• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

Disabling UAC

Recommended Posts

Mordkanin    225

whocares78, you obviously don't understand what a zero-day exploit it. 0-day means it was exploited BEFORE the patch was released or the vulnerability even known about by the software vendor (UAC helps with all software, not just Microsoft's stuff).

Here's a past list of vulnerabilities that were, in fact, 0-day:

http://casescontact.org/advisories_list.php

Everything from Thunderbird to Photoshop to Foxit Reader has an entry on that list.

as far as i remember the ani vulnerability wasn't a wormwas it?? and i patched the day the update was relased, um how am i vulnerable again.

The ANI vulnerability was used in some cases to download a trojan, so it was very dangerous. It allowed for installation of files into your computer. UAC would obviously stop it if it tried to throw stuff in your system.

UAC is crap. It doesn't stop anything. It is another feeble attempt at Microsoft security. Quit with the FUD Brandon.

Obviously you haven't bothered to actually READ anything he wrote. It has stopped exploits, there is absolutely no denying that.

There is also absolutely no denying that a huge part of the reason why *nix has been more secure in the past has been a constant tendancy for users to not run as root.

That's not FUD, well, maybe the F part, but anyone whose computer is connected to the internet should be fearful of the risks that that brings.

Edited by MioTheGreat

Share this post


Link to post
Share on other sites
g33kb0y    2
It has stopped exploits, there is absolutely no denying that.

You're absolutely right. Unfortunately, I think most people's hatred for UAC is derived more from the frequency of prompts and their sometimes (seemingly) illogical nature. For example, try creating a new directory in Program FIles -- any branch in the hierarchy. You're prompted twice for the creation of a directory, and two more times to name it. To me, there's a much better way to handle that kind of operation and streamline it into a single prompt.

I think Microsoft made the right move with UAC, but I sure as hell hope they tweak it as time progresses.

Share this post


Link to post
Share on other sites
Brandon Live    232
You're absolutely right. Unfortunately, I think most people's hatred for UAC is derived more from the frequency of prompts and their sometimes (seemingly) illogical nature. For example, try creating a new directory in Program FIles -- any branch in the hierarchy. You're prompted twice for the creation of a directory, and two more times to name it. To me, there's a much better way to handle that kind of operation and streamline it into a single prompt.

I think Microsoft made the right move with UAC, but I sure as hell hope they tweak it as time progresses.

Microsoft is very committed to making UAC a better, less intrusive experience. For that particular example, ask somebody running SP1 ;)

UAC is crap. It doesn't stop anything. It is another feeble attempt at Microsoft security. Quit with the FUD Brandon.

Clearly you don't know what FUD means. FUD doesn't mean "something I dislike," "an opinion differing from mine," or "rational arguments that make my emotional position look childish."

UAC is not must have feature. Heck a lot of XP users don't have UAC and they don't really have problems with security.

Yeah, cause no one ever complained about XP's level of security :rolleyes: You don't think stealth malware installations account for a significant portion of spyware/adware/crapware on people's machines?

Share this post


Link to post
Share on other sites
Brandon Live    232
LMFAO zero day exploits are virtually non existent, do you even know what that means. can you even name ONE??

Non-existent? Riiiight. Apparently this entire enormous security industry really exists for nothing, because no one ever attacks unpatched vulnerabilities... right. If you don't have a clue what you're talking about, perhaps you should read these forums and refrain from posting until you can grasp the simplest concepts.

edit: i did a googel and found one zero day exploit, it was for IE, hardly worth worrying about.

I'm sure the people attacked by that (and dozens or hundreds of other 0-day exploits against Windows applications) would feel differently.

zero day exploit means that MS (ort software manufacturer) release a patch which gets reverse engineered by the hackers and an exploit is released the same day, you do realise how hard that is.

Haha, that's a good one. Like I said, don't post when it's obvious you haven't got a clue.

why does it matter who i am, who the hell are you, you arent helpping anyone, you are telling them not to turn it off and arguing about the fact he wants to, if you were helping you would have told him how to disable it simple as that. you can put me on your ignore list i really don't care

I think enough people know who I am. I spend a good chunk of my free time on this forum and others helping people. Fortunately, some people do appreciate it, otherwise I wouldn't bother.

as far as i remember the ani vulnerability wasn't a wormwas it?? and i patched the day the update was relased, um how am i vulnerable again.

