The wonderful allow/deny message

Discussion in 'Windows Vista Security' started by Tickle, Mar 12, 2007.

  1. Tickle

    Tickle Guest

    My girlfriend and I wanted to get new PC's this year and felt it would be a
    good way to try out Vista Home Premium. We get the machines home (Acer
    Aspire AMD 4200+ Geforce4 chipset machines), go thru the horribly arduous
    setup process, and start installing our programs. I soon find out that in
    order to run Lineage 2, A VERY popular Massive Multiplayer Online Roleplaying
    Game, I have to give it Administrations rights to the machine - which I feel
    is normal as I had to do the same thing with ProcessGuard on my XP machines.
    I next find out I must do the same with another very popular program, Fraps,
    which is a Framerate, Screencapture, Video recording utility which has been
    out for YEARS which under ProcessGuard only needed global keyboard/mouse
    hooks. After doing this, upon every reboot of Windows I am forced to tell
    windows to allow Fraps to start. Upon every startup of Lineage 2 I am forced
    to do the same thing. Why should I have to do this when I told vista they
    have Administration rights? Why didn't Microsoft put an "Always do this
    action" checkbox in the Popup notification? Not everyone is a novice computer
    user and for those of us who are power users and can setup security on our
    machines this is very annoying and shortsighted on Microsoft's part. I dug
    thru the help trying to find a way to register the above programs so they
    would be in the "known programs" list but couldn't find anything. I tried
    finding help on disabling the annoying popup from certain programs but
    couldn't find anything. Yes I agree more security is nice but on the other
    hand I don't feel I should have to tell my PC TWICE I want it to do
    something. This annoying lack of customizable security forced me to purchase
    2 copies of windows XP-pro (more money wasted IMHO) so I can remove Vista
    from these machines.

    Basically these items need implemented:

    1) An "Always do this action button" added to the warning popup

    2) Customizeable levels of Administration rights for programs (I'm sure
    someone in Microsoft has seen/used ProcessGuard and knows what I mean)

    3) An easy way to register programs as "safe to run in Administration mode"

    Thank you,

    Very annoyed Vista Ex-user (I may be back after SP1 or 2
    come out)

    ----------------
    This post is a suggestion for Microsoft, and Microsoft responds to the
    suggestions with the most votes. To vote for this suggestion, click the "I
    Agree" button in the message pane. If you do not see the button, follow this
    link to open the suggestion in the Microsoft Web-based Newsreader and then
    click "I Agree" in the message pane.

    http://windowshelp.microsoft.com/co...fc&dg=microsoft.public.windows.vista.security
     
    Tickle, Mar 12, 2007
    #1
    1. Advertisements

  2. I agree that the "how to install" info in Vista sucks. But have you tried
    right mouse clicking on the icon on the desktop/prog file and in the
    compatibility tab, clicking on "run as admin" and then on "run as XP sp2"?
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks, Mar 12, 2007
    #2
    1. Advertisements

  3. Tickle

    David Hearn Guest

    Expecting applications written years ago to work correctly with a
    completely different security model is unrealistic. If it shouldn't
    require admin privs, then it shouldn't use/request them.
    Because that would be a major loophole in the UAC process. UAC is there
    to warn people of tasks which require administrative access. If UAC is
    enabled, there is *no* work around, no backdoor, no way of elevating a
    process without UAC prompting. Once that requirement has been set in
    stone, the concept of always starting as admin, or having a "Always do
    this" option in a dialog is automatically discounted.
    That's because there is nothing an end user can do to have a 'known
    programs' list. Each application is treated separately. If an
    application requires admin privs, then it should say so in its manifest
    and you'll get a UAC prompt on startup. If it doesn't require admin
    privs, then again, state this in its manifest and you won't get UAC
    prompts (but you won't get admin privs either).
    No, you told it once for each application. That's not telling it to do
    something twice.
    (in your opinion)
    Unlikely to happen.
    How granular do you need? Either you trust an application to do things
    on your behalf (ie. as admin), or you don't.

    Right click on file, select properties and then tick the "Always run as
    Administrator" option. This will result in UAC always asking when you
    double click the icon.

    D
     
    David Hearn, Mar 12, 2007
    #3
  4. Tickle

    Tickle Guest

    Thank you for not even bothering to read/understand what I was saying.
    Lineage2 has required Admin rights ever since they added gameguard. Fraps has
    always required a global keyboard/mouse hook to operate correctly,
    unfortunately Windows Vista doesn't let me customize the rights so I am
    forced to give it global admin rights.

    " Because that would be a major loophole in the UAC process. UAC is there
    to warn people of tasks which require administrative access. If UAC is
    enabled, there is *no* work around, no backdoor, no way of elevating a
    process without UAC prompting. Once that requirement has been set in
    stone, the concept of always starting as admin, or having a "Always do
    this" option in a dialog is automatically discounted."

