Thursday, April 3, 2008

aka "How to never by annoyed by UAC again"
My last post was a lame April Fool's joke. I wasn't seriously proposing that we replace the UAC prompt with a Captcha. It would kinda sorta make sense in some scenarios, but we've already solved the problem* differently. And captchas are annoying. Necessary evil, but annoying. (Isn't it truly weird that Captchas are the first step to Bladerunner-esque interrogations?)

*What problem? One of the things AUC addresses: If you are an admin user on Vista, your applications (mostly) run in normal user context - that is the core feature of UAC on Vista. If any (potentially) malicious software is running on your computer (in user context), you don't want it to be able to silently elevate to system context and open up firewall ports/reconfigure your system/etc.

(Yes, malware, even in user context, can probably send your credit card details to the other side other planet...malware running in system context is worse though, as it can reconfigure anything on the system to turn your computer into a spam zombie or botnet node/spy on other users/etc.)
If we didn't prompt the user before launching code in system context (from user context), malware could do literally anything to your machine (without you knowing) as soon as you doubleclicked on SeeParisHiltonNaked.exe. (Replace Paris Hilton with whoever you really really want to see in the nude.)

The AUC prompt is displayed on a dark background because it is running in a different screen session - the malware (back in user context) can't see the prompt/automatically click on it/etc. (If we displayed a captcha at this point (instead of an Allow/Cancel prompt) the malware back in user context won't be able to see it, or perform any action on it. The black frame means that only you, the user, and the Windows OS, can see (or interact with) any content on the screen.)

So - UAC prompts: Neccesary evil. Well...Neccesary evil to protect you from true evil.

Unless, of course, you generally know what you are doing.

You can easily configure UAC to never prompt you. You do, of course, need to be careful when downloading and running any software downloaded from the internet - you don't want random code from the internet to be able to get into system context on your machine.

But, if you always go "Hmm, is this a good idea to do this?" when you see the UAC shield on a button/ don't need to see a UAC prompt, do you?

If you are a user with administrator priviledges:

To remove the prompt - run gpedit.msc, go to Local Computer Policy - Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.
Look for 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' in the list on the right, and set it to 'Elevate without prompting'
Then, run 'gpupdate' from an elevated command prompt.

And you'll never see any UAC prompts, ever again.

But you have to promise to never run random executables off of the internet - stick to or Paint.Net - stuff people trust. Stay away from SeeHarrisonFordNaked.exe.


[deXter] said...

Uhm, is the "" mention a slip-up or sarcasm? (I mean, what with all the holes in Flash and everything..)

Anyways, my question is: If the UAC prompt is disabled in this manner, would it also remain disabled for limited user accounts?

Andrew said...

So are you saying that this will remove the prompt - yet still allow the same protection or capability that UAC provides? For example - is this the same as just turning off UAC or is UAC just in full operation - just without a prompt?

Soma said...

"Is the '' mention a slip-up or sarcasm?"
A 'slip-up' - My point was that software from large vendors is much less likely to be malware. I have Flash installed on my computer, like almost everybody else on the planet. :) (Who wants to go without YouTube?)
Adobe will patch Flash very soon, I'm sure. If you are paranoid, you can uninstall it until they release a patch. Most people aren't that paranoid.

"If the UAC prompt is disabled in this manner, would it also remain disabled for limited user accounts?"
Anybody running in a 'limited' (non-admin) user account will still get the admin-password prompt. As they should - they aren't admins!

"is this the same as just turning off UAC or is UAC just in full operation - just without a prompt?"
This is *not* turning off UAC.
If you turn off UAC, all programs run with full permissions (if you are a user with administrator priviledges)
If you *disable* the AUC prompt, your software still runs without administrator priviledges (even though your user account has administator priviledges) - Any program on your computer can silently (without you knowing) elevate to full admin/system you should only run things you trust.

