UAC - on or off

[Jay]

No doubt this has been asked/discussed here before.
New to Vista but long time windows user.

UAC. I run Vista business on an admin account. At present I'm
standalone (it's also on a laptop).
UAC pop ups annoy but I seem to remember reading that turning them off
came with a risk. Something about apps not working or windows getting
confused... or something?
I mainly use visual studio, sql and watch movies on it. On or off?
risks?
Thanks

 

[Guest]

Jay

IMHO, definitely ON !

 

[Rick Rogers]

Hi Jay,

Because of the way Vista implements user security and the way programs
should be run under it, many that are Vista compatible will not install or
function correctly if UAC is disabled. While it may initially be a bit of an
encumberance initially, once a system is set up with the preferred software
and running under normal use you will not encounter it very often.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
My thoughts http://rick-mvp.blogspot.com

 

[Jimmy Brush]

No doubt this has been asked/discussed here before.
New to Vista but long time windows user.

UAC. I run Vista business on an admin account. At present I'm
standalone (it's also on a laptop).
UAC pop ups annoy but I seem to remember reading that turning them off
came with a risk. Something about apps not working or windows getting
confused... or something?
I mainly use visual studio, sql and watch movies on it. On or off?
risks?
Thanks

Hello,

Besides disabling many important security features built into Windows,
disabling UAC also poses a risk relating to application compatability.

Important security features:

UAC stops administrative programs from running that you do not start.
With UAC on, no program can run with admin control of your computer
without your permission. Disabling UAC allows any program to use your
administrative power, even if you do not start it.

UAC is also the technology that allows Internet Explorer Protected Mode
to work - turning off UAC gets rid of that.

Application Compatibility:

Many non-administrative programs assume that they will be running with
administrative power, and so they write settings or files to locations
that they are not supposed to write to (such as Program Files).

In Vista under UAC, non-admin programs cannot do this, even if the user
is an administrator, so UAC has to deal somehow with these programs,
since there are a bunch of them that do this.

In order to get these programs to work in Vista, UAC watches for these
common write-to-protected-location scenarios. When it detects a write to
a monitored location that is failing because the program does not have
administrator power, UAC makes a copy of the modified data and saves it
inside of your user profile folder WITHOUT modifying the file/data in
the protected location, while making the program THINK that it was saved
to the protected location.

Whenever a non-compliant program opens a file in a protected location,
UAC first checks to see if there is a "modified" version of that file
inside of your user profile folder, and if so, opens the modified file
instead of the original, without the program realizing it.

This allows the program to function by making it THINK that it is
writing to a protected location, when in reality it is not.

When you disable UAC, this compatability feature of UAC is turned off.

This means that all those hidden copies of modified data are now
invisible to applications, since they will be seeing the original,
unmodified data that exists inside of the real protected folder that
they now have access to.

The consequences of this transition can be quite drastic if you have
many programs on your computer that relied on this compatibility feature
to function, since they will no longer have access to any created or
modified data that they think they have saved to protected locations -
instead, they will only see the original data that was probably put in
place when their application was installed.

 

[Jay]

Hello,

Besides disabling many important security features built into Windows,
disabling UAC also poses a risk relating to application compatability.

Important security features:

UAC stops administrative programs from running that you do not start.
With UAC on, no program can run with admin control of your computer
without your permission. Disabling UAC allows any program to use your
administrative power, even if you do not start it.

UAC is also the technology that allows Internet Explorer Protected Mode
to work - turning off UAC gets rid of that.

Application Compatibility:

Many non-administrative programs assume that they will be running with
administrative power, and so they write settings or files to locations
that they are not supposed to write to (such as Program Files).

In Vista under UAC, non-admin programs cannot do this, even if the user
is an administrator, so UAC has to deal somehow with these programs,
since there are a bunch of them that do this.

