How can I optimise UAC on Vista 64?

  • Thread starter Thread starter Quentin
  • Start date Start date
Q

Quentin

Vista 64 SP1, fully patched.

When UAC kicks in, it's a real pain. Not that it kicks in but the way it
kicks in. The screen dims and the system is unresponsive for a couple of
seconds - just long enough for me to notice and then a bit longer. Then the
UAC prompt comes up. I'd like to remove the screen dimming and change it to
the sort of warning prompt you get when you try to run an ActiveX control or
Java applet. Can I do this?

Note that I don't want to disable UAC just modify the behaviour.
 
Quentin said:
Vista 64 SP1, fully patched.

When UAC kicks in, it's a real pain. Not that it kicks in but the way it
kicks in. The screen dims and the system is unresponsive for a couple of
seconds - just long enough for me to notice and then a bit longer. Then
the
UAC prompt comes up. I'd like to remove the screen dimming and change it
to
the sort of warning prompt you get when you try to run an ActiveX control
or
Java applet. Can I do this?

Note that I don't want to disable UAC just modify the behaviour.

I think you're out of luck.
 
Quentin said:
Vista 64 SP1, fully patched.

When UAC kicks in, it's a real pain. Not that it kicks in but the way it
kicks in. The screen dims and the system is unresponsive for a couple of
seconds - just long enough for me to notice and then a bit longer. Then
the
UAC prompt comes up. I'd like to remove the screen dimming and change it
to
the sort of warning prompt you get when you try to run an ActiveX control
or
Java applet. Can I do this?

Note that I don't want to disable UAC just modify the behaviour.

It takes a snapshot of your current screen, darkens it, and switches
to a secure desktop with the darkened screenshot as background.
Then it displays the prompt. It is not just fluff, it is a security measure.

You are probably not able to change this easily.
 
midway64 said:
XdN Tweaker has an option for turning Secure Desktop off (what the
"blackness" is called). It works in both 32 and 64 bit flavors and you
can get it here:

http://http://xenomorph.net/?page_id=336

There is also a way of doing it by modifying a registry entry but this
is easier.

Yeah, that's a nice set of tools there. I like the UAC black screen disable.

It's a keeper, thanks. :)
 
Mr. Arnold said:
Yeah, that's a nice set of tools there. I like the UAC black screen
disable.

It's a keeper, thanks. :)

Disabling the secure desktop feature of the UAC prompt
doesn't exactly "optimize" UAC - in fact it disables UAC
for any malware program smart enough to take advantage
of that change. Sure, maybe it is unlikely that a malware
program exists that can do this, but if enough Vista users
take this option - I'm sure some will be written.
 
FromTheRafters said:
Disabling the secure desktop feature of the UAC prompt
doesn't exactly "optimize" UAC - in fact it disables UAC
for any malware program smart enough to take advantage
of that change. Sure, maybe it is unlikely that a malware
program exists that can do this, but if enough Vista users
take this option - I'm sure some will be written.
You need to provide some proof here that disabling that black screen is
disabling the security functionality you speak about.
 
You need to provide some proof here that disabling that black screen is
disabling the security functionality you speak about.

http://technet.microsoft.com/en-us/library/cc709628.aspx

Here's the relevant excerpt:

"Securing the Elevation Prompt

The elevation process is further secured by directing the prompt to the
secure desktop. The consent and credential prompts are displayed on the
secure desktop by default in Windows Vista. Only Windows processes can
access the secure desktop. In addition to the recommendations for
administrators and standard users, Microsoft also strongly recommends that
the User Account Control: Switch to the secure desktop when prompting for
elevation setting should be kept enabled for higher levels of security.

When an executable requests elevation, the interactive desktop (also called
the user desktop) is switched to the secure desktop. The secure desktop
renders an alpha-blended bitmap of the user desktop and displays a
highlighted elevation prompt and corresponding calling application window.
When the user clicks Continue or Cancel, the desktop switches back to the
user desktop.

It is worthwhile to note that malware can paint over the interactive desktop
and present an imitation of the secure desktop, but when the setting is set
to prompt for approval the malware does not gain elevation should the user
be tricked into clicking Continue on the imitation. If the setting is set to
prompt for credentials, malware imitating the credential prompt may be able
to gather the credentials from the user. Note that this does also does not
gain malware elevated privilege and that the system has other protections
that mitigate malware from automated driving of user interface even with a
harvested password."
 
