ANS: "What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was

Discussion in 'Windows Vista Administration' started by Jimmy Brush, Jul 31, 2006.

  1. Jimmy Brush

    mayayana Guest

    Indeed. Rube Goldberg would be pleased to have you as
    an apprentice.
    I don't want to scare you unduly, but how
    do you know it's Windows showing you that UAC prompt,
    and not one of your famously ubiquitous malware programs
    hooking the mouse input? Hopefully in SP2 Microsoft will
    start taking security seriously and offer a retina scan
    confirmation using external hardware. In the meantime
    it might be best if we all try to keep our clicking to a
    minimum. :)
     
    mayayana, Dec 22, 2007

  2. Jimmy Brush

    Jimmy Brush Guest

    What difference would a fake UAC prompt make, for the majority of users
    running as an administrator with the default configuration of just
    continue/cancel?

    Clicking a fake continue button on a fake UAC prompt does not increase the
    privilege level.
     
    Jimmy Brush, Dec 23, 2007

  3. Jimmy Brush

    Steffer Guest

    I am trying to install Office 2007. The launcher says that it must be run by
    an administrator. When I right click on this file in the DVD drive there is
    no choice that says run as administrator. Now what??
     
    Steffer, Jan 23, 2008
  4. Jimmy Brush

    Not Me Guest

    Log in to an account that is a member of the administrators group.
     
    Not Me, Jan 23, 2008
  5. Right Click on the setup.exe file and choose the Run as admin option
    available there. This will solve your problem.
     
    ~Alex~.:MVP Windows Shell/User:., Jan 23, 2008
  6. Jimmy Brush

    personalnjc Guest

    Anyone who reads all of the posts regarding UAC and believes that all of this
    information is helpful is frozen in computing of 1991. Are you all not aware
    of how stupid it is at this point in time to have to repair a user account by
    using all of this mumbo jumbo? And has anyone tried it? You don't have
    permissions to overlay folders in the new user account when you try to copy
    one over. And if the Admin account is gone you have to go through that
    reinstall disk VOODOO using various techniques that should have been
    outlawed, much less suggested. VISTA is a disaster. I have never had this
    many problems with any other operating system. I'd rather use Windows 95 than
    VISTA.
     
    personalnjc, Feb 7, 2008
  7. Jimmy Brush

    Marge T Guest

    What must I do to uninstall Adobe Reader 8.1.2? I am told there is not
    sufficient access to uninstall same, that I need to contact a systems
    administrator. How do I do that, what are my steps?
     
    Marge T, Mar 23, 2008
  8. Jimmy Brush

    Bob Guest

    All of that nonsense can be eliminated by running UAC in "quiet" mode.
     
    Bob, Mar 23, 2008
  9. This is a fallacy! If UAC cannot notify the user that a program is trying to
    gain global access to the system, then it is effectively 'disabled'. This so
    called 'quiet mode' setting just changes a UAC registry setting to
    'automatically elevate everything without prompting'. This means that when
    you click to open a file, it is 'assumed' that you already know that the
    file will have unrestricted access to your computer.

    The main thing that UAC does is to detect when a program or application
    tries to access restricted parts of the system or registry that require
    administrator privileges. When a program does this, UAC will prompt the user
    for administrative elevation. Without this prompt, UAC cannot warn the user,
    which means that it is effectively disabled.

    Some people will tell you that using "quiet mode" will still let IE run in
    protected mode, but this just isn't true. Without the UAC prompt, a
    malicious file that runs from a website can run, without restrictions, and
    silently.

    Another issue is that with UAC prompt disabled, some legitimate procedures
    will just silently fail to work properly, with no notification, if you are
    logged on with a Standard User account, since the application cannot notify
    you that administrative privileges are required.

    Even the developer of the TweakUAC utility includes this statement about his
    product.
    "if you are an experienced user and have some understanding of how to manage
    your Windows settings properly, you can safely use the quiet mode of UAC."
    In my opinion, if you are an experienced user, the last thing you would want
    to do is turn off the UAC notification.

    If you 'are' an experienced user, then you would already know how to
    temporarily bypass the UAC prompt to perform just about any procedure in
    Vista, such as running programs from an elevated command prompt, or using an
    elevated instance of windows explorer.

    The last problem I have with this so-called 'quiet mode' is that it
    dissuades developers from programming their applications to run in a least
    user privilege environment.
     
    Ronnie Vernon MVP, Mar 23, 2008
  10. Jimmy Brush

    Bob Guest

    Ronnie
    Even with the prompt enabled it still requires the user to be knowledgeable
    of the application UAC is prompting about. Once elevation is allowed UAC
    does not protect the user. Clicking allow becomes nothing more than an
    annoying additional click which in many cases becomes automatic.
    Additionally, the most common way a PC becomes infected is by downloading
    something from the net and even with the UAC prompts disabled you still
    receive a security warning when you attempt a download.

    Personally, when I decide to run something I don't have a need to be asked
    to confirm it. If I didn't want to run it I would not have clicked on it in
    the first place.

    The bottom line is UAC does no more than protect the user from himself, and
    even that still requires the user to be knowledgeable.
     
    Bob, Mar 24, 2008
  11. Jimmy Brush

    Guest Guest


    Sorry, Bob, but I agree with Ronnie. The so-called "quiet" mode is nothing
    more than disabling the built-in warning system. UAC actually works.

    Troubleshooting my nephew's pc over the weekend, set in "quiet" mode, I
    found a worm and three everyday ordinary virus hits. Apparently, after
    tweaking the UAC, the worm disabled the AV enough to allow a virus to
    auto-install, three different times, in just under a month.

    His excuse? Clicking the little box when he installed a couple games was too
    annoying.
     
    Guest, Mar 24, 2008
  12. Bob

    <inline>

    It is only annoying until you run into something unexpected. Right after
    Vista was first released, we went through all of the debates about users
    getting to the point where clicking on the prompt became an 'automatic'
    response.

    One user told us about a utility that he downloaded and installed and he got
    the expected 'security warning' about the file not having a digital
    signature. He clicked to run the file anyway and the utility installed. He
    then got a message to 'click here' to configure your personal settings. He
    then received this prompt.

    http://i196.photobucket.com/albums/aa86/rvmv/UACPrompt2.jpg

    Without UAC, he never would have been aware of the second file being
    installed, since he had already permitted the program to run. Needless to
    say, he decided that he would leave UAC on.

    Only in specific instances, such as an installation file that does not have
    a digital signature attached. The security warning does nothing to protect
    against 'drive-by' downloads that run automatically. Most of the smaller
    software developers will not bother with a digital signature, simply because
    it is time consuming and expensive for them.
    It's not about you deciding to run a program, it's about 'isolation', it's
    about 'integrity levels', it's about what background actions the program
    will take when you do run it. Have you ever wondered why an application,
    that does nothing more than make images look better, needs full and
    unrestricted access to every part of your computer?
    This is the whole point of UAC. The only way that a malicious program can be
    installed is if the user gets complacent and stops paying attention to what
    they are doing.

    When Vista is first installed, a user will typically see a ton of UAC
    prompts as they install all of their software programs and utilities, but
    these will gradually become more rare. Windows has to overcome almost twenty
    years of being a 'push button' operating system before it will attain any
    semblance of a 'secure' operating system. The education of users as well as
    developers will take some time. UAC and other security 'hardening'
    procedures are not going to 'go away'.

    When the majority of developers see the benefits, and start following the
    Microsoft developer guidelines for coding their programs and applications to
    run in a 'least user privilege' environment, UAC will become a prompt that
    is rarely seen. The vast majority of windows software should not even need
    to initiate a UAC prompt.

    Take a few minutes to read the following article. It will give you a better
    understanding, and show you the underlying reasons and goals of UAC.

    The Long-Term Impact of User Account Control:
    http://technet.microsoft.com/en-us/magazine/cc137811.aspx
     
    Ronnie Vernon MVP, Mar 24, 2008
  13. Jimmy Brush

    Bob Guest

    Ronnie

    I had previously read the article.

    The quote that stands out to me is "UAC does not, nor is it intended to,
    stop malware"

    In the example you give the user would have received a prompt even if UAC
    was disabled providing he was running Windows Defender.
    "If potentially harmful software tries to run or install itself on your
    computer, Windows Defender notifies you and helps you choose how to take
    action."

    Re: "Have you ever wondered why an application,
    that does nothing more than make images look better, needs full and
    unrestricted access to every part of your computer?"

    I don't know why you say that. I run Photoshop Elements and afaik it doesn't
    need unrestricted access to every part of my computer.
     
    Bob, Mar 24, 2008
  14. Jimmy Brush

    Colo2008 Guest

     
    Colo2008, Mar 24, 2008
  15. That's correct, the primary job for UAC is to allow a user to run with a
    Standard User (Limited User in XP) token and still have the capability to
    elevate a program or procedure with administrator privileges on demand.
    However, as a side benefit, if you get an unexpected UAC prompt, this can
    warn you that a process you did not start is trying to access a restricted
    part of the OS.
    Windows Defender can only stop 'known' malware. It checks a database that is
    updated often when a new threat is discovered. Defender is not an anti-virus
    program.

    Neither Defender nor UAC are designed to replace a good anti-virus program.
    This is because Photoshop Elements is probably designed to work properly, or
    the part of the program that requires admin privileges has been Virtualized
    by UAC. I have even heard of word processors that get a UAC prompt when they
    are started.
     
    Ronnie Vernon MVP, Mar 25, 2008
  16. Jimmy Brush

    Bob Guest

    Exactly...and we both know it's best to have at least two anti-spyware
    programs in addition to an AV program.

    " Windows Defender can only stop 'known' malware. It checks a database that
    is updated often when a new threat is discovered. Defender is not an
    anti-virus program.
    Neither Defender nor UAC are designed to replace a good anti-virus program."
     
    Bob, Mar 25, 2008
  17. Jimmy Brush

    ScottK Guest

    I think I missed the answer to the question, "UAC is annoying how do I turn
    it off?" I am doing a copy and replace, small directories, which are each
    located within separate .zip files that I need to copy and replace from My
    Documents to another drive. Having to do 6 to 8 mouse clicks for each of two
    dozen directories is NOT FUN. Again, How do I turn it off?
     
    ScottK, Mar 28, 2008
  18. Jimmy Brush

    Bob Guest

    To disable UAC prompts NOT UAC aka "Quiet Mode"

    Run Regedit and navigate to

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

    Change the value of ConsentPromptBehaviorAdmin from "2" to "0".

    -------
    *Report back, please*
    [When responding to posts, please include the post(s) you are replying to so
    that others may learn and benefit from the issue]

    [How to ask a question]
    http://support.microsoft.com/kb/555375
     
    Bob, Mar 28, 2008
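
An added example, not part of the post above or of any Microsoft tool: a PowerShell check an administrator can run to see whether a machine has been left in the "quiet mode" that the registry change above produces. `EnableLUA` and `PromptOnSecureDesktop` are other values in the same key that the thread does not mention; the function names and the sample table are hypothetical.

```powershell
# Added example (not from the thread): report the UAC prompt policy of a machine.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin as documented for Windows 7 and later.
# The thread only discusses 2 (the Vista default, prompt for consent) and 0.
$AdminPrompt = @{
    0 = 'elevate without prompting ("quiet mode")'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}

function Test-UacPolicy {            # hypothetical helper name
    param([hashtable]$Values)
    $admin = $Values['ConsentPromptBehaviorAdmin']
    $meaning = if ($null -eq $admin) {
        'not set, OS default applies'
    } elseif ($AdminPrompt.ContainsKey([int]$admin)) {
        $AdminPrompt[[int]$admin]
    } else {
        'unrecognised value'
    }
    $findings = @()
    if ($Values['EnableLUA'] -eq 0) { $findings += 'UAC is switched off entirely (EnableLUA = 0)' }
    if ($admin -eq 0) { $findings += 'Administrators elevate silently, so no prompt warns the user' }
    if ($Values['PromptOnSecureDesktop'] -eq 0) { $findings += 'Prompts are drawn on the normal desktop, not the secure desktop' }
    [pscustomobject]@{ AdminPrompt = $meaning; Findings = $findings; Weakened = ($findings.Count -gt 0) }
}

function Get-UacPolicyValues {       # reads the live registry (Windows only)
    $props = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $values = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -ne $props.$name) { $values[$name] = [int]$props.$name }
    }
    return $values
}

# Constructed sample: the state left behind by the registry change in the post above.
$quietMode = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1 }
Test-UacPolicy -Values $quietMode | Format-List

# Live check on the local machine.
Test-UacPolicy -Values (Get-UacPolicyValues) | Format-List
```

Reading this key does not require elevation, so the check can run from a standard user session or a logon script.
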
  19. Jimmy Brush

    Kayman Guest

    On Thu, 27 Mar 2008 19:41:01 -0700, ScottK wrote:

    Give it some time and be a little bit more patient. The mouse clicking
    frequency will lessen eventually.
    1. Do not work in elevated level; Day-to-day work should be
    performed while the User Account Control (UAC) is enabled. Turning
    off UAC reduces the security of your computer and may expose you to
    increased risk from malicious software.
    2. Familiarize yourself with "Services Hardening in Windows Vista".
    3. Keep your operating system (OS) (and all software on it)
    updated/patched.
    4. Reconsider the usage of IE.
    5. Review your installed 3rd party software applications/utilities;
    Remove clutter.
    6. Don't expose services to public networks.
    7. Activate the built-in firewall and tack together its advanced
    configuration settings.
    7a. If on high-speed internet use a router as well.
    8. Routinely practice safe-hex.
    9. Regularly back-up data/files.
    10. Familiarize yourself with crash recovery tools and with
    re-installing your operating system (OS).
    11. Utilize a real-time anti-virus application and vital system
    monitoring utilities/applications.
    12. Keep abreast of the latest developments - Sh!t happens...you know.

    The least preferred defenses are:
    Myriads of popular anti-whatever applications and staying ignorant.

    Peez of pith, really :)
     
    Kayman, Mar 28, 2008
  20. Well, I want to know, not if I should turn the (A program needs your
    permission to continue) message, but how to turn it off. I tried running the
    program as administrator but it's still not working. I want to avoid going to
    the process of having that message that always ends up making programs that
    use the same message (A program needs your permission to continue) ran. I
    want to turn it off so it won't close the other programs. Thanks for your help
     
    Aaron Martinez, Jun 28, 2008