Administrator required to run applications?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

This is crazy. I am already a member of the administrators group in Vista.
So, why do I have to run certain applications as administrator?

Also, why does Windows Defender block some Windows programs such as System
Configuration Utility and Secure Update from running?
 
Hello,

In Windows Vista, even though you are an administrator, only the programs
that you give permission to (via a "Windows needs your permission to
continue" prompt) will be able to use your administrator powers.

Programs that do not need admin powers (such as the calculator) will not ask
for it and thus will not be able to do such things as format your hard
drive.

Really, why should <insert name of non-administrative program> be able to do
system administration tasks? That's just begging for trouble.

The benefits of this is:

1) Programs that do not need admin power, don't get it

2) You are aware of all programs that start with admin power and are able to
deny programs access to your admin power (for example, if
SeeTheDancingBears.exe request admin access to your computer, you can
disallow it).

All Windows Vista-compliant applications will automatically ask you for
permission when they want to do administrative tasks.

Legacy programs, or programs that generally don't need admin permission but
may need such permission in certain scenarios (such as using notepad to edit
the HOSTS file), you will need to explictly give them admin permission by
right-clicking them and clicking Run As Administrator.

To prevent a possible denial-of-service, programs that require
administrative privileges CANNOT automatically start up when you log in /
start your computer. Windows blocks these programs from running, instead of
showing a bunch of prompts on every login.

These programs should be updated to be Vista-compatible, if (or when) such
updates are available.



--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
I could live with the permission thing if I could at least get into my own
dam folders.
 
I agree with the other posters. This is NUTS! I was a very experienced XP
user and now I have no idea how to use my new computer! If Microsoft doesn't
fix the complexity of VISTA, the software will be a titanic failure, and
Apple stock will soar. I hope I am wrong but my bet is that the average user
will be very frustrated.
 
Hello,

In Windows Vista, even though you are an administrator, only the programs
that you give permission to (via a "Windows needs your permission to
continue" prompt) will be able to use your administrator powers.

Programs that do not need admin powers (such as the calculator) will not ask
for it and thus will not be able to do such things as format your hard
drive.

Really, why should <insert name of non-administrative program> be able to do
system administration tasks? That's just begging for trouble.

The benefits of this is:

1) Programs that do not need admin power, don't get it

2) You are aware of all programs that start with admin power and are able to
deny programs access to your admin power (for example, if
SeeTheDancingBears.exe request admin access to your computer, you can
disallow it).

All Windows Vista-compliant applications will automatically ask you for
permission when they want to do administrative tasks.

Legacy programs, or programs that generally don't need admin permission but
may need such permission in certain scenarios (such as using notepad to edit
the HOSTS file), you will need to explictly give them admin permission by
right-clicking them and clicking Run As Administrator.

To prevent a possible denial-of-service, programs that require
administrative privileges CANNOT automatically start up when you log in /
start your computer. Windows blocks these programs from running, instead of
showing a bunch of prompts on every login.

These programs should be updated to be Vista-compatible, if (or when) such
updates are available.

In addition to what Jimmy has posted, there are other operating systems
that have historically required extra steps to perform a task at system
(root) level. Other operating systems may be a little more "smooth" about
it but it's the same concept.

In the long run, UAC works in your favor. I'll agree that it's a pain
getting through software and driver installs and certain "tweaks." But once
all is setup, UAC doesn't appear often at all.

A few of the applications that I use caused too many prompts when installed
under the protected "Program Files." Until Vista aware versions are
released for those titles, I've created a folder "OtherApps" and install
them there. Not as secure but, for now, but it eliminates the UAC prompts
these apps would have caused if installed elsewhere.
 
Hi Jimmy
Why can't I open the temporary internet files folder under users , carl ,
local , temporary internet files.
What is so security risking about that folder.
There are lots of folders under local that have the shortcut arrow that are
not accesable,such as the documents folder.picture,music,video folders.Why
is that?they are my personal folders,why can't I get into them? I am the
adminestrator and the only user on this PC.
Just don't see all this security stuff. It is my computer,my instalation of
windows, if I want to destroy it ,that is my perogative I would think.
Thanks
 
Well,

The problem here is that those locations no longer exist in Windows Vista,
hence you can't access them.

Sure, you can still "see" some of the old locations, like you mentioned, if
you have turned on the showing of hidden / OS files.

But, these locations have been moved/renamed/replaced, and you need to learn
the new locations.

Technically, these things that you see that are transparent with a shortcut
symbol are called junctions, and they are there to make some misbehaving
programs work.

To see what these locations have been replaced by, you can use the command
prompt:

- Open a command prompt
- CD to the folder that contains the location that has moved
- Type: dir /al

It will list the old locations as '<JUNCTION>' or '<SYMLINKD>' and show
their new location in brackets.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
Hi guys, I have a few problems around Vista which my PC vendor's team have
been unable to resolve. No Vista knowledge at all! Anyone offer any help pls?

1) Outloook 2000

Error message: "An error occurreed while attempting to open the Windows
Address Book. Unable to find the WAD DLL".

ADDITIONAL INFO: There is an address book which I imported from old XP PC
via Easy Transfer. I read somewhere that OE v6.0 checks WAB and detects
corrupt WAB whereas prior versions WAB did not detect corruption. Might this
be the problem? How I do a regenerate a new uncorrupted WAB? Aint OE v6
part of Vista OS so how do I do a partail reinstall? I cant even see the
Vista OS in Uninstall Programs List (was OEM though I get get a a CD copy
also).

2) UAC. All the Windows Vista guides talk about running 'secpol.msc' and
'gpedit.msc' to configure UAC. When I do a search apparently these files are
NOT found? They MUST exist, right as part of OS?