Mr. Arnold said:
Yeah ok, I see it and see the functionality. However, that little utility
program has some other nice features not that disable *Black* on UAC is a
bad feature either.


Disabling the secure desktop isn't necessarily a bad thing as long as you
understand the implications of doing so. It is automatically disabled when
you RDP to a Vista box for instance.

As the secure desktop is enabled by default it's very unlikely malware would
be coded to look to see if it was disabled and take advantage of that fact.
What percentage of users would be able to figure out that it could be
disabled and then figure out how to do it? How many of those would just say
"Interesting, but so what" then leave it enabled? Although you would be
relying on security by obscurity I think it's very unlikely disabling secure
desktop would actually cause you any harm. Security is all about assessing
risk and managing a balance between mitigating that risk and performing a
task without too many hurdles. For me the increased security of secure
desktop more than makes up for the slight inconvenience it causes.

UAC gives us a few more tools to help manage that balance. All of the
settings that the UAC tweak tools provide were built into Vista to help
people manage UAC. I do agree that some of them give you nice GUI way to do
it though.
 
Mr. Arnold said:
You need to provide some proof here that disabling that black screen is
disabling the security functionality you speak about.

All of the official documentation I have read about UAC funtionality
indicates that this is so. As far as whether or not it is a good idea to
circumvent this part of UAC - some users don't need UAC at all and
even that extreme is okay with me. They can enable and unhide the
most privileged user account and do without it, but it should be an
informed decision.
 
Bother. At least, is there any way of making it faster? If the d*mn thing
came up straightaway, it would be much less of a bother.
 
Quentin said:
Bother. At least, is there any way of making it faster? If the d*mn thing
came up straightaway, it would be much less of a bother.

Why don't you read the rest of the threads in this posts?
 
Kerry Brown said:
Disabling the secure desktop isn't necessarily a bad thing as long as you
understand the implications of doing so. It is automatically disabled when
you RDP to a Vista box for instance.

As the secure desktop is enabled by default it's very unlikely malware
would be coded to look to see if it was disabled and take advantage of
that fact. What percentage of users would be able to figure out that it
could be disabled and then figure out how to do it? How many of those
would just say "Interesting, but so what" then leave it enabled? Although
you would be relying on security by obscurity I think it's very unlikely
disabling secure desktop would actually cause you any harm. Security is
all about assessing risk and managing a balance between mitigating that
risk and performing a task without too many hurdles. For me the increased
security of secure desktop more than makes up for the slight inconvenience
it causes.

UAC gives us a few more tools to help manage that balance. All of the
settings that the UAC tweak tools provide were built into Vista to help
people manage UAC. I do agree that some of them give you nice GUI way to
do it though.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
You know, many users would not even think of disabling UAC if it had one
extra option: to remember what was accepted. Just like the way good
firewalls do. But now, if you have to use an application that has to be
checked by the UAC, and you have to use it many times a day, then you have
to tell the UAC every time again that it is OK. That's the ONLY reason that
users wish to disable the UAC.

You can state that this would be less secure but then I ask: what's worse,
using UAC with such a function, of not using UAC at all? Here I see a
tendency that I found in other cases too: Microsoft seems to think that all
users are stupid idiots. The simplest things are "secured" with questions
like: are you sure you want that? I always think then: yeah, I am not an
idiot, stupid! Now you get the situation that users click Yes without even
reading it, because it is overused. That's why I started to use Buzoff
(basta computing) to have it automatically done in cases where this question
is simply too stupid to think about.

If Microsoft would start to look at users as normal behaving people, the
real security issues would be much more accepted.
 
If Microsoft would start to look at users as normal behaving people, the
real security issues would be much more accepted.

The "real reason" for UAC is supposeldly to nudge software developers
to write Vista-compatible apps, not to burden users with a barrage of
prompts.

Yeah, riiiiiiiiight.
 
Paul Montgomery said:
The "real reason" for UAC is supposeldly to nudge software developers
to write Vista-compatible apps, not to burden users with a barrage of
prompts.

Yeah, riiiiiiiiight.

Whatever reason they give, it is the user who gets headaches of this. They
refuse to look from our point of view.
 
Flight said:
You know, many users would not even think of disabling UAC if it had one
extra option: to remember what was accepted. Just like the way good
firewalls do. But now, if you have to use an application that has to be
checked by the UAC, and you have to use it many times a day, then you
have to tell the UAC every time again that it is OK. That's the ONLY
reason that users wish to disable the UAC.

