The Great UAC Debate!

[Linkinfamous]

I have moved these threads to this post so the debate can continue. Let's keep the debate civil. Anyone flaming, flame baiting or trolling will be dealt with.

Thanks,

Frank

Before people say this is a bad move, why do I have mine disabled and I don't encounter any problems this feature claims to protect against? It's excatly the same as running XP.

Just because a previous version of the OS doesn't have a security feature doesn't mean you should blindly turn it off. New security features are generally put in for a damned good reason: They make the system more secure.

Giving every running process Administrative privileges has probably been the single greatest security problem that Windows has ever had. UAC fixes this.

Anyway, you shouldn't be encountering UAC that often beyond the initial period where you're installing all your software and stuff. Which programs are giving you trouble?

Edited January 19, 2008 by bmaher
added comment (frank) | added poll (bmaher)

[+allan MVC]

BTW, I've also disabled UAC on my Vista systems. It's a personal choice and one which should not cause problems as long as you use some degree of common sense.

[majortom1981]

I like uac. IT lets me know what the programs are doing. IF program developers got off their butts and made the programs right in the first place then it wouldnt even make uac pop up.

[brandnewfantx]

I leave my UAC on. Doesn't bug me one bit. If there is a program I use that always needs Run as Admin, then I do "Right Click on EXE then properties-> Compatibility Tab -> Check "Run this program as an administrator"->Apply-> OK. "

Over all I would have say alot of these UAC pops really do need to be addressed at the developer level...

[abcdefg]

I like uac. IT lets me know what the programs are doing.

Have they updated UAC?

Last time I used Vista it was more like Just say yes once and what happens next is not under your control.

UAC is just a band-aid. Proper solution would be isolating OS from everything else as well as possible.

Wanna install game? -> Admin rights -> possible deletion of data or rootkit and UAC does nothing.

When does Microslo... sorry, Microsoft move away from current installing scheme where security and portability of programs is a nightmare?

[Popcorned1]

How does installing a game end up to a rootkit or data loss ? If you had it enabled you would not have to deal with the problem of that crap screwing up your computer. UAC does something, it stops potentially dangerous programs from running with administrator privlieges so they cannot cause havoc.

^ You seem like the person who cannot wait to give bashing to Microsoft.

As a personal experience to UAC, once you get over the intial stage of installing all your software and games I rarely see it.

[abcdefg]

How does installing a game end up to a rootkit or data loss ? If you had it enabled you would not have to deal with the problem of that crap screwing up your computer. UAC does something, it stops potentially dangerous programs from running with administrator privlieges so they cannot cause havoc.

Have you ever downloaded&installed anything from the internet?

I'm sure you have. Can you say 100% certainly that there hasn't been anything harmful in that code you gave full privileges to do whatever it wants?

No.

The problem is that there's no point giving some simple install unneeded privileges but currently you have to.

You can do installs without risking anything important but not without third party applications.

It's not that UAC is annoying, it's the lack of security even though it's continuously praised here.

[Popcorned1]

Have you ever downloaded&installed anything from the internet?

Are you talking about those dodgy warez releases that you can never trust or trusted applications ? Applications I got from the internet are Windows Office 2007 (www.theultimatesteal.co.uk), Opera, Firefox, Intype, ApHeMo, W.A.M.P. , etc ... You get the idea of that. I am certain reputable companies are not going to go out their way to put malicous code into their applications. Of course the rare opportunity might arrise where a hacker will exploit it. <- Which is where UAC will stop the attack.

The problem is that there's no point giving some simple install unneeded privileges but currently you have to.

That is a developers problem so until they change their coding habits, it wont change.

[Panacik]

That's the UAC (User Account Control) at work. Some people have it disabled because of it's annoyance nature. I have mine disabled. If you want to disable it, click on your user picture in Start Menu. On the window that come up, click the last link that says Turn User Account Control on or off, untick the box there and click OK.

Before people say this is a bad move, why do I have mine disabled and I don't encounter any problems this feature claims to protect against? It's excatly the same as running XP.

BTW, I've also disabled UAC on my Vista systems. It's a personal choice and one which should not cause problems as long as you use some degree of common sense.

Carefull guys, a few people on the forums will flame you and go right out on a moan about it if you tell people to disable UAC, even if you are correct in what you are saying.

I know this because i said i disabled it before and people went crazy!

[Marcel T]

Like I always say, if the UAC elevation prompts p*ss you off, grab TweakUAC and switch UAC to quiet mode.

[devHead]

Well, I have had UAC disabled for some time now, but not primarily because I found it annoying after initially installing Vista. Rather, some things I simply couldn't get to run correctly. For example, the Task Manager replacement from Sysinternals can not be used as a task manager replacement with UAC enabled. Period. I've tried many ways to make it so and it just doesn't work.

I also get prompts running WinRAR with UAC enabled, since it has to be run with Admin Privileges.

