Why ask every time? An unidentified program bla...

Discussion in 'Windows Vista Security' started by Peerke, Nov 3, 2006.

  1. Peerke

    Peerke Guest

    Sorry but this is very annoying. Installed a program witch needs more then
    the normal access (like drivers etc.). Get the question at first startup and
    say its ok, I know the program. Ok thats good, but...

    You see I install and configure as admin but I'm working(!) with the normal
    user account. That is the way to do things. Everybody knows this ;-). So now
    I get the question every time and I know its a good and harmeless program.
    You know I've installed it!

    Looked and checked the administrator thing, no change, looked at defender
    and find none.

    Isn't there a (easy, not the manifest thing) way to say Hey Vista it's my
    computer and I installed this program so from now on you don't ask me for my
    credentials anymore, yes!

    Would be nice.
     
    Peerke, Nov 3, 2006
    #1
    1. Advertisements

  2. Peerke

    Jimmy Brush Guest

    Hello,

    Unfortunately, the program will need to be changed by the manufacturer in
    order to allow this. With UAC enabled, there is no way a program can run
    with administrator permission without prompting you for permission.
     
    Jimmy Brush, Nov 3, 2006
    #2
    1. Advertisements

  3. Peerke

    PeterG Guest

    Have you tried disabling the UAC control?
     
    PeterG, Nov 4, 2006
    #3
  4. Peerke

    DF Guest

    This is not about UAC asking permission to perform an administrative action,
    it's about Vista asking 'do you want to run this program' every single time -
    you should be able to say 'yes' or 'no' AND 'Don't ask me again.

    This looks to me like MS is doing a self protection thing again - this is
    not about security, it's about MS saying to developers 'you have to do what
    we want or we'll make life difficult for you'. How do developers stop this
    happening - do you have to use 'official' MS development tools by chance?
     
    DF, Nov 4, 2006
    #4
  5. Peerke

    Jimmy Brush Guest

    This looks to me like MS is doing a self protection thing again - this is
    You are incorrect.

    The reason you cannot "always" run a program as an administrator is for a
    very GOOD reason - and it is to protect the USER, not microsoft.

    If you think about it a little bit, you will understand. The purpose of UAC
    is to ensure that programs cannot run with admin permissions without user
    consent. Allowing a program to ALWAYS run with admin permission without
    prompting the user creates a security vulnerability, because Windows does
    not know the difference between the USER starting a program and a PROGRAM
    starting a program. (This specific issue has been discussed in depth in
    other threads - solving this problem is NOT TRIVIAL).

    In practice, allowing a USER to always run a program as admin *ALSO* allows
    any non-privileged (possibly rogue) program to run PRIVILIGED programs that
    the user has approved.

    So far, nobody in this forum has came up with a solution that would allow
    ONLY the USER to run elevated programs that bypass UAC, but NOT programs.
    The closest we have came would be allowing this UAC bypass feature for
    programs started from the Start menu / Desktop / Explorer windows only, but
    in allowing this behavior there are serious negative security consequences
    making this solution impractical.

    So, if Windows cannot tell the difference between a user starting a program
    and a program starting a program, then ...

    If the "always run as admin" behavior was implemented, then a rogue program
    would be able to start a program with this attribute set and then trick this
    program into performing privileged actions on its behalf.

    Imagine the case where a user has set the command prompt to always run as
    admin - I'm sure this would be a common scenario, since most users that use
    the command prompt probably do so to perform administrative functions. Now,
    with this scenario set up, any rogue program would be able to start the
    command prompt, which runs with admin privileges without prompting, and say
    pass it an argument telling it to format the hard drive. The rogue program
    has effectively bypassed UAC by proxy - it is using other programs to
    effectively carry out the functions that it is unable to do directly.

    If Microsoft were to have enabled this "always run as admin" behavior as you
    suggest, they would have shipped Windows Vista with a HUGE security flaw, as
    I have described, which, by the time Vista hits store shelves, would have
    been exploited by malware authors, and the security afforded by UAC by that
    time would pale in comparison to that which it offers now.
     
    Jimmy Brush, Nov 5, 2006
    #5
  6. Peerke

    Peerke Guest

    This discussion is not about running a program as an administrator. I agree
    with Jimmy about that. Ordinary users do not normally run programs as an
    administrator, so this has to be secured. But…

    1) Sometimes I need programs that are not frequently upgraded. It means I
    have to long to wait before I can use it with Vista. Also I don’t think it’s
    the right way to say “hey, if you will use this program, that is running good
    in XP, in Vista it need updatedâ€. I’m not talking about a win 98 program.
    2) I will not turn off UAC. I think its good feature.
    3) DF is right. It’s about asking over and over again without the
    possibility to say “Don’t ask me againâ€.