This is still *somewhat* better than running with AUC off - If your progam gets data off of the internet (eg a Bittorrent client, etc) and it has a buffer overrun...A random attacker on the internet could take over that program. And (now that I think about it) silently (without you knowing) elevate to full administrator/system context code - because you disabled the UAC prompt... long you are very sure that the programs on your computer aren't malware...and you are sure they don't contain any buffer overruns or other security are safe.

aaron.axvig said...

Much easier, although I suspect not exactly the same thing: Open control panel, type "Disable UAC", click the first result.

Mugunth Kumar said...

The most annoying this in the prompt is that, "An un-identified program wants to access this computer..." {0asddfkh-ajey-qhwif78-fhi3-qwr783}
How the hell do I know what programs' guid is that? Why can't you just display the executable path? Secondly, why don't you just start the program with least privileges and elevate it when it needs to perform admin tasks?
For example I start regedit from an admin account. Start it with least privileges and when I edit a HKEY_LOCAL_MACHINE key, elevate it. When I edit a HKEY_CURRENT_USER key, don't do anything. I like the Windows Defender Software Explorer design. It starts up normally showing current user tasks. But when I click the "Show All users", the task is elevated and I get to see all users' tasks. Elevate only when absolutely necessary. Avoid elevating at program startup. Sometimes people just get used to it and click "Allow" in the UAC prompt...

Craig said...

Hold on

What is AUC?

Chris Knight said...

UAC = tell the vendor to stop shipping crap software

UAC != enhanced security

Mindless clicking leads to the same old problem. At the end of the day, Joe Average has no idea what UAC is preventing. There's absolutely no useful context provided in the UAC prompt as to what the user is being asked to elevate. The Defender prompts are only slightly better.

Registry virtualisation and system file virtualisation helps, as will behavioural analysis of software, but we've got a way to go yet.

lx said...

Yeah, but if the UAC window pops up while Joe is working with ms paint / [insert other program here] or maybe even doing nothing at all, then the chances are good that he might be sceptical.
UAC is a good start and there isn't really someone who has a better solution implemented to this problem right now (correct me if i'm wrong).

Of course there is and will always be a very stupid user; you can't do anything about it.

To end this post with a quote:

"Programming today is a race between programmers striving to build bigger and better idiot proof programs, and the universe trying to build bigger and better idiots. So far the universe is winning"

Lebegő Alma said...

Hi there!

I was wondering if the next windows could have a real dedicated folder for temporary files.
It has such now.. but there are many other folders where are stuff which I can delete to get more space ( like before a proper defragmentation )( folders like the thumbnail cache, like iexplorer cache etc...).

This would be great when ALL of such files would be placed in to that folder. And maybe other third party software would find it useful to use that folder too.


Mugunth Kumar said...

@Lebego alma,
Actually there is a handler that should be implemented by every application that creates huge temporary files. This handler is the one that notifies Windows Disk Cleanup utility to remove its files. Unfortunately, it's not properly implemented by the third-party vendors... I'm not sure whether this is a mandatory implementation for the "Designed for Windows Vista" logo program...
May be Soma can throw us some light on that...

Lebegő Alma said...

Mugunth Kumar
Thank you for this info, however I think it is much much easier to create such temp folder and tell everyone to use it. This is not a brainer for any software developer, but telling windows Disk Cleanup where to delete and what... I think you know what I mean. And btw, who uses that utility anyway? :D

Mugunth Kumar said...

Yeah, that's a kind of neat implementation... but, having more APIs means porting the application becomes a problem. If porting becomes a problem then application migration will be time-consuming. If it becomes time consuming, then, no one will do it. So a Windows app will not be available for Mac. Which effectively means, Switching to a diff os is simply impossible... Registry, Dll Hell are all indirect way of doing the same thing... (If developing for Windows is so complex why do many ppl write windows app?) the answer is, M$'s very powerful IDE...that does magic behind...

laptop battery said...

