The wonderful allow/deny message

[Guest]

My girlfriend and I wanted to get new PC's this year and felt it would be a
good way to try out Vista Home Premium. We get the machines home (Acer
Aspire AMD 4200+ Geforce4 chipset machines), go thru the horribly arduous
setup process, and start installing our programs. I soon find out that in
order to run Lineage 2, A VERY popular Massive Multiplayer Online Roleplaying
Game, I have to give it Administrations rights to the machine - which I feel
is normal as I had to do the same thing with ProcessGuard on my XP machines.
I next find out I must do the same with another very popular program, Fraps,
which is a Framerate, Screencapture, Video recording utility which has been
out for YEARS which under ProcessGuard only needed global keyboard/mouse
hooks. After doing this, upon every reboot of Windows I am forced to tell
windows to allow Fraps to start. Upon every startup of Lineage 2 I am forced
to do the same thing. Why should I have to do this when I told vista they
have Administration rights? Why didn't Microsoft put an "Always do this
action" checkbox in the Popup notification? Not everyone is a novice computer
user and for those of us who are power users and can setup security on our
machines this is very annoying and shortsighted on Microsoft's part. I dug
thru the help trying to find a way to register the above programs so they
would be in the "known programs" list but couldn't find anything. I tried
finding help on disabling the annoying popup from certain programs but
couldn't find anything. Yes I agree more security is nice but on the other
hand I don't feel I should have to tell my PC TWICE I want it to do
something. This annoying lack of customizable security forced me to purchase
2 copies of windows XP-pro (more money wasted IMHO) so I can remove Vista
from these machines.

Basically these items need implemented:

1) An "Always do this action button" added to the warning popup

2) Customizeable levels of Administration rights for programs (I'm sure
someone in Microsoft has seen/used ProcessGuard and knows what I mean)

3) An easy way to register programs as "safe to run in Administration mode"

Thank you,

Very annoyed Vista Ex-user (I may be back after SP1 or 2
come out)

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://windowshelp.microsoft.com/co...fc&dg=microsoft.public.windows.vista.security

 

[Guest]

I agree that the "how to install" info in Vista sucks. But have you tried
right mouse clicking on the icon on the desktop/prog file and in the
compatibility tab, clicking on "run as admin" and then on "run as XP sp2"?

 

[David Hearn]

My girlfriend and I wanted to get new PC's this year and felt it would be a
good way to try out Vista Home Premium. We get the machines home (Acer
Aspire AMD 4200+ Geforce4 chipset machines), go thru the horribly arduous
setup process, and start installing our programs. I soon find out that in
order to run Lineage 2, A VERY popular Massive Multiplayer Online Roleplaying
Game, I have to give it Administrations rights to the machine - which I feel
is normal as I had to do the same thing with ProcessGuard on my XP machines.
I next find out I must do the same with another very popular program, Fraps,
which is a Framerate, Screencapture, Video recording utility which has been
out for YEARS which under ProcessGuard only needed global keyboard/mouse
hooks.

Expecting applications written years ago to work correctly with a
completely different security model is unrealistic. If it shouldn't
require admin privs, then it shouldn't use/request them.

After doing this, upon every reboot of Windows I am forced to tell
windows to allow Fraps to start. Upon every startup of Lineage 2 I am forced
to do the same thing. Why should I have to do this when I told vista they
have Administration rights? Why didn't Microsoft put an "Always do this
action" checkbox in the Popup notification?

Because that would be a major loophole in the UAC process. UAC is there
to warn people of tasks which require administrative access. If UAC is
enabled, there is *no* work around, no backdoor, no way of elevating a
process without UAC prompting. Once that requirement has been set in
stone, the concept of always starting as admin, or having a "Always do
this" option in a dialog is automatically discounted.

Not everyone is a novice computer
user and for those of us who are power users and can setup security on our
machines this is very annoying and shortsighted on Microsoft's part. I dug
thru the help trying to find a way to register the above programs so they
would be in the "known programs" list but couldn't find anything. I tried
finding help on disabling the annoying popup from certain programs but
couldn't find anything.

