• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

Disabling UAC

Recommended Posts

billyea    198
Why does every proponent of UAC always have to put in their two cents when that is never what the OP asked. Please, enough with the judgemental attitude already. Just accept that many just do not like it and will not use it. UAC/AV guys are like the non-smokers of the Vista world.

Thanks for the tip though, my buddy ran that and sure enough he had it installed as well. I abhor most system optimizers though so not surprised it gunked something up.

I think it's because most UAC proponents think that the UAC haters don't actually know the full purpose of it, which goes beyond just prompting you. In fact, they think that most people who hate UAC just hate the prompts, and those can be shut off via TweakUAC without affecting some of the underlying security measures.

Share this post


Link to post
Share on other sites
|Rapture|    18
Clearly, I am not. The biggest challenge with UAC isn't getting power users / IT people to use it - they're more likely to see the benefits. In fact, it's a highly demanded feature from them.

Here is me scratching my head then saw...

the company I work for, Microsoft

Explained it all.

I have no need for that level of security on my Vista laptop. It would be like sitting on top of my house with a shotgun every night.

Also, seeing the benefits and benefiting from something are two very different things.

Share this post


Link to post
Share on other sites
revvo    21

All the guy did was ask how to disable it, not why it shouldn't be disabled. XP doesn't have anything like this and works great. UAC is a failed attempt at copying sudo from linux and yes it is very annoying.

UAC needs more flexibility instead of asking me ARE YOU SURE everytime for every slightest change.

Share this post


Link to post
Share on other sites
Mordkanin    225
instead of asking me ARE YOU SURE everytime for every slightest change.

That's not at all how UAC works. In fact, it's a lot closer to sudo than you apparently think. It's all about controling the context of processes before they start, just like sudo.

Share this post


Link to post
Share on other sites
Guest   

UAC is fine as long as applications is written with UAC in mind. I guess it's gonna take time for developers to work around UAC. If you know what are you doing...disable UAC. In a year UAC pop up will barely happen....

Share this post


Link to post
Share on other sites
Brandon Live    232
All the guy did was ask how to disable it, not why it shouldn't be disabled. XP doesn't have anything like this and works great. UAC is a failed attempt at copying sudo from linux and yes it is very annoying.

UAC needs more flexibility instead of asking me ARE YOU SURE everytime for every slightest change.

Huh? UAC is like "sudo" but easier to use. Whereas the typical "sudo" setup (or, say, the Mac) requires you to enter your password, UAC saves time by simply asking Continue / Cancel in a secure fashion. Other OSes have to ask for a password because they don't have the equivalent of UIPI and Secure Desktop, so they can't trust that a click on "continue" actually came from the user. Thus, the password requirement.

So UAC is basically a much smarter, user-friendly version of "sudo."

Also, UAC never ever asks "Are you sure?" That's not its purpose. UAC says, "Hey, this application wants to start with an escalated privilege level. Should I let it?"

Furthermore, UAC prompts are extremely rare. Some legacy applications will cause them to show up more frequently, but those should be pretty rare as well since most popular ones are covered by File/Registry redirection or app-compat shims.

Explained it all.

Explained what exactly?

I have no need for that level of security on my Vista laptop. It would be like sitting on top of my house with a shotgun every night.

That's a useless analogy. Turning off UAC is like having an alarm system installed at your house but never turning it on. Someone spent all this time installing this great system for preventing break-ins, and it is wasted because you can't be bothered to enter the code when you come home.

Also, seeing the benefits and benefiting from something are two very different things.

So you never go on the internet? Don't use Firefox or Internet Explorer? Or Outlook or Thunderbird or AIM or any other applications that could be vulnerable to remote code execution exploits? Not other computers connected via LAN either?

I guess if your computer never comes into contact with software or data from other machines... then maybe you wouldn't benefit quite so much. However, I find that to be extremely unlikely.

Share this post


Link to post
Share on other sites
revvo    21
Huh? UAC is like "sudo" but easier to use. Whereas the typical "sudo" setup (or, say, the Mac) requires you to enter your password, UAC saves time by simply asking Continue / Cancel in a secure fashion. Other OSes have to ask for a password because they don't have the equivalent of UIPI and Secure Desktop, so they can't trust that a click on "continue" actually came from the user. Thus, the password requirement.