It was the same sort of attack as Blaster or any other remote code execution exploit. The payload hardly matters. In this case it was used to distribute spyware/adware before the patch was released.

in general it may be wise to leave it on but really a knowledgable IT guy knows how to keep a system clean, and if it does get messed up can easily fix it, just like we have been doing for the last 5 odd versions of windows

No actual, competent IT person would ever say something like that. You're telling me that your strategy would be something like: "It's okay Mr. CEO, don't worry about our systems getting infected by that 0-day exploit that deletes important data, cripples our machines making it impossible for the company to get work done, or steals private user data like credit card numbers. Sure, our competitors won't get hurt by it because they run with UAC on it and I turned it off because it's annoying. But seriously, it's okay. I know how to run a virus scanner on it afterward, no biggie."

Share this post


Link to post
Share on other sites
Minifig    40

I say we tell him how to turn it off and if it borks his computer up it borks it up.

If it doesn't he's happy, if it does, we warned him.

Tough stale cookies for him.

Share this post


Link to post
Share on other sites
Dashel    542
It's okay Mr. CEO, don't worry about our systems getting infected by that 0-day exploit that deletes important data, cripples our machines making it impossible for the company to get work done

That is the point I think Brandon, you are applying Corporate paranoia to home users and casual business, where the security risk is quite different and rarely mission critical (Who honestly cares about the workstation in a small to mid-size environment?!). All security software is a drag on the user and resources so there will always be a tangible benefit to not running it no matter how Henny Penny you frame your argument. We truly acknowledge and accept the minor risk of not slogging up our PCs with it.

Edited by Dashel

Share this post


Link to post
Share on other sites
Joel    26

Which is more annoying, UAC or searching for why it keeps turning back on?

That is the point I think Brandon, you are applying Corporate paranoia to home users and casual business, where the security risk is quite different and rarely mission critical (Who honestly cares about the workstation in a small to mid-size environment?!). All security software is a drag on the user and resources so there will always be a tangible benefit to not running it no matter how Henny Penny you frame your argument. We truly acknowledge and accept the minor risk of not slogging up our PCs with it.

So, if you lost all of your data that would be OK because at least you didn't have a resource drain while the data still existed?

Share this post


Link to post
Share on other sites
notuptome2004    154

i run with UAC on and have no issues with it and for as long as i been using windows vista ultimate i have not found UAC that intrusive hek it barely pops up for me and when it does that is fine i can deal with it . now i have done some test in the past with vista i have used vista as an admin with and without UAC and with UAC being a Admin rights for my system it helped just alot to stop some things but i was still vulnerable as being a Admin and stuff so then i tested with it off and well my experience was more like XP very not secure tho i had anti spy/virus and everything . now i have tested and am now a standard user not an Admin and well nothing i have had happen as an Admin with UAC on or Off has affected me. so in the end UAC does alot of work to keep your Pc safe and it don't matter if your a Noob or a 1 billion year computer tech, it helps your system in so many ways from all exploits.

Now just waiting on SP1 to make the experience 2x better then it already is

Share this post


Link to post
Share on other sites
FATILA    4

UAC is a resource drain? Guess your realtime av and perhaps software firewall/malware scanner is as well then. Might as well turn them all off to streamline the experience ;).

Share this post


Link to post
Share on other sites
Brandon Live    232
That is the point I think Brandon, you are applying Corporate paranoia to home users and casual business, where the security risk is quite different and rarely mission critical (Who honestly cares about the workstation in a small to mid-size environment?!). All security software is a drag on the user and resources so there will always be a tangible benefit to not running it no matter how Henny Penny you frame your argument. We truly acknowledge and accept the minor risk of not slogging up our PCs with it.

Yeah... who cares who has your credit card number and bank account passwords. It's not like your social security number,which you probably type to get to your bank account, is very important, right?

