The Great UAC Debate!

[MagicAndre1981]

Thats one reason why I've disabled it

read this:

https://www.neowin.net/forum/topic/888334-90-percent-of-windows-7-flaws-fixed-by-removing-admin-rights/

:whistle:

[+Warwagon MVC]

UAC is the first thing i disable on every Vista system i setup... UAC is a royal pain in the *SS, and most of my clients absolutely hate UAC, because it constantly nags/annoys the user about the most trivial activities. UAC just gets in the way of getting real work done.

UAC is not a feature, it's a bug, and if microsoft was serious about securing the OS, then they would never have hacked together a crappy/half-assed/stop-gap measure like UAC.

You must be just like the computer repair place in the next town. She's always turning UAC off when ever a computer comes into her shop. I swear she considers it "Tweaking" the machine. But that's ok, I always turn it back on whenever I work on a computer she has previously touched.

[+allan MVC]

Can't believe this thread is still going. Anyway, as was discussed MUCH earlier in this thread, instead of disabling UAC just set it to quiet mode. You still retain most of its functionality without the annoying prompts.

[+Warwagon MVC]

Can't believe this thread is still going. Anyway, as was discussed MUCH earlier in this thread, instead of disabling UAC just set it to quiet mode. You still retain most of its functionality without the annoying prompts.

I was reading up on quiet mode

Is the "quiet" mode of UAC less secure?

If you've used TweakUAC, you've seen the "quiet" option it offers that lets you suppress the elevation prompts of UAC without turning the UAC off completely. In such a mode, you keep all the positive effects of UAC, such as Internet Explorer operating in the protected mode, applications starting without the administrative privileges by default, etc. The only thing that gets changed is that you will no longer see the infamous "Windows needs your permission to continue" messages whenever you attempt to make a change to your Vista configuration, or when you run a program that needs administrative rights.

So in quite mode if you run an app that needs admin privileges, it just gives it to the application? How the hell is that secure? Sure it doesn't nag you, but if an application on my computer wants admin privileges I want windows to prompt me.

[hdood]

So in quite mode if you run an app that needs admin privileges, it just gives it to the application? How the hell is that secure? Sure it doesn't nag you, but if an application on my computer wants admin privileges I want windows to prompt me.

It will still prompt you for third-party software, it's just certain signed Microsoft executables that are allowed to elevate without prompting.

This does somewhat reduce security (if something else can ride along with the automatic elevation), but it's always about compromises. It's better than having someone disable it completely.

(Also, you can actually disable prompts while still keeping things like Protected Mode IE. Forgive me if that's what this "TweakUAC" actually means.)

[unintentional]

I hate UAC. Notepad is a potentially harmful program my butt!

[mrp04]

I hate UAC. Notepad is a potentially harmful program my butt!

It is if run as Administrator.

[LiquidSolstice]

I hate UAC. Notepad is a potentially harmful program my butt!

Yeah, you know, Notepad run as administrator only has the power to edit core system files. I mean, how potnetially harmful is that?

/sarcasm (since I doubt you'll see it)

[Jonny Wright]

I use it. Not saved me yet but I'm sure my time will come :p

[lalalawawawa]

Using the default level in Windows 7. Almost never notice it.

[Buendia]

Did you notice that UAC takes longer to show up if executable is very large in size?

E.g. when launching a setup that is 150MB large, there is noticeable delay in the time UAC prompt shows up, never mind speaking of larger .exe files;

it's like it's "reading" the whole executable before launching the Yes/No dialog.

[onifoni]

Hello.

I had viruses on my computer. But I think UAC kinda saved my ass and made the damage a lot less. First I had one of the viruses that wanted access to something, I pressed no. That didn't come up again. Then this more tricky one came, it kept spamming me with new UAC and wanted access to cmd to do stuff. It kept coming and coming and I keep hitting no.

I don't know if that saved me, but it probably did. Does anyone know if UAC stops giving prompts if you say no for a number of times or did it somehow run? Because while that was happening I did CTRL - ALT - DEL fast to stop all process.

Yeah well so... I don't know 100 % if UAC helped me here. But it seems like it, because some things the viruses were supposed to do (according to tech. info) didn't happen, so it was probably UAC.

[Raa]

Using the default level in Windows 7. Almost never notice it.

Same. Which is one of the many reasons Windows 7 rocks.

UAC doesn't save stupid people. The majority of people out there still click "yes" even though they have no idea what is going on. :rolleyes:

[LukeEDay]

I tried to use it but the popups from pushing the start button cause me to want to kill it ...

