How to declare a program as "trusted"

Guest

How can I declare a program I know as "trusted" so that UAC does not always
ask me for authorization to run it?
Thanks for suggestions
 
Kerry Brown

You can't. It would defeat the purpose of UAC. What would stop programs from
changing this setting themselves?
 
Guest

Hello,
For instance by asking for my password. Can't UAC distinguish between my
input as user and what the program tries to do?

Once you've pre-approved an application to run elevated without consent, the
cat is out of the bag. Other programs can run that program and bypass their
privilege restrictions.

Imagine the case where you mark the command prompt as
always-elevated-without-prompt. Other programs could start a command prompt
and then run some payload from that elevated command prompt with full
privileges - without you knowing about it - thus defeating the purpose of UAC.

As for your second point, YES Windows can be made to tell whether you are
performing UI - but it CANNOT know what you intend to do with the UI.

To use my command prompt example, Windows could be modified so that a
program could only launch the elevate-without-prompting command prompt when
you, say, click a button. But a malicious program could pop up a message box
saying you won a thousand dollars and only offer one button, OK, for the user
to click on to dismiss the dialog - and when the user clicks that button, WHAM,
the payload would be executed.

Windows CAN tell when you are doing UI ... Windows CANNOT tell what you
intend to accomplish by performing the UI, nor what an application will do
with said UI.

- JB
 
Jupiter Jones [MVP]

Are you using one of the Beta builds or RTM?
UAC has steadily gotten better.
I rarely see it in RTM and have left it enabled.
 
Guest

I'm in the same boat here. I mark a program as trusted and was getting
pop-ups every time I used it (including I.E. 7). I got so tired of it that I
just shut down the UAC and have been pop-up free ever since...
BTW: I'm running Vista RC1 (bummer), missed the boat on RC2... And stuck
waiting for Vista to hit the stores...
--
Just when you thought you had the top of the line system...You find out that
you have to upgrade yet again. The pain gasp!!
The suffering!!
Until Payday!!! :)
 
David J. Craig

You now have a system that anyone can use to access the computers and
servers protected by the VPN. Why use a VPN at all? Just put your
company's data on an open IP address so the world can do whatever they want
with it.
 
Jimmy Brush

Hello,

You can make/change the manifest to tell Windows how much privilege the
specific application needs; however, this won't allow you to always trust an
application. If you specify in the manifest that the application needs
administrator privileges then the system will prompt with UAC.


- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
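
An added example, not part of the original post or any poster's code: a Python sketch that reads `requestedExecutionLevel` from an application manifest and reports whether launching it leads to a UAC prompt. Both manifests are constructed samples, the function names are hypothetical, and default UAC policy is assumed.

```python
import xml.etree.ElementTree as ET

# What UAC does at launch for each requestedExecutionLevel value.
# No value means "elevate without asking".
LEVELS = {
    "asInvoker": "runs with the caller's token, no prompt",
    "highestAvailable": "prompts when the user can obtain a higher token",
    "requireAdministrator": "needs an administrator token, prompts with UAC",
}

def uac_behavior(manifest_xml):
    """Return (level, ui_access, description) for a manifest string."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # trustInfo is seen under asm.v2 and asm.v3; compare local names only.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level", "asInvoker")
            ui_access = elem.get("uiAccess", "false").lower() == "true"
            return level, ui_access, LEVELS.get(level, "unrecognized level")
    return None, False, "no requestedExecutionLevel declared"

def prompts_at_launch(manifest_xml, user_is_admin):
    """True if starting the program raises a UAC prompt (default policy).
    Legacy heuristics for unmanifested programs are not modelled."""
    level = uac_behavior(manifest_xml)[0]
    if level == "requireAdministrator":
        return True
    if level == "highestAvailable":
        return user_is_admin
    return False

# Constructed samples. Manifests pulled from untrusted binaries should be
# parsed with a hardened XML parser instead.
SAMPLE_ADMIN = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

SAMPLE_INVOKER = SAMPLE_ADMIN.replace("requireAdministrator", "asInvoker")

if __name__ == "__main__":
    for name, xml in (("admin", SAMPLE_ADMIN), ("invoker", SAMPLE_INVOKER)):
        print(name, uac_behavior(xml), prompts_at_launch(xml, True))
```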
 
Guest

You can change the Windows integrity level as I understand and am currently
working with. Let me know if this makes sense to everyone:

http://www.minasi.com/vista/chml.htm

Check out the above link.

Users can change the integrity level of an object if they have the SeRelabel
Privilege.

You can remove, edit and change the Windows integrity levels via this
command line program and write a new SDDL to the file. You can read the
mandatory levels with the Vista command line tool ICacls (I can run this
command from either an elevated command prompt or just the regular command
prompt, and I have been able to view Mandatory labels). You just need read
permission for the object in order to view the mandatory label.

Here is an example:

c:\users\wosully\appdata\locallow OSULLIVAN\wosully:(F)
                                  OSULLIVAN\wosully:(OI)(CI)(IO)(F)
                                  NT AUTHORITY\SYSTEM:(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                  BUILTIN\Administrators:(F)
                                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                  Mandatory Label\Low Mandatory Level:(OI)(CI)(N
 
Guest

The integrity level of an object controls what applications can modify that
object. Changing the integrity level of an .exe would control what
applications can modify the actual .exe file, not what integrity level the
application runs at.

Of course, if you are a programmer and researched it enough you could
probably make a program that implements some sort of "trust always"
functionality, but this functionality is not built into Windows and I
believe it would be doing a great disservice to users to make such a program.
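
An added example covering the two posts above on SDDL and mandatory labels (not code from the thread or from the linked tool): a Python sketch that pulls the mandatory label ACE out of an SDDL string and applies the write-up check, showing that a label above the caller's level blocks modification of the file. The SDDL strings are constructed samples and the function names are hypothetical.

```python
import re

# Integrity levels as the last sub-authority of S-1-16-<rid>, by SDDL alias.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
POLICY = {"NW": "no-write-up", "NR": "no-read-up", "NX": "no-execute-up"}

# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid), type ML = label.
ML_ACE = re.compile(r"\(ML;([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")

def parse_label(sddl):
    """Return (level_rid, policies) for the mandatory label in an SDDL string.

    An object without a label ACE is treated as Medium with no-write-up,
    so that is the fallback. Rights are expected as two-letter codes.
    """
    match = ML_ACE.search(sddl)
    if not match:
        return 0x2000, {"no-write-up"}
    _flags, rights, sid = match.groups()
    if sid in LEVELS:
        rid = LEVELS[sid]
    elif sid.startswith("S-1-16-"):
        rid = int(sid.rsplit("-", 1)[1])
    else:
        raise ValueError("not an integrity-level SID: " + sid)
    policies = {POLICY[rights[i:i + 2]] for i in range(0, len(rights), 2)}
    return rid, policies

def may_write(process_rid, sddl):
    """Mandatory-label check only; the DACL must still grant the access."""
    rid, policies = parse_label(sddl)
    return process_rid >= rid or "no-write-up" not in policies

# Constructed samples: a Low-labelled folder and a High-labelled executable.
SAMPLE_LOW_DIR = "S:(ML;OICI;NW;;;LW)"
SAMPLE_HIGH_EXE = "O:BAG:BAD:(A;;FA;;;BA)S:(ML;;NW;;;HI)"

if __name__ == "__main__":
    for who, rid in (("Low", 0x1000), ("Medium", 0x2000), ("High", 0x3000)):
        print(who, "process may write High-labelled exe:",
              may_write(rid, SAMPLE_HIGH_EXE))
```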
 
Jimmy Brush

Hello,

What applications do you run all the time that require administrator
privileges? I would guess that either they really should not need admin
privileges, or they could be redesigned to reduce or eliminate prompts :).

I think once the Vista-compatible applications are released, this will be
much less of a problem.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
 
Guest

I've got the same issue, and I'm willing to take the risk and allow SOME
programs to auto run with full privileges.

The one program I use that wants confirmation EVERY time. Microsoft Visual
Basic Express 2005
 