Share this post


Link to post
Share on other sites
+LogicalApex    1,747
Yeah... who cares who has your credit card number and bank account passwords. It's not like your social security number,which you probably type to get to your bank account, is very important, right?

I'm still not convinced UAC gives enough information to prevent these kinds of situations anyways... A typical user scenario can go like this...

1. User clicks a link in his email promising him the chance to see some x-rated video of some super star

2. Once user is at the site it asks him to download this "viewer" application and he'll be all good to watch the video.

3. The web page informs him that he'll see a UAC prompt and just hit continue and all will be well...

4. Since he wants to see the video he hits continue to the UAC prompt... Now the program has free reign to do whatever it likes...

The user's saved bank account passwords and files relating to personal information have been uploaded to some remote server and he's S.O.L... UAC, or anything, could not have protected him; beyond plain old education...

Although, this scenario isn't likely to play out that way since the theft of bank account information, et. al, is now mainly done with Phishing scams... Bypassing "the box" altogether...

Share this post


Link to post
Share on other sites
+Zag L.    695

Actually Frazell, your situation may be possible in FireFox but not IE if UAC is enabled and the site isn't a trusted site. When IE is running with UAC on the browser is running in sandbox mode thus the program only has free range as far as that isolated process is concerned.

Share this post


Link to post
Share on other sites
Mordkanin    225
I'm still not convinced UAC gives enough information to prevent these kinds of situations anyways... A typical user scenario can go like this...

1. User clicks a link in his email promising him the chance to see some x-rated video of some super star

2. Once user is at the site it asks him to download this "viewer" application and he'll be all good to watch the video.

3. The web page informs him that he'll see a UAC prompt and just hit continue and all will be well...

4. Since he wants to see the video he hits continue to the UAC prompt... Now the program has free reign to do whatever it likes...

The user's saved bank account passwords and files relating to personal information have been uploaded to some remote server and he's S.O.L... UAC, or anything, could not have protected him; beyond plain old education...

Although, this scenario isn't likely to play out that way since the theft of bank account information, et. al, is now mainly done with Phishing scams... Bypassing "the box" altogether...

That scenario is not what UAC is going to protect him from.

What UAC will protect the user from is someone sending an email that exploits a bug in whatever email client the user uses, or whatever browser the user uses, etc. (There have been many that do just that to automatically execute code).

It'll probably protect the more tech savvy users from stupid mistakes, yes. But on people who don't know what they're doing, it'll mostly just protect them from automatically running exploits, things the User doesn't have to actually do to run into trouble.

Share this post


Link to post
Share on other sites
0sit0    165

I wont bother reading everything... ill just say that when my cousins had windows XP they used to call me every now and then because their computers were "slow". (filled with spyware) now with vista not even once! why? lets just say its magic! :sorcerer: (thank you UAC) :D

Share this post


Link to post
Share on other sites
Brandon Live    232
I'm still not convinced UAC gives enough information to prevent these kinds of situations anyways... A typical user scenario can go like this...

1. User clicks a link in his email promising him the chance to see some x-rated video of some super star

2. Once user is at the site it asks him to download this "viewer" application and he'll be all good to watch the video.

3. The web page informs him that he'll see a UAC prompt and just hit continue and all will be well...

4. Since he wants to see the video he hits continue to the UAC prompt... Now the program has free reign to do whatever it likes...

The user's saved bank account passwords and files relating to personal information have been uploaded to some remote server and he's S.O.L... UAC, or anything, could not have protected him; beyond plain old education...

Although, this scenario isn't likely to play out that way since the theft of bank account information, et. al, is now mainly done with Phishing scams... Bypassing "the box" altogether...

Mio is correct. As I've said dozens of times here - UAC isn't meant to protect you from that sort of attack. If you're going to choose to run untrusted code on your box, your box is already owned.

What UAC and Protected Mode IE protect you from is this scenario.

1. User receives and e-mail that exploits an Outlook vulnerability, and his machine is rendered unusable, data from all user accounts is stolen or lost.

It also protects especially well against this scenario:

1. User browsers IE to a malicious website

2. User magically has spyware installed on his machine.

This sort of attack was very common against Windows XP, especially for users who browsed to sketchy websites (warez / pirating sites are the biggest culprits, probably followed by "free porn" type sites), and even moreso for those whose systems weren't fully patched.

