The Great UAC Debate!

[Brandon Live Veteran]

So what happens if I download some freeware app and UAC tells me that 'This app wants to access your computer'?

If I click Deny - it closes.

If I click Allow - it'll be able to do what it wants. Since I obviously want to run the program since I dbl-clicked it - I'll most likely click allow anyway, due to the fact that there are no details.

Where's the 'Details' button?

There is a "details" button. It tells you the command line that is being invoked with High integrity level.

If you want to run something, and you trust it not to damage your system, then yes - you will click yes and the application will be able to run. However, most applications do not require administrator privileges to run, so UAC allows you to run them with more limited access. Then when the application (IE, Firefox, AIM, Outlook, Thunderbird, whatever) gets attacked through a vulnerability in its code, it is prevented from doing significant damage and in many cases will fail altogether.

UAC isn't about preventing untrustworthy applications from being installed. It is about preventing trusted everyday applications from being hijacked via remote code execution exploits. It's what lets IE run in its Protected Mode sandbox, which has stopped every single IE vulnerability against Vista so far from being effective. It's what lets the shell run previewers in Low integrity level to prevent malicious files from targetting vulnerabilities in previewers.

In the most sophisticated case, the attack would result in a UAC dialog appearing out of nowhere. For example, you clicked on an e-mail message or accepted an IM request and a UAC dialog appeared out of nowhere. Hopefully, you would click "cancel."

[Ryan R]

Well - with faster CPUs on the market and users being able to run so much stuff at the same time - there's less [what's the word] 'area' that you can call 'nowhere' from which a UAC prompt is triggered? Hopefully you get what I'm saying.

I'll wait for a reply then unsub from this thread.

[+Nik Louch Subscriber²]

My experiencew with UAC:

Setup a few Vista PC/Laptops over Christmas. UAC kicked in at times I would expect it it - anything installing or changing the system in a more than trivial way. A simple "Yes" or "Yes and don't remind me again" and job done.

It DID NOT get in the way of "average" usage of the systems.

Will I leave it enabled? Yes - it seems to be a nice common-sense interface to a good layer of protection.

Your choice? Sure, leaving UAC on or off is up to each user - however I have a real problem with trolls jumping into every forum pushing their "Disable UAC" agenda on users who could benefit from its protection.

[Linkinfamous]

Well - with faster CPUs on the market and users being able to run so much stuff at the same time - there's less [what's the word] 'area' that you can call 'nowhere' from which a UAC prompt is triggered? Hopefully you get what I'm saying.

I'll wait for a reply then unsub from this thread.

Sorry, not following what you're trying to say.

[Marcel T]

Why is it still true that if a file has any type of "installer" text in the filename, it prompts for elevation even if not needed? (as described in this article from almost a year ago, with quotes from Mark Russinovich).

Also, wasn't Mark Russinovich quoted as saying UAC will in the near future be made malware's b*tch. Well, not those words exactly, actually "malware will thrive, even with Vista's UAC".

[Linkinfamous]

Why is it still true that if a file has any type of "installer" text in the filename, it prompts for elevation even if not needed? (as described in this article from almost a year ago, with quotes from Mark Russinovich).

That's done because older installers are not going to be signed, and will start without Admin privileges, then just fail in the middle of setup.

Also, wasn't Mark Russinovich quoted as saying UAC will in the near future be made malware's b*tch. Well, not those words exactly, actually "malware will thrive, even with Vista's UAC".

It's because malware will have to either piggyback on installers, which users will be elevating without question, or get used to running without Admin privileges. It's not going to stop malware, that's not its job, and malware authors will quickly adapt to running with limitted privileges (It's not like you need to be an Admin to send out spam, or anything)

[primexx]

Just got a new computer, and for the first time since Beta 2 I've left UAC enabled on there.....and **** its a pain in the ass. It prompts you for everything, and you also never know if a program will fail because it's not configured properly to either elevate or run in user mode. Granted, the latter isn't UAC's problem, it's still annoying on the part of the applications themselves. I ended up disabling secure desktop because the flicker was giving me a headache, I'll probably keep the prompts though since it's going to be used on untrusted networks.

[Linkinfamous]

If you 'just got a new computers', then you've only just been doing software installation and system setup. Obviously there's going to be a lot of elevation during this time, like any other OS.

