UAC Tweaking

  • Thread starter Thread starter Mark Veldhuis
  • Start date Start date
M

Mark Veldhuis

Hi,


Is it possible to tweak UAC in a way that everything is disabled,
*except* the protected mode in IE7? That is one feature I find useful,
the others I can do without.


Regards,
Mark Veldhuis.
 
I don't know to a way. Unfortunately, disable UAC and you also disable
protected mode in IE 7.0

--
John Barnett MVP
Associate Expert
http://xphelpandsupport.mvps.org
http://vistasupport.mvps.org

The information in this mail/post is supplied "as is". No warranty of any
kind, either expressed or implied, is made in relation to the accuracy,
reliability or content of this mail/post. The Author shall not be liable for
any direct, indirect, incidental or consequential damages arising out of the
use of, or inability to use, information or opinions expressed in this
mail/post..
 
Kind of ...

If you go into the Local Security Policy MMC under Administrative Tools in
the control panel, browse to Local Policies and click on Security Options,
and then change the option labeled "User Account Control: Behavior of the
elevation prompt for administrators in Admin Approval Mode" to "Elevate
Without Prompting", then UAC will behave like this:

- Programs that are marked as requiring admin privileges will automatically
run with admin
- Programs that are NOT marked as needing admin privs will NOT receive admin
privs

So, you will still run into circumstances where you will have to work around
UAC (i.e. where a program requires admin permissions but it is not marked as
such), but this gives you the best of both worlds.
 
Hi,

Kind of ...
Click to expand...

<snip>

Thanks Jimmy. I will try this and see how it works.
I am running Vista Ultimate RC2 right now, and will purchase Home
Premium when it's available in the stores. Do you know if the Local
Security Policy MMC is also available in that version, or only in
business/more expensive versions of Vista?


Regards,
Mark Veldhuis.
 
I'm fairly certain it is. If it turns out it's not ,there's a registry key
that can be set instead.

Also, I should point out that configuring UAC as I described allows any
application that requests admin permission to get it, including applications
that you may not know is requesting admin permission or want to have admin
permission. :)
 
If the option you describe allows any application that requests admin
permission to get it, is it wise to even tamper witht he option, surely that
is defeating the object of UAC? You are causing a security headache for
yourself.

--
John Barnett MVP
Associate Expert
http://xphelpandsupport.mvps.org
http://vistasupport.mvps.org

The information in this mail/post is supplied "as is". No warranty of any
kind, either expressed or implied, is made in relation to the accuracy,
reliability or content of this mail/post. The Author shall not be liable for
any direct, indirect, incidental or consequential damages arising out of the
use of, or inability to use, information or opinions expressed in this
mail/post..
 
Agreed ... however, some people are going to turn it off, regardless; this
is a better way of doing it that shutting it down completely, so I'd rather
people do this :)
 
I'd like a way for it to work where you only see a prompt for elevation when
it's a result of something that you *didn't* just ask to do yourself. All
the annoyances would fall away then, and you'd only be alerted when there's
some other action occurring on the system.
 
Mark Veldhuis said:
Hi,


Is it possible to tweak UAC in a way that everything is disabled,
*except* the protected mode in IE7? That is one feature I find useful,
the others I can do without.
Click to expand...

DON'T DISABLE THE UAC.
 
You appear to be stuck in a continuous loop.. have you tried rebooting?
 
I agree. However, as was discussed at length in another thread, the
implementation of this is very, very tricky. Answering the question "Did the
user knowingly cause X program to run and intend for it to have admin
powers" (without asking the user) is NOT easy.
 
I have a qestion: i have been looking around in this forum but i couldnt
really find an answer to my question: is there really no way allow a certain
programm to start once and for all??!!! I have to verify Battlefield 2142
every time i want to run it. Isnt there a way to tell my pc that its ok to
run that?? i do run it 'as admin' (settings>compatibility) but dont know if
that has anything to do with my problem ( i think i need it to be on for it
to runn at all or sth...) i also gave all users every right as far as i can
tell (i only created one account which im using but if i rightklick on the
programm and go to the security tab theres Everyone, system, admins, and
users) and i gave vull acces to admins and users (because im not quite sure
which one im using...) i just cant believe microsoft was so stupid not to
give you the option to confirm that and let it remember.

thanks for your help

ps: also on the program icon theres taht microsoft shield. im assuming it
has sth to do with the problem described above but im not sure what it means.
thank you)
 
ndepal said:
I have a qestion: i have been looking around in this forum but i couldnt
really find an answer to my question: is there really no way allow a certain
programm to start once and for all??!!! I have to verify Battlefield 2142
every time i want to run it. Isnt there a way to tell my pc that its ok to
run that?? i do run it 'as admin' (settings>compatibility) but dont know if
that has anything to do with my problem ( i think i need it to be on for it
to runn at all or sth...) i also gave all users every right as far as i can
tell (i only created one account which im using but if i rightklick on the
programm and go to the security tab theres Everyone, system, admins, and
users) and i gave vull acces to admins and users (because im not quite sure
which one im using...) i just cant believe microsoft was so stupid not to
give you the option to confirm that and let it remember.

thanks for your help

ps: also on the program icon theres taht microsoft shield. im assuming it
has sth to do with the problem described above but im not sure what it means.
thank you)
Click to expand...