With Protected Mode IE, even if there's a vulnerability found in IE7 (or a more general Windows vulnerability - like the .ANI cursor one), attacks are severely limited because they can't do anything outside of the Low Integrity "sandbox" that IE is confined to.

Basically what happens when one of these vulnerabilities is hit is that the application (IE, Outlook, AIM, whatever) becomes a zombie under the control of the attacker, executing whatever instructions they feed it. But if the application can't do things like affect other users (or in the case of Protected Mode IE, even read the filesystem) to begin with, it's still bound by those restrictions when it is hijacked.

Vista uses this same "protected mode" technique (running things at Low Integrity) in many other places, including the content indexing pipeline - so that indexing a malicious file or e-mail attachment won't trigger an attack, which has been a problem for Google Desktop before since they don't do this (see last year's WMF vulnerability). Same goes for previewers in Explorer, and there will be more uses of it in the future.

Turning off UAC disables all of that, leaving you more vulnerable in countless ways.

Edited by Brandon Live

Share this post


Link to post
Share on other sites
billyea    198

One thing I wonder is why stuff like Protected Mode IE had to be integrated into the same system as the prompts, and covered under the umbrella term UAC. If someone turns off UAC looking to just turn off the prompts, a ton of other security features just flick off and their computer is now vulnerable? That's not very good design.

Yes, I know there's TweakUAC, not everyone else does though.

Share this post


Link to post
Share on other sites
Brandon Live    232
One thing I wonder is why stuff like Protected Mode IE had to be integrated into the same system as the prompts, and covered under the umbrella term UAC. If someone turns off UAC looking to just turn off the prompts, a ton of other security features just flick off and their computer is now vulnerable? That's not very good design.

Yes, I know there's TweakUAC, not everyone else does though.

Without UAC there is no notion of "integrity levels" for objects. Since Protected Mode IE runs IE as a "low integrity" process - it pretty clearly depends on UAC.

Share this post


Link to post
Share on other sites
WindowsOnIMac    0
Have you tried TweakUAC, or the relevant registry key it relates to? It enables you to leave UAC on but hide the popups which is all people hate about UAC in the first place. It's a godsend for me, the perfect compromise!

It's a tiny program and can be found on Google.

Not quite, bravadon. UAC also keeps many non-vista programs from:

a) Installing

b) Starting it even if it will install

c) In addition to the idiotic suspension of the Desktop to enter necessary administrative permission. I have no idea why they did that (other than they just don't trust their customers to realize when they're not already using an account with full admin rights.

How condescending of Microsoft.

Apple, condescending as it is toward its customers, doesn't suspend EVERYTHING so a limited user can enter an Admin username/password. By the way, my account supposedly has "full control" over the computer, including so-called "Special Permissions" (They won't even REMAIN on my account if I set them, BTW), yet I STILL have to go and change permissions on the ENTIRE HD to be able to "control everything." And even then, there are many files/folders I STILL can't control. You know this is true, I know this is true, ANYONE who can THINK knows this is true.

Screw this "limited Admin" account. Hell, man, I'm the darned "OWNER", as well as having OWNERS rights, as WELL AS being a member of the Admin Group -- of this machine, and STILL cant control it any time I desire. This is NOT "Full Control", as Microsoft claims.

Try opening any folder under "C:\Documents\username\My Documents", on a freshly-installed Vista, even with FULL ADMIN rights, and then tell us how Microsoft gives us "Complete Control". Shoot, you will be unable even to open your OWN folders, including My Music, My Documents, My Pictures, UNLESS you open "C:\Users" first and access your files from there. So much for "full control".

Donald McDaniel

Share this post


Link to post
Share on other sites
Mordkanin    225
a) Installing

Uh, yeah. I certainly don't every program I run to have "Admin" privledges (Think apps that use the internet for a rather blatantly obvious example of why), or to have full reign of my \Program Files\ and \Windows\ directory. It's all about LUA.

b) Starting it even if it will install

Only if the app is poorly coded, or wants to make system wide changes.

c) In addition to the idiotic suspension of the Desktop to enter necessary administrative permission. I have no idea why they did that (other than they just don't trust their customers to realize when they're not already using an account with full admin rights.