[FlibbyFlobby]

I like UAC personally (though I went through an initial period of annoyance). Anything that brings Windows more in line with the Linux security is a good thing in my opinion.

I would like to see more UAC improvements in the future. A level between consent and credentials would be nice. For example if I'm moving files in "Program Files" a consent box would be appropriate I feel; however if I'm running an installer for something I'd prefer to have to give my credentials to proceed. It would also be nice to be able to run an elevated explorer window (this would be better than a consent box), like how you can with Nautilus on Linux. I guess you can do this with a shell prompt but it would be nice. It would also be quite handy when prompted to be able to keep the elevated status for a set period of time (say a minute or too), again like on some Linux distros.

Overall UAC is great though. There's little reason to turn it off. :)

[Linkinfamous]

I would like to see more UAC improvements in the future. A level between consent and credentials would be nice. For example if I'm moving files in "Program Files" a consent box would be appropriate I feel; however if I'm running an installer for something I'd prefer to have to give my credentials to proceed.

The only problem with something like that is that there's really no difference in the privileges being given to the process (Either explorer or the installer), so there's really no point in doing that from a security standpoint. If you're going to be allowing explorer to launch elevated processes with a simple consent dialog, there's no point in the credentials dialog, because you can get explorer to do pretty much anything you want for you.

[Litespeed]

I use UAC on both my Vista machines. The ONLY time I could see turning it off is when you're re-installing your PC. Being prompted every few minutes gets old really fast. However, I've found that over time you see less and less prompts.

The one thing that I wish MS could do would be to speed up the loading of the consent process. Even on my fast PC at work, it still takes a second or two to load the UAC prompt. If they could make it instant, it would seem much less intrusive.

EDIT: Apparently, it's not a good idea to disable the secure desktop.

Edited January 21, 2008 by Litespeed

[FlibbyFlobby]

The only problem with something like that is that there's really no difference in the privileges being given to the process (Either explorer or the installer), so there's really no point in doing that from a security standpoint. If you're going to be allowing explorer to launch elevated processes with a simple consent dialog, there's no point in the credentials dialog, because you can get explorer to do pretty much anything you want for you.

I agree with you to an extent. In Linux if I had to work with files outside my home directory I would use this way sometimes over a command prompt because it was easier and quicker. The problem is, where do you draw the line with security? Do you lock out things like this because the user might accidentally install something malicious/do something wrong, or trust they know what they are doing with an elevated file manager window? Perhaps Windows just isn't mature enough in a security sense to handle this yet; home users still need time to adapt too. Conversely Linux is better suited in both respects. It's just where I think UAC could go in the future tbh. :)

[primexx]

If you 'just got a new computers', then you've only just been doing software installation and system setup. Obviously there's going to be a lot of elevation during this time, like any other OS.

Well, from my usage habit on the current computer, I play around with UAC protected stuff on a daily basis, even after the initial installation of programs.

[Dashel]

I disagree. By running your machine in a blatantly insecure manner, you are opening up your box to become a DoS or e-mail spamming bot that will affect me personally. Further, it would stop people (like several on this thread) who disable UAC on other peoples machines, or who advise others to out of ignorance.

It's not going to stop malware, that's not its job, and malware authors will quickly adapt to running with limitted privileges (It's not like you need to be an Admin to send out spam, or anything)

I think this is where people get confused about UAC. For something that gets in the way of the user it is a hassle if we can't see a tangible reason to enable it. "UAC is there as a mitigation of attacks against everyday applications" isn't exactly on the high list for most users or administrators. Malware is, whether it is true or not, the reason that most people I talk with that even know what UAC stands for keep it on (as in not that extra box they have to hit yes to from time to time).

Again, I'm not knocking UAC, it serves a legitimate function - to whip application developers in line. It just seems wrong to get all frothy with those who choose to disable it for now. When MS meets its promise to remove all prompts from normal system operations and application vendors get on the same page I think many will revisit it.

[waruikoohii]

I also get prompts running WinRAR with UAC enabled, since it has to be run with Admin Privileges.

WinRAR doesn't need to be run elevated. Are you sure you weren't unzipping to protected folders, or are you sure WinRAR wasn't set to launch as an administrator under the compatibility tab?

I've never had WinRAR try to launch as an admin. I do get a prompt when opening an archive from IE, but that's due to Protected Mode.

