UAC, a waste?

[wonderfield]

So UAC wont kick on as it was not user initiated

That doesn't matter. UAC isn't cognizant of what actions are user-initiated versus those which aren't. There are ways to bypass UAC via automation, like with task scheduler (which will require elevation itself), and probably a couple ways to bypass it via an exploit, but if a process needs elevation to do something, it's going to fire.

 

[Tawnos]

UAC is on a different (secure) desktop so that apps can't inject input and automatically click "Yes" on a UAC prompt (or interact with the prompt at all). A desktop switch on slow video drivers causes the glitch described.

Read a couple posts back from me . I know what it is and how it gets there. The only question I don't know the answer to (and neither does Raymond Chen, it seems) is why it does a full mode change, rather than just a framebuffer switch.

 

[Red Squirrel]

You do realize UAC isn't solely about things you clicked and want to do... right?

Yeah but that constant annoyance is enough for me to turn it off. If it actually did all the other stuff and ONLY the other stuff it would be great, but it remains off. I've lived without it on my first computer that ran 98, I lived without it when I got a new PC and upgraded to 2000, I lived without it for may years with XP, I'm sure I can live without it now too. I could count the number of virus/spyware infections I've got in my life using one hand.

I'm sure I'll do just fine without it.

 

[six_storm]

Yeah but that constant annoyance is enough for me to turn it off. If it actually did all the other stuff and ONLY the other stuff it would be great, but it remains off. I've lived without it on my first computer that ran 98, I lived without it when I got a new PC and upgraded to 2000, I lived without it for may years with XP, I'm sure I can live without it now too. I could count the number of virus/spyware infections I've got in my life using one hand.

I'm sure I'll do just fine without it.

This. The only reason that I've turned UAC off is to shut it up. UAC can pop up whenever something is installing, but other than that, leave me alone. Everyone I know sees UAC pop ups left and right, and want it turned off immediately. Not to mention, UAC interferes with a lot of business software, especially banking.

 

[nOrVow]

You know you can use Local security policies to fine tune UAC to your liking? Or do people not know how to do that simple task in this thread? lol =P

 

[Red Squirrel]

Still easier to just turn it off. One of these days I should probably sit down and tweak it, but bah, works fine as it is.

 

[TeeJayHoward]

With UAC:
"Hey, this malicious software wants to install itself. Are you okay with that?"
-Stupid User: Yes
-Smart User: No

Without UAC:
"Installing malicious software."

Is it REALLY that annoying to click a button every now and then?

 

[Gorankar]

This. The only reason that I've turned UAC off is to shut it up. UAC can pop up whenever something is installing, but other than that, leave me alone. Everyone I know sees UAC pop ups left and right, and want it turned off immediately. Not to mention, UAC interferes with a lot of business software, especially banking.

If it is popping up left and right, when they are not actively making a system wide change, or installing/using poorly written software that needlessly wants admin privileges, then they have a problem. And UAC is not the problem.

 

[Red Squirrel]

With UAC:
"Hey, this malicious software wants to install itself. Are you okay with that?"
-Stupid User: Yes
-Smart User: No

Without UAC:
"Installing malicious software."

Is it REALLY that annoying to click a button every now and then?

Except 99.9999% of operations done on a computer are not malicious and it still asks for it, which defeats it's purpose. An anti malware app is much better suited. Sure there's the odds that there's no definitions for a certain piece of malware (especially with the US government being involved with viruses) but at least it ONLY bothers you if there is a real threat.

Imagine if your smoke detector went off randomly just in case there really is a fire. You'd turn it off, or just ignore it every time, when there is a real fire it would serve no purpose. UAC is like the boy who cried wolf.

 

[TeeJayHoward]

Except 99.9999% of operations done on a computer are not malicious and it still asks for it, which defeats it's purpose. An anti malware app is much better suited. Sure there's the odds that there's no definitions for a certain piece of malware (especially with the US government being involved with viruses) but at least it ONLY bothers you if there is a real threat.

Imagine if your smoke detector went off randomly just in case there really is a fire. You'd turn it off, or just ignore it every time, when there is a real fire it would serve no purpose. UAC is like the boy who cried wolf.

I disagree. In my mind, it's more like the smoke detector going off every time it smells smoke. The stupid user will just ignore it every time. The smart user will tell it to ignore the candles she likes to light.

