How to declare a program as "trusted"

How can I declare a program I know as "trusted" so that UAC does not always
ask me for authorization to run it?
Thanks for suggestions

You can't. It would defeat the purpose of uac. What would stop programs from
changing this setting them self?

--
Kerry Brown
Microsoft MVP - Shell/User
www.vistahelp.ca/phpBB2


"petermcwerner" <> wrote in message
news:3CEBEAD8-69C2-42AF-BA0C-...
> How can I declare a program I know as "trusted" so that UAC does not
> always
> ask me for authorization to run it?
> Thanks for suggestions

Hello,

> For instance by asking for my password. Can't UAC distinguish between my
> input as user and what the program tries to do?

Once you've pre-approved an application to run elevated without consent, the
cat is out of the bag. Other programs can run that program and bypass their
privilege restrictions.

Imagine the case where you mark the command prompt as
always-elevated-without-prompt. Other programs could start a command prompt
and then run some payload from that elevated command prompt with full
privileges - without you knowing about it - thus defeating the purpose of uac.

As for your second point, YES Windows can be made to tell whether you are
performing UI - but it CANNOT know what you intend to do with the UI.

To use my command prompt example, Windows could be modified so that a
program could only launch the elevate-without-prompting command prompt when
you say click a button. But, a malicious program could pop up a message box
saying you won a thousand dollars and only offer one button, OK, for the user
to click on to dismiss the dialog - and when the user clicks that button, WAM
the payload would be executed.

Windows CAN tell when you are doing UI ... Windows CANNOT tell what you
intend to accomplish by performing the UI, nor what an application will do
with said UI.

- JB

Are you using one of the Beta builds or RTM?
UAC has steadily gotten better.
I rarely see it in RTM and have left it enabled.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org


"petermcwerner" <> wrote in message
news:3CEBEAD8-69C2-42AF-BA0C-...
> How can I declare a program I know as "trusted" so that UAC does not
> always
> ask me for authorization to run it?
> Thanks for suggestions

I'm in the same boat here. I mark a program as trusted and was getting
pop-ups everytime I used it (inclueding I.E. 7) I got so tired of it that I
just shut down the uac and have been pop-up free ever since...
BTW: I'm running vista rc1(bummer) missed the boat on rc2......And stuck
waiting for vista to hit the stores...
--
Just when you thought you had the top of the line system...You find out that
you have to upgrade yet again. The pain gasp!!
The suffering!!
Until Payday!!!


"Jupiter Jones [MVP]" wrote:

> Are you using one of the Beta builds or RTM?
> UAC has steadily gotten better.
> I rarely see it in RTM and have left it enabled.
>
> --
> Jupiter Jones [MVP]
> http://www3.telus.net/dandemar
> http://www.dts-l.org
>
>
> "petermcwerner" <> wrote in message
> news:3CEBEAD8-69C2-42AF-BA0C-...
> > How can I declare a program I know as "trusted" so that UAC does not
> > always
> > ask me for authorization to run it?
> > Thanks for suggestions
>
>

You now have a system that anyone can use to access the computers and
servers protected by the VPN. Why use a VPN at all? Just put your
company's data on an open IP address so the world can do whatever they want
with it.

"bhorn2001" <> wrote in message
news:27A0724A-6363-418C-ACF5-...
>I am running RTM and have turned it off because of one program. I need my
>VPN
> client to start with windows but it won't so I have turned off the UAC.
>
> Brad
>
> "Jupiter Jones [MVP]" wrote:
>
>> Are you using one of the Beta builds or RTM?
>> UAC has steadily gotten better.
>> I rarely see it in RTM and have left it enabled.
>>
>> --
>> Jupiter Jones [MVP]
>> http://www3.telus.net/dandemar
>> http://www.dts-l.org
>>
>>
>> "petermcwerner" <> wrote in
>> message
>> news:3CEBEAD8-69C2-42AF-BA0C-...
>> > How can I declare a program I know as "trusted" so that UAC does not
>> > always
>> > ask me for authorization to run it?
>> > Thanks for suggestions
>>
>>

Hello,

You can make/change the manifest to tell Windows how much privilege the
specific application needs; however, this won't allow you to always trust an
application. If you specify in the manifest that the application needs
administrator privileges then the system will prompt with UAC.


- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

You can change the Windows integrity level as I understand and am currently
working with. Let me know if this makes sense to everyone:

http://www.minasi.com/vista/chml.htm

Check out the above link.

Users can change the integrity level of an object if they have the SeRelabel
Priveledge.

You can remove, edit and change the Windows integrity levels via this
command line program and write a new SDDL to the file. You can read the
mandatory levels with the vista command line tool ICacls ( I can run this
command from either an elevated command prompt or just the regular command
prompt, and I have been able to view Mandatory labels). You just need read
permission for the object in order to view the mandatory label.

Here is an example:

c:\users\wosully\appdata\locallow OSULLIVAN\wosullyF)
OSULLIVAN\wosullyOI)(CI)(IO)(F)
NT AUTHORITY\SYSTEMF)
NT AUTHORITY\SYSTEMOI)(CI)(IO)(F)
BUILTIN\AdministratorsF)
BUILTIN\AdministratorsOI)(CI)(IO)(F)
Mandatory Label\Low Mandatory
LevelOI)(CI)(N
--
MCSE: Security, CCNA, A+, Network +, Security+


"Jimmy Brush" wrote:

> Hello,
>
> You can make/change the manifest to tell Windows how much privilege the
> specific application needs; however, this won't allow you to always trust an
> application. If you specify in the manifest that the application needs
> administrator privileges then the system will prompt with UAC.
>
>
> - JB
> Microsoft MVP - Windows Shell/User
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/
>

The integrity level of an object controls what applications can modify that
object. Changing the integrity level of an .exe would control what
applications can modify the actual .exe file, not what integrity level the
application runs at.

Of course, if you are a programmer and researched it enough you could
probably make a program that implements some sort of "trust always"
functionality, but this functionality is not built in to windows and I
believe it would be doing a great disservice to users to make such a program.

--

- JB

Hello,

What applications do you run all the time that requires administrator
privileges? I would guess that either they really should not need admin
privileges, or they could be redesigned to reduce or eliminate prompts .

I think once the Vista-compatible applications are released, this will be
much less of a problem.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/