In order to get these programs to work in Vista, UAC watches for these
common write-to-protected-location scenarios. When it detects a write to
a monitored location that is failing because the program does not have
administrator power, UAC makes a copy of the modified data and saves it
inside of your user profile folder WITHOUT modifying the file/data in
the protected location, while making the program THINK that it was saved
to the protected location.

Whenever a non-compliant program opens a file in a protected location,
UAC first checks to see if there is a "modified" version of that file
inside of your user profile folder, and if so, opens the modified file
instead of the original, without the program realizing it.

This allows the program to function by making it THINK that it is
writing to a protected location, when in reality it is not.

When you disable UAC, this compatability feature of UAC is turned off.

This means that all those hidden copies of modified data are now
invisible to applications, since they will be seeing the original,
unmodified data that exists inside of the real protected folder that
they now have access to.

The consequences of this transition can be quite drastic if you have
many programs on your computer that relied on this compatibility feature
to function, since they will no longer have access to any created or
modified data that they think they have saved to protected locations -
instead, they will only see the original data that was probably put in
place when their application was installed.

Wow awesome responses - thanks.
It'll be staying on!

But.. when I (admin account) browse folders with windows explorer, why
am I asked to confirm to open "program files"
Why do i have access denied when I try to open the documents short
cut. It took me 3 confirms before I managed to unzip a file into a new
folder under program files.

Fully appreciate the other reasoning though.

 

[Jimmy Brush]

Wow awesome responses - thanks.
It'll be staying on!

But.. when I (admin account) browse folders with windows explorer, why
am I asked to confirm to open "program files"
Why do i have access denied when I try to open the documents short
cut. It took me 3 confirms before I managed to unzip a file into a new
folder under program files.

Fully appreciate the other reasoning though.

You have to confirm any action that is an admin action. This is how
Windows prevents other programs from pretending to be you and taking
those actions without your knowledge - by double-checking with you and
making sure that you are, in fact, the one who is doing those actions.

As for the "Access Denied" issue, you may be encountering one of Windows
Vista's application compatability junctions.

If you have enabled the showing of system and hidden files, these guys
look like a ghosted shortcut to a folder. In reality, they are a
junction that points certain types of applications that access them to
the new location.

For example, "Documents and Settings" is a junction that points to the
new Users folder that replaces this old Windows XP location, and if you
double-click it, you will get Access Denied.

The Access Denied isn't to stop you from accessing it, it is to stop
programs from thinking it is a real folder, because they might not be
able to handle seeing the same files in two different locations (both
the Users folder and the Documents and Settings junction).

 

[Mike Hall - MVP]

You have to wonder how we made it all the way from DOS without UAC, don't
you..

Hello,

Besides disabling many important security features built into Windows,
disabling UAC also poses a risk relating to application compatability.

Important security features:

UAC stops administrative programs from running that you do not start. With
UAC on, no program can run with admin control of your computer without
your permission. Disabling UAC allows any program to use your
administrative power, even if you do not start it.

UAC is also the technology that allows Internet Explorer Protected Mode to
work - turning off UAC gets rid of that.

Application Compatibility:

Many non-administrative programs assume that they will be running with
administrative power, and so they write settings or files to locations
that they are not supposed to write to (such as Program Files).

In Vista under UAC, non-admin programs cannot do this, even if the user is
an administrator, so UAC has to deal somehow with these programs, since
there are a bunch of them that do this.

In order to get these programs to work in Vista, UAC watches for these
common write-to-protected-location scenarios. When it detects a write to a
monitored location that is failing because the program does not have
administrator power, UAC makes a copy of the modified data and saves it
inside of your user profile folder WITHOUT modifying the file/data in the
protected location, while making the program THINK that it was saved to
the protected location.

Whenever a non-compliant program opens a file in a protected location, UAC
first checks to see if there is a "modified" version of that file inside
of your user profile folder, and if so, opens the modified file instead of
the original, without the program realizing it.

This allows the program to function by making it THINK that it is writing
to a protected location, when in reality it is not.

When you disable UAC, this compatability feature of UAC is turned off.