I'm one of those kind of guys who likes to keep my Start Menu > Programs list neat and tidy. But in the "All Users" group, trying to create a new folder and move other Program group folders to it results in repeated UAC prompts. For making folders! I have a Router Firewall, Defender, and Windows Firewall running. I don't download warez or download questionable software; and I have never had any problems without UAC.

[jmc777]

Well, I have had UAC disabled for some time now, but not primarily because I found it annoying after initially installing Vista. Rather, some things I simply couldn't get to run correctly. For example, the Task Manager replacement from Sysinternals can not be used as a task manager replacement with UAC enabled. Period. I've tried many ways to make it so and it just doesn't work.

Are you talking about the task manager replacement in Process Explorer? It's working fine here on my system with UAC enabled.

I also get prompts running WinRAR with UAC enabled, since it has to be run with Admin Privileges.

What version of WinRAR are you using? I'm going to take a guess and say it's an old version, because Vista compatibility was added in version 3.70.

I'm one of those kind of guys who likes to keep my Start Menu > Programs list neat and tidy. But in the "All Users" group, trying to create a new folder and move other Program group folders to it results in repeated UAC prompts. For making folders!

The clue is in "All Users"; you're making a system-wide change, and that's why you're getting a UAC prompt.

[ViperAFK]

Well, I have had UAC disabled for some time now, but not primarily because I found it annoying after initially installing Vista. Rather, some things I simply couldn't get to run correctly. For example, the Task Manager replacement from Sysinternals can not be used as a task manager replacement with UAC enabled. Period. I've tried many ways to make it so and it just doesn't work.

I also get prompts running WinRAR with UAC enabled, since it has to be run with Admin Privileges.

I'm one of those kind of guys who likes to keep my Start Menu > Programs list neat and tidy. But in the "All Users" group, trying to create a new folder and move other Program group folders to it results in repeated UAC prompts. For making folders! I have a Router Firewall, Defender, and Windows Firewall running. I don't download warez or download questionable software; and I have never had any problems without UAC.

I have always had UAC enabled and have NEVER gotten a prompt from winrar. There is something wrong if you are, winrar shouldn't need admin privileges, I've never seen it prompt on any computer.

[Brandon Live Veteran]

Have you ever downloaded&installed anything from the internet?

I'm sure you have. Can you say 100% certainly that there hasn't been anything harmful in that code you gave full privileges to do whatever it wants?

No.

The problem is that there's no point giving some simple install unneeded privileges but currently you have to.

You can do installs without risking anything important but not without third party applications.

It's not that UAC is annoying, it's the lack of security even though it's continuously praised here.

You seem to be confused about what UAC is there to protect you against. UAC is not designed to stop you from downloading and installing malware that horks up your machine. That's the job of Windows Defender and anti-virus software (and the warnings from the browser, to some extent).

UAC is there as a mitigation of attacks against everyday applications, like Outlook / AIM / Firefox / whatever. The goal of UAC is that if such an application is hijacked by any kind of remote code execution exploit, the damage the attacker can do is constrained based on the privilege level of the application.

In the case of IE, UAC means that IE can't even read from or write to the disk outside of specific locations. So it really can't do anything to hurt your system if someone takes it over. That's why every attack against IE in Vista so far has been a non-issue. Other apps that run with "normal" privileges (Firefox, Outlook, whatever) can still do damage to your personal files if hijacked, but at least they can't affect other users on the system or damage the system itself.

It's pretty frustrating when people like you advise others to disable UAC when you don't even understand how it works, or what it's for.

[rtk]

It's pretty frustrating when people like you advise others to disable UAC when you don't even understand how it works, or what it's for.

I'm hoping future versions will not have an option to disable UAC, any insider info on that possibility?

[abcdefg]

You seem to be confused about what UAC is there to protect you against.

No, I'm not confused at all

UAC is not designed to stop you from downloading and installing malware that horks up your machine. That's the job of Windows Defender and anti-virus software

Seeing how poor job anti-crap software generally does that's quite weak defense line.

the damage the attacker can do is constrained based on the privilege level of the application.

Exactly, that's why using admin credentials for installing is bad.

Other apps that run with "normal" privileges (Firefox, Outlook, whatever) can still do damage to your personal files if hijacked, but at least they can't affect other users on the system or damage the system itself.

No they can't if you use small amount of time fine tuning permissions and have automatic back-ups for files/folders you need to modify constantly.

It's pretty frustrating when people like you advise others to disable UAC when you don't even understand how it works, or what it's for.

Holy cow!

I didn't advise to do anything with UAC. Just criticized Windows' general security concepts. Look again.

I'm just glad that there are solutions like VMware and Thinstall so you don't have those installers throwing crap around your HD possibly compromising security.

[Frank]

Posts Moved

I have moved these posts to this thread because the thread they came from was not about UAC but rather a support issue. Let's keep the debate civil. Anyone flaming, flame baiting or trolling will be dealt with.

