UAC - How do I configure this to bring some sanity to my desktop?

[David Craig]

If you have a program that requires admin access, you can create your own
external manifest for it and have it automatically invoked with UAC
prompting. The companies that produce software should separate their
executables into those normal users can use and those that need to perform
an admin activity. It is not that difficult. Maybe in future Windows
versions they will allow an executable to invoke the UAC prompt only when it
needs to do so. There are some indications that Microsoft has been choosing
a course that will make it difficult for small developers to enter the
market. Doing 64-bit device drivers has become much more difficult.

 

[David Craig]

ActiveX is the stupidest thing designed since Windows 3.x & 9x where they we
just shells over DOS. It is an executable that has access to any part of
the system that access controls don't stop. UAC may help some in that
Internet Exploder is placed into a limited box, but I am not certain how
much power activeX controls can obtain. The fact that they are used by
Windows/Microsoft Update to replace and modify OS files indicates they
possess too much power for my liking. Yes, I want an update that is easy to
use, but I want it to be a little harder than before.

 

[Joseph Geretz]

to do that now. it probably would have worked if you had right-clicked it

and clicked Run As Administrator.

Why should an Administrator have to specify 'Run as Administrator'? And once
having done that, don't you think the OS should 'remember' that setting so
that every time I don't have to go through the same song-and-dance? My
goodness, before I turned off UAC just opening up the Services windo was a
whole debate!

- Joseph Geretz -

 

[Joseph Geretz]

If you always wrote programs that assumed they had administrator

permissions

What exactly does this mean to a VB6 developer??? Sure I remember coding
GetPrivMode in COBOL back on the HP3000 but where's the applicability in
terms of the standard VB6 devleopment we've been doing over the past decade?

- Joe Geretz -

 

[Joseph Geretz]

ActiveX is the stupidest thing designed since Windows 3.x & 9x where they

we

Wow! I guess you missed the whole COM vs CORBA thing during the mid-late
90's where MS was swearing up and down that COM/ActiveX was the greatest
thing since Windows 3.1!!!

So now ActiveX is just supposed to go quietly into the night? Well, it is
going, but it's going to take some time and meanwhile we ActiveX developers
would like to be able to install our applications on Vista. We didn't create
this whole ActiveX / Registry mess (the Registry, yeah another great idea -
I bet the guy who invented the Registry worked lead on the Vista development
group) we just work with it for a living.

- Joe Geretz -

 

[Joseph Geretz]

This is a partially incorrect statement. Yes, the system knows that you

clicked the mosue. But the system DOES NOT KNOW that you intended to start
a program.

Problem in a nutshell. If an OS can't tell when I explicitly ask for
something, then it needs to be torn down and rebuilt so that it can.

- Joseph Geretz -

 

[David Craig]

You can install your activeX programs on Vista. If you have a signed
activeX "control" (more B.S. - it is a program) and a signed .msi file it
can be installed with only one prompt or maybe less but I don't do apps
myself. I need to learn a little about how to do manifests, but it appears
to be a manual process that is a real pain to get one created. I guess they
could have made it more obscure. Why not a manifest editor in VS2005 that
just lets you choose what you need if it is side-by-side and what
priviliges. Life could be better and simpler and less confusing for those
of us who only dabble in apps. Drivers are so much easier.

 

[David Craig]

How can you do automated testing? There are some reasons for having the
ability to replay a sequence of inputs to test applications. You can't hire
enough people and write enough test scripts to test every old bug so
automation is necessary to make sure a previously fixed bug hasn't
reappeared. I know with drivers we frequently add tests for bugs that have
been fixed to make sure a change doesn't get dropped or someone forgets that
that approach was a failure and try to resurrect it.

 

[Joseph Geretz]

How can you do automated testing?

I didn't say that your run of the mill application would need to
discriminate between physical and 'virtual' inputs. But the OS should be
able to. And your comment regarding automated testing tools is demonstrates
the exception which perhaps proves the rule. Recognizing and clamping down
on the ability to 'impersonate' user input would mean that 1% of all
applications which are automated testing tools (and the like) would need to
comply with more stringent requirements. The result would be that 99% of all
other types of apps would run in a more secure environment.

But that evidently isn't the Microsoft vision. Their implementation
basically concedes that their OS is so unsafe that their only choice is to
ask the user every time he presses a button - 'hey, did you really want to
do that'?

 

[Adam Albright]

Hello,

Ignoring the parts of your posts not related to UAC ...

Since you snipped everything you were replying to I can only guess
you're responding to me.

Your problem is not with UAC or even Vista, it is with application
compatability.