This means that all those hidden copies of modified data are now invisible
to applications, since they will be seeing the original, unmodified data
that exists inside of the real protected folder that they now have access
to.

The consequences of this transition can be quite drastic if you have many
programs on your computer that relied on this compatibility feature to
function, since they will no longer have access to any created or modified
data that they think they have saved to protected locations - instead,
they will only see the original data that was probably put in place when
their application was installed.

--


Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/

 

[Kerry Brown]

DOS and the versions of Windows based on it were not really multi-user OS's.
They are also not safe to use in the modern connected world. Even NT based
versions of Windows can be quite easily taken over by a malicious program if
you can be tricked into running it. With UAC you at least have a chance to
say no.

 

[ThePro]

Hi Jay,

Because of the way Vista implements user security and the way programs
should be run under it, many that are Vista compatible will not install or
function correctly if UAC is disabled. While it may initially be a bit of
an encumberance initially, once a system is set up with the preferred
software and running under normal use you will not encounter it very
often.

I agree 100%. You get a lot of UAC pop-ups in the first few days when you
install a lot of software and you configure Vista to your liking, but after
the initial period you rarely get them.

ThePro

 

[njem]

Given how UAC affects installs and such if I turned off UAC early on a
new Vista system and installed programs and settings and now decide to
turn it on, it's going to be a very confused system isn't it? Am I
going to have to do a lot of re-install or something?

Thanks,
Tom

 

[Adam Albright]

Given how UAC affects installs and such if I turned off UAC early on a
new Vista system and installed programs and settings and now decide to
turn it on, it's going to be a very confused system isn't it? Am I
going to have to do a lot of re-install or something?

Thanks,
Tom

No, turning UAC off and on doesn't present any serious problems. The
issue like it always is seems to be is some people expect Microsoft to
be able to write computer code that's compact, efficient and actually
works. That's like expecting water to run up hill.

UAC is just poorly designed, badly implemented and because of it
doesn't really do what it was intended to do. Many rubes will swear by
it.. because they don't have a clue. It is mostly feel good BS, much
like the next to useless Homeland Security Department is "protecting"
us from terrorists, nothing more than hype and hot air.

Surely nothing in the way of real security. So turning it off or on is
more a personal preference and depends in part on your pain threshold
for tolerating needless warnings and nag screens you're going to end
up clicking through anyway. So if UAC makes you "feel" safe, turn it
on.

 

[Ken Blake, MVP]

No doubt this has been asked/discussed here before.
New to Vista but long time windows user.

UAC. I run Vista business on an admin account. At present I'm
standalone (it's also on a laptop).
UAC pop ups annoy but I seem to remember reading that turning them off
came with a risk. Something about apps not working or windows getting
confused... or something?
I mainly use visual studio, sql and watch movies on it. On or off?
risks?

My advice is to leave it on. Although it's not a feature that I'm
crazy about, and I think its security value is overrated, you will
find that some programs (the Installation of Adobe Reader 8, for
example) will fail without it on. And when they fail, they will do so
without telling you why they failed.

 

[Tinman]

When you disable UAC, this compatability feature of UAC is turned off.

This means that all those hidden copies of modified data are now invisible
to applications, since they will be seeing the original, unmodified data
that exists inside of the real protected folder that they now have access
to.

The consequences of this transition can be quite drastic if you have many
programs on your computer that relied on this compatibility feature to
function, since they will no longer have access to any created or modified
data that they think they have saved to protected locations - instead,
they will only see the original data that was probably put in place when
their application was installed.

If MS is going to institute work-arounds so UAC will work (with those kinds
of apps) then they should have had the foresight to move the remnants of the
kludge should UAC be turned off. Better yet, offer that as an option when
turning UAC off.

 

[Kerry Brown]

No, turning UAC off and on doesn't present any serious problems. The
issue like it always is seems to be is some people expect Microsoft to
be able to write computer code that's compact, efficient and actually
works. That's like expecting water to run up hill.