That's because there is nothing an end user can do to have a 'known
programs' list. Each application is treated separately. If an
application requires admin privs, then it should say so in its manifest
and you'll get a UAC prompt on startup. If it doesn't require admin
privs, then again, state this in its manifest and you won't get UAC
prompts (but you won't get admin privs either).

Yes I agree more security is nice but on the other
hand I don't feel I should have to tell my PC TWICE I want it to do
something.

No, you told it once for each application. That's not telling it to do
something twice.

This annoying lack of customizable security forced me to purchase
2 copies of windows XP-pro (more money wasted IMHO) so I can remove Vista
from these machines.

Basically these items need implemented:

(in your opinion)

1) An "Always do this action button" added to the warning popup

Unlikely to happen.

2) Customizeable levels of Administration rights for programs (I'm sure
someone in Microsoft has seen/used ProcessGuard and knows what I mean)

How granular do you need? Either you trust an application to do things
on your behalf (ie. as admin), or you don't.

3) An easy way to register programs as "safe to run in Administration mode"

Right click on file, select properties and then tick the "Always run as
Administrator" option. This will result in UAC always asking when you
double click the icon.

D

 

[Guest]

Expecting applications written years ago to work correctly with a
completely different security model is unrealistic. If it shouldn't
require admin privs, then it shouldn't use/request them.


Because that would be a major loophole in the UAC process. UAC is there
to warn people of tasks which require administrative access. If UAC is
enabled, there is *no* work around, no backdoor, no way of elevating a
process without UAC prompting. Once that requirement has been set in
stone, the concept of always starting as admin, or having a "Always do
this" option in a dialog is automatically discounted.


That's because there is nothing an end user can do to have a 'known
programs' list. Each application is treated separately. If an
application requires admin privs, then it should say so in its manifest
and you'll get a UAC prompt on startup. If it doesn't require admin
privs, then again, state this in its manifest and you won't get UAC
prompts (but you won't get admin privs either).


No, you told it once for each application. That's not telling it to do
something twice.


(in your opinion)


Unlikely to happen.


How granular do you need? Either you trust an application to do things
on your behalf (ie. as admin), or you don't.



Right click on file, select properties and then tick the "Always run as
Administrator" option. This will result in UAC always asking when you
double click the icon.

D


" Expecting applications written years ago to work correctly with a
completely different security model is unrealistic. If it shouldn't
require admin privs, then it shouldn't use/request them."

Thank you for not even bothering to read/understand what I was saying.
Lineage2 has required Admin rights ever since they added gameguard. Fraps has
always required a global keyboard/mouse hook to operate correctly,
unfortunately Windows Vista doesn't let me customize the rights so I am
forced to give it global admin rights.

" Because that would be a major loophole in the UAC process. UAC is there
to warn people of tasks which require administrative access. If UAC is
enabled, there is *no* work around, no backdoor, no way of elevating a
process without UAC prompting. Once that requirement has been set in
stone, the concept of always starting as admin, or having a "Always do
this" option in a dialog is automatically discounted."

How in the hell could adding an "always do this" checkbox compromise
security?
I am the Administrator, I told windows to give the programs admin rights,
Why should I have to keep telling Windows they have those rights? The
checkbox requires user input as does the annoying popup box. If someone can
force a toggle to be set whats to stop them from forcing admin rights on
anything? I have NEVER,EVER had my machines comprimised with ProcessGuard
running on them, which has an "Always do this action" checkbox BTW. Vista
already KNOWS the programs I gave admin rights to should start that way, I
shouldn't have to tell it I want it that way over and over and over again.

"That's because there is nothing an end user can do to have a 'known
programs' list. Each application is treated separately. If an
application requires admin privs, then it should say so in its manifest
and you'll get a UAC prompt on startup. If it doesn't require admin
privs, then again, state this in its manifest and you won't get UAC
prompts (but you won't get admin privs either)."

How the heck am I supposed to edit a programs manifest? I am not a
programmer nor do I have access to said programs source code. Apparently
Vista checks programs very differently than any previous incarnation thus
older programs don't have the required data in their manifests, however, I
TOLD windows to give the said programs Admin rights. Why keep repeating this
over and over?

"No, you told it once for each application. That's not telling it to do
something twice."