Some programs don't work right when the system changes. UAC definately
counts as a system change.

UAC is PART OF THE SYTEM designed by Microsoft. You're talking
gibberish. If it actually was directly under your control it could be
useful. The implementation is flawed. This is very noticeable when
transferring applications from a older version of Windows to a new one
where UAC takes it upon it self to either give or reject permissions
where previously XP may have been and likely was set up differently.
The result can be a hodgepodge of messed up settings where UAC
decides, again on its own, this application is ok to have permission
to do blah, blah, but oh, not this one. How anyone can suggest this is
progress or a good idea is beyond me.

The concept is good, but the implementation is awful. A correct way to
proceed would be like many firewall applications behave when you first
install them. You install a firewall who's job it is to sit between
you and the Internet. Its purpose is to act as a traffic cop either
allowing or blocking access to incoming and outgoing applications that
wish access to the outside world. The UAC does no such thing, it just
does WHAT IT WANTS as in the example I gave. You then can't change the
behavior IT, not you, assigned. Again, that's not progress, that's
stupidity.

Vista does alot to work around this, but it still ain't perfect.

That's a understatement. In typical Microsoft fashion it not only is
clumsy, it often doesn't allow you to fix it, aside from turning this
"feature" off. Again, that's a step backwards, not forwards.

The fact is, Vista is different, and that will break things.

No, Vista's UAC is BROKEN and it breaks applications that worked in
previous versions of Windows and even breaks applications that are
suppose to be "Vista Ready". That blame falls squarely on Microsoft's
shoulders for not tesing compatibility BEFORE dumping Vista on the
unsuspecting masses that didn't expect the new version of Windows to
in effect prevent much of a user's software from funcioning. If you're
lucky at worst you get a nag screen you can click through. Often, you
can't easily control your own applications, Microsoft attempt to be
your mommy if you ask it to or not. Thanks, but no thanks.

It's been the same for every major OS upgrade, and it will continue to be that way.

So what you're saying is in spite of Windows being in "development"
for twenty years the Microsoft software engineers STILL haven't got a
version that actually works as advertised. Somehow that just don't cut
it with me. How much more time you think they will need? Just imagine
if this was any other industry. They would be laughed out of business.

At the core of many of Windows inbreed problems is the newest version
of Windows builds on the previous version in part in order to have
backward compatibility. That's a double edge sword at best. Whatever
is wrong or a clumsy "feature" of Windows gets carried into the next
version and in time (surely 20 years is enough) the result is a
hodgepodge of patched code, bloated code and code that barely works
and sometimes don't under certain situations. I see UAC as a clumsy
attempt to try to "fix" a lot of ills that's always infested Windows
and made it a easy target to hackers. The bottom line is Windows has
always been a sloppy, ill tested hodgepodge of sometimes it works,
someitmes it don't bloated coding.

For example, the reason your program in particular wasn't working is
probably because it wasn't requesting administrator rights. Programs have
to do that now.

You think? Well kid, you're dead wrong. I have some vintage Windows
3.1 era software running just fine on Vista. That kind of blows a
giant hole in your arguement I would think.

For example Windcode (a joiner/splitter) version 2.7.3 copyright
1993-96 Snappy Software. Back then there was no UAC, no NTSF, nothing
like that. Your argument that "it wasn't requesting administrator
rights. Programs HAVE TO DO THAT now" is also faulty since you can
turn off UAC and it works fine and it doesn't need the rights, what it
needs is to accept the rights you tell it the application HAS or
needs. Vista sometimes simply won't let you, graying out the boxes
that is suppose to make it possible or even removing any boxes. I
would call that a bug. You I suppose will try to call it a feature.
That's default double talk for Microsoft failings. They rarely admit
to having bugs in their software.

Further you seem confused. The question isn't was the program working,
rather Vista kept refusing to initalize it because of some half-ass
rights it ALREADY had if you can believe what Vista is showing under
the security tab for the application in question. That to me says
Vista is dumb. Very, very dumb.

it probably would have worked if you had right-clicked it
and clicked Run As Administrator.

No, because Vista halted it dead in its tracks at the application's
splash screen with the warning box on top of it preveing you from
doing anything other than to curse Windows for being so damn dumb.

Windows Vista does not block you from performing common or administrative
tasks.

ROTFLMAO! Read what I just said again. Slowly.

However, you may have trouble using non-vista-compatible programs to
perform those tasks.

More double talk.

 

[Adam Albright]

Problem in a nutshell. If an OS can't tell when I explicitly ask for
something, then it needs to be torn down and rebuilt so that it can.