 

[heatlesssun]

The one thing that I don't think anyone had bought up because if the level of arrogance in places like this. Security 101 teaches that you have to assume that bad things will happen to you. If you are assuming that bad things won't happen to you then you've violated the core tenant of security, be it physical or cyber. Indeed, it's why I support the Second Amendment, though I don't excuse failures when fuck ups happen. Be afraid, be very afraid, but screwing up in fear is no defense.

 

[squishy]

Well, my. 02

I think for fairly saavy people it has an obvious benefit. Sadly, for the people that need it most, it is much less effective as they are much, much more likely to hit yes anyway.

For the earlier comparison to sudo, the two are not even remotely alike. If I replace one of your binaries that you use via sudo, you'll still be executing my code. Sudo is intended for a limited command set for unprivaledged users, nothing more. UAC is much more akin to selinux if anything.

 

[daglesj]

In terms of helping the less aware PC users it's not very good. As folks have said for 99.9999999% of the time those messages are safe and just a straight click yes'. So is that type of user going to notice the one time they should click No after clicking Yes for the previous 5 years?

I doubt it.

The idea and intention behind UAC is fine. But the way it's implemented is fatally flawed.

 

[Forceman]

In terms of helping the less aware PC users it's not very good. As folks have said for 99.9999999% of the time those messages are safe and just a straight click yes'. So is that type of user going to notice the one time they should click No after clicking Yes for the previous 5 years?

I doubt it.

The idea and intention behind UAC is fine. But the way it's implemented is fatally flawed.

You can't protect people from themselves. At least UAC gives a chance for someone to stop something bad from happening, which is better than what XP did. And for normal users, once the system is set up and running, they should hardly ever get a UAC prompt.

I still haven't seen anyone give three examples of times the get a UAC prompt (talking about the people who complain about it popping up all the time and harshing their mellow, or whatever). I get it when I run CoreTemp, AfterBurner, and Fraps (which happens whenever I reboot, so about once a weeK) and that's it. I don't see the issue.

 

[Red Squirrel]

As for when I got a prompt, pretty much every single time I install something, for one. I'd have to turn it on again just to see what else triggers it, but definitely software installation.

These actions are 99.9999% of the time safe, there could be the odd ball chance that a program I'm installing is infected and has a virus, but if I clicked on it, it's assumed I don't know it's infected, and I'll click yes anyway. Hopefully the AV will have caught it before it gets to that point. There is no point in warning "in case" something is malicious. It's better to actually detect that something is, and only actually do something if it is.

 

[Forceman]

As for when I got a prompt, pretty much every single time I install something, for one. I'd have to turn it on again just to see what else triggers it, but definitely software installation.

These actions are 99.9999% of the time safe, there could be the odd ball chance that a program I'm installing is infected and has a virus, but if I clicked on it, it's assumed I don't know it's infected, and I'll click yes anyway. Hopefully the AV will have caught it before it gets to that point. There is no point in warning "in case" something is malicious. It's better to actually detect that something is, and only actually do something if it is.

The system isn't really designed to stop you from installing infected software, it is designed to keep infected software from installing itself. So complaining about it popping up when you install something is basically complaining about the software developers writing the code so it needs administrator access to install, which really isn't Microsoft's problem.

 

[wonderfield]

Part of it is Microsoft's problem, however, as they encourage writes to the registry (in fact going so far as to 'deprecate' INI files and so forth for application settings) and protect the defacto install location for applications unnecessarily. These issues don't plague OS X or Linux, so escalation prompts are seen less frequently.

An NeXTstep-like application bundle system for applications would alleviate these issues, but Microsoft is intent on going against the grain for the sake of going against it.

 

[daglesj]

I have over 20 apps that I use regularly that incur the UAC prompt.

Plenty of them out here.

 

[Arainach]

Part of it is Microsoft's problem, however, as they encourage writes to the registry (in fact going so far as to 'deprecate' INI files and so forth for application settings) and protect the defacto install location for applications unnecessarily. These issues don't plague OS X or Linux, so escalation prompts are seen less frequently.

An NeXTstep-like application bundle system for applications would alleviate these issues, but Microsoft is intent on going against the grain for the sake of going against it.

If settings are stored in the registry, they should be in HKCU (which doesn't require Administrator to write to in general). Save games, etc. should be stored in the user's folder, not the program's folder. It's absolutely necessary to protect program installation locations, or programs could overwrite program settings and files to elevate themselves. Unix-based systems do the same thing, protecting /etc/ and wherever the hell they store program binaries these days (seemed to change every week back when I used Linux)

 

[KarsusTG]

I think UAC got a bad rap in Vista where it was far worse.

