How can I optimise UAC on Vista 64?

Discussion in 'Windows Vista Security' started by Quentin, Aug 15, 2008.

  1. Quentin

    Quentin Guest

    Vista 64 SP1, fully patched.

    When UAC kicks in, it's a real pain. Not that it kicks in but the way it
    kicks in. The screen dims and the system is unresponsive for a couple of
    seconds - just long enough for me to notice and then a bit longer. Then the
    UAC prompt comes up. I'd like to remove the screen dimming and change it to
    the sort of warning prompt you get when you try to run an ActiveX control or
    Java applet. Can I do this?

    Note that I don't want to disable UAC just modify the behaviour.
     
    Quentin, Aug 15, 2008
    #1

  2. Quentin

    Mr. Arnold Guest

    I think you're out of luck.
     
    Mr. Arnold, Aug 15, 2008
    #2

  3. I think you're up sh** creek without a paddle.
     
    Paul Montgomery, Aug 15, 2008
    #3
  4. Quentin

    midway64 Guest

    XdN Tweaker has an option for turning Secure Desktop off (what the
    "blackness" is called). It works in both 32 and 64 bit flavors and you
    can get it here

    http://xenomorph.net/?page_id=33

    There is also a way of doing it by modifying a registry entry but this
    is easier

    --
    midway64

    [Desktop] Acer Aspire M5620 | Intel Core 2 Quad Q6600 2.40GHz | 4GB RAM
    | Vista64 HP SP1
    [Laptop] Acer Aspire 5570z | Intel Pentium Dual Core T2080 1.76GHz |
    2GB RAM | Vista32 HP SP1
     
    midway64, Aug 16, 2008
    #4
  5. Quentin

    Kerry Brown Guest

    Kerry Brown, Aug 16, 2008
    #5
  6. It takes a snapshot of your current screen, darkens it, and switches
    to a secure desktop with the darkened screenshot as background.
    Then it displays the prompt. It is not just fluff, it is a security measure.

    You are probably not able to change this easily.
     
    FromTheRafters, Aug 16, 2008
    #6
  7. Quentin

    Mr. Arnold Guest

    Yeah, that's a nice set of tools there. I like the UAC black screen disable.

    It's a keeper, thanks. :)
     
    Mr. Arnold, Aug 16, 2008
    #7
  8. Disabling the secure desktop feature of the UAC prompt
    doesn't exactly "optimize" UAC - in fact it disables UAC
    for any malware program smart enough to take advantage
    of that change. Sure, maybe it is unlikely that a malware
    program exists that can do this, but if enough Vista users
    take this option - I'm sure some will be written.
     
    FromTheRafters, Aug 16, 2008
    #8
  9. Quentin

    Mr. Arnold Guest

    You need to provide some proof here that disabling that black screen is
    disabling the security functionality you speak about.
     
    Mr. Arnold, Aug 16, 2008
    #9
  10. Quentin

    Kerry Brown Guest

    http://technet.microsoft.com/en-us/library/cc709628.aspx

    Here's the relevant excerpt:

    "Securing the Elevation Prompt

    The elevation process is further secured by directing the prompt to the
    secure desktop. The consent and credential prompts are displayed on the
    secure desktop by default in Windows Vista. Only Windows processes can
    access the secure desktop. In addition to the recommendations for
    administrators and standard users, Microsoft also strongly recommends that
    the User Account Control: Switch to the secure desktop when prompting for
    elevation setting should be kept enabled for higher levels of security.

    When an executable requests elevation, the interactive desktop (also called
    the user desktop) is switched to the secure desktop. The secure desktop
    renders an alpha-blended bitmap of the user desktop and displays a
    highlighted elevation prompt and corresponding calling application window.
    When the user clicks Continue or Cancel, the desktop switches back to the
    user desktop.

    It is worthwhile to note that malware can paint over the interactive desktop
    and present an imitation of the secure desktop, but when the setting is set
    to prompt for approval the malware does not gain elevation should the user
    be tricked into clicking Continue on the imitation. If the setting is set to
    prompt for credentials, malware imitating the credential prompt may be able
    to gather the credentials from the user. Note that this also does not
    gain malware elevated privilege and that the system has other protections
    that mitigate malware from automated driving of user interface even with a
    harvested password."
     
    Kerry Brown, Aug 16, 2008
    #10
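
Added example (not part of the original thread or of any poster's reply): a read-only PowerShell check of the registry values behind the UAC policy settings discussed above, including the "Switch to the secure desktop when prompting for elevation" setting from the TechNet excerpt. The function names and the sample hashtable are constructed for illustration; the value meanings in the comments are those documented for Vista.

```powershell
# Read-only audit of the UAC policy values; nothing is modified.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacNames = 'EnableLUA', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorAdmin'

# Hypothetical helper: copy the three DWORD values into a hashtable.
# A value that is absent from the key comes back as $null.
function Read-UacPolicy {
    $props = Get-ItemProperty -Path $UacKey
    $values = @{}
    foreach ($name in $UacNames) { $values[$name] = $props.$name }
    $values
}

# Hypothetical helper: turn the values into findings (one string each).
function Get-UacFinding {
    param([hashtable]$Values)

    if ($Values['EnableLUA'] -eq 0) {
        'EnableLUA=0: UAC (Admin Approval Mode) is switched off.'
    }
    if ($Values['ConsentPromptBehaviorAdmin'] -eq 0) {
        'ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt.'
    }
    if ($Values['PromptOnSecureDesktop'] -eq 0) {
        'PromptOnSecureDesktop=0: prompts appear on the interactive desktop.'
        # Vista: 1 = prompt for credentials, 2 = prompt for consent (default).
        # The excerpt's concern: an imitation credential prompt can collect a password.
        if ($Values['ConsentPromptBehaviorAdmin'] -eq 1) {
            'Credential prompt without secure desktop: password entry can be imitated.'
        }
    }
    foreach ($name in $UacNames) {
        if ($null -eq $Values[$name]) { "${name}: value not present under the key." }
    }
}

# Constructed sample: secure desktop turned off, credential prompt selected.
$sample = @{ EnableLUA = 1; PromptOnSecureDesktop = 0; ConsentPromptBehaviorAdmin = 1 }
'--- constructed sample ---'
Get-UacFinding -Values $sample

'--- this machine ---'
$findings = @(Get-UacFinding -Values (Read-UacPolicy))
if ($findings.Count -eq 0) { 'No deviations from the UAC defaults checked here.' } else { $findings }
```
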
  11. Quentin

    Mr. Arnold Guest

    Mr. Arnold, Aug 16, 2008
    #11
  12. Quentin

    Kerry Brown Guest


    Disabling the secure desktop isn't necessarily a bad thing as long as you
    understand the implications of doing so. It is automatically disabled when
    you RDP to a Vista box for instance.

    As the secure desktop is enabled by default it's very unlikely malware would
    be coded to look to see if it was disabled and take advantage of that fact.
    What percentage of users would be able to figure out that it could be
    disabled and then figure out how to do it? How many of those would just say
    "Interesting, but so what" then leave it enabled? Although you would be
    relying on security by obscurity I think it's very unlikely disabling secure
    desktop would actually cause you any harm. Security is all about assessing
    risk and managing a balance between mitigating that risk and performing a
    task without too many hurdles. For me the increased security of secure
    desktop more than makes up for the slight inconvenience it causes.

    UAC gives us a few more tools to help manage that balance. All of the
    settings that the UAC tweak tools provide were built into Vista to help
    people manage UAC. I do agree that some of them give you a nice GUI way to do
    it though.
     
    Kerry Brown, Aug 16, 2008
    #12
  13. All of the official documentation I have read about UAC functionality
    indicates that this is so. As far as whether or not it is a good idea to
    circumvent this part of UAC - some users don't need UAC at all and
    even that extreme is okay with me. They can enable and unhide the
    most privileged user account and do without it, but it should be an
    informed decision.
     
    FromTheRafters, Aug 16, 2008
    #13
  14. Quentin

    Quentin Guest

    Bother. At least, is there any way of making it faster? If the d*mn thing
    came up straightaway, it would be much less of a bother.
     
    Quentin, Aug 16, 2008
    #14
  15. Why don't you read the rest of the threads in this posts?
     
    Junk Yard Dog, Aug 16, 2008
    #15
  16. Quentin

    Flight Guest

    You know, many users would not even think of disabling UAC if it had one
    extra option: to remember what was accepted. Just like the way good
    firewalls do. But now, if you have to use an application that has to be
    checked by the UAC, and you have to use it many times a day, then you have
    to tell the UAC every time again that it is OK. That's the ONLY reason that
    users wish to disable the UAC.

    You can state that this would be less secure but then I ask: what's worse,
    using UAC with such a function, or not using UAC at all? Here I see a
    tendency that I found in other cases too: Microsoft seems to think that all
    users are stupid idiots. The simplest things are "secured" with questions
    like: are you sure you want that? I always think then: yeah, I am not an
    idiot, stupid! Now you get the situation that users click Yes without even
    reading it, because it is overused. That's why I started to use Buzoff
    (basta computing) to have it automatically done in cases where this question
    is simply too stupid to think about.

    If Microsoft would start to look at users as normal behaving people, the
    real security issues would be much more accepted.
     
    Flight, Aug 17, 2008
    #16
  17. The "real reason" for UAC is supposedly to nudge software developers
    to write Vista-compatible apps, not to burden users with a barrage of
    prompts.

    Yeah, riiiiiiiiight.
     
    Paul Montgomery, Aug 17, 2008
    #17
  18. Quentin

    Flight Guest

    Whatever reason they give, it is the user who gets headaches of this. They
    refuse to look from our point of view.
     
    Flight, Aug 17, 2008
    #18
  19. Quentin

    Flight Guest

    Exact. Looks like we have to do all the work for him.
     
    Flight, Aug 17, 2008
    #19
  20. Quentin

    Mr. Arnold Guest

    I can't go with that:

    1) A personal FW/personal packet filter is not a firewall.
    2) The Application Control in personal FW(s)/packet filters has no business
    trying to control applications running on the machine, because that can
    easily be defeated, nothing but snake-oil in the solution.
    3) If UAC accepted a remembered prompt for approval for an actual malware
    solution ok-ing it, then it's always going to be run with no challenge, just
    like Application Control in PFW(s) -- snake-oil.

    No, you miss a key point of UAC. Since Admin is locked down to Standard user
    with two security tokens representing Full Admin Rights and Standard Admin
    rights (discussed in the link below), when a situation arises that prompts
    for Full Admin rights such as malware about to be installed, then the user
    has a signal that something may be wrong.

    http://technet.microsoft.com/en-us/library/cc709691.aspx

    Now, take the examples in the link below of a user clicking on something as
    Full Admin rights running on Win NT, Win 2k, or Win XP. What's going
    to happen? I'll tell you. The machine is going to be compromised, with a
    user sitting there clicking with Full Admin rights. As opposed to Vista with
    UAC enabled, Admin is locked down to Standard user, and Admin user is
    prompted/challenged for Full Admin rights to do it, which they can see
    something is about to happen.

    http://www.eweek.com/c/a/Security/Hundreds-Click-on-Click-Here-to-Get-Infected-Ad/

    You can apply the same principles above when an Admin user is clicking on an
    unknown email attachment with malware in it that wants to install itself on
    the machine.
    They are treating users like normal people that will not practice safehex
    computing, and they will click on everything under the Sun not knowing that
    malware is about to install itself. With UAC enabled and they click, they
    got a chance of seeing that something may be wrong when prompted to allow or
    disallow or give that Admin User-id and PSW if the user is a Standard user
    with only a Standard user security token.

    I don't see this is really being any different than when a user has to give
    that Root Full Admin rights user-id and psw on Linux when root full admin
    rights are required.

    One doesn't have a ton of applications that require full admin rights to
    run. I think I have maybe 4 applications I use that use full admin rights in
    order to run. And I am not running those applications all the time, so I get
    very little prompts from UAC. The rest can run with Standard user rights.
    One doesn't get prompted when the application only needs Standard rights to
    run, unless you have Run As Administrator enabled on every
    application/program, *you* did it, and you are being prompted all over the
    place when you shouldn't be.
     
    Mr. Arnold, Aug 17, 2008
    #20