The secure desktop prevents things from falsifying input on the UAC prompt. It's a security feature. You can disable it, probably to no ill effect, as the fact that it's on by default will make exploiters ignore it.

Apple, condescending as it is toward its customers, doesn't suspend EVERYTHING so a limited user can enter an Admin username/password.

Apple requires you to enter your password. Vista doesn't, thanks to a number of security features that make it safe not to require it (UIPI, the Secure Desktop, etc.)

I mean, you could rig it to require password entry, and disable the secure desktop, and it'd be just like Apple's setup. However, I think the Secure Desktop + No password is easier, and just as secure.

Try opening any folder under "C:\Documents\username\My Documents", on a freshly-installed Vista, even with FULL ADMIN rights, and then tell us how Microsoft gives us "Complete Control". Shoot, you will be unable even to open your OWN folders, including My Music, My Documents, My Pictures, UNLESS you open "C:\Users" first and access your files from there. So much for "full control".

Those folders don't actually exist. The "My Documents", etc. folders were all replaced by "Documents" and such. I believe the C:\users\username\my whatever\ folders might just be there to help out poorly coded programs that didn't properly query for special folder paths. I could be wrong though, I've never actually looked into it, but that's the only reason I can think of for them to be there.

By the way, my account supposedly has "full control" over the computer, including so-called "Special Permissions" (They won't even REMAIN on my account if I set them, BTW), yet I STILL have to go and change permissions on the ENTIRE HD to be able to "control everything." And even then, there are many files/folders I STILL can't control. You know this is true, I know this is true, ANYONE who can THINK knows this is true.

That's because some subfolders do not inherit their ACLs from their parents, with good reasons. I can't possibly think of a reason why you'd want to give a user account Full Control of the entire system drive. That's for TrustedInstaller and Administrators.

And I daresay that if you actually knew what you were doing you would be able to take full control of your drive with two lines typed into an elevated command prompt. But in addition to being able to that, if you knew what you were doing, you wouldn't ever do it, as you'd probably break something horribly in the process (Messing with ACLs in the \Windows\ folder is just asking for things like Windows Updates to fail to install in the future.)

Edited by MioTheGreat

Share this post


Link to post
Share on other sites
NEVER85    248
Uh, yeah. I certainly don't every program I run to have "Admin" privledges (Think apps that use the internet for a rather blatantly obvious example of why), or to have full reign of my \Program Files\ and \Windows\ directory. It's all about LUA.

Only if the app is poorly coded, or wants to make system wide changes.

The secure desktop prevents things from falsifying input on the UAC prompt. It's a security feature. You can disable it, probably to no ill effect, as the fact that it's on by default will make exploiters ignore it.

Apple requires you to enter your password. Vista doesn't, thanks to a number of security features that make it safe not to require it (UIPI, the Secure Desktop, etc.)

I mean, you could rig it to require password entry, and disable the secure desktop, and it'd be just like Apple's setup. However, I think the Secure Desktop + No password is easier, and just as secure.

Those folders don't actually exist. The "My Documents", etc. folders were all replaced by "Documents" and such. I believe the C:\users\username\my whatever\ folders might just be there to help out poorly coded programs that didn't properly query for special folder paths. I could be wrong though, I've never actually looked into it, but that's the only reason I can think of for them to be there.

That's because some subfolders do not inherit their ACLs from their parents, with good reasons. I can't possibly think of a reason why you'd want to give a user account Full Control of the entire system drive. That's for TrustedInstaller and Administrators.

And I daresay that if you actually knew what you were doing you would be able to take full control of your drive with two lines typed into an elevated command prompt. But in addition to being able to that, if you knew what you were doing, you wouldn't ever do it, as you'd probably break something horribly in the process (Messing with ACLs in the \Windows\ folder is just asking for things like Windows Updates to fail to install in the future.)

100% agreed. I'm glad someone understands how UAC and Vista in general works, instead of the uninformed bashing of it that's prevalent in this thread.