It's your seat belt, and there is a reason they are required... The amount of Virus's, Trojans and other malicious software is growing exponentially. User awareness is not.

 

[orijin]

I think it is a waste personally but I put UAC for my dad so he doesn't accidentally activate malicious software he isn't computer savvy so trojans and etc can happen to him a lot easily.

 

[Unknown-One]

They've fixed that annoyance in Windows 8 now, actually. I'm not sure why the previous method used a display mode switch, but in some cases it's better not to ask why Microsoft does certain things.

A quick glance at a UAC prompt on Windows 7 vs. a UAC prompt on Windows 8 makes the answer fairly obvious.

Ever notice that UAC prompts on Windows 7 are rendered using Aero Basic? Windows 7 disallows all untrusted drivers from running on top of a dimmed UAC screen, which includes 3rd party video drivers from Nvidia, AMD, Intel, etc. With no 3rd party video drivers allowed, Windows has to render the UAC prompt using the old theme engine rather than DWM, and this requires a video reset to switch over.

This is all done in order to prevent exploits based on virtual device drivers, which could auto-dismiss the UAC prompt.

DWM in Windows 8 nolonger requires hardware acceleration, and includes a 1st party driver capable of running DWM in all circumstances (even safe mode). DWM never has to be disabled, so there's no ned for a video reset anymore.

 

[boss99]

I have UAC switched off as its just an annoyance. Id expect most people on HardForum to know what they are doing with a pc and so not require it. Iv never had a virus on my pc as a little common sense is all you need.

The only people i think should have UAC on are the people who don't understand what the print screen key is, don't understand what the "any key" is etc and workplace pc's.

Reading threads like these prompted me to start using UAC and I've found it to be not as intrusive as people make it out to be.

A lot of people say "I'm good at the internet and don't need that crap", and after attending a few IT security classes, I'm convinced that UAC helps more than being a nuisance.

 

[wonderfield]

A quick glance at a UAC prompt on Windows 7 vs. a UAC prompt on Windows 8 makes the answer fairly obvious.

Thanks for both the explanation and the condescension, though one is more appreciated than the other.

 

[Azhar]

I leave UAC on, but without the screen dimming function. UAC prompts don't bother me. The screen dimming is kind of annoying.

Anyone who says UAC constantly prompts is full of shit, I'm sorry but I just don't believe you.

 

[bigdogchris]

The only thing that I've found UAC helpful for is installing software under a Standard User. Without UAC "run-as admin" hardly works.

Otherwise, things like Malware just install to your user profile, which is full access to user profile so UAC is pointless there.

 

[Durntdude]

First thing I do is disable it. The media player I previously used would trigger it EVERY TIME I changed movie/audio track.

 

[Unknown-One]

First thing I do is disable it. The media player I previously used would trigger it EVERY TIME I changed movie/audio track.

Then the media player was poorly written and attempting to write to a portion of the file system owned by "System" rather than a portion of the filesystem owned by the current user. This is exceedingly poor behavior, there's no reason for a simple media player to write to a portion of the file system not owned by the current user when simply changing tracks.

Disabling UAC entierly to fix such a problem is like going after a house fly with an atom bomb. All you had to do was take ownership of the folder that the media player wanted to write to. That would have prevented further prompts for THAT application, while keeping UAC enabled for the rest of the system.

 

[serpretetsky]

Except 99.9999% of operations done on a computer are not malicious and it still asks for it, which defeats it's purpose. An anti malware app is much better suited. Sure there's the odds that there's no definitions for a certain piece of malware (especially with the US government being involved with viruses) but at least it ONLY bothers you if there is a real threat.

Imagine if your smoke detector went off randomly just in case there really is a fire. You'd turn it off, or just ignore it every time, when there is a real fire it would serve no purpose. UAC is like the boy who cried wolf.

My first reaction to the UAC popup is to instinctively say no. I say no to stuff so fast i dont even know what i just denied . Unless I am actually expecting the UAC to come up, then its a different story.

No, imagine you have an intruder alarm on your house that works perfectly, and it locks down when ANYONE tries to enter the house and asks you to approve or deny (even your wife!).

I suppose you can approve everybody (in which case it really does become pointless!), but i'm going to deny every single thing on earth until i come and look through the door eye-piece to see who it is.

 

[Red Squirrel]

My first reaction to the UAC popup is to instinctively say no. I say no to stuff so fast i dont even know what i just denied . Unless I am actually expecting the UAC to come up, then its a different story.

No, imagine you have an intruder alarm on your house that works perfectly, and it locks down when ANYONE tries to enter the house and asks you to approve or deny (even your wife!).