So UAC is basically a much smarter, user-friendly version of "sudo."

Also, UAC never ever asks "Are you sure?" That's not its purpose. UAC says, "Hey, this application wants to start with an escalated privilege level. Should I let it?"

During the setup of my computer when I received it, UAC drove me nuts instead of "helping me". Maybe if I activate now it won't go berserk but I never saw a need for this in XP or 2000 so I don't see a need for this in Vista.

Besides, how is UAC smarter? There is zero flexibility. It either asks you everytime or it doesn't. sudo at least begins a session that expires after a while and is never needed when changing anything in your account. The user is the one who has to be smarter to avoid installing crapware but the end-users will get annoyed by UAC and either ask someone who knows computers everytime it pops up "SHOULD I RUN IT" or will always say allow and eventually get infected.

i guess once you give an extra layer of security/protection to someone, ppl think that without it, they are doomed and can't live without it.

Share this post


Link to post
Share on other sites
RaisinCain    0

The guy WORKS for Microsoft- what'd everyone expect?

Share this post


Link to post
Share on other sites
Mordkanin    225
During the setup of my computer when I received it, UAC drove me nuts instead of "helping me". Maybe if I activate now it won't go berserk but I never saw a need for this in XP or 2000 so I don't see a need for this in Vista.

Massive amounts of elevation are normal during any computer's setup phase, regardless of your OS.

Besides, how is UAC smarter? There is zero flexibility. It either asks you everytime or it doesn't. sudo at least begins a session that expires after a while and is never needed when changing anything in your account

Developers can sign apps to automatically request elevation at startup, or not request it, and do virtualization, or whatever fits their app's profile, all without the user having to manually deal with it. However, the user can at any point force an app to run as an Admin.

When sudo begins a session, are you not in a command prompt? You can do the exact same thing in Vista. Just start an elevated command prompt, and voila! Every single program launched from there will have elevated privledges, exactly the same as UAC.

And UAC is not required for changing anything related to your user account (Except regedit, for some stupid reason. They should really have done a task manager type deal with regedit, allowing you 'relaunch' it as an Admin from inside the program.) It only comes into play with things you could otherwise not do as a "Limitted" user. And even then, it lets you do more than a limitted user, thanks to registry and file system virtualization.

Share this post


Link to post
Share on other sites
revvo    21
When sudo begins a session, are you not in a command prompt? You can do the exact same thing in Vista. Just start an elevated command prompt, and voila! Every single program launched from there will have elevated privledges, exactly the same as UAC.
Yes and no. I know that if you launch system-related programs in Gnome (probably KDE and XFCE too), a window prompts asking you for your sudo password and the same thing happens, a session is created which expires after "x" minutes, a time length which you can modify in /etc/sudoers. That's far less annoying than saying allow 20 times and it's just as secure because you just typed in the password for admin rights so you know you're doing the changes, not anyone or anything else.

Share this post


Link to post
Share on other sites
+LogicalApex    1,747
How exactly is click "Continue" to one dialog (which you probably hardly ever see) a "drawn-out process?"

UAC does make life a living hell a lot of times...

I have a 80GB external HD that I use from my previous XP system... UAC loves to pop up to delete folders, open folders, move files, etc... I've been through a maze of hitting UAC prompts 20 or 30 times in a minute dealing with files on that drive...

Depending on what you're doing UAC can very very much get in your way... I've said it a zillion times before UAC needs work... In the VERY LEAST MS needs to make the UI presentation a lot better. The way if flickers the screen is simply to hard on the brain... It should be doing a gradual fade transision and not a hard slamming flicker... I understand the intent is to get your attention, but the fact the rest of the screen is blacked out does that fine...

But I should stop making this another UAC improvement thread...

Try using group policy to knock it out as mentioned here...

http://blogs.msdn.com/tims/archive/2006/09/20/763275.aspx

Share this post


Link to post
Share on other sites
whocares78    0
Ok. Therein lies the problem. Thinking you're "no idiot when it comes to computers", therefore, you don't need UAC is completely the wrong idea. UAC is not about preventing you from doing dumb things to your computer, or second guessing your actions (Though it does help every now and then when you do attempt to do dumb things....call it an added bonus.). UAC is about giving running applications the least access to your computer that they need to function.

That said, I have no idea why it's doing what its doing, I just felt you should be aware that turning off UAC is a spectacular way to shoot yourself in the foot with Vista.