UAC is just poorly designed, badly implemented and because of it
doesn't really do what it was intended to do. Many rubes will swear by
it.. because they don't have a clue. It is mostly feel good BS, much
like the next to useless Homeland Security Department is "protecting"
us from terrorists, nothing more than hype and hot air.

Surely nothing in the way of real security. So turning it off or on is
more a personal preference and depends in part on your pain threshold
for tolerating needless warnings and nag screens you're going to end
up clicking through anyway. So if UAC makes you "feel" safe, turn it
on.

This is one person's opinion and in my opinion is wrong. UAC has some
definite security advantages as many people have already pointed out in this
thread.

 

[Jay]

You have to confirm any action that is an admin action. This is how
Windows prevents other programs from pretending to be you and taking
those actions without your knowledge - by double-checking with you and
making sure that you are, in fact, the one who is doing those actions.

As for the "Access Denied" issue, you may be encountering one of Windows
Vista's application compatability junctions.

If you have enabled the showing of system and hidden files, these guys
look like a ghosted shortcut to a folder. In reality, they are a
junction that points certain types of applications that access them to
the new location.

For example, "Documents and Settings" is a junction that points to the
new Users folder that replaces this old Windows XP location, and if you
double-click it, you will get Access Denied.

The Access Denied isn't to stop you from accessing it, it is to stop
programs from thinking it is a real folder, because they might not be
able to handle seeing the same files in two different locations (both
the Users folder and the Documents and Settings junction).

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ -http://www.jimmah.com/vista/- Hide quoted text -

- Show quoted text -

I see...
I just wondered whether the OS may have recognised the process trying
to gain access to the folder (explorer.exe under the context of my
account?) and thought ahh it's just my user... you may pass.

 

[Mike Hall - MVP]

Kerry

Agreed on all points except that the majority with virus and malware
problems invite the crap willingly.. asking them a few more times if they
really want to open funstuff.exe will not make any difference at all.. they
have seen the screen shots and they want funstuff come hell or high water..

DOS and the versions of Windows based on it were not really multi-user
OS's. They are also not safe to use in the modern connected world. Even NT
based versions of Windows can be quite easily taken over by a malicious
program if you can be tricked into running it. With UAC you at least have
a chance to say no.

--


Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/

 

[Kerry Brown]

I agree that a lot of people willingly download and install malware. There
is no way to stop people from harming themselves

 

[Jay]

You can use TweakUAC to keep UAC enabled, but make it operate in the
"quiet" mode:

htp://www.tweak-uac.com

Nice link.
Not sure I'll use it but it gave me more of an insight to something I've
only recently become aware of (UAC)
Ooh now I notice you are the site owner.

Jay

 

[Rock]

No doubt this has been asked/discussed here before.
New to Vista but long time windows user.

UAC. I run Vista business on an admin account. At present I'm
standalone (it's also on a laptop).
UAC pop ups annoy but I seem to remember reading that turning them off
came with a risk. Something about apps not working or windows getting
confused... or something?
I mainly use visual studio, sql and watch movies on it. On or off?

I recommend leaving it on. Here are some links with more info on UAC.

Inside Windows Vista User Account Control (by Mark Russinovich)
http://www.microsoft.com/technet/technetmag/issues/2007/06/UAC/default.aspx

Jesper Johansson's Blog
http://msinfluentials.com/blogs/jes...-about-vista-features-what-uac-really-is.aspx

Why is Windows Vista always asking for my permission: An explanation of UAC
(User Account Control) by MVP Jimmy Brush
http://www.jimmah.com/vista/security/uac.aspx

Windows Vista User Account Control Step by Step Guide (TechNet)

 

[Jimmy Brush]

If MS is going to institute work-arounds so UAC will work (with those kinds
of apps) then they should have had the foresight to move the remnants of the
kludge should UAC be turned off. Better yet, offer that as an option when
turning UAC off.

Agreed.