
UAC, it may be annoying,

SunnyB    0

My wife and daughter (computer illiterate) need UAC. I do not.

Common sense and half a brain tell us that we shouldn't just click something just because it's there. Most new users don't have those two things regarding computers.

Vigilantism should be allowed against malware writers and websites using them. Forced "hand removal by hacksaw" should be legalized against the vermin propagating computer malware.

Sniper101    0

I like UAC if you know how to use it right :| If you think it's hell now you should have experienced beta 2. Wow, wasn't that annoying, the 10 steps to removing an icon off the desktop :p

*John*    0

Personally, I love UAC, and would never dream of turning it off :)

null_    4
Personally, I love UAC, and would never dream of turning it off :)

Agreed. Once you have your computer set up (drivers and applications installed), you should really not run into any UAC consent prompts during everyday usage, and the only time you should see one is if an ActiveX control needs to be installed or if an application update installer requires administrative privileges. It's really not that much of a hassle.

Mordkanin    225
My wife and daughter (computer illiterate) need UAC. I do not.

That's a horrible idea from a computer security standpoint. There's no justification for running with Admin access all the time. It's like running *nix/BSD as root, people just don't do it because it's dumb.

»X«    1

I saw it every single time I opened a zip or rar in winrar. So when I downloaded a batch of 10 zips/rars you can imagine how annoying that was.

Kristian    4

Then you should download your zips to folders that don't need elevated access. I never ever see any prompts for elevation when opening/downloading zips/rars.

null_    4
I saw it every single time I opened a zip or rar in winrar. So when I downloaded a batch of 10 zips/rars you can imagine how annoying that was.

It sounds like you are using WinRAR 3.62, which has a known issue which invokes User Account Control consent prompts every time it is run. Have you tried upgrading to the latest 3.70 beta release or downgrading to 3.61? Neither of these releases has the issue that is specific to 3.62.

freak_power    0

In a year UAC is going to be fine. Game/app developers will learn how to write applications around UAC, so UAC doesn't pop up like crazy. Since we are talking about security, Windows Defender has a strange behavior. It gives you a bunch of warnings in Event Viewer about system and tasks performed by Windows. I don't understand why a Windows task would be harmful. Of course it's not, but I think a warning message is not necessary there.

Dashel    542
That's a horrible idea from a computer security standpoint. There's no justification for running with Admin access all the time. It's like running *nix/BSD as root, people just don't do it because it's dumb.

Security and usability are always conflicting forces. What is the #1 'security' annoyance of WinXP? Spyware, which isn't exactly the focus of UAC, we have defender for that.

2003 SERVER doesn't have UAC...and it's a SERVER. Funny that this new crusade starts at the desktop. Just prevent old-school 'drive-by' installs in IE (the major issue with WinXP) and leave the rest alone. Thanks. UAC is impotent in dealing with the majority of consumer driven problems, installing ****ty apps.

Communicator, disable UAC.

freak_power    0

Windows Vista is an evolutionary step from Windows XP/2003 Server. Well, we need a new operating system from scratch, including new file/folder organization, file system, the way the OS communicates with apps and games, hardware etc. Microsoft needs to get rid of the registry and that alone will fix 60% of all Windows problems. UAC is nothing but an attempt to fix security problems in Windows XP. Well, the things should be patched from the core. I still don't understand why IE is integrated into the operating system, for example?

gigapixels    99
Security and usability are always conflicting forces. What is the #1 'security' annoyance of WinXP? Spyware, which isn't exactly the focus of UAC, we have defender for that.

2003 SERVER doesn't have UAC...and it's a SERVER. Funny that this new crusade starts at the desktop. Just prevent old-school 'drive-by' installs in IE (the major issue with WinXP) and leave the rest alone. Thanks. UAC is impotent in dealing with the majority of consumer driven problems, installing ****ty apps.

Communicator, disable UAC.

Your argument about 2003 Server not having UAC is moot since UAC is a brand new feature for Vista. If we don't see it on Longhorn Server, then you'll have a point.

TurboTuna    9
Security and usability are always conflicting forces. What is the #1 'security' annoyance of WinXP? Spyware, which isn't exactly the focus of UAC, we have defender for that.

2003 SERVER doesn't have UAC...and it's a SERVER. Funny that this new crusade starts at the desktop. Just prevent old-school 'drive-by' installs in IE (the major issue with WinXP) and leave the rest alone. Thanks. UAC is impotent in dealing with the majority of consumer driven problems, installing ****ty apps.

Communicator, disable UAC.

Servers do not have it because they aren't meant to have a user clicking/using it. They are designed to be left on and serve their purpose.

Dashel    542

You miss my point. If this is such a vital security technology how come it premieres in a desktop OS first? Why was this not a server feature that they trickled down to the desktop?

Turbo, if that were true then why again shouldn't 'power users' not disable this off the bat? Brandon argues that it even protects us admins from doing something critically stupid or preventing things happening that we don't know about. What better place to protect us than on mission critical servers? Who cares about a desktop? If it gets pooched..reimage.

Nix has it because historically it is a server OS so people masochistic enough to run it as a workstation inherited it. Not the other way around. Even though my nix servers are just left on and serve their purpose, I still have to log on as root.

Maybe I'm just confused but it seems to me that apologists want it both ways. Either it's a user-created issue for 'mommies and daddies' or it's a global system security blanket. Which is it? If it's the first then if you are competent enough to know how to maintain your box it's irrelevant. If it's the latter see my point above.

Edited by Dashel

RootWind    0
You miss my point. If this is such a vital security technology how come it premieres in a desktop OS first? Why was this not a server feature that they trickled down to the desktop?

Microsoft isn't exactly evolving naturally at this point, this is everything and the kitchen sink at once.

Turbo, if that were true then why again shouldn't 'power users' not disable this off the bat? Brandon argues that it even protects us admins from doing something critically stupid or preventing things happening that we don't know about. What better place to protect us than on mission critical servers? Who cares about a desktop? If it gets pooched..reimage.

Nix has it because historically it is a server OS so people masochistic enough to run it as a workstation inherited it. Not the other way around. Even though my nix servers are just left on and serve their purpose, I still have to log on as root.

Maybe I'm just confused but it seems to me that apologists want it both ways. Either it's a user-created issue for 'mommies and daddies' or it's a global system security blanket. Which is it? If it's the first then if you are competent enough to know how to maintain your box it's irrelevant. If it's the latter see my point above.

Isn't it technically the same thing? U (User) AC is the client implementation of a security policy, which requires user interaction by nature. The server implementation would be the same underlying permission systems except it will be all set in group policy without active authorization.

y_notm    8
You miss my point. If this is such a vital security technology how come it premieres in a desktop OS first? Why was this not a server feature that they trickled down to the desktop?

I don't even understand why you're asking this question. It's a scheduled feature of both Longhorn Server and Windows Vista, it was included in both from the start, the only reason you see it in Vista first is that's the way things were scheduled. Both have essentially the same underpinnings, including UAC, LHS just needed a bit more time to bake the server-oriented features.

Moreover, UAC is a more client-targeted form of security. Once a server is set up, services manage what's going on, and users aren't typically installing new software with potential malware in them or browsing the internet. So why should it have "trickled down" from a server release in the first place?

»X«    1
It sounds like you are using WinRAR 3.62, which has a known issue which invokes User Account Control consent prompts every time it is run. Have you tried upgrading to the latest 3.70 beta release or downgrading to 3.61? Neither of these releases has the issue that is specific to 3.62.

Thanks for the heads up! I'll look into it.

bradavon    1
Did you know that you can reach a webpage containing malware and even if you don't make contact with the webpage such as clicking on a clickable area, in the background it is currently installing it. With Windows Vista, no longer that issue! UAC will pause your work and prompt you if you want to continue, if you click cancel, it will return you to your desktop with the webpage powerless of infecting you.

That's more the fact IE7 is now running as a Limited User than UAC, there is no reason IE7 ever needs access to secure locations so a prompt isn't really necessary, just block it. Especially when if it were to popup in IE7 99% of people will click Continue. You can have this very same functionality without turning UAC on:

http://msdn2.microsoft.com/en-us/library/ms972827.aspx

Why doesn't it have a "Do not prompt me for this type of operation again" you ask? Well Windows Vista only knows you by your account and if someone remotely gets access to your account and creates a new folder in a location protected or renames all your folders, it won't prompt them because they are on your account where you told UAC to not prompt you.

With a Firewall installed you'd have to grant them access in the first place, this job is better suited by a Firewall which even Vista has already.

You raise some interesting points there, original poster, but pretty much all of them are better suited by your Firewall, which already prompts you when something is trying to do something it shouldn't, granted. It won't prompt every action you cite but for me anyway I know full well what the implications are of changing a system file before I do it.

If it popped up only when something serious was about to happen I'd gladly leave it on but it pops up all the time. I like tinkering with Control Panel and the File System (I go into both regularly), you get enough prompts as it is. I had to confirm 3 times to delete a folder a hotfix had left behind, that's overkill. Firstly the normal confirmation, fine, I like that, then as it's a system folder another one, then finally UAC kicked in and another confirmation before it's finally deleted.

UAC wouldn't be so bad if the whole screen didn't go black, that's overkill.

UAC is vital and long overdue for newbies/business but for experienced users it's just a pain in the neck, assuming it doesn't stop malicious code which I'm sure it doesn't, and even then security software is there for that anyway (which you are going to run regardless).

I'm as protected on the web by using that DropMyRights program above (without UAC prompts), any application I choose is forced to run as a limited user (perhaps even lower than Protected Mode) so even if malicious code got in it couldn't do much.

You've written an interesting post though which puts it into context well, something that can be lacking in such discussions.

I have to say this statement is wrong.

Imagine you are a User with a basic knowledge of the working of computers (e.g. you know enough to get your daily tasks completed) Security has always been a big issue. UAC is intended to make you think about what you are running. Should I allow this program to run, should it have admin access?

True but most users aren't going to have a Scooby Doo what Admin mode is let alone does and will just click Continue. The locking down of system folders is a good one, most users will have no idea how to revert this. It would be nicer if they made it a bit easier to reverse though.

Agreed. Once you have your computer set up (drivers and applications installed), you should really not run into any UAC consent prompts during everyday usage, and the only time you should see one is if an ActiveX control needs to be installed or if an application update installer requires administrative privileges. It's really not that much of a hassle.

That depends what you do with your PC does it not. I regularly go into Control Panel and/or System folders. It's just how I use my PC.

I think it's useful for people who don't know / always get spywares, etc somehow into their system

Unless I'm mistaken it won't stop spyware or viruses as it's designed to prompt newbie users "are you sure you want to do this". It won't stop malicious code getting in, that's not what it's for (except for IE7's protected mode). Even if it does popup when a program is run when maybe it shouldn't the Firewall will catch this anyway and it has some intelligence to boot.

Edited by bradavon

bradavon    1
Services aren't blocked by UAC. I assume you mean some kind of helper app that has to run at startup.

DropMyRights also works with Startup apps opened from the Registry or Startup group, not only that but any program opened from within a program it opens inherits its permissions (so clicking on a URL from WL Messenger into IE7 will also be a Limited User).

That's a horrible idea from a computer security standpoint. There's no justification for running with Admin access all the time. It's like running *nix/BSD as root, people just don't do it because it's dumb.

Disabling UAC doesn't immediately make you an Admin user, unless I'm mistaken? You still cannot gain access to system folders with or without it (you can modify registry permissions but some security software has this covered). Unix/BSD are business OSes, Vista is not necessarily so; effective security software should stop anything malicious getting in.

I'd say Business and Newbies need it, if you know what you're doing there should be no real harm disabling it. Provided you follow other (and less intrusive) security measures.

Indeed. Shutting off UAC kills more than just the consents.

Such as please? I'm aware it disables Protected Mode but does it disable anything else? Protected Mode can be achieved without UAC easily enough.

Edited by bradavon

BajiRav    2,137
Such as please? I'm aware it disables Protected Mode but does it disable anything else? Protected Mode can be achieved without UAC easily enough.

System folder & registry virtualization.

bradavon    1

Thanks. That is possible cause for concern as folder and registry virtualization looks neat. MS have said they'll remove it from future versions of Windows OS's but I guess for now it is a good idea.

Hmmm I'll have to give this some thought. I've not started configuring my Administrator account yet so it's no big deal to create a new user with UAC enabled. Still the UAC prompts are so annoying, hmmm unsure.

Cheers

Edited by bradavon

geoken    0

I hardly ever see UAC prompts anymore. The times I do see them (once or twice every couple of days) aren't really a big deal. Personally, I think adding a cumulative .8 seconds to my workflow over the course of a week is a more than fair price for the security and peace of mind that comes with knowing nothing can run secretly in the background.

I was reading the other day that the vulnerability found in the 'pwn to own' contest affects every OS and browser which has the QuickTime plugin and Java, with the exception of Vista. For those who aren't familiar, the exploit automatically runs when a user visits a website with an embedded malicious QuickTime file. No user interaction is necessary (apart from going to the site).

y_notm    8
Disabling UAC doesn't immediately make you an Admin user, unless I'm mistaken? You still cannot gain access to system folders with or without it (you can modify registry permissions but some security software has this covered). Unix/BSD are business OSes, Vista is not necessarily so; effective security software should stop anything malicious getting in.

Yes, it makes you an admin user, unless you are specifically running as a limited user. This means you have access to write to any folder, including \program files, \windows, and system32. Deleting system files from the latter 2 is a bit harder than in XP, but it's still just a takeown away from being able to happen. And not only do you have rights to write to those system folders, you (or a malicious app running with your credentials) can now modify the entire registry or even other users' files.

bradavon    1

Sorry what does "takeown" mean?

Without UAC you still need to mess around taking ownership/modify permissions to gain full access, which is the same with UAC on anyway. Turning off UAC doesn't mean by default you can gain access to Documents and Settings, cookies, desktop, rename files in system32 (although oddly you can browse it). As it is in XP Admin means that you can open/modify pretty much any folder in Windows.

That's not an admin user. You're neither an Admin user before nor after, to be an Admin user as far as I use the term you need full access, as it is in XP.

And not only do you have rights to write to those system folders, you (or a malicious app running with your credentials) can now modify the entire registry or even other users' files.

Presumably you thought you trusted the program in the first place so you're going to click Continue, if it's a program such as Internet Explorer then there are other ways to run that in Protected Mode without the need for UAC. If you run a trusted program and suddenly it pops with something you didn't expect that would be the same job as your Firewall anyway, which has similar but less intrusive popups.

That and a Limited User shouldn't equate to popups, it should equate to things being locked, with a Full Admin user available if you need it. From what I can gather Vista provides no full Admin user. You need to use the Semi-Admin user and then mess around giving permissions back to yourself.

For most users this is of course long overdue, but for some who regularly mess with system files/control panel it will become a nuisance. You also have to presume malicious code will be able to get in in the first place, running any program in "protected mode" it being IE7, FF2 or even Word is going to prevent this without UAC, your security software should pick up most malicious software. Granted this isn't as secure as the whole kit and caboodle being run from a Limited User but Microsoft has designed that means UAC, which is way overkill to the extreme.

They've gone from way too lax security where everyone's a Full Admin to UAC with prompts every time you open Control Panel and things inside it, to zero full Admin account at all. That wasn't what's needed.

y_notm    8
Sorry what does "takeown" mean?

Without UAC you still need to mess around taking ownership/modify permissions to gain full access, which is the same with UAC on anyway. Turning off UAC doesn't mean by default you can gain access to Documents and Settings, cookies, desktop, rename files in system32 (although oddly you can browse it). As it is in XP Admin means that you can open/modify pretty much any folder in Windows.

Yes, it does. You now have access to write to anyone's User profile, program files, or the \windows directory, which means under your admin rights a malicious piece of code can plant itself in any of those folders with no problem.

You can't delete, rename or edit things in \Windows (I don't know if this is true of \Program Files, if it is it's only for whatever comes with Windows), without using takeown, a command line tool that will grant ownership to the person that runs it, and which can be run from within a malicious program (which is now running with your elevated rights) to grant it access to protected Windows files.

With UAC, yes it's assumed that you trust any program that you click continue on, but without it, programs can launch silently and do whatever they want (see just about any spyware attack today) without your permission. This is especially true because without UAC, you lose Protected Mode for applications such as IE.

And if you really want a full admin account, reenable the default "Administrator" account that comes in Vista.

Is UAC overkill as you describe it? It depends on how you look at it. Windows was engineered without it in mind, and many actions required administrator rights, which is what you're getting prompted for (and which I'd rather be prompted for than have silently fail). These actions are, of course, pretty much doing anything outside of your own user account, which makes sense (why should a limited user be able to control service behaviours, for example?). As Control Panel applets and Windows itself evolve past UAC 1.0, it will get less annoying, requiring elevation only for the exact specific actions that require it instead of the whole applet.

Edited by y_notm
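
An added example, not from any poster in this thread: a PowerShell check of the UAC policy values behind the features argued about above (consent prompts, the dimmed secure desktop, file and registry virtualization, the built-in Administrator account), plus a test of whether the current session holds a full admin token. The function names and the sample hashtable are constructed for illustration; it assumes PowerShell 3.0 or later.

```powershell
# Registry key that holds the UAC policy values on Vista and later.
$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop',
             'EnableVirtualization', 'FilterAdministratorToken'

function Get-UacPosture {
    # -Policy takes a hashtable of values (for offline review of an exported
    # configuration); omit it to read the live registry.
    param([hashtable]$Policy)

    if (-not $PSBoundParameters.ContainsKey('Policy')) {
        $Policy = @{}
        $item = Get-ItemProperty -Path $UacKey -ErrorAction Stop
        foreach ($name in $UacValues) {
            if ($null -ne $item.$name) { $Policy[$name] = [int]$item.$name }
        }
    }

    foreach ($name in $UacValues) {
        $value = $Policy[$name]
        $finding = if ($null -eq $value) {
            'not set in this key; the OS default applies'
        } else {
            switch ("$name=$value") {
                'EnableLUA=0' {
                    'UAC off: admins log on with a full token, no prompts; ' +
                    'Protected Mode and virtualization are lost with it'
                }
                'ConsentPromptBehaviorAdmin=0' {
                    'admins elevate silently, with no consent prompt'
                }
                'PromptOnSecureDesktop=0' {
                    'prompts are shown on the user desktop, not the secure (dimmed) desktop'
                }
                'EnableVirtualization=0' {
                    'file and registry virtualization for legacy apps is off'
                }
                'FilterAdministratorToken=0' {
                    'built-in Administrator account runs with a full token'
                }
                default { 'no finding' }
            }
        }
        [pscustomobject]@{ Setting = $name; Value = $value; Finding = $finding }
    }
}

function Test-IsElevated {
    # True only when this process holds the full administrator token.
    # With UAC on, an admin's ordinary session returns False until elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed sample: a machine where UAC was turned off to stop the prompts.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Get-UacPosture -Policy $sample | Format-Table -AutoSize -Wrap

# Live check on the local machine:
# Get-UacPosture | Format-Table -AutoSize -Wrap
# Test-IsElevated
```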