Bingo!

That's the impossible dream. Windows has now become a monster. A OS is
suppose to sit quitely in the background and respond the the owner's
commands. Maybe too many members of the Vista Development team got a
hold of the Patroit Act and decided Windows should now do what it
wants, throw out all the rules and if your don't like, tough luck.

 

[Guest]

Well, that applies to every OS out there now, depending on how you define
'OS' .

But I do agree with you.

 

[Guest]

He shouldn't have to right-click and click Run As Administrator.

The application should request permission automatically.

As for "why can't it remember", see my reply to the original poster (its a
whopper of a post but I think it explains things completely).

 

[Jimmy Brush]

As I keep saying, the (main) problem isn't that the input isn't trusted,
although that is part of the problem. Even if the input was known to come
from the user, it still wouldn't let the OS know what the user is intending
to do. The job of the OS isn't to ACT on input; it is to forward input to
applications. Until now, the OS hasn't had a reason to need to know what the
user wants to do when they make an input.

Microsoft's OS isn't unsafe - the applications that run on it are.

These statements are true of ALL operating systems (right now).

UAC in its current form is born out of necessity. I think future versions of
UAC will be much more pleasant to work with, and offer much more visible
benefits.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

How do you figure that giving the user so much more control over the
computer than ever before is likened to the patriot act?


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

In an environment that I would envision, the system would be able to tell
that the user is intending to send fake inputs to other applications, in
contrast to an application that would attempt to do this without the user's
knowledge or intent.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

UAC is PART OF THE SYTEM designed by Microsoft. You're talking

gibberish. If it actually was directly under your control it could be
useful. The implementation is flawed. This is very noticeable when
transferring applications from a older version of Windows to a new one
where UAC takes it upon it self to either give or reject permissions
where previously XP may have been and likely was set up differently.
The result can be a hodgepodge of messed up settings where UAC
decides, again on its own, this application is ok to have permission
to do blah, blah, but oh, not this one. How anyone can suggest this is
progress or a good idea is beyond me.

Applications that don't prompt for admin permission DON'T GET IT - they run
as if a standard user had executed them. This IS PROGRESS. Applications that
don't need admin privileges have no business running with them, even if the
user is an administrator.

In its current form, here's how UAC works:

1) The application tells Windows how much privilege it needs to run (either
nothing special, as much as possible, or have to have administrator). If an
app doesn't tell Windows what privilege it needs, Windows assume the app
doesn't need any special privileges.

2) If the user wants to be prompted for the privileges the app requests,
they will be prompted, and the app will only be run if the user wants it to

As you can see, there is no magic or hocus-pocus going on. The amount of
privilege an application receives is decided by the APPLICATION and the
USER - *Windows has no say in it at all*.

If a non-administrative application doesn't work correctly when running as a
standard user, then that's the developer's fault for not programming their
application correctly.

If an administrative application doesn't correctly indicate to Windows that
it needs admin privileges, than the user will have to explicitly give it
such privilege by right-clicking it and clicking run as administrator.

UAC does not decide what privilege to give an application - it forwards the
application's request of privilege to the user and defers to them to approve
or deny, depending on the settings the user has specified.

The concept is good, but the implementation is awful. A correct way to
proceed would be like many firewall applications behave when you first
install them. You install a firewall who's job it is to sit between
you and the Internet. Its purpose is to act as a traffic cop either
allowing or blocking access to incoming and outgoing applications that
wish access to the outside world. The UAC does no such thing, it just
does WHAT IT WANTS as in the example I gave. You then can't change the
behavior IT, not you, assigned. Again, that's not progress, that's
stupidity.

UAC is not a firewall. To liken it to a firewall would be incorrect - they
are conceptually two very different things.

You CAN change the behavior of UAC, and UAC does what the USER and the
APPLICATION decide on doing.

No, Vista's UAC is BROKEN and it breaks applications that worked in
previous versions of Windows and even breaks applications that are
suppose to be "Vista Ready". That blame falls squarely on Microsoft's
shoulders for not tesing compatibility BEFORE dumping Vista on the
unsuspecting masses that didn't expect the new version of Windows to
in effect prevent much of a user's software from funcioning. If you're
lucky at worst you get a nag screen you can click through. Often, you
can't easily control your own applications, Microsoft attempt to be
your mommy if you ask it to or not. Thanks, but no thanks.

Again, application compatability issues exist in all new versions of an OS.
This will pass, as it always does, as compatible apps are released.