I think I cant see access/them due to Admin rights or something...though I
am an Administrator Account Type as opposed to a Std User. Anyone any ideas?
 
It's interesting that you are even running Outlook 2000 on the latest version
of Windows. That's like putting regular gasoline in a Ferrari. C'mon dude,
upgrade already; save yourself the unnecessary headache.
 
I'll have to admit that I have been somewhat hesitant in appreciating these
new features; however, you have shed new light on them and I'm sure that the
benefits of this new "highlight" are worth the inconvenience of the extra
clicks.

Although, it would be nice to have an option to disable that added
functionality for those of us that already know everything :P
 
Well,

You can of course disable User Account Control (the part of Windows that
allows this technology to function).

But, I would like to make it absolutely clear that the security is in place
as much for the person who "knows everything" as it is for the person who
doesn't.

At its CORE, the security in Vista is about allowing stuff that *YOU* want
to happen work, and stuff that you DON'T want to happen NOT work.

Windows knows what you want to happen by asking you.

If you turn off the prompts, Windows just assumes that everything that
happens on your computer (whether started by you OR NOT) should have
complete control over your computer.

You can turn UAC off in the user accounts control panel.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
2) UAC. All the Windows Vista guides talk about running 'secpol.msc' and
'gpedit.msc' to configure UAC. When I do a search apparently these files
are
NOT found? They MUST exist, right as part of OS?

These guides assume that you are running Vista Business or Ultimate.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
Why can't I open the temporary internet files folder under users , carl ,
local , temporary internet files.
What is so security risking about that folder.

Well, it's a #1 entry point for malware, asd it's the easiest point of
entry. I'd want that locked down, wouldn't you?
There are lots of folders under local that have the shortcut arrow that are
not accesable,such as the documents folder.picture,music,video folders.Why
is that?they are my personal folders,why can't I get into them?

Those are hidden to avoid confusion. I also unhide everything, but
that meant I had to learn not to be confused :-)

Those legacy paths are junctions to the new locations. Programs can
traverse them automatically, whereas the shell won't let you do so - I
suspect to avoid problems that would arise if you (or code operating
as "you") could reach the same place via both paths, and be unaware
that it was operating in the same place.

Consider logic like "Copy from A to B, if exists on B, delete old copy
on A" when the code isn't aware that A = B.
Just don't see all this security stuff. It is my computer,my instalation of
windows, if I want to destroy it ,that is my perogative I would think.

That's always been my perspective, and still is.

Once upon a time, NT was for professionally-administered corporate use
only. Everyone using it would be doing so on company time, subject to
policy restrictions. You'd have rights to do only what you needed to
do, and you'd log on to prove your identity, and off you'd go.

Most of XP's security is still based on this model, which is wildly
inappropriate when you use the OS in consumerland.

As a "free" user, I might have an accounting app open that should not
be 'net-accessible but should access my sensitive data, while I surf
the web using a browser that allows sites to drop and automate "rich
content" that shouldn't reach my data, and play a game that needs
access to neither my data nor the Internet.

So already, the same user is doing different things at the same time
that really should have different restrictions. Then I start clicking
on emaul attackments from "someone I know", or the system gets spoofed
by creatively-malformed content that gets to run as raw code.

Either way, the result is the same; code gets to run that shouldn't,
and it automatically gets all rights that I've been assigned as the
logged-in user. I don't want to cower in a "panic room" while this
stealthy malicious code stomps all over the house!

So, what to do? Well, treat all code as suspect, unless you know it
isn't. If something happens that affects the PC beyond my user
account, then UAC pops up. When that happens straight after I
initiate a Format (say), I'm annoyed. When I get an unexpected
"Format?" pop-up just after I view an email "message text", then I'm
very glad to have the opportunity to Just Say No.

UAC's a great learning tool; one learns how do do things with a
minimum of risk exposure. The tools you trust, you can set to run as
Admin via the shortcut you use interactively, while hopefully not
assigning the same rights when the same code is automated, etc.


--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
 
I'll have to admit that I have been somewhat hesitant in appreciating these
new features; however, you have shed new light on them and I'm sure that the
benefits of this new "highlight" are worth the inconvenience of the extra
clicks.

Although, it would be nice to have an option to disable that added
functionality for those of us that already know everything :P

My idea to solve the "everyone loves admin" problem would be to use a
"janitor account" that has full admin control over the system, but is
very bare and limited in other ways - no Internet access, no content
groping (even extraction of icons from .EXEs), all paths and file
names shown in full, etc.

I wrote about this as "LUA and the One Hand Rule":

http://cquirke.blogspot.com/2005/04/lua-and-one-hand-rule.html

Open can of gasolene and flaming torch: Pick one

Internet access and admin power: Pick one

:-)

IOW, while I'm not in the middle of installing stuff, recovering data
via sector editors, etc. I don't want that degree of exposure - and
unlike under the "old rules", I do NOT want to have to log out of one
account and create another, pretending to be two different people to
appease some dated corp-orientated NTvision of how things should be.


--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
 
Cquirke (MVP said:
 The tools you trust, you can set to run as Admin via the shortcut
you use interactively,

PMJI -- is this to say that I can set something in the shortcut
properties that will stop UAC from asking if I trust the application
and so enable me to open it without being queried?

If so I'd be grateful for indications on how to do it. Setting the
Advanced Property as [x] Run as Administrator makes no difference to
the UAC query.

TIA
 
Why is the 'run as administartor' option greyed out in the compatability tab.
My kids are pretty fed up with me explaining the in and outs of the UAC they
want to click the short cut and run their games .....
 
Back
Top