Share this post


Link to post
Share on other sites
Brandon Live    232
Not quite, bravadon. UAC also keeps many non-vista programs from:

a) Installing

b) Starting it even if it will install

Actually, disabling UAC has caused more of these such problems than UAC itself. In fact, I have never seen nor heard of a program that requires you to disable UAC. Not one. However, for a long time Adobe Reader wouldn't install properly if you had UAC disabled. A sidebar gadget I wrote wouldn't work properly with UAC disabled because it registered a per-user activeX control, and fixing that was a bit ugly.

c) In addition to the idiotic suspension of the Desktop to enter necessary administrative permission. I have no idea why they did that (other than they just don't trust their customers to realize when they're not already using an account with full admin rights.

How condescending of Microsoft.

Judging somebody based on your own ignorance is unwise. UAC prompts are shown on the Secure Desktop to protect you and your computer. Without switching to the Secure Desktop, the consent or credential dialogs are more vulnerable to attack (especially the consent dialog for admin users, I've seen examples and they probably aren't what you'd think of).

Apple, condescending as it is toward its customers, doesn't suspend EVERYTHING so a limited user can enter an Admin username/password.

Right, but Apple doesn't care about security. They also don't have a consent dialog so they don't have to verify that the input is coming from the user, isn't being altered, and that the user is seeing the dialog as intended.

By the way, my account supposedly has "full control" over the computer, including so-called "Special Permissions" (They won't even REMAIN on my account if I set them, BTW), yet I STILL have to go and change permissions on the ENTIRE HD to be able to "control everything." And even then, there are many files/folders I STILL can't control. You know this is true, I know this is true, ANYONE who can THINK knows this is true.

Obviously you don't understand how UAC works. If you are a member of the Administrators group, you don't actually "get" any access you inherit from that group unless you are elevated. However, if your user account or the Users group has access, then you don't need to elevate.

Taking ownership and/or full control of an entire hard drive, if it is your system drive, is a particularly disaterous idea. Security is just one problem - if you take ownership and access away from important system accounts (like SYSTEM, TrustedInstaller, etc) you could render your machine unusable, break certain features, or cause stability problems.

Screw this "limited Admin" account. Hell, man, I'm the darned "OWNER", as well as having OWNERS rights, as WELL AS being a member of the Admin Group -- of this machine, and STILL cant control it any time I desire. This is NOT "Full Control", as Microsoft claims.

A "limited account" by definition is not a member of the Admin Group. If it is, it's an Admin, and by default you will never have to enter credentials, just click "continue" if you wish to let an application run with Admin privileges (which should be pretty much never).

Try opening any folder under "C:\Documents\username\My Documents", on a freshly-installed Vista, even with FULL ADMIN rights, and then tell us how Microsoft gives us "Complete Control". Shoot, you will be unable even to open your OWN folders, including My Music, My Documents, My Pictures, UNLESS you open "C:\Users" first and access your files from there. So much for "full control".

Well that's obviously a load of crap. There is no directory at "C:\Documents" or even "C:\Documents and Settings" - that directory has been renamed to "C:\Users". If you're trying to access it via the wrong path, obviously it isn't going to work.

There is a hidden symlink set up for compatibility purposes, but it won't show up in the UI, no links in the Start Menu or anywhere else will take you there, and obviously you aren't meant to go there.

Share this post


Link to post
Share on other sites
WindowsOnIMac    0
That's not funny nor an example... but okay. Besides, do you really think the military doesn't have protocols to require confirmation when someone is given the highest clearance (or let's say, authorization to arm nuclear weapons, etc)?

Anti-whatever software can't protect you from an attack that exploits a flaw in some application you run. It can identify and maybe even block viruses or malware that someone tries to install via that exploit, but it can't do anything about the exploit itself. Even then, such software is reactive. It can't stop something that hasn't been identified and analyzed. UAC creates a very substantial firewall of sorts that prevents exploited programs from doing serious damage - even from completely unknown attack vectors, against virtually every application you run.

I do not find fault with UAC, per se.

But I CAN'T STAND that SHUTTING OFF of the Desktop until admin permissions are given. I also CAN'T STAND doing it for the SAME programs time and time again.