[Linkinfamous]

Exactly, that's why using admin credentials for installing is bad.

Windows Installer 4.0 is fully capable of installing applications without requiring Admin credentials. I am a little dissapointed that I haven't seen anything take advantage of this capability, though, and I'll admit that I haven't even looked into where it stores the binaries (Maybe the user's AppData\Local folder?)

No they can't if you use small amount of time fine tuning permissions and have automatic back-ups for files/folders you need to modify constantly.

Uh, what? That copy of Firefox is running with the exact same privileges to your system as Explorer is. So unless you've either used icacls to rig all your applications to run with a Low IL like IE does (At which point you'd lose the ability to save files/settings properly because the only application I know of that has been designed to operate like that is Internet Explorer 7), or have taken to completely managing every document you have from elevated command prompts, there's no amount of permission tuning that you can do to keep a hijacked process from mucking with your user's files.

As for backing up, yes, you should back up. However, there should be safety measures in place to help prevent anything malicious from actually forcing you to need to use those backups. Hence, we get things like Protected Mode IE, or for the system files: processes that don't run with a High IL by default.

Edit: Oh goodie. I've got the first post in te "Great UAC Debate!" I feel so very special, or something.

[bl4ck5un]

I don't think anything is up for debate this will not influence every Vista owner in the world. It's down to personal preference, if you know what you're doing (100%) of the time disable it, if not don't. Also comes down to knowledge, if you're say... a 30 year old technology noob you wont know how to use UAC, therefore it does its job.

[Linkinfamous]

I don't think anything is up for debate this will not influence every Vista owner in the world. It's down to personal preference, if you know what you're doing (100%) of the time disable it, if not don't. Also comes down to knowledge, if you're say... a 30 year old technology noob you wont know how to use UAC, therefore it does its job.

:pinch:

That's not the point of UAC. That's not even close.

Ok, yes, it will, on occasion, stop you from doing something stupid. But that's not really it's 'greater' purpose.

As Brandon said above:

UAC is there as a mitigation of attacks against everyday applications, like Outlook / AIM / Firefox / whatever. The goal of UAC is that if such an application is hijacked by any kind of remote code execution exploit, the damage the attacker can do is constrained based on the privilege level of the application.

There is absolutely nothing you can do, experienced or otherwise, to prevent a lot of the things that exploit holes in software. Don't proclaim yourself to be a power user, and shut off the best tool Windows gives you to control the privileges that you give running processes upon execution.

[0sit0]

and at the end of the day people do whatever they want to... why do we need another one of these topics? lol

What Microsoft should do like abcdefg said is change the way programs run on windows. Of course that would mean most programs wouldnt work but oh well... at least programs would run in a more secure environment, and it could make installing programs easier without the need of registry etc.

[Express]

Task Manager replacement from Sysinternals can not be used as a task manager replacement with UAC enabled. Period.

Is wasn't working until November '07. It works with the latest version of Process Explorer. You can now replace taskmanager without any UAC issues.

[Frank]

... why do we need another one of these topics? lol

Because they seem to be popping up every time UAC is mentioned in a support thread. If people want to debate it, debate it here. Stay out of the Vista Support Forum where users need help, not other users coming in and going back and forth whether it is right or wrong.

[+allan MVC]

I'm really not sure why this is such a big deal. People who want UAC enabled should leave it enabled. Those who want it disabled (myself included) should disable it.

Next :)

[Brandon Live Veteran]

Seeing how poor job anti-crap software generally does that's quite weak defense line.

Defense line? How else do you suggest any OS protect against their users installing crap? If the user decides to do something (and they have Administrator access), they are damn well going to do it. It doesn't matter what OS they're on or what dialog box you show them. If the user chooses to run code that isn't trustworthy, there's not much you can do beyond what Defender and programs like it already do.

Exactly, that's why using admin credentials for installing is bad.

Huh? Application installations generally require admin privileges by design. Administrators don't want their users installing applications without their permission (or at all, really). Application installs generally affect the entire machine.

If you're a developer and you want to write something that installs in user-owned directories and doesn't touch anything system-wide, you're free to do so and let users install it without admin credentials. There is obviously nothing stopping you.

No they can't if you use small amount of time fine tuning permissions and have automatic back-ups for files/folders you need to modify constantly.

Again you are speaking from ignorance. If UAC is disabled, there is no way for one application to have different levels of access than another application. If UAC is disabled, any application can take ownership of any file on any drive of the system, and do with it as it pleases. Any application can manipulate, read data from, or inject code into any other application in the user's session.

Fortunately, thanks to Vista and UAC, that is no longer the case (unless you choose to make it that way).

Holy cow!

I didn't advise to do anything with UAC. Just criticized Windows' general security concepts. Look again.

You shouldn't criticize that which you do not understand.

Edited January 19, 2008 by Frank
Lets keep it civil.