acer btp-620 btp-39d1 btp-39sn ms2103 laptop battery
acer travelmate 22x 23x 26x 28x btp-43d1 laptop battery
acer 916-2350 BT.A0807.002 SQU-207 laptop battery
acer BT.A1007.002 SQU-302 laptop battery
asus a4 a4d a4g a4k a4l a4s a4000 a42-a4 laptop battery
A32-F3 Battery ASUS F3 F3J F3Q F3JA F3JM F3JF Hi-Capaci laptop battery

battery for COMPAQ M300 N400 146630-001 291694-001 laptop battery
Battery fits COMPAQ Presario 1200 1600 1800 116314-001 laptop battery
Battery For Compaq Presario 311227-001 PP2162S Laptop laptop battery
battery for COMPAQ N150 PP2111X 232060-001 231962-001 laptop battery
Notebook Laptop Battery for Dell D9200 D5318 G5260 laptop battery
6600mAh Battery fits DELL XPS M1210 NF343 HF674 NEW laptop battery

3cell Battery for Dell Latitude X1 T6840 312-0342 Y6457 laptop battery
New Dell Inspiron B130 1300 b120 Battery 312-0416 56whr laptop battery
Gateway M360 M460 M680 8-Cell Notebook Battery 6500949 laptop battery
New Battery for HP M2000 Series DV1000 DV4000 laptop battery
Battery For HP F2019 F2019A F2019B 6000 VT6200 XT6200 laptop battery
Battery For HP HSTNN-IB04 346970-001 HSTNN-DB02 DP399A laptop battery

9999 said...


明男 said...