If I'm not mistaken, having UAC off makes Limitted accounts more of a PITA to use, so it's much more likely to assume that they're not using a limitted account if they have it off.

you got to be kidding me. everyoine i know with vista turns it off, and we had to turn it off in our test area so we could actually do some testing, rather than just constantly click UAC promts, let people do what they want, if they f&*k it up then thats their problem.

p.s. you are mistaken from what i know, having it enabled is way more of a pain in the ass

Share this post


Link to post
Share on other sites
Brandon Live    232
UAC does make life a living hell a lot of times...

I have a 80GB external HD that I use from my previous XP system... UAC loves to pop up to delete folders, open folders, move files, etc... I've been through a maze of hitting UAC prompts 20 or 30 times in a minute dealing with files on that drive...

It's not UAC's fault if your folder permissions are not set correctly. If you have permission to read/write the drive, you will never see a UAC prompt.

Depending on what you're doing UAC can very very much get in your way... I've said it a zillion times before UAC needs work... In the VERY LEAST MS needs to make the UI presentation a lot better. The way if flickers the screen is simply to hard on the brain... It should be doing a gradual fade transision and not a hard slamming flicker... I understand the intent is to get your attention, but the fact the rest of the screen is blacked out does that fine...

The switch to Secure Desktop isn't supposed to flicker... if it does, there's something wrong with your video driver. The intent of Secure Desktop is not at all to get your attention. It is to ensure that only the user can click on the continue button and that they know where they are clicking (ie. no app is manipulating the screen or the cursor). I agree it's annoying though, and run most of my systems with it off. It is less secure having it off, but only a little and attackers are less likely to expect you have SD disabled since it's on by default.

Share this post


Link to post
Share on other sites
whocares78    0
Because an administrator must have the control of what the users can install on the system, otherwise all users are able to install every program without the control of a central authority. Keep in mind that Windows is a multiuser operating system.

umm you can let users install only certain applications, you can give them install permissions so they can only install, but not do any other admin. it is entirely dependant on the requirements of the job. hell all my users have local admin, i let them becasue they all know what they are doing, and also can't do their job without local admin. and yeah i don't want to spend hours figuring out what to open up so they can do whats needed without local admin

If you knew what you were doing, you would leave it on. Only novices who don't understand how their computers work turn it off.

What method are you using to disable it? The big button in control panel?

LMFAO

this is just TOOOOOOOOOOOO funny only novices turn it off, i better stop writing cause you really are clueless and i don't want to get in trouble

Share this post


Link to post
Share on other sites
franzon    7
It should be doing a gradual fade transision and not a hard slamming flicker...

you have flicker problems probably because you have a graphics card incompatible with Aero (are you using the basic theme?). I also had this problem, but it has been fixed as I bought a Geforce 6200 AGP 256MB Aero capable.

Buy an Aero capable graphics card and the screen transition will become very fast with no flicker.

Edited by franzon

Share this post


Link to post
Share on other sites
+LogicalApex    1,747

I had to post I guess...

Huh? UAC is like "sudo" but easier to use. Whereas the typical "sudo" setup (or, say, the Mac) requires you to enter your password, UAC saves time by simply asking Continue / Cancel in a secure fashion. Other OSes have to ask for a password because they don't have the equivalent of UIPI and Secure Desktop, so they can't trust that a click on "continue" actually came from the user. Thus, the password requirement.

So UAC is basically a much smarter, user-friendly version of "sudo."

Also, UAC never ever asks "Are you sure?" That's not its purpose. UAC says, "Hey, this application wants to start with an escalated privilege level. Should I let it?"

What do you mean UAC never asks are you sure? That is the very nature of what a UAC prompt is... It is a "Hey this program wants "elevated" permissions. Are you sure that is OK?"

Furthermore, UAC prompts are extremely rare. Some legacy applications will cause them to show up more frequently, but those should be pretty rare as well since most popular ones are covered by File/Registry redirection or app-compat shims.

It all depends on the individual user and thier usage senario... I keep UAC on because I like the ActiveX virtualization feature since the only thing I load IE up for is when a site needs ActiveX. It is a comfort to know they can't actually touch my drive... But that doesn't mean I don't get UAC prompts all day... Sadly I do... If the user doesn't make changes to their system a lot then they probably don't, but you can't predict for a user what is rare for them and what isn't...

