ANS: "What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was

  • Thread starter: Jimmy Brush
The guys working on the Principle Of Least Authority are aware that
there are still problems with their system of dealing with malware,
which is to let it run but confine it so strictly it can't do anything,
however they have made progress. If Microsoft is too confused
to adequately deal with the situation, HP labs is apt to step in:
http://www.hpl.hp.com/techreports/2003/HPL-2003-191.html
 
Instead, UAC is there to protect users from programs ... it's there to
ensure that the programs that are requesting admin power from the user are
doing so at the request of the user.

There's a certain logic to that, but if that's the way
you view your software - as "requesting admin power
from the user", then you probably need to reassess
what you're installing. I have all sorts of programs
installed. In all cases, I want the software to do whatever
it "thinks" is necessary. It's a tool in my service. If I
didn't feel that way I wouldn't keep the software!
In the meantime, I want Windows to be a software
*platform*, not a decision maker.

There's nothing wrong with running under very high
security, especially if you're in a vulnerable network
scenario, but to tell others that they *should* do
as you do borders on religion.
 
But, Windows is not making any policy decision. UAC has nothing to do with
deciding what should run on the system.

All it is doing is enforcing what you are doing. If you are starting a
program that is requesting admin access, you are expected to click continue
:). The only time there is a bit of "warning guidance" is when the program
being launched is unsigned, in which case the OS cannot guarantee that the
program that you are launching hasn't been replaced by some malware when it
gets executed.

UAC is protecting you when either a program would launch that you did not
start, and you click cancel, or you notice a different looking prompt for a
program that you expected to prompt (a normal signed prompt vs. an unsigned
prompt, for example), and you click cancel.

This certainly does not stop you from running malware, it just stops stuff
from running that you did not start. UAC allows other really cool things to
work, like programs isolated into separate privilege levels on your desktop,
and it also works in conjunction with other more traditional security
products to create multiple levels of security.

And for what it's worth, I could care less if others do as I do ... I would
just like people to really understand what UAC is doing before they decide
to turn it off :).
 
I think that some incarnation of UAC is a very important part of least
privilege. Somehow, the OS has to be *certain* that the user is at the root
of any action that is being initiated on their behalf. That is what UAC is
really doing, albeit at a coarse level as you described. I would be very
pleased to see a better implementation of it, regardless of who comes up
with it.
 
But, Windows is not making any policy decision. UAC has nothing to do with
deciding what should run on the system.

All it is doing is enforcing what you are doing. If you are starting a
program that is requesting admin access, you are expected to click continue
:). The only time there is a bit of "warning guidance" is when the program
being launched is unsigned, in which case the OS cannot guarantee that the
program that you are launching hasn't been replaced by some malware when it
gets executed.

Those are decisions made by Windows without
my approval. I clicked an icon. That tells Windows
"run this program". I didn't ask it to ask me for
confirmation ... I don't want to hear about Microsoft's
"digital signature" scam ... I don't want to be reminded
that my crash helmet chin strap should be tightened
before proceeding ... I just want to run the darn
software! I'll worry about the malware, Thank-You-Very-Much.

If Microsoft wants to help prevent malware infections,
they could create one nag that would actually help:

Put a big red button on
Internet Explorer. Clicking the button would show a message
that says, "You are about to enable scripting. Are you sure
you want to do that? You should only enable scripting
when absolutely necessary." Then, even if scripting is
enabled, it will be disabled at the next website.

And of course, the setting to disable that nag will
be hidden somewhere like:

HKLM\Software\Microsoft\Internet Options_
IExplorer\JScriptWarningOptions\Security_
ToolBarButton\DisableJSCriptWarningToolbarButton

Then setting the value DisableJSCriptWarningToolbarButton
to the DWORD value of 16439 will return control of
browser scripting to the user. :)
 
If you don't care what runs on your machine with elevated privilege, by all
means turn it off :).

My only points were that UAC does in fact guarantee with a high degree of
certainty that only the programs you run will have admin access to your box,
and by using digital signatures UAC can even guarantee that the program that
you are about to elevate is in fact the program the prompt says it is, and
without UAC you have absolutely no control over what runs with elevated
privilege and what doesn't (everything runs with elevated privilege,
assuming of course you are logged in as an admin).
 
> I clicked an icon. That tells Windows
> "run this program".

This is a common misconception people have :).

I think this is the main reason people have a hard time grasping UAC, is
because they believe this to be true, and at first glance it does seem like
this would be something obvious the computer should be able to do without
any problems.

Unfortunately, it isn't ... Windows does not know that you are the one
starting a program even if you double-click on it in explorer. That is
exactly why UAC prompts you, to ascertain this.

If this could be done without a prompt, it would be very cool indeed, and
then the only prompt that would be needed would be the case where the
program is unsigned.

However, this is a much bigger technical problem than it appears at first
glance.
 
> I clicked an icon. That tells Windows

This is a common misconception people have :).

I think this is the main reason people have a hard time grasping UAC, is
because they believe this to be true, and at first glance it does seem like
this would be something obvious the computer should be able to do without
any problems.

Unfortunately, it isn't ... Windows does not know that you are the one
starting a program even if you double-click on it in explorer. That is
exactly why UAC prompts you, to ascertain this.

If this could be done without a prompt, it would be very cool indeed, and
then the only prompt that would be needed would be the case where the
program is unsigned.
However, this is a much bigger technical problem than it appears at first
glance.

Indeed. Rube Goldberg would be pleased to have you as
an apprentice.
I don't want to scare you unduly, but how
do you know it's Windows showing you that UAC prompt,
and not one of your famously ubiquitous malware programs
hooking the mouse input? Hopefully in SP2 Microsoft will
start taking security seriously and offer a retina scan
confirmation using external hardware. In the meantime
it might be best if we all try to keep our clicking to a
minimum. :)
 
What difference would a fake UAC prompt make, for the majority of users
running as an administrator with the default configuration of just
continue/cancel?

Clicking a fake continue button on a fake UAC prompt does not increase the
privilege level.
 
I am trying to install Office 2007. The launcher says that it must be run by
an administrator. When I right click on this file in the dvd drive there is
no choice that says run as administrator. Now what??
 
Right Click on the setup.exe file and choose the Run as admin option
available there. This will solve your problem.
 
Anyone who reads all of the posts regarding UAC and believes that all of this
information is helpful is frozen in computing of 1991. Are you all not aware
of how stupid it is at this point in time to have to repair a user account by
using all of this mumbo jumbo? And has anyone tried it? You don't have
permissions to overlay folders in the new user account when you try to copy
one over. And if the Admin account is gone you have to go through that
reinstall disk VOODOO using various techniques that should have been
outlawed, much less suggested. VISTA is a disaster. I have never had this
many problems with any other operating system. I'd rather use Windows 95 than
VISTA.
 
What must I do to uninstall Adobe Reader 8.1.2? I am told there is not
sufficient access to uninstall same, that I need to contact a systems
administrator. How do I do that, what are my steps?
 
Bob said:
All of that nonsense can be eliminated by running UAC in “quiet” mode.

This is a fallacy! If UAC cannot notify the user that a program is trying to
gain global access to the system, then it is effectively 'disabled'. This so
called 'quiet mode' setting just changes a UAC registry setting to
'automatically elevate everything without prompting'. This means that when
you click to open a file, it is 'assumed' that you already know that the
file will have unrestricted access to your computer.

The main thing that UAC does is to detect when a program or application
tries to access restricted parts of the system or registry that requires
administrator privileges. When a program does this, UAC will prompt the user
for administrative elevation. Without this prompt, UAC cannot warn the user,
which means that it is effectively disabled.

Some people will tell you that using "quiet mode" will still let IE run in
protected mode, but this just isn't true. Without the UAC prompt, a
malicious file that runs from a website can run, without restrictions, and
silently.

Another issue is that with UAC prompt disabled, some legitimate procedures
will just silently fail to work properly, with no notification, if you are
logged on with a Standard User account, since the application cannot notify
you that administrative privileges are required.

Even the developer of the TweakUAC utility includes this statement about his
product.
"if you are an experienced user and have some understanding of how to manage
your Windows settings properly, you can safely use the quiet mode of UAC."
In my opinion, if you are an experienced user, the last thing you would want
to do is turn off the UAC notification.

If you 'are' an experienced user, then you would already know how to
temporarily bypass the UAC prompt to perform just about any procedure in
Vista, such as running programs from an elevated command prompt, or using an
elevated instance of windows explorer.

The last problem I have with this so-called 'quiet mode' is that it
dissuades developers from programming their applications to run in a least
user privilege environment.
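
An added example, not part of the original post: a read-only check for the "quiet mode" condition described above (elevation without a prompt) and for the standard-user case where requests are refused without a prompt. The value names are the standard UAC policy values under `Policies\System`; the function names and the sample tables are constructed for illustration.

```powershell
# Added example. Read-UacPolicy and Get-UacPosture are hypothetical helper names.
$UacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
             'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop'

function Read-UacPolicy {
    # Reads the live policy values (Windows only); a missing value stays $null.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    $policy = @{}
    foreach ($name in $UacValues) { $policy[$name] = $props.$name }
    return $policy
}

function Get-UacPosture {
    param([Parameter(Mandatory = $true)] [hashtable] $Policy)
    $findings = @()
    if ($Policy['EnableLUA'] -eq 0) {
        # UAC off: no split token, so nothing below applies.
        $findings += 'EnableLUA=0: UAC is disabled; admin logons always run elevated'
        return $findings
    }
    if ($Policy['ConsentPromptBehaviorAdmin'] -eq 0) {
        # "Elevate without prompting": the quiet-mode behaviour from the post.
        $findings += 'ConsentPromptBehaviorAdmin=0: admins are elevated with no prompt'
    }
    if ($Policy['ConsentPromptBehaviorUser'] -eq 0) {
        # Standard users get no prompt, so admin-only actions just fail.
        $findings += 'ConsentPromptBehaviorUser=0: standard-user elevation requests are denied silently'
    }
    if ($Policy['PromptOnSecureDesktop'] -eq 0) {
        # The prompt is drawn on the normal desktop next to other programs.
        $findings += 'PromptOnSecureDesktop=0: the prompt is not shown on the secure desktop'
    }
    return $findings
}

# Constructed sample policies so the check runs without touching a registry.
$samples = @(
    @{ Name = 'prompting'; Policy = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2
                                       ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 } },
    @{ Name = 'quiet';     Policy = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0
                                       ConsentPromptBehaviorUser = 0; PromptOnSecureDesktop = 0 } },
    @{ Name = 'uac-off';   Policy = @{ EnableLUA = 0 } }
)

foreach ($s in $samples) {
    $found = @(Get-UacPosture -Policy $s.Policy)
    if ($found.Count -eq 0) {
        Write-Output ("{0}: prompts are in effect" -f $s.Name)
    } else {
        foreach ($f in $found) { Write-Output ("{0}: {1}" -f $s.Name, $f) }
    }
}

# On a Windows machine, check the live settings instead of the samples:
#   Get-UacPosture -Policy (Read-UacPolicy)
```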
 
Ronnie
Even with the prompt enabled it still requires the user to be
knowledgeable of the application UAC is prompting about. Once elevation is
allowed UAC does not protect the user. Clicking allow becomes nothing more
than an annoying additional click which in many cases becomes automatic.
Additionally, the most common way a PC becomes infected is by downloading
something from the net and even with the UAC prompts disabled you still
receive a security warning when you attempt a download.

Personally, when I decide to run something I don't have a need to be asked
to confirm it. If I didn't want to run it I would not have clicked on it
in the first place.

The bottom line is UAC does no more than protect the user from himself,
and even that still requires the user to be knowledgeable.

"Ronnie Vernon MVP" wrote ...


Sorry, Bob, but I agree with Ronnie. The so-called "quiet" mode is nothing
more than disabling the built-in warning system. UAC actually works.

Troubleshooting my nephew's pc over the weekend, set in "quiet" mode, I
found a worm and three everyday ordinary virus hits. Apparently, after
tweaking the UAC, the worm disabled the AV enough to allow a virus to
auto-install, three different times, in just under a month.

His excuse? Clicking the little box when he installed a couple games was too
annoying.
 
Bob

<inline>

Bob said:
Ronnie
Even with the prompt enabled it still requires the user to be
knowledgeable of the application UAC is prompting about. Once elevation is
allowed UAC does not protect the user. Clicking allow becomes nothing more
than an annoying additional click which in many cases becomes automatic.

It is only annoying until you run into something unexpected. Right after
Vista was first released, we went through all of the debates about users
getting to the point where clicking on the prompt became an 'automatic'
response.

One user told us about a utility that he downloaded and installed and he got
the expected 'security warning' about the file not having a digital
signature. He clicked to run the file anyway and the utility installed. He
then got a message to 'click here' to configure your personal settings. He
then received this prompt.

http://i196.photobucket.com/albums/aa86/rvmv/UACPrompt2.jpg

Without UAC, he never would have been aware of the second file being
installed, since he had already permitted the program to run. Needless to
say, he decided that he would leave UAC on.

Additionally, the most common way a PC becomes infected is by downloading
something from the net and even with the UAC prompts disabled you still
receive a security warning when you attempt a download.

Only in specific instances, such as an installation file that does not have
a digital signature attached. The security warning does nothing to protect
against 'drive-by' downloads that run automatically. Most of the smaller
software developers will not bother with a digital signature, simply because
it is time consuming and expensive for them.
Personally, when I decide to run something I don't have a need to be asked
to confirm it. If I didn't want to run it I would not have clicked on it
in the first place.

It's not about you deciding to run a program, it's about 'isolation', it's
about 'integrity levels', it's about what background actions the program
will take when you do run it. Have you ever wondered why an application,
that does nothing more than make images look better, needs full and
unrestricted access to every part of your computer?
The bottom line is UAC does no more than protect the user from himself,
and even that still requires the user to be knowledgeable.

This is the whole point of UAC. The only way that a malicious program can be
installed is if the user gets complacent and stops paying attention to what
they are doing.

When Vista is first installed, a user will typically see a ton of UAC
prompts as they install all of their software programs and utilities, but
these will gradually become more rare. Windows has to overcome almost twenty
years of being a 'push button' operating system before it will attain any
semblance of a 'secure' operating system. The education of users as well as
developers will take some time. UAC and other security 'hardening'
procedures are not going to 'go away'.

When the majority of developers see the benefits, and start following the
Microsoft developer guidelines for coding their programs and applications to
run in a 'least user privilege' environment, UAC will become a prompt that
is rarely seen. The vast majority of windows software should not even need
to initiate a UAC prompt.

Take a few minutes to read the following article. It will give you a better
understanding, and show you the underlying reasons and goals of UAC.

The Long-Term Impact of User Account Control:
http://technet.microsoft.com/en-us/magazine/cc137811.aspx
 
Alan Simpson said:
Well said Jimmy. But just a couple minor additions. Using a computer in a
limited account for day-to-day stuff has been a security "best practice" for
many years, and totally ignored outside the corporate environment for just
as many years. Basically Vista makes that security best practice
automatic and as painless as possible by letting you temporarily elevate
on-the-fly on an as-needed basis.

Also, for home users, there's a tie-in to parental controls here. From a
password-protected administrative account you can set parental controls on
children's standard accounts and monitor their computer and Internet use.
The kids can't get to any of that from their standard accounts (without an
administrative password). So they can't tamper with any of that.
 
Bob said:
Ronnie

I had previously read the article.

The quote that stands out to me is "UAC does not, nor is it intended to,
stop malware"

That's correct, the primary job for UAC is to allow a user to run with a
Standard User (Limited User in XP) token and still have the capability to
elevate a program or procedure with administrator privileges on demand.
However, as a side benefit, if you get an unexpected UAC prompt, this can
warn you that a process you did not start is trying to access a restricted
part of the OS.
In the example you give the user would have received a prompt even if UAC
was disabled providing he was running Windows Defender.
"If potentially harmful software tries to run or install itself on your
computer, Windows Defender notifies you and helps you choose how to take
action."

Windows Defender can only stop 'known' malware. It checks a database that is
updated often when a new threat is discovered. Defender is not an anti-virus
program.

Neither Defender nor UAC are designed to replace a good anti-virus program.
Re: "Have you ever wondered why an application,
that does nothing more than make images look better, needs full and
unrestricted access to every part of your computer?"

I don't know why you say that. I run Photoshop Elements and afaik it
doesn't need unrestricted access to every part of my computer.

This is because Photoshop Elements is probably designed to work properly, or
the part of the program that requires admin privileges has been Virtualized
by UAC. I have even heard of word processors that get a UAC prompt when they
are started.
 
Jimmy Brush said:
I've noticed that a lot of the questions in these newsgroups are either
directly or indirectly related to UAC (User Account Control). In this post,
I will go over what UAC does, how it works, the reasoning behind it, how to
use your computer with UAC on, why you shouldn't turn UAC off, and answer
some common questions and respond to common complaints about it.


Having to go through an extra step (clicking Continue) when opening
administrative programs is annoying. And it is also very frustrating to run
a program that needs admin power but doesn't automatically ask you for it
(you have to right-click these programs and click Run As Administrator for
them to run correctly).

But, keep in mind that these small inconveniences are insignificant when
weighed against the benefit: NO PROGRAM can get full access to your system
without you being informed. The first time the permission dialog pops up and
it is from some program that you know nothing about or that you do not want
to have access to your system, you will be very glad that the Cancel button
was available to you.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

I think I missed the answer to the question, "UAC is annoying how do I turn
it off?" I am doing a copy and replace, small directories, which are each
located within separate .zip files that I need to copy and replace from My
Documents to another drive. Having to do 6 to 8 mouse clicks for each of two
dozen directories is NOT FUN. Again, How do I turn it off?
 