情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣用品,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,情趣,美國aneros,rudeboy,英國rudeboy,英國Rocksoff,德國Fun Factory,Fun Factory,英國甜筒造型按摩座,甜筒造型按摩座,英國Rock Chic ,瑞典 Lelo ,英國Emotional Bliss,英國 E.B,荷蘭 Natural Contours,荷蘭 N C,美國 OhMiBod,美國 OMB,Naughti Nano ,音樂按摩棒,ipod按摩棒,美國 The Screaming O,美國TSO,美國TOPCO,美國Doc Johnson,美國CA Exotic,美國CEN,美國Nasstoy,美國Tonguejoy,英國Je Joue,美國Pipe Dream,美國California Exotic,美國NassToys,美國Vibropod,美國Penthouse,仿真按摩棒,矽膠按摩棒,猛男倒模,真人倒模,仿真倒模,PJUR,Zestra,適趣液,穿戴套具,日本NPG,雙頭龍,FANCARNAL,日本NIPPORI,日本GEL,日本Aqua Style,美國WET,費洛蒙,費洛蒙香水,仿真名器,av女優,打炮,做愛,性愛,口交,吹喇叭,肛交,魔女訓練大師,無線跳蛋,有線跳蛋,震動棒,震動保險套,震動套,TOY-情趣用品,情趣用品網,情趣購物網,成人用品網,情趣用品討論,成人購物網,鎖精套,鎖精環,持久環,持久套,拉珠,逼真按摩棒,名器,超名器,逼真老二,電動自慰,自慰,打手槍,仿真女郎,SM道具,SM,性感內褲,仿真按摩棒,pornograph,hunter系列,h動畫,成人動畫,成人卡通,情色動畫,情色卡通,色情動畫,色情卡通,無修正,禁斷,人妻,極悪調教,姦淫,近親相姦,顏射,盜攝,偷拍,本土自拍,素人自拍,公園露出,街道露出,野外露出,誘姦,迷姦,輪姦,凌辱,痴漢,痴女,素人娘,中出,巨乳,調教,潮吹,av,a片,成人影片,成人影音,線上影片,成人光碟,成人無碼,成人dvd,情色影音,情色影片,情色dvd,情色光碟,航空版,薄碼,色情dvd,色情影音,色情光碟,線上A片,免費A片,A片下載,成人電影,色情電影,TOKYO HOT,SKY ANGEL,一本道,SOD,S1,ALICE JAPAN,皇冠系列,老虎系列,東京熱,亞熱,武士系列,新潮館,情趣用品,情趣,情趣商品,情趣網站,跳蛋,按摩棒,充氣娃娃,自慰套,G點,性感內衣,情趣內衣,角色扮演,生日禮物,生日精品,自慰,打手槍,潮吹,高潮,後庭,情色論譠,影片下載,遊戲下載,手機鈴聲,音樂下載,開獎號碼,統一發票號碼,夜市,統一發票對獎,保險套,做愛,減肥,美容,瘦身,當舖,軟體下載,汽車,機車,手機,來電答鈴,週年慶,美食,徵信社,網頁設計,網站設計,室內設計,靈異照片,同志,聊天室,運動彩券,大樂透,威力彩,搬家公司,除蟲,偷拍,自拍,無名破解,av女優,小說,民宿,大樂透開獎號碼,大樂透中獎號碼,威力彩開獎號碼,討論區,痴漢,懷孕,美女交友,交友,日本av,日本,機票,香水,股市,股市行情, 股市分析,租房子,成人影片,免費影片,醫學美容,免費算命,算命,姓名配對,姓名學,姓名學免費,遊戲,好玩遊戲,好玩遊戲區,線上遊戲,新遊戲,漫畫,線上漫畫,動畫,成人圖片,桌布,桌布下載,電視節目表,線上電視,線上a片,線上掃毒,線上翻譯,購物車,身分證製造機,身分證產生器,手機,二手車,中古車,法拍屋,歌詞,音樂,音樂網,火車,房屋,情趣用品,情趣,情趣商品,情趣網站,跳蛋,按摩棒,充氣娃娃,自慰套, G點,性感內衣,情趣內衣,角色扮演,生日禮物,精品,禮品,自慰,打手槍,潮吹,高潮,後庭,情色論譠,影片下載,遊戲下載,手機鈴聲,音樂下載,開獎號碼,統一發票,夜市,保險套,做愛,減肥,美容,瘦身,當舖,軟體下載,汽車,機車,手機,來電答鈴,週年慶,美食,徵信社,網頁設計,網站設計,室內設計,靈異照片,同志,聊天室,運動彩券,,大樂透,威力彩,搬家公司,除蟲,偷拍,自拍,無名破解, av女優,小說,民宿,大樂透開獎號碼,大樂透中獎號碼,威力彩開獎號碼,討論區,痴漢,懷孕,美女交友,交友,日本av ,日本,機票,香水,股市,股市行情,股市分析,租房子,成人影片,免費影片,醫學美容,免費算命,算命,姓名配對,姓名學,姓名學免費,遊戲,好玩遊戲,好玩遊戲區,線上遊戲,新遊戲,漫畫,線上漫畫,動畫,成人圖片,桌布,桌布下載,電視節目表,線上電視,線上a片,線上a片,線上翻譯,購物車,身分證製造機,身分證產生器,手機,二手車,中古車,法拍屋,歌詞,音樂,音樂網,借錢,房屋,街頭籃球,找工作,旅行社,六合彩,整型,水噹噹,貸款,貸款,信用貸款,宜蘭民宿,花蓮民宿,未婚聯誼,網路購物,珠海,下川島,常平,珠海,澳門機票,香港機票,婚友,婚友社,未婚聯誼,交友,婚友,婚友社,單身聯誼,未婚聯誼,未婚聯誼,婚友社,婚友,婚友社,單身聯誼,婚友,未婚聯誼,婚友社,未婚聯誼,單身聯誼,單身聯誼,婚友,單身聯誼,未婚聯誼,婚友,交友,交友,婚友社,婚友社,婚友社,大陸新娘,大陸新娘,大陸新娘,越南新娘,越南新娘,外籍新娘,外籍新娘,台中坐月子中心,搬家公司,搬家,搬家,搬家公司,線上客服,網頁設計,線上客服,網頁設計,網頁設計,土地貸款,免費資源,電腦教學,wordpress,人工植牙,關鍵字,關鍵字,seo,seo,網路排名,自然排序,網路排名軟體,