That's a useless analogy. Turning off UAC is like having an alarm system installed at your house but never turning it on. Someone spent all this time installing this great system for preventing break-ins, and it is wasted because you can't be bothered to enter the code when you come home.

Your analogy is equally, if not more, flawed... In the case of an alarm system the person would have requested its installation... I didn't exactly request UAC :p

So you never go on the internet? Don't use Firefox or Internet Explorer? Or Outlook or Thunderbird or AIM or any other applications that could be vulnerable to remote code execution exploits? Not other computers connected via LAN either?

I've never gotten myself infected with anything during my own usage of my machine in the 9 years I've used Windows... My little brother managed to get a bunch of crap installed on my laptop over the weekend that resulted in a format for me... With UAC on... But that wasn't a UAC fault it was mine for letting him roam unfethered on my machine. If a user is promised the chance to see a carrot UAC, nor any security app, can stop them from trying to see that carrot... No matter how many times the computer says it is bad for them.

I guess if your computer never comes into contact with software or data from other machines... then maybe you wouldn't benefit quite so much. However, I find that to be extremely unlikely.

I'm not sure UAC would help protect a user from anything other than an app somehow magically ending up on their machine and trying to start... If the user downloaded the program and a UAC prompt comes up they are going to hit yes 99.9999% of the time. After all, if they didn't trust the program would they have downloaded it in the first place?

Share this post


Link to post
Share on other sites
whocares78    0
The guy WORKS for Microsoft- what'd everyone expect?

i thought MS employees were supposed to be smart. clearly he aint that bright a spark.

Share this post


Link to post
Share on other sites
+LogicalApex    1,747
It's not UAC's fault if your folder permissions are not set correctly. If you have permission to read/write the drive, you will never see a UAC prompt.

The switch to Secure Desktop isn't supposed to flicker... if it does, there's something wrong with your video driver. The intent of Secure Desktop is not at all to get your attention. It is to ensure that only the user can click on the continue button and that they know where they are clicking (ie. no app is manipulating the screen or the cursor). I agree it's annoying though, and run most of my systems with it off. It is less secure having it off, but only a little and attackers are less likely to expect you have SD disabled since it's on by default.

I'm not convinced the flicker is a graphics driver issue... It acts the same on every one of my machines...

My desktop had an ATI Radeon X1900Pro did it... Upgraded that to a GeForce 8600 GT does it... My new i1520 with an Nvidia 8600M GT does it... Vista 32 and Vista 64...

It doesn't do a soft fade transition (a soft fade would be how XP did when you hit shutdown in the start menu) instead it does a very fast and hard flicker... If I weren't supposed to be sleeping I'd get it on video...

Share this post


Link to post
Share on other sites
Brandon Live    232
During the setup of my computer when I received it, UAC drove me nuts instead of "helping me". Maybe if I activate now it won't go berserk but I never saw a need for this in XP or 2000 so I don't see a need for this in Vista.

Setting up your new computer is clearly the exception, not the rule.

Besides, how is UAC smarter? There is zero flexibility. It either asks you everytime or it doesn't. sudo at least begins a session that expires after a while and is never needed when changing anything in your account.

What do you mean? As I said, it's smarter because in conjunction with other features (UIPI, Secure Desktop) it is able to ensure that the authorization to continue is coming from the user - thus negating the need for you to confirm your password every time. UAC is never needed for changing anything that is specific to your account. It is only required if you are changing something that affects the entire system, another user account, or an object (file, folder, registry key, etc) that you do not have permission to access.

The user is the one who has to be smarter to avoid installing crapware but the end-users will get annoyed by UAC and either ask someone who knows computers everytime it pops up "SHOULD I RUN IT" or will always say allow and eventually get infected.

UAC has absolutely positively nothing to do with users installing crapware. UAC does not require that you ever click "cancel" in order for it to protect you. UAC is not a feature that allows you to run programs as an admin. If you're using UAC, you already are an admin - and you already could do that. What UAC allows you to do is run most or all of your programs with fewer privileges. If an application is limited to only the access it needs in order to function, you significantly limit the damage it can do if hijacked by a remote code execution exploit.

i guess once you give an extra layer of security/protection to someone, ppl think that without it, they are doomed and can't live without it.