[amon91]

Hello.

I had viruses on my computer. But I think UAC kinda saved my ass and made the damage a lot less. First I had one of the viruses that wanted access to something, I pressed no. That didn't come up again. Then this more tricky one came, it kept spamming me with new UAC and wanted access to cmd to do stuff. It kept coming and coming and I keep hitting no.

I don't know if that saved me, but it probably did. Does anyone know if UAC stops giving prompts if you say no for a number of times or did it somehow run? Because while that was happening I did CTRL - ALT - DEL fast to stop all process.

Yeah well so... I don't know 100 % if UAC helped me here. But it seems like it, because some things the viruses were supposed to do (according to tech. info) didn't happen, so it was probably UAC.

UAC stopped the nasty stuff from making changes to your system, that's why you didn't experience all the symptoms. Technically malware can nag you with UAC prompts until you out of desperation click 'Yes' but terminating the process and running a scan immediately is the best thing to do. (Y)

[Darth Laidher]

i disabled it, tired of gettin pop up's, yes its a good thing sometimes but meh i'll take the risk of not having it turned on.

[onifoni]

UAC stopped the nasty stuff from making changes to your system, that's why you didn't experience all the symptoms. Technically malware can nag you with UAC prompts until you out of desperation click 'Yes' but terminating the process and running a scan immediately is the best thing to do. (Y)

Yeah. It actually does seem like that. For example the viruses were supposed to break my internet, but I could access it normally. Some registry changes that should of been done weren't, but only some. It just limited things, which was not all that bad. I didn't check it much though, I formatted the next day just to be on the safe side (you never know what you get into your PC).

Something should of been done against that nagging though; it was really hard and I seriously didn't know what to do. I did no, no, no, no, no then suddenly it stopped? or maybe it ran? or maybe my CTRL ALT DEL accidently pressed yes? No idea.

But for sure I will keep UAC turned on on every computer I ever fix and help people with it, because I saw my myself that it helped... even if it would not limit damages atleast it gave me a sign that I have an infection.

So people, Turn your UAC on! It's not just for your own sake, it's for the your fellow computer users too.

Day by day viruses are getting more. They are also getting more dangerous and finding easier ways to infect us. People who say common sense have no idea what they are doing; I was one of the "common sense people". I was one of those "Don't format, just remove the virus." But then you understand just by going to your daily website, you can infect your PC with a malware cocktail you will learn common sense is useless here.

[Alan-]

I noticed a very interesting thing when I had UAC off, you couldn't elevate processes. With UAC on if you say "Run as Administrator" it will actually do as you say and run as if there is nothing in your way, as long as you allow it via the pop up. However, with UAC off and selecting "Run as Administrator", you really don't get that much of a change and end up having the process be not as elevated.

[hdood]

I noticed a very interesting thing when I had UAC off, you couldn't elevate processes. With UAC on if you say "Run as Administrator" it will actually do as you say and run as if there is nothing in your way, as long as you allow it via the pop up. However, with UAC off and selecting "Run as Administrator", you really don't get that much of a change and end up having the process be not as elevated.

I think you misunderstand. There's no "not as elevated." What normally happens when you have administrator approval mode (AAM, what you mean by UAC) enabled is that your account has two security tokens. One with the rights of an administrator, and one with the rights of a standard user.

By default everything runs with the standard token, unless you click yes to the elevation prompt. When you do that, it switches tokens and runs that specific process with the administrator rights. If you disable AAM, then this standard user token goes away and everything always runs with the administrator token.

In other words, if you disable AAM, then your account becomes a full administrator account and every single thing you click always runs with full administrator rights and full access to your system.

[onifoni]

I think you misunderstand. There's no "not as elevated." What normally happens when you have administrator approval mode (AAM, what you mean by UAC) enabled is that your account has two security tokens. One with the rights of an administrator, and one with the rights of a standard user.

By default everything runs with the standard token, unless you click yes to the elevation prompt. When you do that, it switches tokens and runs that specific process with the administrator rights. If you disable AAM, then this standard user token goes away and everything always runs with the administrator token.

In other words, if you disable AAM, then your account becomes a full administrator account and every single thing you click always runs with full administrator rights and full access to your system.

So, can you say that there is no need to have a "Standard account" for web browsing and these stuff if you have Vista or 7?

Or is it still safe to have one?

And seriously - anyone knows if UAC stops prompting you if you have a malware that keeps wanting access? It gets so annoying and one almost gets depressed haha.

