler by a dedicated shortcut
for an administrator console with a regular mouse click.
Note the "Administrator:" label at the top left corner.
Since this window which is created by the command processor (CMD.EXE)
is launched with the administrative privilege, all command-line
executions of the XXCOPY program and all batch file invocations inside
this console window will inherit the elevated UAC setting without
any additional user prompt.
The next technical bulletin explains the XXConsole tool in detail.
[ Table of Contents ]
[ Show as Detached ]
[ >> ]