I suppose you can approve everybody (in which case it really does become pointless!), but i'm going to deny every single thing on earth until i come and look through the door eye-piece to see who it is.

So all your stuff fails to run because you keep saying no? The problem with the concept of UAC is that it's usually something that is safe and required for the operation of the computer. For example, installing software, or running certain apps. If I want to know the cpu temperature or the gpu temperature, I get prompted when I open the app, if I change a setting somewhere, I get prompted. It's not security, it's just sillyness. And the analogy of the alarm is off, normally you don't just let someone into your house, you go answer the door, UAC is like getting a prompt at your door asking you if you are sure you want to open it because the person on the other end might have a gun and will shoot you when you open the door but 99.9999% of the time it will be someone you know, or other person that is not hostile. UAC's design naturally conditions us to always click yes, so the one time that it IS something bad, you'll probably hit yes anyway.

I recently switched to Linux and it does have sorta a UAC like feature, but it asks for the password, and only does it seldomly. Mostly for installing software, but not using software. But as annoying as it can be too, at least it has a purpose, because it requires a password. So an automated process or person maliciously accessing your computer would not be able to bypass it unlike UAC.

 

[Unknown-One]

So all your stuff fails to run because you keep saying no?

He didn't say that. He said he says "No" unless it was expected that the action he just performed would generate a UAC prompt.

For example, if he initiated a program installation, he knows a UAC prompt is coming. If he did not do anything that would normally cause a UAC prompt to appear, but one has popped up, he'll click "No" by default.

The problem with the concept of UAC is that it's usually something that is safe and required for the operation of the computer. For example, installing software, or running certain apps. If I want to know the cpu temperature or the gpu temperature, I get prompted when I open the app, if I change a setting somewhere, I get prompted. It's not security, it's just sillyness.

It's prompting you when something needs DIRECT administrative access to your computer. That sounds like security to me...and is pretty much exactly what Linux does.

And if the proper channels are used, the ones Microsoft has built into Windows Vista, 7, and 8, then things like temperature monitoring programs WILL NOT generate a UAC prompt (aside from the one they generated when you first installed the application on your computer). I'm using a system monitoring utility on my desktop right now that doesn't trigger a UAC prompt when I launch it, yet it can read temperatures, change fan speeds, and overclock my processor. After being given permission, the installer for a program can simply install a driver and/or service to facilitate elevation.

This is how Firefox and Chome implement "silent" updates that do not generate UAC prompts even though they write to a system-owned portion of the file system. When you trusted the installer from Mozilla or Google, they installed a service that runs as administrator and handles updates (this service does not run all the time, only when an update is taking place).

I recently switched to Linux and it does have sorta a UAC like feature, but it asks for the password, and only does it seldomly. Mostly for installing software, but not using software. But as annoying as it can be too, at least it has a purpose, because it requires a password. So an automated process or person maliciously accessing your computer would not be able to bypass it unlike UAC.

It also asks you when changing system settings, same as on Windows.

Big difference is, Linux has been a multi-user environment from the get-go. Pretty much ALL Linux applications are already written so that they don't need to access to portions of the system owned by Root (they do not assume they have root privileges).

Windows, on the other hand, had most users running as Administrators (root) up until Windows Vista came around and forcibly implemented a new security model. Poorly written applications written for XP and previous could usually simply assume they have administrator access and start writing to places on the system that aren't owned by the current user (which triggers a UAC prompt). Like I mentioned previously, new applications that follow proper guidelines really shouldn't generate UAC prompts anymore, there's no reason for them aside from the installation wizard.

Better programing practices have seriously improved the situation. Aside from applications that are actually designed to modify system files and settings (which SHOULD generate a UAC prompt every time, to prevent a malicious program from operating through them automaticaly), I don't think I have a single program that prompts at every launch anymore...

 

[heatlesssun]

I recently switched to Linux and it does have sorta a UAC like feature, but it asks for the password, and only does it seldomly. Mostly for installing software, but not using software. But as annoying as it can be too, at least it has a purpose, because it requires a password. So an automated process or person maliciously accessing your computer would not be able to bypass it unlike UAC.

The behavior of UAC can be changed to require a password in Group Policy. And the Protected Desktop is extremely difficult to automate from the desktop, it's almost as good as a password.

 

[Unknown-One]

The behavior of UAC can be changed to require a password in Group Policy.

Or you can simply make an actual "user" account with the account type set to "user" rather than "administrator," and use that as your primary user account on the machine.

