UAC - How do I configure this to bring some sanity to my desktop?

Discussion in 'Windows Vista Security' started by Joseph Geretz, Feb 19, 2007.

  1. I'm just starting to work with Vista. My profile: I am a developer, 20 years
    experience in general, working with Windows for about the past decade.
    Basically, I know what I am doing.

    Tell me why it is a 'good thing' for me to have to confirm every time I want
    to open up the Services window, or the Computer Management window (just to
    cite a couple of immediately evident examples). OK, so once out of every 50
    times is a mistake - big deal, I'll simply close the window. What I'm seeing
    now is the opposite workflow; now every one of the 49 times I really want to
    open this window, I need to answer the prompt to confirm. This is VERY
    ANNOYING to say the least.

    I have to believe that there's some way this can be disabled. Is there any
    way of configuring a user account not to have to put up with this?

    Thanks!

    - Joe Geretz -

    P.S. I am using Vista in order to get our product ready for Vista. However,
    from what I see so far, I have absolutely *no* desire to move either myself
    personally, or my team of developers at work, from Windows XP on to Vista.
    What for? A cute clock? I wonder how many others are out there of the same
    mindset. Microsoft, are you listening?
     
    Joseph Geretz, Feb 19, 2007
    #1

  2. Hello,

    There is one program you can use called TweakVista to edit UAC, and turn it
    off.

    Hope that helps

    --

    Have a nice day,

    Jonathan Yaniv
    Microsoft Windows Live™ Butterfly Expert

    Visit the ButterflySays Blog at
    http://spaces.msn.com/ButterflySays/
     
    Jonathan Yaniv, Feb 19, 2007
    #2

  3. Joseph Geretz

    Max Guest

    Control Panel/User Accounts <Turn User Account Control on or off>
     
    Max, Feb 19, 2007
    #3
  4. Joseph Geretz

    gls858 Guest

    Or you can just google turn off UAC.
    Here's just one.

    http://www.petri.co.il/disable_uac_in_windows_vista.htm
     
    gls858, Feb 19, 2007
    #4
  5. Jonathan Yaniv, Feb 19, 2007
    #5
  6. Hi,

    After last discussion between Joanna Rutkowska and Mark Russinovich
    (currently Microsoft) I'm really confused too, why it is so indispensable
    feature ;-)

    Change UAC behavior ... secpol.msc -> Security Settings -> Local
    Policy -> Security Options:
    UAC: Behavior of the elevation prompt for administrators ... - and set it on
    Elevate without prompting value

    Marcin Domaslawski
     
    Marcin Domaslawski, Feb 19, 2007
    #6
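
The settings named in posts #3 and #6 are stored as registry values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. As an added example (not part of the thread), this PowerShell function audits those values and flags a machine where UAC has been switched off or set to elevate silently; `Get-UacFindings` and the sample hashtable are illustrative names and constructed data.

```powershell
# Added example: report weak UAC policy settings on a machine.
# The value names are the registry backing for the "User Account Control:"
# entries in secpol.msc. Get-UacFindings is a hypothetical helper name.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacFindings {
    param(
        # Hashtable of value name -> DWORD. Omit it to read the live registry.
        [hashtable]$Policy
    )

    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $props  = Get-ItemProperty -Path $UacPolicyKey -ErrorAction Stop
        $Policy = @{}
        foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
            # A missing value means the built-in default applies, so skip it
            if ($null -ne $props.$name) { $Policy[$name] = [int]$props.$name }
        }
    }

    $findings = @()

    # Written by "Turn User Account Control on or off" when set to off
    if ($Policy.ContainsKey('EnableLUA') -and $Policy['EnableLUA'] -eq 0) {
        $findings += 'EnableLUA=0: UAC is off, so every program an administrator runs gets the full admin token'
    }

    # 0 is the "Elevate without prompting" choice from secpol.msc
    if ($Policy.ContainsKey('ConsentPromptBehaviorAdmin') -and $Policy['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevation requests are granted silently, so any program can obtain the admin token'
    }

    # 0 shows the prompt on the user desktop, where other programs can reach it
    if ($Policy.ContainsKey('PromptOnSecureDesktop') -and $Policy['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the prompt is not isolated on the secure desktop'
    }

    $findings
}

# Constructed sample: the state left behind by "Elevate without prompting"
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1 }
Get-UacFindings -Policy $sample

# To audit the local machine instead of the sample:
# Get-UacFindings
```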
  7. Thanks guys!

    What I don't understand is, how come the OS is unable to discriminate
    between a request which is rooted in a direct user interaction (i.e. mouse /
    keyboard) vs a request which is emanating from some other software process.
    If MS is serious about implementing security without really annoying the
    user, it seems to me that making this distinction is critical.

    BTW, why is one prompt deemed to be sufficiently secure? Maybe the first
    prompt should be followed by a second prompt; Are you really, really sure???

    Have you seen the latest concept car for 2008? When you turn the key in the
    ignition, you get a prompt on the dashboard asking if you really want to
    start the car. Sheeesh!

    (You can tell I'm not too impressed with this new OS at first glance.
    Consider our position. We have a software product which has installed and
    run fine on every Windows OS from '95 through XP. But with the release of
    Vista; suddenly - problems :-\ )

    - Joseph Geretz -
     
    Joseph Geretz, Feb 19, 2007
    #7
  8. Jonathan Yaniv, Feb 19, 2007
    #8
  9. Joseph Geretz

    David Craig Guest

    Why 'first glance'? This OS has been released since November. It was in
    beta for much longer than that. Supposedly the UAC screen is a special
    environment just as the Ctrl-Alt-Del attention key sequence in that Windows
    knows it is going directly to the keyboard and mouse and not a hook that
    could be faking input.
     
    David Craig, Feb 19, 2007
    #9
  10. Joseph Geretz

    Jesper Guest

    What I don't understand is, how come the OS is unable to discriminate
    If you're a Windows Developer you should know about Window Messages.
    They could. And they would break all software automation tools and half the
    event handlers in the world, including much of the OS.
    Good idea.
    When cars can be started programmatically by a guy in Uzbekistan you will
    see that.

    Let me guess: your product requires admin privs?
     
    Jesper, Feb 19, 2007
    #10
  11. Joseph Geretz

    Scott Guest

    You've got this "me too" stuff down pat.
     
    Scott, Feb 19, 2007
    #11
  12. Consider our position. We have a software product which has installed and
    Wrong. Unless registering an ActiveX executable requires admin privileges. I
    guess just the term 'admin privs' itself is arbitrary. Who decides what
    requires and what doesn't?

    The bottom line is that for just about a decade, we've been registering an
    ActiveX executable as part of our installation with no problem. All of a
    sudden, Vista decides that a simple action: MyActiveX.exe /RegServer
    shouldn't be trusted. And why not?

    So when you talk about possibly breaking existing code, I'm not exactly
    ready to break out the violins. Because in my case, my code has actually
    been broken.

    - Joe Geretz -
     
    Joseph Geretz, Feb 19, 2007
    #12
  13. Joseph Geretz

    Jesper Guest

    Folks, let's not forget what UAC is and what it isn't. To recap:

    What UAC is not:
    1. A security solution in and of itself. UAC will not stop malicious code
    that you chose to execute from taking over your system. It cannot stop that.
    2. A license to act with impunity because something is protecting you. You
    still need to practice safe computing habits
    3. There to annoy the crap out of you. It should come as no surprise to
    anyone that Microsoft doesn't sell a lot of copies of its software if it is
    so annoying nobody will use it.

    What UAC is:
    1. The first step on a long road to make Windows usable by standard users.
    The whole objective of UAC is to enable standard users to run normal tasks
    without being admins. If a user is an admin, so is any malware they happen to
    run. That cycle has to break at some point
    2. A lot more than the annoying dialogs. There are a lot of things under the
    hood of UAC, including service hardening and integrity levels, which are
    there to protect the integrity of the OS against modification. It is not
    perfect in Vista, but it is far better than it ever was.
    3. Low-rights applications. UAC enables applications to run with far reduced
    privileges, making attacks much harder through these low-privileged
    applications. Only Internet Explorer uses that at the moment, but others will
    follow.
    4. Application factoring. Many tasks in the OS have been factored out to
    allow an ordinary user to either perform the task itself, as in the case of
    the new privilege to change time-zone, or to permit elevation for only a
    portion of the task as opposed to the entire task. For instance, you can look
    at the system properties as a regular user, and you only have to elevate if
    you want to change them.
    5. A way to elevate tasks that need elevated while enabling the user to do
    most of their work unelevated. If developers cooperate and start writing
    applications that actually work with least privilege UAC provides a way to
    safely perform administrative tasks in those applications. If developers do
    not cooperate, but instead recommend that everyone turn off UAC then we will
    be back to exactly the same situation we were in with all previous versions
    of Windows, where malware spreads rapidly because everyone is running as an
    admin and can install anything they accidentally click on. They will lose all
    the isolation, including all the low-rights applications.
     
    Jesper, Feb 19, 2007
    #13

  14. Because you don't read a book starting at page 34 then jump back to
    page 10, then go to page 58.

    Frankly I couldn't care less, but it does exhibit a certain rudeness
    from those that do it. I mean come on, how long does it take anybody
    to scroll down to the bottom of a post? One second, two, three?
     
    Adam Albright, Feb 19, 2007
    #14
  15. Joseph Geretz

    Jimmy Brush Guest

    Hello,

    Registering an ActiveX control does require admin permission. It is a global
    change to the system, since the ActiveX control is usable machine-wide.

    Microsoft decides what is administrator vs. what is not. However, it is a
    simple policy at its root: Anything that modifies the state of the system or
    any user account that isn't the current user account, must run with admin
    privileges.

    Your installer should be running with admin privs by default anyway (since
    installing a program that is usable from all user accounts is an
    administrative action) - you shouldn't be having a problem registering an
    activex control.

    If using MSI, the customaction must be set to do not impersonate so that it
    will run with admin powers (this is covered extensively on MSDN).


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 19, 2007
    #15
  16. It's also a crock. Vista is beyond just buggy it is dumb! How this
    version of Windows ever made it out the door untested as it is in the
    real world amazes me. I could spend the entire day detailing all the
    dumb things I've seen Vista do that never happened in XP.

    For example I use Agent, an extremely capable and rock solid stable
    news reader that worked in all prior versions of Windows without ever
    burping. I was going to comment on what you said while I was copying
    the contents of a DVD to one of my hard drives. A simple, quick
    task... or what should be and used to be in XP.

    For starters Vista started up the process and tells me it will take 18
    minutes to transfer a little under 4GB using a LG 16X burner to a SATA
    750 GB hard drive. Absurd in itself since it takes less than 6 minutes
    to "burn" a full DVD with this LG burner. That's not my complaint.

    As I started to type here in Agent, I saw that Windows had slowed to a
    crawl. Literally I got as far as typing It in 'It's also a crock' and
    it took another 15 seconds for Windows to let me type the letter 'a'
    in the next word, also. I immediately went to Task Manager to see
    what's going on. The CPU load was only 2% and less than 40% of my
    memory was in use. Geez... what the #$%%# is Windows doing behind the
    scenes to slow me down to a crawl like this when all I'm doing is
    writing plain text and doing a simple file transfer to separate
    drives?

    Now to what you said. My opinion, UAC is GARBAGE. Period. As I said in
    previous posts I did an install in place. Part of my previous install
    on XP Pro was Partition Commander. Worked fine. Once I was up and
    running in Vista I tried to click on my desktop shortcut to this
    application. No matter what, Vista nagged and nagged that it needed
    Administrative rights. Well damn it, I looked at its security tab and
    see it HAD not only administrative rights, but "everyone" plus user
    permission for me as user right down the board for the all the
    functions of this application.

    Still, Vista would not let me run this application. I deleted it from
    add/remove in Control Panel and installed it again fresh from within
    Vista. It installed fine. No complaints. Then same problem trying to
    actually use it. Same stupid error, you don't have Administrative
    rights. I'm the ONLY user of this PC. I of course have full
    administrative rights. Doesn't matter. I next switch user to
    Administrator and log in as that. Doesn't help. I next go to Windows
    Explorer and locate the folder where this application is in and again
    check the security tab. It is as it is supposed to be. Doesn't matter,
    won't run no matter what. Ditto for looking at the root folder. Same
    problem. Finally I throw up my arms in disgust and just turn UAC off.
    Ever since, Partition Commander works fine.

    Microsoft has gone from running everything wide open in previous
    versions of Windows to now foolishly blocking common functions and
    services in Vista that average users and power users alike are going
    to scream bloody murder over and for good reason. It doesn't work as
    advertised. The "help" is poorly written and has glaring omissions on
    this topic and leaves you guessing what you're supposed to do to solve
    it. If anybody thinks this is an "improvement" they have a weird sense
    of humor.
     
    Adam Albright, Feb 20, 2007
    #16
  17. Joseph Geretz

    Jimmy Brush Guest

    Hello,

    I think many expert-level users (especially us programmer types) misread
    UAC. We tend to think of it as protecting us from ourselves.

    "WHAT? What do you mean DO I WANT IT TO RUN! I *clicked on it*, jeez!
    *smack* Stupid computer..."

    So ... you want to know why these annoying, useless prompts are a good
    thing. OK, let me give it a shot.

    I will try to explain what made UAC necessary and what UAC does to fix the
    problem, and I hope that will best explain to you, as a technical person,
    how it is a good thing.

    Many moons ago, in the olden days, long before Vista, there were architects.
    And these architects decided that there shall be security in the operating
    system implemented in the form of PRIVILEGES.

    Performing actions (such as changing the system time or accessing a
    resource) on the computer shall be a privilege. And rights to perform
    privileges shall be assigned to USER ACCOUNTS. And user accounts shall be
    the ONLY THING to which privileges may be assigned.

    Now ... there needs to be some way for the physical USER logged in to a user
    account to actually USE those privileges.

    To do that, we need APPLICATIONS. Users shall use their privileges by
    running and interacting with applications. In fact, applications shall act
    as the user's complete and total proxy. All actions performed by an
    application shall be assumed by the OS to have been initiated and performed
    by the user.

    And, since the USER ACCOUNT is the only thing that is assigned privileges,
    ALL APPLICATIONS THAT THE USER RUNS shall inherit the privileges assigned to
    the user account, so that the user may use the applications that they run to
    perform any action that they are allowed to perform.

    And so, it was. And for a time, all was good in the world.

    Until, one day, terrible applications were created. These applications did
    not consume the privileges assigned to the user account ON BEHALF OF THE
    USER, as intended by the design of the system ... Instead, these vicious
    programs used the privileges of the user FOR THEIR OWN MALICIOUS PURPOSES.
    They evaded user detection and control, took control of the computer AWAY
    FROM THE USER, and generally interfered with the normal operation of things,
    preventing the user from working with the computer in the way that was
    intended.

    These horrible programs even talked to and convinced the system and other
    non-malicious programs to carry out their terrible deeds.

    Suddenly, applications could no longer be trusted to be a good-faith agent
    of the user. And a dark age was entered. E-mail attachments were fearfully
    deleted, screensavers suspect, and a billion dollar industry was created to
    scan for, detect, block, and remove known malicious applications.

    ENTER UAC (User Account Control)

    "Something has to be done!", cry the architects. Applications aren't
    fitting the role we designed for them, they are breaking our model!

    Applications *MUST* be controlled by USERS (UAC), not the other way around!

    And so the architects changed the security model in two main ways:

    1- The system now ENFORCES that applications are, IN FACT, carrying out
    privileged actions at the request of the user.

    In UAC's current form, this is expressed as the infamous UAC prompt. The
    system is saying, "Hey, this program says that *YOU* are trying to do
    something that could damage the computer. What's the deal here, is this
    true?"

    This isn't to protect you from YOURSELF. It is to protect you from
    applications that run on your computer (whether you started them or not). It
    protects you from malicious applications that may execute without you
    knowingly starting them. It ALSO protects you from malicious programs that
    try to run other programs to take control of your computer.

    This is why you can't "trust" a specific administrative application such
    that it doesn't prompt; if you could, malicious applications could use those
    trusted programs against you.

    Right now, the UAC prompt is the *only* way the system can tell that YOU
    started an action.

    Remember, the system is architected such that it assumes that all programs
    are carrying out your actions. Programs act as YOUR proxy, and the system
    has no way to differentiate between your actions and applications' actions,
    since to the system, these are the same thing.

    The only way it can be 100% certain is by asking you.

    A common question that creeps up at this point, especially from developers,
    is "The system knows when I click my mouse button to start a program - why
    does it need to prompt?"

    This is a partially incorrect statement. Yes, the system knows that you
    clicked the mouse. But the system DOES NOT KNOW that you intended to start a
    program.

    Remember, APPLICATIONS control how you use your privileges, NOT the system.
    The system forwards your input (mouse clicks and whatnot) to APPLICATIONS.
    Applications are like a black box to the system - it has no idea what an
    application will do with the mouse click. It doesn't know whether a mouse
    click will end up deleting a file or sending an e-mail. This is why it must
    ASK YOU if an application requests permission to do a privileged action, if
    you actually intended for it to do so.

    2- The system now allows you to control HOW MUCH of your privileges each
    application is given

    The system now recognizes that all applications that you run do not NEED to
    use all of the privileges assigned to your account. This creates a much more
    secure environment, where code that runs only operates with as much
    privilege as it needs; this prevents the code from causing as much damage
    if it misbehaves and protects against programs using other programs to
    escalate privilege.

    I think everyone recognizes that internet explorer does not need to be able
    to format your hard drive. IE isn't a tool that the user can use to format
    the hard drive; hence, there is no logical reason that it should have this
    privilege, EVEN THOUGH THE USER MAY BE ABLE TO PERFORM THAT ACTION.

    This idea of least-privilege code is a very powerful concept.

    Unfortunately, as discussed previously, Windows has always assigned
    privileges to users, and has always assumed that all applications running
    inside of the user account have the same privileges.

    As a result, Windows is not architected to enforce separation of privilege
    between applications, and it is possible for an application to escalate its
    privilege to that of a higher privileged application running on the user's
    desktop just by talking to it (this is known as a shatter attack).

    UAC prevents this type of "shatter attack" by isolating different privileged
    applications and preventing them from talking to each other. This is a
    stepping-stone solution (and is more of a hack than anything), however, as
    Windows really needs to be re-architected in order to natively support this
    separation of privilege.

    I imagine that this is why Mark Russinovich put an exclamation point next to
    this fact - because UAC does not "replace" the security/separation of
    privilege between USER ACCOUNTS, it ENHANCES IT and in fact *RELIES* UPON IT
    in order to function correctly.

    If you have a user that shouldn't have an admin account, but give them an
    admin account thinking "well UAC is on it doesn't matter" - this is
    INCORRECT and a very INSECURE decision.

    Admin accounts are STILL admin accounts, UAC does not change this! :).

    However, if all user accounts on your computers are assigned the appropriate
    privileges (your users are users, and your administrators are
    administrators), turning UAC on greatly enhances this security by further
    allowing discrimination of privilege to APPLICATIONS based on 1) if the
    application needs a privilege and 2) if the user wants the application to
    have a privilege.

    Wow, this turned out to be a long post, I hope it really gets at the
    core of UAC - why it exists, what problem it's solving, etc.

    I want to really push that UAC works to extend the separation of privilege
    that already exists between user accounts.

    A user should be assigned only the amount of privileges that they need;
    AFTER that distinction is where UAC lives, and it further EXTENDS and
    FLESHES OUT this sort of concept, by only allowing applications to use the
    amount of privileges that they are designed to use.

    And if those privileges happen to be "administrator"-level privileges, UAC
    confirms that you intended to execute an administrative action when the
    program runs, to protect against programs that would use your privileges
    against you.

    In short: UAC really does give you CONTROL over your computer. That is why
    you should leave it on - because turning it off is really giving up A TON of
    control over what happens on your computer.

    It's not about protecting you from yourself - it's about the system trusting
    YOU (over applications) to decide what happens on your computer, rather than
    trusting applications and ignoring what you want.

    This is a really exciting concept. Right now, UAC is primarily only
    concerned with administrative vs. non-administrative applications, and
    relies on a prompt to tell if you are expecting an administrative action to
    occur.

    But, I can easily see a future where the prompts are not necessary and the
    discrimination of privileges assigned to applications is MUCH more granular
    than admin vs. non-admin.

    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 20, 2007
    #17
  18. Joseph Geretz

    Jimmy Brush Guest

    Hello,

    Ignoring the parts of your posts not related to UAC ...

    Your problem is not with UAC or even Vista, it is with application
    compatibility.

    Some programs don't work right when the system changes. UAC definitely
    counts as a system change.

    Vista does a lot to work around this, but it still ain't perfect. The fact
    is, Vista is different, and that will break things. It's been the same for
    every major OS upgrade, and it will continue to be that way.

    For example, the reason your program in particular wasn't working is
    probably because it wasn't requesting administrator rights. Programs have
    to do that now. It probably would have worked if you had right-clicked it
    and clicked Run As Administrator.

    Windows Vista does not block you from performing common or administrative
    tasks. However, you may have trouble using non-vista-compatible programs to
    perform those tasks.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 20, 2007
    #18
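
Posts #15 and #18 both come down to the same point: a step that changes machine-wide state has to run from an elevated process, and a program has to ask for that elevation. As an added example (not code from the thread), this PowerShell preflight checks whether the current token is elevated and whether it can write where machine-wide COM registration lands, then runs one step through a single UAC prompt; `Test-IsElevated`, `Test-CanWriteMachineClasses`, `Invoke-Elevated` and the file path are hypothetical names.

```powershell
# Added example: preflight for an install step that makes a machine-wide change,
# such as COM/ActiveX registration under HKLM\Software\Classes.
# All three function names are hypothetical helpers.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # With UAC on, an administrator's ordinary processes carry a filtered token
    # in which the Administrators group is deny-only, so this is $false until
    # the process has been elevated through the prompt.
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWriteMachineClasses {
    # Opening the key for writing fails for a standard or filtered token
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Classes', $true)
        if ($null -ne $key) { $key.Close(); return $true }
        return $false
    } catch {
        return $false
    }
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$ArgumentList
    )

    $startArgs = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
    if ($ArgumentList) { $startArgs['ArgumentList'] = $ArgumentList }

    if (-not (Test-IsElevated)) {
        # The RunAs verb asks the shell to elevate: the user sees one UAC prompt
        # for this one program. If they decline, Start-Process throws.
        $startArgs['Verb'] = 'RunAs'
    }

    $process = Start-Process @startArgs
    $process.ExitCode
}

# Report the state of the current session
"Elevated: $(Test-IsElevated)"
"Can write HKLM\Software\Classes: $(Test-CanWriteMachineClasses)"

# Placeholder path; the command line is the one quoted in post #12
# Invoke-Elevated -FilePath 'C:\Path\To\MyActiveX.exe' -ArgumentList '/RegServer'
```

Only the one step that needs the administrator token is elevated; the calling script and everything else it does stay at the user's normal privilege level.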
  19. Joseph Geretz

    David Craig Guest

    A. Because you can see the last post and have a good feeling whether the
    thread has degenerated into noise.
    Q. Why is top-posting such a good thing?
     
    David Craig, Feb 20, 2007
    #19
  20. Joseph Geretz

    Kerry Brown Guest

    How then would you secure Windows from the malware plague that is happening
    now? Microsoft has been moving in this direction for the past couple of
    years. All of their programming guidelines, best practices, books on
    programming, MSDN etc. have been talking about it. It isn't news unless you
    have had your head stuck in the sand. It is a very painful change but a
    change was needed. There is no way to secure an OS if everyone can do
    anything at any time. It's almost funny listening to the complaints about
    Vista by programmers. Almost the exact same complaints were made during the
    switch from win9x to XP. If more programmers had thought about security and
    figured out how to program for it (I include Microsoft here) we would still
    be happy with incremental improvements to XP and wouldn't be dealing with
    UAC, reduced registry access, virtual registry, etc.. It all boils down to
    programmers writing programs that run as a standard user. Because not too
    many Windows programmers bothered to figure it out we have a malware plague
    and UAC as the solution. If you always wrote programs that assumed they had
    administrator permissions you are the problem and it's time to change. If
    you didn't then your programs should run just fine in Vista with very minor
    changes.
     
    Kerry Brown, Feb 20, 2007
    #20