    I do not (and do not need to or want to) run this program as administrator.
    I only checked the admin checkbox to see if this is a way to lose the
    returning question. It did nothing so I turned off again.

    By the way, if I run this program under an account with administrator rights
    (not the administrator) the question is also there every time only I do not
    have to provide my credentials. As an ordinary user I have a choice between
    providing the credentials for this user or providing administrator
    credentials. Either way, it makes no difference in running the program. So
    what’s the use?
     
    Peerke, Nov 6, 2006
    #6
  7. Peerke

    Jimmy Brush Guest

    Also I don’t think it’s
    Unfortunately, this is the case a lot of times. :)
    So, if I (now) understand correctly ... the program is prompting, and you do
    NOT want it to pompt because you do NOT want to run it as an administrator?

    I don't think I've ran accross this problem before. If the program was
    DESIGNED for Vista, it should have a manifest telling Windows to always run
    it as an administrator (and this would be the correct behavior, since you
    have to assume the application knows what it's talking about); however, if
    it was NOT designed for Vista (as should be the case), it should NOT
    automatically prompt you.

    Try this:

    - right-click your program's .exe file
    - click properties
    - click compatability
    - click Show settings for all users
    - Make sure the run as admin box is unchecked
    - Click OK twice
     
    Jimmy Brush, Nov 6, 2006
    #7
  8. Peerke

    Peerke Guest

    Yes I know, but it will be a long time from now until all programs run
    smoothly in Vista. Das this mean we will live for some years with prompting
    programs? Administrators will soon banned UAC.
    Yep! I don’t mind the prompt (once!) if necessary and no, I do not want to
    run this program as an administrator.
    Officiously the program is not (right now) designed for Vista but that
    doesn’t mean it will have to prompt me every start. It only complains about
    an unidentified program from an unidentified publisher. Well let me identify
    and work with it.
    I have. Did not work. Still prompted every start as user including typing
    the password as well as administrator without having to provide a password

    Maybe it has something to do with the fact I start the computer with hitting
    F8 to allow unsigned drivers (is this the only way to allow unsigned drivers
    to be running?)? Because this is also necessary to be able to run the program.
     
    Peerke, Nov 6, 2006
    #8
  9. I think that for large corporations that they can create a manifest for a
    program and sign it with their key to permit it to run more easily. Most
    will require that the provider seperate the admin requiring functions from
    the normal usage.

    Just think about the major shifts that have occured in the Apple market.
    Complete changes of the operating system and multiple processor changes. I
    think a complete shift might assist the Windows world in many ways, but
    Microsoft is afraid that it might allow their customers to see the
    possibilities of Apple and Linux.
     
    David J. Craig, Nov 6, 2006
    #9
  10. Peerke

    Robert Moir Guest

    Because, of course, if a 'don't ask me again' mechanism existed, it
    definately wouldn't be the first thing that virus, trojan, worm and spyware
    writers exploited as soon as they got you to run their installer, would it?
     
    Robert Moir, Nov 11, 2006
    #10
  11. Peerke

    denlong Guest

    I Couldn't get Jimmy's instruction at the bottom of his post to do anything
    as the box was not ticked in the first place.
    However, it did work after I first ticked the "run as admin" box. and exited
    the properties dialog and tried to run the offending program which of course
    was not allowed to start up.
    I then redid Jimmy's instructions and unticked the "run as admin" box and
    hey presto my unidentified program started up.
    I haven't tried doing a restart yet - but let's not spoil the joy of the
    moment with such trivia.

    Best of Luck - denlong (Devon UK)
     
    denlong, Feb 12, 2007
    #11
  12. Peerke

    justaguy Guest

    I use a number of small unsigned utilities for overclocking and monitoring
    that all needed to be rid of the dreaded pop-up. Besides the admin rights,
    going to the main properties page for the .exe, clearing the read-only box
    and clicking the UNBLOCK box at the bottom that usually exists for unsigned
    apps fixed them all. Just to be sure, I did the same for the few .sys and
    ..dll that had the UNBLOCK button associated with these utils. It worked and
    I have no idea why I never noticed this before. Good hunting.
     
    justaguy, Feb 13, 2007
    #12
  13. Peerke

    denlong Guest

    Just to let you know it is still working after several start-ups.

    Denlong
     
    denlong, Feb 14, 2007
    #13
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.