[hdood]

So, can you say that there is no need to have a "Standard account" for web browsing and these stuff if you have Vista or 7?

Or is it still safe to have one?

The best setup is to run as a standard user, if you can live with the hassle of having to log onto an administrator account to make system changes (the credentials prompt is not secure.) If you can't, then admin approval mode is a good compromise.

And seriously - anyone knows if UAC stops prompting you if you have a malware that keeps wanting access? It gets so annoying and one almost gets depressed haha.

Not sure what you mean. Are you saying that your system is infected by something that keeps asking for administrator rights? What you have to understand about UAC (AAM) is that it's not a defense against malware.

First of all, malware doesn't technically need administrator rights to do bad things. Most are designed that way today, but it's not something technically needed. Malware running as standard user still has access to all your data and still has access to the internet. It could still steal all your personal files and make you part of a botnet. Getting administrator rights is merely a convenience that lets it hide itself better.

Second, malware running as standard user can trick you into elevating it, for example by replacing a file that you've downloaded with malware before you have a chance to run it, or by taking advantage of the way the library loader works in order to piggyback on a legitimate elevation request by a program you trust. It's very hard to know what you're actually saying yes to when you see a UAC prompt. For this reason, it's not considered a security boundary at all. It merely exists as a convenience.

It is not safe to run any executables you don't trust, period. Just don't do it. The second you double-click any executable, your system could be compromised.

[onifoni]

The best setup is to run as a standard user, if you can live with the hassle of having to log onto an administrator account to make system changes (the credentials prompt is not secure.) If you can't, then admin approval mode is a good compromise.

Not sure what you mean. Are you saying that your system is infected by something that keeps asking for administrator rights? What you have to understand about UAC (AAM) is that it's not a defense against malware.

First of all, malware doesn't technically need administrator rights to do bad things. Most are designed that way today, but it's not something technically needed. Malware running as standard user still has access to all your data and still has access to the internet. It could still steal all your personal files and make you part of a botnet. Getting administrator rights is merely a convenience that lets it hide itself better.

Second, malware running as standard user can trick you into elevating it, for example by replacing a file that you've downloaded with malware before you have a chance to run it, or by taking advantage of the way the library loader works in order to piggyback on a legitimate elevation request by a program you trust. It's very hard to know what you're actually saying yes to when you see a UAC prompt. For this reason, it's not considered a security boundary at all. It merely exists as a convenience.

It is not safe to run any executables you don't trust, period. Just don't do it. The second you double-click any executable, your system could be compromised.

Sad but true. And especially the last one, it's hard to trust anything. How do you know the Firefox you are downloading is safe and clean? A few weeks ago some famous IRC Server (UnrealD? or something similiar) was revelead having a backdoor for 9 months without the developers even noticing. And a lot of people would say that is a trusted file.

You can't trust anything on the internet. I didn't believe this before but now when I see what can really happen, you don't really have a chance and your best shoot is to: 1) Have backups. 2) Protect yourself with 50 layers of security tools (haha). 3) Be very, very, very, very careful when downloading files & browsing.

[SakuraKira]

I have UAC on and left at default settings. The only time I notice it is when I go to install something, which is very rare. I've read things about UAC before and people act as if it's a constant annoyance, forcing them to disable it. Why is this? What are you doing on a daily basis that is making the UAC prompt you several times? o_O

[Udedenkz]

I have UAC on and left at default settings. The only time I notice it is when I go to install something, which is very rare. I've read things about UAC before and people act as if it's a constant annoyance, forcing them to disable it. Why is this? What are you doing on a daily basis that is making the UAC prompt you several times? o_O

7-Zip couldn't extract newer minefield builds on top of older ones, it always failed.

I just then set it to run with Admin privileges all the time, but that would make UAC prompt me all the time. So I disabled UAC prompting.

That was satisfactory for some time.

Then, I noticed some things starting up extremely slowly (Gothic II auto-run or installer was one of them I think). So, I simply disabled the UAC driver. Surprisingly only a few people realize that this is the only true way to disable UAC.

Whatcha know? Windows 7 felt snappier. And well no annoyingly long pause before launching some programs.

So,

Annoyances can be avoided by turning off UAC prompts as well as making program always run with admin privileges. Ex: 7-Zip

Disabling UAC prompts != disabling UAC; disabling UAC is done by nuking the driver.

Nuking UAC = startup performance increase in some applications.

[franklin101]

UAC doesn't do all that much, but I don't find it annoying enough to make me turn it off. Vista just bugs me.