UAC - How do I configure this to bring some sanity to my desktop?

Discussion in 'Windows Vista Security' started by Joseph Geretz, Feb 19, 2007.

  1. Joseph Geretz

    David Craig Guest

    If you have a program that requires admin access, you can create your own
    external manifest for it and have it automatically invoked with UAC
    prompting. The companies that produce software should separate their
    executables into those normal users can use and those that need to perform
    an admin activity. It is not that difficult. Maybe in future Windows
    versions they will allow an executable to invoke the UAC prompt only when it
    needs to do so. There are some indications that Microsoft has been choosing
    a course that will make it difficult for small developers to enter the
    market. Doing 64-bit device drivers has become much more difficult.
     
    David Craig, Feb 20, 2007
    #21

  2. Joseph Geretz

    David Craig Guest

    ActiveX is the stupidest thing designed since Windows 3.x & 9x where they were
    just shells over DOS. It is an executable that has access to any part of
    the system that access controls don't stop. UAC may help some in that
    Internet Exploder is placed into a limited box, but I am not certain how
    much power activeX controls can obtain. The fact that they are used by
    Windows/Microsoft Update to replace and modify OS files indicates they
    possess too much power for my liking. Yes, I want an update that is easy to
    use, but I want it to be a little harder than before.
     
    David Craig, Feb 20, 2007
    #22

  3. to do that now. it probably would have worked if you had right-clicked it
    Why should an Administrator have to specify 'Run as Administrator'? And once
    having done that, don't you think the OS should 'remember' that setting so
    that every time I don't have to go through the same song-and-dance? My
    goodness, before I turned off UAC just opening up the Services window was a
    whole debate!

    - Joseph Geretz -
     
    Joseph Geretz, Feb 20, 2007
    #23
  4. If you always wrote programs that assumed they had administrator
    What exactly does this mean to a VB6 developer??? Sure I remember coding
    GetPrivMode in COBOL back on the HP3000 but where's the applicability in
    terms of the standard VB6 development we've been doing over the past decade?

    - Joe Geretz -
     
    Joseph Geretz, Feb 20, 2007
    #24
  5. ActiveX is the stupidest thing designed since Windows 3.x & 9x where they
    Wow! I guess you missed the whole COM vs CORBA thing during the mid-late
    90's where MS was swearing up and down that COM/ActiveX was the greatest
    thing since Windows 3.1!!!

    So now ActiveX is just supposed to go quietly into the night? Well, it is
    going, but it's going to take some time and meanwhile we ActiveX developers
    would like to be able to install our applications on Vista. We didn't create
    this whole ActiveX / Registry mess (the Registry, yeah another great idea -
    I bet the guy who invented the Registry worked lead on the Vista development
    group) we just work with it for a living.

    - Joe Geretz -
     
    Joseph Geretz, Feb 20, 2007
    #25
  6. This is a partially incorrect statement. Yes, the system knows that you
    Problem in a nutshell. If an OS can't tell when I explicitly ask for
    something, then it needs to be torn down and rebuilt so that it can.

    - Joseph Geretz -
     
    Joseph Geretz, Feb 20, 2007
    #26
  7. Joseph Geretz

    David Craig Guest

    You can install your activeX programs on Vista. If you have a signed
    activeX "control" (more B.S. - it is a program) and a signed .msi file it
    can be installed with only one prompt or maybe less but I don't do apps
    myself. I need to learn a little about how to do manifests, but it appears
    to be a manual process that is a real pain to get one created. I guess they
    could have made it more obscure. Why not a manifest editor in VS2005 that
    just lets you choose what you need if it is side-by-side and what
    privileges. Life could be better and simpler and less confusing for those
    of us who only dabble in apps. Drivers are so much easier.
     
    David Craig, Feb 20, 2007
    #27
  8. Joseph Geretz

    David Craig Guest

    How can you do automated testing? There are some reasons for having the
    ability to replay a sequence of inputs to test applications. You can't hire
    enough people and write enough test scripts to test every old bug so
    automation is necessary to make sure a previously fixed bug hasn't
    reappeared. I know with drivers we frequently add tests for bugs that have
    been fixed to make sure a change doesn't get dropped or someone forgets that
    that approach was a failure and tries to resurrect it.
     
    David Craig, Feb 20, 2007
    #28
  9. How can you do automated testing?

    I didn't say that your run of the mill application would need to
    discriminate between physical and 'virtual' inputs. But the OS should be
    able to. And your comment regarding automated testing tools demonstrates
    the exception which perhaps proves the rule. Recognizing and clamping down
    on the ability to 'impersonate' user input would mean that 1% of all
    applications which are automated testing tools (and the like) would need to
    comply with more stringent requirements. The result would be that 99% of all
    other types of apps would run in a more secure environment.

    But that evidently isn't the Microsoft vision. Their implementation
    basically concedes that their OS is so unsafe that their only choice is to
    ask the user every time he presses a button - 'hey, did you really want to
    do that'?
     
    Joseph Geretz, Feb 20, 2007
    #29
  10. Since you snipped everything you were replying to I can only guess
    you're responding to me.
    UAC is PART OF THE SYSTEM designed by Microsoft. You're talking
    gibberish. If it actually was directly under your control it could be
    useful. The implementation is flawed. This is very noticeable when
    transferring applications from an older version of Windows to a new one
    where UAC takes it upon itself to either give or reject permissions
    where previously XP may have been and likely was set up differently.
    The result can be a hodgepodge of messed up settings where UAC
    decides, again on its own, this application is ok to have permission
    to do blah, blah, but oh, not this one. How anyone can suggest this is
    progress or a good idea is beyond me.

    The concept is good, but the implementation is awful. A correct way to
    proceed would be like many firewall applications behave when you first
    install them. You install a firewall whose job it is to sit between
    you and the Internet. Its purpose is to act as a traffic cop either
    allowing or blocking access to incoming and outgoing applications that
    wish access to the outside world. The UAC does no such thing, it just
    does WHAT IT WANTS as in the example I gave. You then can't change the
    behavior IT, not you, assigned. Again, that's not progress, that's
    stupidity.
    That's an understatement. In typical Microsoft fashion it not only is
    clumsy, it often doesn't allow you to fix it, aside from turning this
    "feature" off. Again, that's a step backwards, not forwards.
    No, Vista's UAC is BROKEN and it breaks applications that worked in
    previous versions of Windows and even breaks applications that are
    supposed to be "Vista Ready". That blame falls squarely on Microsoft's
    shoulders for not testing compatibility BEFORE dumping Vista on the
    unsuspecting masses that didn't expect the new version of Windows to
    in effect prevent much of a user's software from functioning. If you're
    lucky at worst you get a nag screen you can click through. Often, you
    can't easily control your own applications, Microsoft attempts to be
    your mommy if you ask it to or not. Thanks, but no thanks.
    So what you're saying is in spite of Windows being in "development"
    for twenty years the Microsoft software engineers STILL haven't got a
    version that actually works as advertised. Somehow that just don't cut
    it with me. How much more time you think they will need? Just imagine
    if this was any other industry. They would be laughed out of business.

    At the core of many of Windows inbred problems is the newest version
    of Windows builds on the previous version in part in order to have
    backward compatibility. That's a double-edged sword at best. Whatever
    is wrong or a clumsy "feature" of Windows gets carried into the next
    version and in time (surely 20 years is enough) the result is a
    hodgepodge of patched code, bloated code and code that barely works
    and sometimes don't under certain situations. I see UAC as a clumsy
    attempt to try to "fix" a lot of ills that's always infested Windows
    and made it an easy target for hackers. The bottom line is Windows has
    always been a sloppy, ill tested hodgepodge of sometimes it works,
    sometimes it don't bloated coding.
    You think? Well kid, you're dead wrong. I have some vintage Windows
    3.1 era software running just fine on Vista. That kind of blows a
    giant hole in your argument I would think.

    For example Windcode (a joiner/splitter) version 2.7.3 copyright
    1993-96 Snappy Software. Back then there was no UAC, no NTFS, nothing
    like that. Your argument that "it wasn't requesting administrator
    rights. Programs HAVE TO DO THAT now" is also faulty since you can
    turn off UAC and it works fine and it doesn't need the rights, what it
    needs is to accept the rights you tell it the application HAS or
    needs. Vista sometimes simply won't let you, graying out the boxes
    that is supposed to make it possible or even removing any boxes. I
    would call that a bug. You I suppose will try to call it a feature.
    That's default double talk for Microsoft failings. They rarely admit
    to having bugs in their software.

    Further you seem confused. The question isn't was the program working,
    rather Vista kept refusing to initialize it because of some half-ass
    rights it ALREADY had if you can believe what Vista is showing under
    the security tab for the application in question. That to me says
    Vista is dumb. Very, very dumb.
    No, because Vista halted it dead in its tracks at the application's
    splash screen with the warning box on top of it preventing you from
    doing anything other than to curse Windows for being so damn dumb.
    ROTFLMAO! Read what I just said again. Slowly.
    More double talk.
     
    Adam Albright, Feb 20, 2007
    #30
  11. Bingo!

    That's the impossible dream. Windows has now become a monster. An OS is
    supposed to sit quietly in the background and respond to the owner's
    commands. Maybe too many members of the Vista Development team got a
    hold of the Patriot Act and decided Windows should now do what it
    wants, throw out all the rules and if you don't like it, tough luck.
     
    Adam Albright, Feb 20, 2007
    #31
  12. Joseph Geretz

    Jimmy Brush Guest

    Well, that applies to every OS out there now, depending on how you define
    'OS' :).

    But I do agree with you.
     
    Jimmy Brush, Feb 20, 2007
    #32
  13. Joseph Geretz

    Jimmy Brush Guest

    He shouldn't have to right-click and click Run As Administrator.

    The application should request permission automatically.

    As for "why can't it remember", see my reply to the original poster (it's a
    whopper of a post but I think it explains things completely).
     
    Jimmy Brush, Feb 20, 2007
    #33
  14. Joseph Geretz

    Jimmy Brush Guest

    As I keep saying, the (main) problem isn't that the input isn't trusted,
    although that is part of the problem. Even if the input was known to come
    from the user, it still wouldn't let the OS know what the user is intending
    to do. The job of the OS isn't to ACT on input; it is to forward input to
    applications. Until now, the OS hasn't had a reason to need to know what the
    user wants to do when they make an input.

    Microsoft's OS isn't unsafe - the applications that run on it are.

    These statements are true of ALL operating systems (right now).

    UAC in its current form is born out of necessity. I think future versions of
    UAC will be much more pleasant to work with, and offer much more visible
    benefits.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 20, 2007
    #34
  15. Joseph Geretz

    Jimmy Brush Guest

    How do you figure that giving the user so much more control over the
    computer than ever before is likened to the patriot act?


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 20, 2007
    #35
  16. Joseph Geretz

    Jimmy Brush Guest

    In an environment that I would envision, the system would be able to tell
    that the user is intending to send fake inputs to other applications, in
    contrast to an application that would attempt to do this without the user's
    knowledge or intent.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 20, 2007
    #36
  17. Joseph Geretz

    Jimmy Brush Guest

    UAC is PART OF THE SYSTEM designed by Microsoft. You're talking
    Applications that don't prompt for admin permission DON'T GET IT - they run
    as if a standard user had executed them. This IS PROGRESS. Applications that
    don't need admin privileges have no business running with them, even if the
    user is an administrator.

    In its current form, here's how UAC works:

    1) The application tells Windows how much privilege it needs to run (either
    nothing special, as much as possible, or have to have administrator). If an
    app doesn't tell Windows what privilege it needs, Windows assumes the app
    doesn't need any special privileges.

    2) If the user wants to be prompted for the privileges the app requests,
    they will be prompted, and the app will only be run if the user wants it to.

    As you can see, there is no magic or hocus-pocus going on. The amount of
    privilege an application receives is decided by the APPLICATION and the
    USER - *Windows has no say in it at all*.

    If a non-administrative application doesn't work correctly when running as a
    standard user, then that's the developer's fault for not programming their
    application correctly.

    If an administrative application doesn't correctly indicate to Windows that
    it needs admin privileges, then the user will have to explicitly give it
    such privilege by right-clicking it and clicking run as administrator.

    UAC does not decide what privilege to give an application - it forwards the
    application's request of privilege to the user and defers to them to approve
    or deny, depending on the settings the user has specified.
    UAC is not a firewall. To liken it to a firewall would be incorrect - they
    are conceptually two very different things.

    You CAN change the behavior of UAC, and UAC does what the USER and the
    APPLICATION decide on doing.
    Again, application compatibility issues exist in all new versions of an OS.
    This will pass, as it always does, as compatible apps are released.
    First you complain about the LACK of application compatibility, and then you
    complain about the EXISTENCE of it? I am confused. Microsoft walks a thin
    line between application compatibility and adding new features, just like
    every other OS and application manufacturer.
    LOL. You're right. I meant to say "Programs that NEED ADMINISTRATIVE
    PRIVILEGES have to do that now." Which probably applies to the software you
    were trying to run.

    You seem confused as to what the security tab represents. It does not
    represent what privileges are assigned to the application.
    I believe the application was the one issuing the error, not Windows, most
    likely because it needed you to give it administrator permission (right
    click -> run as administrator).



    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Feb 20, 2007
    #37
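
The three request levels listed in the post above correspond to the `level` attribute of the `requestedExecutionLevel` element in an application manifest: `asInvoker`, `highestAvailable` and `requireAdministrator`. As an added example (not code from any poster in this thread), the Python below produces the external manifest mentioned earlier in the thread and reads a manifest back to report what a launch leads to; the function names and the `legacy.exe` file name are made up, and the outcomes assume default UAC policy and a launch from a non-elevated shell.

```python
import xml.etree.ElementTree as ET

LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

MANIFEST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def external_manifest(exe_name, level):
    """Return (file name, text) of an external manifest for exe_name."""
    if level not in LEVELS:
        raise ValueError(f"unknown execution level: {level!r}")
    # The external manifest sits beside the program as <program>.exe.manifest.
    return exe_name + ".manifest", MANIFEST_TEMPLATE.format(level=level)


def requested_level(manifest_text):
    """Return the requested level, or None when the manifest declares none."""
    if not manifest_text:
        return None
    root = ET.fromstring(manifest_text.encode("utf-8"))
    for element in root.iter():
        # Match on the local name: asm.v2 and asm.v3 namespaces both occur.
        if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = element.get("level")
            if level not in LEVELS:
                raise ValueError(f"unknown execution level: {level!r}")
            return level
    return None


def launch_outcome(manifest_text, user_is_admin):
    """Outcome of a launch from a non-elevated shell under default UAC policy."""
    level = requested_level(manifest_text)
    if level in (None, "asInvoker"):
        # No request is treated like asInvoker here; Vista's installer
        # detection heuristic for unmarked setup programs is not modelled.
        return "no prompt, standard-user token"
    if user_is_admin:
        return "consent prompt, full administrator token if approved"
    if level == "highestAvailable":
        return "no prompt, standard-user token"
    return "credential prompt for an administrator account"


if __name__ == "__main__":
    name, text = external_manifest("legacy.exe", "requireAdministrator")  # made-up program
    print(name)
    for admin in (True, False):
        print("admin" if admin else "standard user", "->", launch_outcome(text, admin))
```

Windows Vista prefers a manifest embedded in the executable over an external one, so the external file only takes effect for programs that ship without an embedded manifest.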
  18. LOL! That's the biggest whopper I've seen posted here yet. If
    Microsoft's OS was "safe", why does Microsoft constantly issue
    "SECURITY" updates, CRITICAL patches and Service Packs for Windows?
    SP2 was 250MB in size!
    Translation: Microsoft has thrown in the towel accepting its Windows
    versions are so buggy and primed to be easy hacker targets the only
    thing it can do short of weekly "critical updates" is constantly
    challenge much of the software on your system by asking moronic
    questions like are you sure you want to do this or that which do
    little other than to offer a sense of false security.
    So that's just your way of saying that the current form of UAC sucks
    big time and is more of a nuisance than a help and accept that the
    vast majority of users after seeing what a total mess it is and how
    clumsy it is to work with will simply turn it off.
     
    Adam Albright, Feb 20, 2007
    #38
  19. If you read the entire Patriot Act you'll see the Bozos in Congress
    who most freely admit they NEVER READ IT before voting on the bill and
    making it law, takes away or infringes on Constitutional guarantees
    like the protection against unwarranted searches or due process in our
    legal system. In case you don't know, it is now "legal" for the police
    to search your home without warrant or even advising you they were
    there afterwards. It is now "legal" to be simply suspected of
    terrorist activity and be taken away to an undisclosed place and held
    there without benefit of legal counsel or even having formal charges
    made. That should scare the crap out of all Americans.

    In a similar vein, Microsoft, the 800 pound gorilla, has decided it,
    not you, determines how to restrict use of your software, without your
    input.

    If you think this is giving users "so much more control" you're
    delusional pal. In the example I gave I clearly detailed how Microsoft
    prevented me from running software installed on XP and capable of
    running on Vista (it is right now with UAC turned off) after I did an
    install in place which obviously as you know keeps your installed
    software. NOTHING I do allows me to change the permissions on some of
    MY software. The so-called security tabs are either grayed out or the
    boxes to check options are missing totally.

    If you continue to defend such moronic practices as "good things" I
    think we will have some interesting discussions in the future.
     
    Adam Albright, Feb 20, 2007
    #39
  20. A quick note: If you register your ActiveX controls in HKEY_LOCAL_MACHINE in
    the registry then normally that will require admin privileges, because
    modifying HKEY_LOCAL_MACHINE changes the state of the system for all users.

    However, you should instead be able to register controls for the current
    user only in HKEY_CURRENT_USER which won't require admin privileges and thus
    no UAC prompting will be required.

    Dave Wood
     
    Dave Wood [MS], Feb 20, 2007
    #40
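
The per-user location for class registrations is `HKEY_CURRENT_USER\Software\Classes`. As an added example (not from the post above or from Microsoft), this Python rewrites a `.reg` export of a per-machine control registration so its class keys land under the current user, and lists any keys that still fall outside `HKEY_CURRENT_USER`; the CLSID, ProgID, paths and function name are constructed for illustration.

```python
import re

# Roots that hold per-machine class registrations.
PER_MACHINE_ROOTS = ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes")
PER_USER_ROOT = r"HKEY_CURRENT_USER\Software\Classes"
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")  # "[key]" or "[-key]" (delete)

# Constructed sample: the kind of export a per-machine registration produces.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Example.Control]
@="Example control"

[HKEY_CLASSES_ROOT\Example.Control\CLSID]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\joe\\AppData\\Local\\Example\\example.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"InstallDir"="C:\\Users\\joe\\AppData\\Local\\Example"
"""


def to_per_user(reg_text):
    """Return (rewritten .reg text, keys that still sit outside HKCU)."""
    out, outside_hkcu = [], []
    for line in reg_text.splitlines():
        match = KEY_LINE.match(line)
        if match:
            delete, key = match.groups()
            upper = key.upper()
            for root in PER_MACHINE_ROOTS:
                if upper == root.upper() or upper.startswith(root.upper() + "\\"):
                    # Same subkey path, moved under the per-user classes root.
                    key = PER_USER_ROOT + key[len(root):]
                    break
            else:
                if not upper.startswith("HKEY_CURRENT_USER"):
                    outside_hkcu.append(key)  # importing this still needs admin
            line = f"[{delete}{key}]"
        out.append(line)  # value lines pass through unchanged
    return "\n".join(out) + "\n", outside_hkcu


if __name__ == "__main__":
    new_text, remaining = to_per_user(SAMPLE_REG)
    print(new_text)
    print("Keys that still require elevation:", remaining)
```

Microsoft's COM documentation notes that processes running above medium integrity ignore per-user COM registration, so a control registered this way is visible to the user's normal programs but not to elevated ones.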