Run as Administrator question

[Guest]

If I am an administrator, why do I have to run something as an administrator?
I have a VB.net app that I wrote that reads and writes a file. I use this
app a lot. Why do I have to select Run As Administrator to get access to
write to the file? Is there any way I can tell Vista that this app is safe
and always run as administrator? I'm getting a little tired of the security
prompts every time I want to do something.

 

[Guest]

I found in the shortcut properties a checkbox to always run the shortcut as
an administrator. However, I still get a UAC Cancel/Allow popup. How can I
avoid this popup?

 

[Ronnie Vernon MVP]

You cannot specify that any particular program can override the elevation
prompt. This would defeat the whole purpose of the new security model. If
this was possible, it would be very easy for any malicious program to attach
itself to this program and run without restriction and without the knowledge
of the user.

 

[Guest]

That's ridiculous. It's my computer. I'm an administrator. I should be
able to do anything I want. If I want to open up myself to malicious code or
programs, that's my problem. For advanced users, UAC is terrible. I have a
router that blocks ports, a software based firewall, and I don't visit
peer-to-peer sites or other sites that would download malicious programs or
code. If it happens, I'll deal with it. I should at least have the
opportunity to do so if I want.

Why doesn't Microsoft Word or Excel prompt you when you run it? You can
modify files in your documents folder and you get no warnings or prompts.
Why can't a program that I developed myself bypass UAC like Word seems to do?

 

[Ronnie Vernon MVP]

<responses Inline>

That's ridiculous. It's my computer. I'm an administrator. I should be
able to do anything I want. If I want to open up myself to malicious code
or
programs, that's my problem. For advanced users, UAC is terrible. I have
a
router that blocks ports, a software based firewall, and I don't visit
peer-to-peer sites or other sites that would download malicious programs
or
code. If it happens, I'll deal with it. I should at least have the
opportunity to do so if I want.

Opening yourself to malicious code is no longer just 'your' problem. The
first thing that malicious code will do is turn 'your' computer into a
zombie that broadcasts that malicious code to systems all over the world,
without you even being aware of it. Like it or not, your a member of a
worldwide community and you have a responsibility to that community.

Why doesn't Microsoft Word or Excel prompt you when you run it? You can
modify files in your documents folder and you get no warnings or prompts.
Why can't a program that I developed myself bypass UAC like Word seems to
do?

Because these programs are configured properly to work without accessing
restricted areas of the system or requiring administrator privileges. If you
are developing programs, you need to use the developer programming
guidelines that have been available for a long time from Microsoft. Here are
some links.

Developer Best Practices and Guidelines for Applications in a Least
Privileged Environment:
http://msdn2.microsoft.com/en-us/library/aa480150.aspx

Security in Longhorn: Focus on Least Privilege:
http://msdn2.microsoft.com/en-us/library/aa480194.aspx

You can access the Vista Developer forums here and dialog with other
developers who are doing the same work that you are.
http://forums.microsoft.com/MSDN/default.aspx?SiteID=1

 

[Jimmy Brush]

Hello,

If I am an administrator, why do I have to run something as an
administrator?

Because you have to tell Windows when you want a particular program to have
full control over your computer. This protects you from programs that would
take control over your computer without your knowledge or consent.

I have a VB.net app that I wrote that reads and writes a file. I use this
app a lot. Why do I have to select Run As Administrator to get access to
write to the file?

Because the file is in a sensitive location (like, say, program files).

Applications that want to write to system locations must be running with
administrator power. This prevents an application from taking over your
computer by modifying system files or other installed program files.

Alternatively, if you want to allow ANY PROGRAM (including your program and
any other possibly malicious program) to write to this file without
prompting, you can change the security on that file to specifically allow
your user account full control over it.

Is there any way I can tell Vista that this app is safe
and always run as administrator? I'm getting a little tired of the
security
prompts every time I want to do something.

Yes, and you found the solution (program properties).

There is no way to keep it from asking for your permission, however. The
prompting is all or none: if it didn't prompt for certain programs, then
malicious programs could use those certain programs to take over the
computer or otherwise do things that they shouldn't be able to do.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Jimmy Brush]

That's ridiculous. It's my computer. I'm an administrator. I should be

able to do anything I want.

And nothing is stopping you. The prompt doesn't stop you, it gives you a
decision: to run the program or not.

If I want to open up myself to malicious code or
programs, that's my problem.
Agreed.

For advanced users, UAC is terrible.

Disagree. UAC lets advanced users know when they are running an admin
program, and gives them a chance to stop programs from running with admin
power if they weren't intending to run a program with full control over
their computer.

I have a
router that blocks ports, a software based firewall, and I don't visit
peer-to-peer sites or other sites that would download malicious programs
or
code. If it happens, I'll deal with it. I should at least have the
opportunity to do so if I want.

What is stopping you from doing what you want? It is a prompt - it doesn't
stop you from doing anything, it gives you the opportunity to either stop
that "thing" from happening, or allow it.

Why doesn't Microsoft Word or Excel prompt you when you run it? You can
modify files in your documents folder and you get no warnings or prompts.
Why can't a program that I developed myself bypass UAC like Word seems to
do?

Windows requires applications that perform ADMINISTRATIVE actions to prompt
you for permission.

Administrative actions are things that can affect the entire system or other
users on the computer.

Writing to your documents only affects you - so it's fine without prompting.
Writing to program files or c:\ affects the entire computer, so your program
must prompt to do that.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

I cannot disagree with the concept if running a program. Personally in my
services to others, I have worked on so many computers for clients and seen
their systems get compromised from malwares. However, being prompted for
permission when say adding printers from shared networked printers from other
servers or workstations is a frequent nucance. Vista has its quarks due to
different ways of doing things compared to XP. Like the others say, I am the
administrator. There should be a remember me for system configuration
management. did I miss something? Thanks.

 

[Jimmy Brush]

The reason the UAC prompt appears at all is to make sure that *you* are the
one performing the admin operation (as opposed to some program).

Its sole purpose is to ascertain that you intend to do something that
affects your entire computer.

The only way it can do that is by asking you every time that a program runs
that wants full control over your computer.

There is no "remember me" option because the only way the system can
determine if you are the one performing the action is by asking you directly
via the prompt.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Guest]

I understand and agree with the feature. There are many clients who are
administrators and not knowledgeble to what is being installed or changed. I
turned mine off primarily to avoid answering every time I change
configurations when troubleshooting. It did took a little time to locate the
control but I am OK and in control. Thanks. Also, I did site to site
autmation for a client. Should I ever do this on Vista, I would need to turn
off the UAC whether temporarily or permanently. Thanks.