Would you feel uneasy about leaving your car unlocked in a parking lot in the middle of the city? I would. Running a web browser with admin privileges feels about the same these days.

When you have a single solution that would have prevented Blaster, Code.Red, Sasser, Slammer, and dozens of other worms - all without the user ever clicking on anything... it seems pretty silly to pass it up.

Share this post


Link to post
Share on other sites
whocares78    0
When you have a single solution that would have prevented Blaster, Code.Red, Sasser, Slammer, and dozens of other worms - all without the user ever clicking on anything... it seems pretty silly to pass it up.

you mean a singel easy solution like KEEPING WINDOWS UP TO DATE.

or altrernativel USING A FIREWALL

all those worms only affected unpatched machines. and guess what all with only the user clicking the windwos update icon, although i am sure you were still in primary school when half of them were released, so can forgive you for not knowing what your on about.

have any recent worms we shoudl be worried about??

Edited by whocares78

Share this post


Link to post
Share on other sites
Brandon Live    232
you mean a singel easy solution like KEEPING WINDOWS UP TO DATE.

Have you never heard of 0-day exploits? Just because you've never been hit by one personally (or don't know it), doesn't mean it won't ever happen to you. Also, lots of businesses can't keep their systems up-to-date without some lag time to test the updates in their environment (with custom LOB apps, etc), which can take days or weeks.

or altrernativel USING A FIREWALL

Clearly, a firewall has absolutely nothing to do with a remote code exploit in your browser or chat client and isn't going to help.

all those worms only affected unpatched machines. and guess what all with only the user clicking the windwos update icon, although i am sure you were still in primary school when half of them were released, so can forgive you for not knowing what your on about.

Excuse me... Who are you again? I'm here to help people. If you want to disagree with me or voice a different opinion then fine. But making such terribly immature and, frankly, dimwitted insults isn't the way to do it. It is, however, a good way to get on my ignore list.

have any recent worms we shoudl be worried about??

The .ANI vulnerability was a good example of UAC / IE Protected Mode doing its job. There have been and will continue to be others. You're much better off being prepared than not.

Share this post


Link to post
Share on other sites
Guest   

UAC is not must have feature. Heck a lot of XP users don't have UAC and they don't really have problems with security. I mean if it annoys you like it does me disable it and end of story, not a big deal to talk about.

Share this post


Link to post
Share on other sites
whocares78    0
Have you never heard of 0-day exploits? Just because you've never been hit by one personally (or don't know it), doesn't mean it won't ever happen to you. Also, lots of businesses can't keep their systems up-to-date without some lag time to test the updates in their environment (with custom LOB apps, etc), which can take days or weeks.

LMFAO zero day exploits are virtually non existent, do you even know what that means. can you even name ONE??

edit: i did a googel and found one zero day exploit, it was for IE, hardly worth worrying about.

zero day exploit means that MS (ort software manufacturer) release a patch which gets reverse engineered by the hackers and an exploit is released the same day, you do realise how hard that is.

last i checked the average was like 20 days. but i expect it may be down to around 10 now (edit: it's down to about 7, hey i was close)

why does it matter who i am, who the hell are you, you arent helpping anyone, you are telling them not to turn it off and arguing about the fact he wants to, if you were helping you would have told him how to disable it simple as that. you can put me on your ignore list i really don't care

as far as i remember the ani vulnerability wasn't a wormwas it?? and i patched the day the update was relased, um how am i vulnerable again.

in general it may be wise to leave it on but really a knowledgable IT guy knows how to keep a system clean, and if it does get messed up can easily fix it, just like we have been doing for the last 5 odd versions of windows

Edited by whocares78

Share this post


Link to post
Share on other sites
billyea    198

Right now what I'm hearing is mostly "it wasn't in XP, so therefore it's useless in Vista" This makes sense.

If you know what you're doing, if you know the common sense rules, if you're willing to take the same risks as running XP, and possibly a lot more risks, then fine, disable UAC. Just don't run around saying it's a useless feature for everyone with a brain, because it certainly isn't, and many exploits have required the acceptance of a UAC prompt before they even work.

Share this post


Link to post
Share on other sites
RaisinCain    0

UAC is crap. It doesn't stop anything. It is another feeble attempt at Microsoft security. Quit with the FUD Brandon.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.