    How in the hell could adding an "always do this" checkbox compromise
    security?
    I am the Administrator, I told windows to give the programs admin rights,
    Why should I have to keep telling Windows they have those rights? The
    checkbox requires user input as does the annoying popup box. If someone can
    force a toggle to be set whats to stop them from forcing admin rights on
    anything? I have NEVER,EVER had my machines comprimised with ProcessGuard
    running on them, which has an "Always do this action" checkbox BTW. Vista
    already KNOWS the programs I gave admin rights to should start that way, I
    shouldn't have to tell it I want it that way over and over and over again.

    "That's because there is nothing an end user can do to have a 'known
    programs' list. Each application is treated separately. If an
    application requires admin privs, then it should say so in its manifest
    and you'll get a UAC prompt on startup. If it doesn't require admin
    privs, then again, state this in its manifest and you won't get UAC
    prompts (but you won't get admin privs either)."

    How the heck am I supposed to edit a programs manifest? I am not a
    programmer nor do I have access to said programs source code. Apparently
    Vista checks programs very differently than any previous incarnation thus
    older programs don't have the required data in their manifests, however, I
    TOLD windows to give the said programs Admin rights. Why keep repeating this
    over and over?

    "No, you told it once for each application. That's not telling it to do
    something twice."

    Yes I am. Double click program, then click the stupid allow button, or in
    the case of Fraps, start on windows startup, open the stupid little taskbar
    box then click allow - that's twice, count em, 1,2.

    "How granular do you need? Either you trust an application to do things
    on your behalf (ie. as admin), or you don't."

    Why shouldn't I be allowed to be "granular" as you put it. I have used
    ProcessGuard for years and have set varying levels of security for each and
    every program on my XP machines. If a program only requires mouse hooks then
    I give em just those privileges. Lineage 2 is the only program Other than
    Diagnostic programs I have ever used that requires full admin access to run -
    mostly because of that crappy gameguard. None of my other most used programs
    need direct memory access, or the ability to modify files, or install drivers
    etc. so why give them those rights?

    "Right click on file, select properties and then tick the "Always run as
    Administrator" option. This will result in UAC always asking when you
    double click the icon."

    What do you think I am some little kiddy moron? How do you think I got the
    stupid little box I am complaining about. I am talking about some sort of
    global manifest that windows can access either online or locally so it knows
    that this popup box isn't required. This UAC that Microsoft has added is a
    major thorn in my side. If I could find a way to to turn it off and install a
    program that makes more sense I would. This is why I am going back to XP
    (which I didn't start using till SP2 was stabilized). I have full control
    over what the programs are/are not allowed to do, Not windows. Windows
    machines will always be targets of hackers, spammers, bots, and spyware. It
    is just a matter of time before someone finds a way around this so called
    "better security". Any PC owner with a inkling of a clue can install programs
    to protect their machines that are many, many times better that what has been
    included in any incarnation of Windows, Including this one. Windows always
    has been and always will be (apparently) bloatware which is designed to dumb
    down the user and give them a false sense of security. I for one wish I could
    get a version of Windows that would just be what it should be - an operating
    system. Let the user decide what level of security they need, what programs
    they want, what firewall they want, what antivirus they want, what spywqare
    blocker they want......oh wait - that sounds like Linux.....to bad Lineage no
    longer runs on Linux.

    BTW Susan, compatibility mode doesn't override that stupid popup. Tried it
    before I posted here.
     
    Tickle, Mar 14, 2007
    #4
  5. Tickle

    Jimmy Brush Guest

    Because if you "always trust" a program to run with admin rights, you are
    *also* trusting EVERY OTHER PROGRAM ON YOUR COMPTUER to run that program
    with admin rights.

    That UAC prompt is there to make sure *you* are starting a program, not some
    other program.

    For example, if you trust format.exe to run, it is implied that you only
    trust it to run *when you expect it to run*. You wouldn't want malware using
    format.exe without you knowing about it, would you?

    The prompt is how windows determines that you initiated an administrative
    action as opposed to a program.
    What keeps a malicous program from starting a program that has been trusted
    to install device drivers and instructing that program to install a
    malicious device driver?

    With UAC, this is preventing by prompting you EACH TIME an administrative
    program starts - so if you are not expecting an administrative program to
    start, you can stop it from happening.

    I agree with you here, that it should be granular. And I hope one day UAC is
    as granular as processguard. But UAC makes certain assurances that
    processguard cannot.

    These include:

    - That *you* initiated an administrative action, vs. some program without
    your knowledge initiating it
    - That processes that do not run privileged, *cannot* (even by proxy) obtain
    such privilege.

    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Mar 19, 2007
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.