UAC is meant to work without a "remember" feature, like many firewalls
or HIPS have, in order to make sure that no one else but you allows a
program to start; with no one else I meant nothing else: malicious
script files, rootkits etc...So as long as UAC is turned on, you'll be
prompted. Checking the run as admin box in an application properties
just means that you will be prompted to allow this application to run
with admin privilege. This is only useful when UAC restricts an
application rights for instance, and does not prompt you to decide. I've
got the case of CCleaner that wouldn't delete everything if not run with
admin privilege. If you start it normally, UAC won't prompt you, but it
just won't allow the program to run properly, it will just let it start
without popping up any kind of warning.
Now if you don't want to be bothered with UAC prompting you to allow
BF2142 to run, turn UAC off, it's the only way. If you use security
software like Spyware Terminator, System Safety Monitor or Coreforce
that integrate HIPS, it's not such a big deal to turn UAC off. When I
started to run Vista, I almost immediately turned UAC off, just found it
very upsetting; I was using Spyware Terminator and felt safe enough with
that. For resource issues I had to uninstall ST, and turned UAC back on,
and I'm getting used to it now. Not to mention that UAC does protect
your system very efficiently, and allows IE7 to run in protected mode,
if you want.I'm not a IE7 user, but I appreciate that MS finnaly did
something concerning IE security. Next step will be to enhance this
browser features and make them match Firefox features. That's for 2025,
or 2142 lol.

cheers
hermes

ps. totally out of topic, I wanted to ad: The presence of IE7 in Vista
is a real shame.The idea of the protected mode was good, but not enough
to stop me from thinking that this bloody browser should not exist
anymore. It's an insult to users.
 
thank you very much for the quick response! it really helped me understand
uac a lot. i'm gonna check those anti-spyware programs out you mentioned. the
only thing i still have a problem with is that on helpero
(http://www.helpero.com/Questions-an...ndows/What-is-User-Account-Controls_9877.html)
and other sites there is a way described to change certain settings of UAC.
the only problem is: when i go to the control pannel (in my german versio of
vista) theres no such thing as administrative tools. there is the accounts
menu or the security, hardware, programs time language region, settings to
change desktop and stuff and the system options (with the power management in
it) so i cant find the UAC settings. is it possible that that description
only applied to some RTM version and is not available anymore? since when i
enter secpol.msc in the run-window windows doent find it... whats the deal
with that?

thanks in advance
 
ndepal said:
thank you very much for the quick response! it really helped me understand
uac a lot. i'm gonna check those anti-spyware programs out you mentioned.
the
only thing i still have a problem with is that on helpero
(http://www.helpero.com/Questions-an...ndows/What-is-User-Account-Controls_9877.html)
and other sites there is a way described to change certain settings of
UAC.
the only problem is: when i go to the control pannel (in my german versio
of
vista) theres no such thing as administrative tools. there is the accounts
menu or the security, hardware, programs time language region, settings to
change desktop and stuff and the system options (with the power management
in
it) so i cant find the UAC settings. is it possible that that description
only applied to some RTM version and is not available anymore? since when
i
enter secpol.msc in the run-window windows doent find it... whats the deal
with that?

thanks in advance
Click to expand...

Hello ndepal,
Firstly I noticed from a coment that you posted on the Helpero site that you
are running Vista Home Premium. Unfortunately you can only get access to the
Group Security Policy Editor 'secpol.msc' if you have either Vista Business
Editon or Vista Ultimate Edition. For reasons of simplification of the
system, this is one of the things left out of the 'Home' Editions of Vista.
(This was also the same on XP, the home edtion didn't have the Group Policy
Editor, whilst XP Professional did).
As for not finding Administrative Tools in Control Panel, which view of the
Control Panel are you looking at? If you choose the 'Classic View' of
Control Panel you should see an icon for Administrative Tools on the top
row, second from left. BUT again because you are running Vista Home Premium
the link in the Adminstrative Tools that the Helpero article talks about
won't be available to you. It's a but naughty of Helpero not to make clear
that their article referes to things that are only available to people
running either Business Edtion, Ultimate Edition or the Enterprise Edition
of Vista.

Jonathan.
 
thank you very much jonathan! now it finally makes sense. since my last post
here i have sorta gotten used to uac...
i still havent been able to find the administrative tools... you told me
where they are in the english version of vista but i guess it has a different
name in german so its somewhere else. the second from the left on my pc is
'autoplay'...
maybe were talking about 'user accounts' here? but i guess its not that
important since now i dont need to find it anymore...

thank you for your help.

ndepal

:>
 
Back
Top