UAC will then require the password of a local administrator in order to elevate a program.

 

[serpretetsky]

Or you can simply make an actual "user" account with the account type set to "user" rather than "administrator," and use that as your primary user account on the machine.

UAC will then require the password of a local administrator in order to elevate a program.

yeah, thats what i do. I have to type my password every time something wants to do a system change. Doesn't really bug me.

 

[daglesj]

Anyone using EMET?

I've been running it on my machines. Other than a couple of apps I had to tweak the settings it seems to be pretty benign.

 

[heatlesssun]

So all your stuff fails to run because you keep saying no? The problem with the concept of UAC is that it's usually something that is safe and required for the operation of the computer.

That's not what he said, he said he instinctively says no to UAC unless that what he was expecting, and that's how I treat it as well. The only time one should see a UAC prompt in Windows 7 at the default settings is when installing software, that's expected and when running certain programs that also trigger it but that should be very rare for the vast majority of people and there are was to whitelist apps one may frequently run that do trigger it.

For most people in normal day to day use of their computer, they'll never see a UAC prompt, even advanced users unless they are doing something low level shouldn't see it much.

 

[c3141hf]

So all your stuff fails to run because you keep saying no? The problem with the concept of UAC is that it's usually something that is safe and required for the operation of the computer. For example, installing software, or running certain apps. If I want to know the cpu temperature or the gpu temperature, I get prompted when I open the app, if I change a setting somewhere, I get prompted. It's not security, it's just sillyness. And the analogy of the alarm is off, normally you don't just let someone into your house, you go answer the door, UAC is like getting a prompt at your door asking you if you are sure you want to open it because the person on the other end might have a gun and will shoot you when you open the door but 99.9999% of the time it will be someone you know, or other person that is not hostile. UAC's design naturally conditions us to always click yes, so the one time that it IS something bad, you'll probably hit yes anyway.

I recently switched to Linux and it does have sorta a UAC like feature, but it asks for the password, and only does it seldomly. Mostly for installing software, but not using software. But as annoying as it can be too, at least it has a purpose, because it requires a password. So an automated process or person maliciously accessing your computer would not be able to bypass it unlike UAC.

*nix operating systems have been multiuser from the beginning. Programs in the *nix world have always been written to handle the fact that they may not have full access to the computer. In contrast, Windows started out as a single user operating system where every program has full access to the system. As a result, elevation prompts are much less common in *nix environments because programs are and have always been written to not require superuser privileges unless they absolutely need them.

This is exacerbated by the fact that Visual Studio allows people with limited or no programming experience to create crude programs without the understanding of how to write good code or even how to program.

 

[Vercinaigh]

I got many critical drivers I use that require UAC off to function. And yes UAC can be completely bypassed, i've literally sat and watched it happen. I am -not- going to debate that with you over the internet as i could honestly care less if you believe me or not, it's your pc, not mine. I run the garbage with it off, it is garbage, it's fucking annoying, it screws over many complex tweaks and programs i use that no i can't "Tweak UAC" to work for, by design it breaks their code, and their code is the -only- way they can work. So there is no "poorly written" statements to be made, simply must work the way they do.

i find it appalling that tech guru's suddenly can't keep their shit safe and UAC (Which doesn't work, if someone wants to bypass it, they simply will.) is now their fail safe. Sad, Just sad.

Don't bother replying i'm not watching this thread after this, kinda sickens me tbh.

 

[Volume]

I got many critical drivers I use that require UAC off to function. And yes UAC can be completely bypassed, i've literally sat and watched it happen. I am -not- going to debate that with you over the internet as i could honestly care less if you believe me or not, it's your pc, not mine. I run the garbage with it off, it is garbage, it's fucking annoying, it screws over many complex tweaks and programs i use that no i can't "Tweak UAC" to work for, by design it breaks their code, and their code is the -only- way they can work. So there is no "poorly written" statements to be made, simply must work the way they do.

i find it appalling that tech guru's suddenly can't keep their shit safe and UAC (Which doesn't work, if someone wants to bypass it, they simply will.) is now their fail safe. Sad, Just sad.

Don't bother replying i'm not watching this thread after this, kinda sickens me tbh.

QFT dude. QFTMFT.

UAC is the first thing I disable when installing Win7 or Windows Server.

 

[wonderfield]

yeah, thats what i do. I have to type my password every time something wants to do a system change. Doesn't really bug me.

That's how it should work for all accounts in Windows. I can understand why Microsoft would try to balance security against user frustration, though, as elevation prompts still fire too frequently in my opinion.