So what you're saying is in spite of Windows being in "development"
for twenty years the Microsoft software engineers STILL haven't got a
version that actually works as advertised. Somehow that just don't cut
it with me. How much more time you think they will need? Just imagine
if this was any other industry. They would be laughed out of business.
At the core of many of Windows inbreed problems is the newest version
of Windows builds on the previous version in part in order to have
backward compatibility. That's a double edge sword at best. Whatever
is wrong or a clumsy "feature" of Windows gets carried into the next
version and in time (surely 20 years is enough) the result is a
hodgepodge of patched code, bloated code and code that barely works
and sometimes don't under certain situations. I see UAC as a clumsy
attempt to try to "fix" a lot of ills that's always infested Windows
and made it a easy target to hackers. The bottom line is Windows has
always been a sloppy, ill tested hodgepodge of sometimes it works,
someitmes it don't bloated coding.

First you complain about the LACK of application compatibility, and then you
complain about the EXISTANCE of it? I am confused. Microsoft walks a thin
line between application compatability and adding new features, just like
every other OS and application manufacturer.

You think? Well kid, you're dead wrong. I have some vintage Windows
3.1 era software running just fine on Vista. That kind of blows a
giant hole in your arguement I would think.

LOL. You're right. I meant to say "Programs that NEED ADMINISTRATIVE
PRIVILEGES have to do that now." Which probably applies to the software you
were trying to run.

Further you seem confused. The question isn't was the program working,
rather Vista kept refusing to initalize it because of some half-ass
rights it ALREADY had if you can believe what Vista is showing under
the security tab for the application in question. That to me says
Vista is dumb. Very, very dumb.

You seem confused as to what the security tab represents. It does not
represent what privileges are assigned to the application.

No, because Vista halted it dead in its tracks at the application's
splash screen with the warning box on top of it preveing you from
doing anything other than to curse Windows for being so damn dumb.

I believe the application was the one issuing the error, not Windows, most
likely because it needed you to give it administrator permission (right
click -> run as administrator).



--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Adam Albright]

Microsoft's OS isn't unsafe - the applications that run on it are.

LOL! That's the biggest whopper I've seen posted here yet. If
Microsoft's OS was "safe", why does Microsoft constantly issue
"SECURITY" updates, CRITICL patches and Service Packs for Windows?
SP2 was 250MB in size!

These statements are true of ALL operating systems (right now).

UAC in its current form is born out of necessity.

Translation: Microsoft has thrown in the towel accepting its Windows
versions are so buggy and primed to be easy hacker targets the only
thing it can do short of weekly "critical updates" is constantly
challenge much of the software on your system by asking moronic
questions like are you sure you want to do this or that which do
little other than to offer a sense of false security.

I think future versions of
UAC will be much more pleasant to work with, and offer much more visible
benefits.

So that's just your way of saying that the current form of UAC sucks
big time and is more of a nussiance than a help and accept that the
vast majority of users after seeing what a total mess it is and how
clumsy it is to work with will simply turn it off.

 

[Adam Albright]

How do you figure that giving the user so much more control over the
computer than ever before is likened to the patriot act?

If you read the entire Patriot Act you'll see the Bozos in Congress
who most freely admit they NEVER READ IT before voting on the bill and
making it law, takes away or infringes on Constitutional guarantees
like the protection against unwarranted searches or due process in our
legal system. In case you don't know, it is now "legal" for the police
to search your home without warrant or even advising you they were
there afterwards. It is now "legal" to be simply suspected of
terrorist activity and be taken away to a undisclosed place and held
there without benefit of legal council or even having formal charges
made. That should scare the crap out of all Americans.

In a similar vain, Microsoft, the 800 pound gorilla, has decided it,
not you, determines how to restrict use of your software, without your
input.

If you think this is giving users "so much more control" you're
delusional pal. In the example I gave I clearly detailed how Microsoft
prevented me from running software installed on XP and capable of
running on Vista (it is right now with UAC turned off) after I did a
install in place which obviously as you know keeps your installed
software. NOTHING I do allows me to change the permissions on some of
MY software. The so-called security tabs are either grayed out the
boxes to check options are missing totally.

If you continue to defend such moronic practices as "good things" I
think we will have some interesting discussions in the future.

 

[Dave Wood [MS]]

A quick note: If you register your ActiveX controls in HKEY_LOCAL_MACHINE in
the registry then normally that will require admin privileges, because
modifying HKEY_LOCAL_MACHINE changes the state of the system for all users.

However, you should instead be able to register controls for the current
user only in HKEY_CURRENT_USER which won't require admin privileges and thus
no UAC prompting will be required.

Dave Wood