I use UAC on both my Vista machines. The ONLY time I could see turning it off is when you're re-installing your PC. Being prompted every few minutes gets old really fast. However, I've found that over time you see less and less prompts.

The one thing that I wish MS could do would be to speed up the loading of the consent process. Even on my fast PC at work, it still takes a second or two to load the UAC prompt. If they could make it instant, it would seem much less intrusive.

EDIT: Apparently, it's not a good idea to disable the secure desktop.

It really depends. UAC is still effective with the Secure Desktop disabled, however, it makes you vulnerable to spoof attacks.

[HawkMan]

I use UAC on both my Vista machines. The ONLY time I could see turning it off is when you're re-installing your PC. Being prompted every few minutes gets old really fast. However, I've found that over time you see less and less prompts.

The one thing that I wish MS could do would be to speed up the loading of the consent process. Even on my fast PC at work, it still takes a second or two to load the UAC prompt. If they could make it instant, it would seem much less intrusive.

EDIT: Apparently, it's not a good idea to disable the secure desktop.

It's not a good idea to turn off UAC when installing the computer and then enabling it again, as you'll install everythgin withou the virtual storage stuff, and then turning it one.

use silent mode during initial install.

[FATILA]

Microsoft have always recommended running with lower privileges, UAC simply gives the user the option to easily run one account and elevate on a per case basis with minimal fuss rather than using "run as" and entering credentials (which is always still an option of course). So really we have the best of both worlds, and I realise this is not normal practice for many Windows home users, but it really is very necessary in the environment most wan connected computers are in today.

[jmc777]

In Vista, when I am doing a fresh, clean install of Vista, I will disable UAC so I can go on installing all my software. Afterwards, I will then turn on UAC for security reasons, and security reasons only.

I've always wondered about this. Would turning UAC off, then installing a program that writes to parts of the file system and registry that are supposed to be off-limits in Vista, then turning UAC back on, result in UAC asking the user to elevate when they attempt to start the program? (Whereas, if they had actually installed the software with UAC on, file and registry virtualisation would have worked around this, so that the program would launch without requiring elevation)

Maybe someone who has experimented with this could comment?

[ViperAFK]

I've always wondered about this. Would turning UAC off, then installing a program that writes to parts of the file system and registry that are supposed to be off-limits in Vista, then turning UAC back on, result in UAC asking the user to elevate when they attempt to start the program? (Whereas, if they had actually installed the software with UAC on, file and registry virtualisation would have worked around this, so that the program would launch without requiring elevation)

Maybe someone who has experimented with this could comment?

When I built my PC and installed vista my arse friend turned off UAC(Even though I didn't want him too, I hate it when people turn uac off on others computers) on me when I was installing stuff and I installed my programs and I turned it back on and everything has been working fine.

[Linkinfamous]

When I built my PC and installed vista my arse friend turned off UAC(Even though I didn't want him too, I hate it when people turn uac off on others computers) on me when I was installing stuff and I installed my programs and I turned it back on and everything has been working fine.

It can cause data loss for anything written to the Virtual Store.

For instance, let's say I have a program that writes to a file in \Program Files\

I have UAC on, the file is at Version 1.0.

I make a change to the file, so the virtual store has version 2.0, but \Program Files\ still has 1.0.

Now, I turn UAC off. Version 2.0 is in the Virtual Store, so the app won't see it anymore. It'll only see version 1.0.

[Brandon Live Veteran]

UAC is still effective with the Secure Desktop disabled, however, it makes you vulnerable to spoof attacks.

Secure Desktop with UAC has nothing to do with spoofing attacks. What are they going to spoof, "haha, we tricked you into clicking Continue on a box that doesn't really do anything! Owned!"

Secure Desktop is there so that you can give consent instead of credentials, in a secure way.

[Linkinfamous]

Secure Desktop with UAC has nothing to do with spoofing attacks. What are they going to spoof, "haha, we tricked you into clicking Continue on a box that doesn't really do anything! Owned!"

Secure Desktop is there so that you can give consent instead of credentials, in a secure way.

I figured the secure desktop was better for preventing false input to the prompts.

UIPI should stop them from being able to mess around with the consent process, so the window/sound never occurs, and the dialog never even flickers up, accepting the prompt automatically, but without the secure desktop, nothing stops hijacking the mouse and or keyboard, right.

