Is UAC really needed?

Jimmy Brush

Hello,

After having used UAC for months, I can say that I do indeed get used
to UAC prompts when I expect them to happen, but unexpected or
different looking UAC prompts are very, very noticeable.

Since UAC is there to make sure that a user is the one initiating an
action, this isn't as big of a deal as it seems (although it is still
an important weakness in certain scenarios), since if the user is
starting a program and it throws a UAC prompt, they are expected to
allow it to continue.

As long as the user notices unexpected UAC prompts and, if they are
expecting a UAC prompt and they notice it if it looks different than
what it usually does and that makes them inspect it more, things are
pretty good.
 
Jimmy Brush

Hello,

Unfortunately, UAC must ask every time or it would not be effective.

UAC is there not to protect you from yourself, but to protect you from
programs that would try to run themselves or trusted system components
without you wanting them to.

If UAC did not prompt every time, then malicious programs could simply
start programs that you trust and use them to take over or damage your
computer.

Imagine a simple case with a command prompt. If UAC did not prompt to
make sure you are the one who is starting a command prompt with admin
privileges every time it was opened, then a malicious program could
simply start an admin command prompt and use it to start itself with
admin privileges.

Since "admin actions" are neither inherently good nor inherently bad,
malicious programs can take advantage of any programs that perform
admin actions by using them for bad, even if those programs are
trusted by you and used for good *in your hands*.
 
Jimmy Brush

Hello,

Windows Vista does not control the prompts - your application does.

It is up to your app to include a manifest file (either compiled into
the app or as a separate file, yourapp.exe.manifest) that tells
Windows Vista how it needs to run.

Your app can tell Vista one of three things:

- It never needs admin privileges, even if the user is logged in as an
admin (asInvoker)

- It needs admin privs if the user is an admin, but it can also run if
the user is not an admin (highestAvailable)

- It must have admin privs to run, and standard users cannot run it
(requiresAdministrator)

If your application has no manifest, then the first option (no admin
privs) is assumed, unless your app is determined to be an installer,
then the third option (requiresAdministrator) is assumed.

To see if your app will work on Vista without needing to display a UAC
prompt, then create a limited user in Windows XP and see if it works.

If it doesn't, then your app may require admin privileges via a UAC
prompt in order to run correctly on Vista.
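
An added example, not part of the original post: a short Python audit helper that reads the `requestedExecutionLevel` from a manifest and falls back to the defaults described above. The sample manifest, the file names and the `looks_like_installer` flag are constructed for illustration, and the manifest schema spells the third level `requireAdministrator`.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the thread).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# What each level means, following the three options listed in the post.
LEVELS = {
    "asInvoker": "never needs admin privileges",
    "highestAvailable": "admin privileges if the user is an admin, runs either way",
    "requireAdministrator": "must have admin privileges to run",
}


def requested_level(manifest_xml=None, looks_like_installer=False):
    """Return the execution level an app declares, or the default the post
    describes when it declares none. `looks_like_installer` is a hypothetical
    stand-in for Windows' installer detection, which this code does not do."""
    if manifest_xml is not None:
        if "<!DOCTYPE" in manifest_xml:
            # Manifests need no DTD; refuse it rather than expand entities.
            raise ValueError("unexpected DOCTYPE in manifest")
        for el in ET.fromstring(manifest_xml).iter():
            # Compare local names so asm.v2 and asm.v3 namespaces both match.
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                level = el.get("level")
                if level not in LEVELS:
                    raise ValueError(f"unknown execution level: {level!r}")
                return level
    # No manifest, or (an assumption here) a manifest that declares no level.
    return "requireAdministrator" if looks_like_installer else "asInvoker"


if __name__ == "__main__":
    # Constructed file names, one per case the post lists.
    for name, xml, inst in [("tool.exe", SAMPLE_MANIFEST, False),
                            ("legacy.exe", None, False),
                            ("setup.exe", None, True)]:
        level = requested_level(xml, inst)
        print(f"{name}: {level} ({LEVELS[level]})")
```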
 
Stephan Rose

Jimmy said:
Hello,

Windows Vista does not control the prompts - your application does.

It is up to your app to include a manifest file (either compiled into
the app or as a separate file, yourapp.exe.manifest) that tells
Windows Vista how it needs to run.

Your app can tell Vista one of three things:

- It never needs admin privileges, even if the user is logged in as an
admin (asInvoker)

- It needs admin privs if the user is an admin, but it can also run if
the user is not an admin (highestAvailable)

- It must have admin privs to run, and standard users cannot run it
(requiresAdministrator)

If your application has no manifest, then the first option (no admin
privs) is assumed, unless your app is determined to be an installer,
then the third option (requiresAdministrator) is assumed.

To see if your app will work on Vista without needing to display a UAC
prompt, then create a limited user in Windows XP and see if it works.

If it doesn't, then your app may require admin privileges via a UAC
prompt in order to run correctly on Vista.

Ok wonderful, thank you. I don't foresee any problems in that case. =)

--
Stephan
2003 Yamaha R6

The reason there is never a day when I remember you
is that there has never been a time when I forgot you
 
Guest

Chris Barnes said:
I would say it's a good idea implemented badly.


Asking before programs INSTALL is a good thing.
Asking before programs run for the first time is a good thing.

Asking about the same program that is run every single day is just tiresome.


I turned it off as well. For a brief while, I was running the TweakUAC
program to turn it off for just "Administrators", but then I realized
that every user on my machine is an administrator. So I just turned it
off completely.

Actually they are not.
That's part of UAC
 
Milhouse Van Houten

This brings up a couple questions. 1) Are you saying it's impossible for an
OS to know when a user with a mouse has clicked and run something as opposed
to it happening another way? 2) As for not being able to designate that
certain tasks should always be trusted and therefore not display a prompt
next time, how do you reconcile that with the way that almost every firewall
on the market works?
 
Ronnie Vernon MVP

Not Me

Do some research and check on how many trojans and viruses disable the
installed anti-virus program on the system. Spyware is dynamic and
constantly changing to defeat programs that are designed to protect a user's
system.

Today, you must have a layered system of anti....? programs to stay safe.
UAC is just another layer, but one of the most important since it is the
module that can stop a malicious program after the program has already
defeated the others.
 
Ronnie Vernon MVP

Mick

I guess if all you do is play with SR all day, then yes, you will see a lot
of UAC prompts.

Try to contribute something useful instead of just repeating the same old,
tired rhetoric.
 
Jimmy Brush

Hello,

These are some excellent questions, and I will address them in-line.

This brings up a couple questions. 1) Are you saying it's impossible for an
OS to know when a user with a mouse has clicked and run something as opposed
to it happening another way?

Yes.

Now obviously, the OS knows where the user's mouse is and where they
click on the screen. However, the OS *does not* know what the user
intends to do with that mouse click.

From the perspective of the OS, every application that is running on
the user's system is a black box. The OS has no idea what that
application is going to do with a mouse or keyboard input.

It doesn't know if a mouse-click on that application's window is meant
to format a hard drive or close the application, because the entire
purpose of the application is to translate user input into actions
that are fulfilled by the Operating System, and the OS is not involved
in this process at all.

In fact, "users" never really run applications - an application is
ALWAYS the thing that runs other applications, whether it is explorer
running an application, a utility running a secondary application to
perform some background processing, etc.

The OS has no way to tell whether the user is intending for an
application to run based on where the mouse is, what the user clicked
on, or what buttons they have pressed on the keyboard, because it has
no idea what that application has told the user and whether the
application has made the user aware that their action will result in a
program being run.

This is where UAC comes in - when an application runs that needs full
access to the computer, the OS steps in and checks with the user to
make sure they know that the program is running and are the ones that
are running it, because it has no other way to tell if this is so.

2) As for not being able to designate that
certain tasks should always be trusted and therefore not display a prompt
next time, how do you reconcile that with the way that almost every firewall
on the market works?

Application-specific outgoing firewall rules suffer from the same sort
of exploit that UAC protects against, but the consequences are nowhere
near as drastic as those that allowing this behavior in UAC would have.

Let me give an example.

In the case of a firewall, let's say that you have MSN instant
messenger, and you allow it to talk to Microsoft's servers.

Once MSN is trusted to perform this action, ANY PROGRAM can start MSN
and cause it to talk to Microsoft's servers.

Umm ... no big deal, right?

Now let's switch over to UAC...

Let's say you have a disk utility, called format.exe, that formats
hard drives.

You run it once, you get the UAC prompt, and you mark it as trusted.

Now, ANY PROGRAM can start format.exe and cause it to format hard
drives.

Do you see the difference?
 
xfile

Here is what I gathered:

(1) Even Microsoft admitted that UAC cannot totally remove threats from
malware (we all know that, actually) and it also provides OneCare as part of
security solutions,

(2) As far as I know (correct me if I am wrong), best practice "still"
relies on a user's good habits + security software/hardware + program
updates (security patches),

(3) Expert testimony: I can't remember how many experts and experienced
users have said the following in this and other forums: I have never had any
problem when using xxx security product with my good habits,

(4) I don't know about others, but I can't find exactly what kinds of malware
UAC can prevent. I would appreciate it if anyone could point me in the right
direction, if they know.


If the above are true, my personal conclusion - Business as usual. You
still have to rely on the current best practice for protection.

So if something (or anything) cannot provide details about what types of
threats it can prevent and tangible benefits by eliminating anything we need
for protection, I don't know its purpose.

Intention is not in question, as most rational people would NOT question
intention unless evidence suggests so.

Also understood is that it would take tremendous efforts on implementations.

Just to make sure we are on the same page, this is - implementations on one
of the most important releases from the largest software company in the
world with decades of development experience and feedback from
professionals and consumers around the world, and with the decision of
getting into security software business, and with a premium price...

OR

are we talking about some free distro that many of you won't raise eyebrows at?

If this is the first one, I can't accept it. If we are talking the second
one, case is closed (no offense though).
 
Jimmy Brush

Hello,

UAC does not detect/remove/prevent malware.

UAC's purpose in life is to make your computer more secure by only
letting programs that you run have full control over your computer.

This does not prevent malware in and of itself; what it DOES do is
give you more control over your computer and work in conjunction with
other security utilities to provide overlapping layers of security to
make a very secure system.

It won't stop *you* from running malware. It *will* stop programs from
running with admin power unless you are the one running them (or you
allow them to run), whether they be malware or not.
 
xfile

Hi,

Thanks for the kind input.

This does not prevent malware in and of itself; what it DOES do is
give you more control over your computer and work in conjunction with
other security utilities to provide overlapping layers of security to
make a very secure system.

It won't stop *you* from running malware. It *will* stop programs from
running with admin power unless you are the one running them (or you
allow them to run), whether they be malware or not.

Totally understood, but ...

It *will* stop programs from
running with admin power unless you are the one running them (or you
allow them to run), whether they be malware or not.

This is the part that really doesn't make any sense (at least to me) by not
being able to differentiate and remember.
 
xfile

Meaning, it cannot tell if this is a user's command and if there are any
patterns for user's commands for running the programs.
 
Jimmy Brush

Meaning, it cannot tell if this is a user's command and if there are any
patterns for user's commands for running the programs.

That is the whole reason it prompts in the first place ... to ask the
user if they started the program. :)

If it could tell that without prompting, most people would never see
UAC or know it existed.

As for patterns in use ... this would be a dangerous feature to
implement if it were to REPLACE the prompt, as it would not be 100%
accurate, and as soon as someone found a flaw in this algorithm, the
game would be up.

However, if the patterns in use were to accompany the prompt, this
would be a nice added feature.
 
xfile

Hi,

I apologize if I misled you. No, I did not mean to use patterns to "replace"
the prompt, but I do mean to establish patterns from user behaviors.

As for patterns in use ... this would be a dangerous feature to
implement if it were to REPLACE the prompt, as it would not be 100%
accurate, and as soon as someone found a flaw in this algorithm, the
game would be up.

We all know 100% accuracy is not a realistic target, right? :) And we all
know there is no perfect algorithm in the world, right? :) Or maybe there
is, and in that case, forgive my ignorance.

However, if the patterns in use were to accompany the prompt, this
would be a nice added feature.

That's the essence of my argument and should have been implemented in the
first place.
 
Jimmy Brush

I agree that the UAC prompt could be made better. :)

However, I also believe that the current implementation does what it
set out to do (ascertains user intent to run a program).


--
-JB
Microsoft MVP - Windows Shell
Windows Vista Support FAQ - http://www.jimmah.com/vista/

 
xfile

However, I also believe that the current implementation does what it
set out to do (ascertains user intent to run a program).

Ok, fully respected. After all, we are sharing individual's observations
and conclusions.

Thanks for the input :)


 
Jimmy Brush

I do hope one day the UAC prompt will no longer be necessary. I
envision a world where one can click on a button that says "see the
dancing bears" and be confident that you will ONLY see dancing bears
-- the system will make sure that it will be impossible for anything
else to happen (like install nasty malwares).

Until then, I am glad to have the UAC prompt... I may not know what
exactly a program will do when it runs, but thanks to UAC, I know when
a program runs that wants full control over my computer, and I can
choose whether or not it can run.
 
xfile

I can't help. Sorry.

I also envision one day, when a person starts his/her car with their very
own car key, the car will know for sure that it's the person's own will and
absolutely without any other outside influences on the decision or it won't
do so and make certain the driver is taking every right decision when
driving the car, or it will not allow, the same thing for turning on TV,
cell phones, and every single product and device in our life.

That will be a wonderful world :)
 