Yes I am. Double click program, then click the stupid allow button, or in
the case of Fraps, start on windows startup, open the stupid little taskbar
box then click allow - that's twice, count em, 1,2.

"How granular do you need? Either you trust an application to do things
on your behalf (ie. as admin), or you don't."

Why shouldn't I be allowed to be "granular" as you put it. I have used
ProcessGuard for years and have set varying levels of security for each and
every program on my XP machines. If a program only requires mouse hooks then
I give em just those privileges. Lineage 2 is the only program Other than
Diagnostic programs I have ever used that requires full admin access to run -
mostly because of that crappy gameguard. None of my other most used programs
need direct memory access, or the ability to modify files, or install drivers
etc. so why give them those rights?

"Right click on file, select properties and then tick the "Always run as
Administrator" option. This will result in UAC always asking when you
double click the icon."

What do you think I am some little kiddy moron? How do you think I got the
stupid little box I am complaining about. I am talking about some sort of
global manifest that windows can access either online or locally so it knows
that this popup box isn't required. This UAC that Microsoft has added is a
major thorn in my side. If I could find a way to to turn it off and install a
program that makes more sense I would. This is why I am going back to XP
(which I didn't start using till SP2 was stabilized). I have full control
over what the programs are/are not allowed to do, Not windows. Windows
machines will always be targets of hackers, spammers, bots, and spyware. It
is just a matter of time before someone finds a way around this so called
"better security". Any PC owner with a inkling of a clue can install programs
to protect their machines that are many, many times better that what has been
included in any incarnation of Windows, Including this one. Windows always
has been and always will be (apparently) bloatware which is designed to dumb
down the user and give them a false sense of security. I for one wish I could
get a version of Windows that would just be what it should be - an operating
system. Let the user decide what level of security they need, what programs
they want, what firewall they want, what antivirus they want, what spywqare
blocker they want......oh wait - that sounds like Linux.....to bad Lineage no
longer runs on Linux.

BTW Susan, compatibility mode doesn't override that stupid popup. Tried it
before I posted here.

 

[Jimmy Brush]

How in the hell could adding an "always do this" checkbox compromise
security?
I am the Administrator, I told windows to give the programs admin rights,
Why should I have to keep telling Windows they have those rights?

Because if you "always trust" a program to run with admin rights, you are
*also* trusting EVERY OTHER PROGRAM ON YOUR COMPTUER to run that program
with admin rights.

That UAC prompt is there to make sure *you* are starting a program, not some
other program.

For example, if you trust format.exe to run, it is implied that you only
trust it to run *when you expect it to run*. You wouldn't want malware using
format.exe without you knowing about it, would you?

The prompt is how windows determines that you initiated an administrative
action as opposed to a program.

The
checkbox requires user input as does the annoying popup box. If someone
can
force a toggle to be set whats to stop them from forcing admin rights on
anything? I have NEVER,EVER had my machines comprimised with ProcessGuard
running on them, which has an "Always do this action" checkbox BTW. Vista
already KNOWS the programs I gave admin rights to should start that way, I
shouldn't have to tell it I want it that way over and over and over again.

What keeps a malicous program from starting a program that has been trusted
to install device drivers and instructing that program to install a
malicious device driver?

With UAC, this is preventing by prompting you EACH TIME an administrative
program starts - so if you are not expecting an administrative program to
start, you can stop it from happening.

Why shouldn't I be allowed to be "granular" as you put it. I have used
ProcessGuard for years and have set varying levels of security for each
and
every program on my XP machines. If a program only requires mouse hooks
then
I give em just those privileges. Lineage 2 is the only program Other than
Diagnostic programs I have ever used that requires full admin access to
run -
mostly because of that crappy gameguard. None of my other most used
programs
need direct memory access, or the ability to modify files, or install
drivers
etc. so why give them those rights?

I agree with you here, that it should be granular. And I hope one day UAC is
as granular as processguard. But UAC makes certain assurances that
processguard cannot.

These include:

- That *you* initiated an administrative action, vs. some program without
your knowledge initiating it
- That processes that do not run privileged, *cannot* (even by proxy) obtain
such privilege.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/