I can't go with that:

1)Aa personal FW/personal packet filter is not a firewall.
2) The Application Control in personal FW(s)/packet filters has no business
trying to control applications running on the machine, because that can
easily be defeated, nothing but snake-oil in the solution.
3) If UAC accepted a remembered prompt for approval for an actual malware
solution ok-ing it, then it's always going to be run with no challenge, just
like Application Control in PFW(s) -- snake-oil.

You can state that this would be less secure but then I ask: what's worse,
using UAC with such a function, of not using UAC at all? Here I see a
tendency that I found in other cases too: Microsoft seems to think that
all users are stupid idiots. The simplest things are "secured" with
questions like: are you sure you want that? I always think then: yeah, I
am not an idiot, stupid! Now you get the situation that users click Yes
without even reading it, because it is overused. That's why I started to
use Buzoff (basta computing) to have it automatically done in cases where
this question is simply too stupid to think about.

No, you miss a key point of UAC. Since Admin is locked down to Standard user
with two secuirty tokens representing Full Admin Rights and Standard Admin
rights (discussed in the link below), when a situation arises that promps
for Full Admin rtghts such as malware about to be installed, then the user
as a signal that something may be wrong.

http://technet.microsoft.com/en-us/library/cc709691.aspx

Now, take the examples in the link below of a user clicking on something as
Full Admin rights running on Win NT, Win 2k, or Win XP. What's going going
to happen? I'll tell you. The machine is going to be compromised, with a
user sitting there clicking with Full Admin rights. As opposed to Vista with
UAC enabled, Admin is locked down to Standard user, and Admin user is
prompted/challenged for Full Admin rights to do it, which they can see
something is about to happen.

http://www.eweek.com/c/a/Security/Hundreds-Click-on-Click-Here-to-Get-Infected-Ad/

You can apply the same principles above when an Admin user is clicking on an
unknown email attachment with malware in it that wants to install itself on
the machine.
If Microsoft would start to look at users as normal behaving people, the
real security issues would be much more accepted.

They are treating users like normal people that will not practice safehex
computing, and they will click on everything under the Sun not knowing that
malware is about to install itself. With UAC enabled and they click, they
got a chance of seeing that something may be wrong when prompted to allow or
disallow or give that Admin User-id and PSW if the user is a Standard user
with only a Standard user security token.

I don't see this is really being any different than when a user has to give
that Root Full Admin rights user-id and psw on Linux when root full admin
rights are required.

One doesn't have a ton of applications that require full admin rights to
run. I think I have maybe 4 applications I use that use full admin rights in
order to run. And I am not running those applications all the time, so I get
very little prompts from UAC. The rest can run with Standard user rights.
One doesn't get prompted when the application only needs Standard rights to
run, unless you have Run As Administrator enabled on every
application/program, *you* did it, and you are being prompted all over the
place when you shouldn't be.
 
[snip]
You know, many users would not even think of disabling UAC if it had one
extra option: to remember what was accepted. Just like the way good
firewalls do.

Yeah, that is a common complaint.
But now, if you have to use an application that has to be checked by the
UAC, and you have to use it many times a day, then you have to tell the
UAC every time again that it is OK. That's the ONLY reason that users wish
to disable the UAC.

Not the only reason, but it is high on the list.
You can state that this would be less secure but then I ask: what's worse,
using UAC with such a function, of not using UAC at all?

Almost equivalent in the long run.
Here I see a tendency that I found in other cases too: Microsoft seems to
think that all users are stupid idiots. The simplest things are "secured"
with questions like: are you sure you want that? I always think then:
yeah, I am not an idiot, stupid! Now you get the situation that users
click Yes without even reading it, because it is overused.

That is a stupid idiotic thing to do, so it seems Microsoft was right
in the assessment you attributed to them. :o)
That's why I started to use Buzoff (basta computing) to have it
automatically done in cases where this question is simply too stupid to
think about.

What an ugly hat (whoops) ... looks good on you though. :o/
If Microsoft would start to look at users as normal behaving people, the
real security issues would be much more accepted.

They tried that with previous versions, and what a mess it created.
Now they make a more secure OS (default settings) and people
complain - actually Vista can be made nearly equivalent to XP by
user configurable settings.

If you really don't need "hand holding" then by all means shut the
feature off. The up side is that the newbies will be more secure
and most of them won't have issues with UAC anyway.
 
Back
Top