It's as if Microsoft were not trusting their customers with their OWN machines.

I have news for Microsoft: I OWN THIS MACHINE! If I want it WIDE-OPEN, that is MY prerogative, not Microsoft's.

(not that I do).

Even Apple, notorious for their condescending attitude and behavior toward their customers, doesn't do this. It simply puts up a popup asking for higher privileges, and LEAVES THE DESKTOP ALONE.

The suspension of the Desktop and dimming of the screen which happens when UAC takes over and demands higher privileges (even though my account supposedly has "full control") are completely unnecessary, and, as it is to most others, completely ANNOYING.

Come on, Microsoft, we are no longer those people who used MSDOS 1.0. We are now a little more computer-savvy than you want us to be or think we are now or were then.

Wake up and recognize that we are ADULTS here. STOP treating us like children.

Venting finished (on this particular idiocy of Microsoft's).

Donald McDaniel

Share this post


Link to post
Share on other sites
Brandon Live    232
The suspension of the Desktop and dimming of the screen which happens when UAC takes over and demands higher privileges (even though my account supposedly has "full control") are completely unnecessary, and, as it is to most others, completely ANNOYING.

Come on, Microsoft, we are no longer those people who used MSDOS 1.0. We are now a little more computer-savvy than you want us to be or think we are now or were then.

Wake up and recognize that we are ADULTS here. STOP treating us like children.

Venting finished (on this particular idiocy of Microsoft's).

How is this "treaing you like children?" The switch to Secure Desktop is necessary if you want to ensure that the prompt is secure. I would think, if anything, that it is treating you more like an adult.

Believe me, nobody here likes the experience of a "system modal" dialog like those elevation prompts. Nobody likes the transition, either. But we're grown-ups, we know that it's there to protect us from attackers who don't care about being "nice" and will happily abuse your system if you give them the chance. There's a lot of work being done to make the experience better, and in the next version I think it's safe to say it will be. Even SP1 has improvements to the number of prompts you see. In the meantime, you can turn it off (and you don't have to turn off UAC to turn off the Secure Desktop switch), and accept the risk.

Share this post


Link to post
Share on other sites
Guest xiphi   
The suspension of the Desktop and dimming of the screen which happens when UAC takes over and demands higher privileges (even though my account supposedly has "full control") are completely unnecessary, and, as it is to most others, completely ANNOYING.

The suspension of the Desktop is COMPLETELY necessary. If you want to see why, download Synergy. It's a perfect example as to why Secure Desktop is needed. Try to remotely use an elevated application with it, or get past UAC with it- it won't happen.

Share this post


Link to post
Share on other sites
billyea    198
I do not find fault with UAC, per se.

But I CAN'T STAND that SHUTTING OFF of the Desktop until admin permissions are given. I also CAN'T STAND doing it for the SAME programs time and time again.

It's as if Microsoft were not trusting their customers with their OWN machines.

I have news for Microsoft: I OWN THIS MACHINE! If I want it WIDE-OPEN, that is MY prerogative, not Microsoft's.

(not that I do).

It has nothing to do if Microsoft trusts you or not, in fact the only iffy point about if they trust you or not is WGA, but that's irrelevant at the moment. It is simply providing you with a way where the dialog provided is one YOU can trust.

And it does do it for the same programs because programs can CHANGE. Outlook for example, may become corrupted by a malicious email you downloaded.

Having a vulnerable machine will, eventually, compromise other machines that this one has contact to, because viruses spread, thus making it those people's prerogatives as well.

Even Apple, notorious for their condescending attitude and behavior toward their customers, doesn't do this. It simply puts up a popup asking for higher privileges, and LEAVES THE DESKTOP ALONE.

Then apple's method is inherently insecure.

The suspension of the Desktop and dimming of the screen which happens when UAC takes over and demands higher privileges (even though my account supposedly has "full control") are completely unnecessary, and, as it is to most others, completely ANNOYING.

They are completely unnecessary until you get a malicious program that tries to fake a UAC dialog. I don't know if they exist yet, but they certainly will. It's microsoft's job to make sure that you can trust their OS to prevent these kinds of things.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.