I mean, does anyone actually ever check to make sure they're on the secure desktop? I mean, taking a screenshot, darkening it, and putting up a fullscreen window that tries its best to keep itself on top, killing off things like alt+tab/flip3d wouldn't be hard, to trick the user into thinking they're on the secure desktop.

I mean, yes, the secure desktop will prevent keylogging, but preventing false dialogs?

[Brandon Live Veteran]

I figured the secure desktop was better for preventing false input to the prompts.

UIPI should stop them from being able to mess around with the consent process, so the window/sound never occurs, and the dialog never even flickers up, accepting the prompt automatically, but without the secure desktop, nothing stops hijacking the mouse and or keyboard, right.

I mean, does anyone actually ever check to make sure they're on the secure desktop? I mean, taking a screenshot, darkening it, and putting up a fullscreen window that tries its best to keep itself on top, killing off things like alt+tab/flip3d wouldn't be hard, to trick the user into thinking they're on the secure desktop.

I mean, yes, the secure desktop will prevent keylogging, but preventing false dialogs?

Right. Anyone could make something that looks like the secure desktop. That isn't hard. But as I said, it's not meant to prevent spoofing. If you want to prevent keyloggers, you require CTRL+ALT+DEL.

The darkened screenshot is there as a convenience so that it doesn't look like you're switching desktops... the idea being that it is less jarring. It is darkened so you know that you cannot interact with it. Also, the window that requested the elevation is highlighted (albeit subtly). If you use remote desktop and run something elevated, you know what it actually looks like if that screenshot isn't put there.

[Voyager02]

If I spend my hard earned money buying Vista, then i should have the option to turn things off/on as and when i want to.

I think all operating systems/software should by law be made to give the buyer a choice of turning things off or on.

An example is the balloon pop-ups in win-xp/vista, they are helpful for people thats learning computers, but for others like me they are just so annoying, so we turn them off. everybody customises their computer the way they like it.

there are all kinds of people in this world who have different opinions and we should respect their comments, so please everybody just think before posting, me included.

[Brandon Live Veteran]

I'm hoping future versions will not have an option to disable UAC,

If I spend my hard earned money buying Vista, then i should have the option to turn things off/on as and when i want to.

I think all operating systems/software should by law be made to give the buyer a choice of turning things off or on.

An example is the balloon pop-ups in win-xp/vista, they are helpful for people thats learning computers, but for others like me they are just so annoying, so we turn them off. everybody customises their computer the way they like it.

If you want an off/on option for every function of the OS, build your own. If you aren't happy with the configuration options available in Windows, there are several feedback channels available to you. If that's not good enough, don't buy it. Use something else. If there isn't something that suits your needs, tough luck.

I don't mean to sound crass, but that's simply the reality of capitalism and (relatively) free market. I don't know what country you live in, but I live in the US - where Microsoft is based. It is entirely counter to American values to suggest that a law should require a manufacturer to offer certain features in this way. In fact, the very notion disgusts me. It's such a blatantly selfish, ill-conceived suggestion that I can only hope you wrote that without thinking it through.

Fascist proposals aside - why doesn't Microsoft provide options for everything that could be turned on and off? That answer shouldn't be hard to guess.

If we had to build Windows such that the user could configure every conceivable option that their little hard desired, we'd never ship anything. Forget the time to code it all, the test coverage alone would add years to every release cycle. The added value would be absolutely miniscule and apply to such a fanastically insignificant portion of the userbase that it's difficult to even fathom. Even more important, the experience would undoubtedly be degraded for a much larger set of the population.

Now, why would Microsoft go and remove the option in Vista that disables UAC? For the same reason Microsoft will probably remove support for XP-style display drivers someday. For the same reason that 16-bit DOS, POSIX, and OS/2 support are gone from 64-bit versions of Windows. For the same reason that old APIs are deprecated in every release.

Because maintaining those alternate code paths, especially for something as pervasive as UAC, is expensive. Every legacy subsystem or API that we need to support means less time and resources to build new, better ones. It means more bloat, more compatibility testing for developers, and a larger attack surface for the bad guys.

Heck, supporting legacy architecture is something Microsoft is usually criticized for. And here you go suggesting we should do more of it.

there are all kinds of people in this world who have different opinions and we should respect their comments, so please everybody just think before posting, me included.

My post was well thought-through. Was yours?