UAC

[Denis]

I am a little puzzled about how UAC works. I have several "old" programs
installed on my Vista machine, all marked to run as Administrator. When I
run them UAC kicks in on some of them but not all. What determines this?
One of the programs where UAC does not kick in is at least 4 years old.

 

[Adam Albright]

I am a little puzzled about how UAC works. I have several "old" programs
installed on my Vista machine, all marked to run as Administrator. When I
run them UAC kicks in on some of them but not all. What determines this?
One of the programs where UAC does not kick in is at least 4 years old.

Vista made a "sea change" in how it grants or blocks access to your
files. I always wanted to use that term which is popular today but
goes back to Shakespeare's Tempest. ;-)

For decades Microsoft by default encouraged users and developers to
run as and write applications to run under administrator level unless
you changed things not to. Dumb, but they did. Now they (Microsoft) is
trying to get everything where possible to run as a 'standard user'
for "security" reasons like limiting access to critical system files
within Windows itself. UAC while good in concept, is lousy in
implementation, at least so far. Things as you knew them in prior
versions of Windows no longer apply, at least not how they used to be.
Just because you happen to be administrator means nothing as to you
having a right to do things as you once could.

Think of UAC as a traffic cop with a hard-on for writing traffic
violation tickets if they're justified or not. While perhaps well
meaning, not helpful to drivers or users of Vista, since under the
right condition UAC can and does go nuts for no good reason. Worse it
is incapable of learning from it's past mistakes so you as the owner
of the computer trying to educate UAC to allow what YOU, not it wants
to do isn't always easy. Because of that many users have simply turned
off UAC.

The new paradigm actually borrowed from the UNIX world is both
ownership and permissions get assigned to files. If you as some user
aren't the owner then Vista will nag and sometimes prevent you from
doing what you want and it could care less that you're the
administrator. It sees any attempted access to a file you don't "own"
or have "permission" to use as a potential threat.

Since I've wrote about it before and there are now many web pages that
discuss the topic in detail I won't repeat it again here. Basically to
make things go smoother you need to understand how to take ownership
of folders and the files in them and assign rights called permissions
so they can be used as you intended. Failing that, UAC often with nag,
nag, nag or in extreme cases prevent you from doing what you use to do
without trouble. Some see this as an advancement.

 

[Denis]

Thank for you such a detailed explanation. Unfortunately I am none the
wiser as yet, but will look into taking ownership of folders that you
mention.

Regarding sea change and Shakespeare, the English would have said Vista
"could NOT care less" that you are the administrator!

 

[mayayana]

Here's one link:
http://technet2.microsoft.com/WindowsVista/en/library/00d04415-2b2f-422c-b70
e-b18ff918c2811033.mspx

You can also find others at Microsoft. But I've
re-read several of them a few times and I'm still
not entirely clear on how UAC works. I don't
know what you mean by "kicks in". I wonder if maybe
you just have some software that's not trying to
access restricted areas.

 

[Denis]

By "kick in" I mean UAC become active as soon as I try to run a program
asking for permission to continue.

Not sure what the restricted areas are but none of the programs is doing
anything special

 

[Tie Various]

I would say vista frikin stinks

How is that for English?

 

[mayayana]

By "kick in" I mean UAC become active as soon as I try to run a program

asking for permission to continue.

Not sure what the restricted areas are but none of the programs is doing
anything special

I'm not certain I've got it all straight (maybe someone
can correct me if not), but I think it goes something
like this:

If you set the program to run as admin - or if the
program has a manifest file that requests admin
permissions - then when it tries to do something
requiring admin permission you get an "elevation"
prompt asking for permission. If it's running as non-
admin then virtualization takes over, pretending that
the program is being allowed to accomplishing its
task but actually keeping the program sandboxed
without telling you.

In other words, under "normal" conditions a program
running as admin doesn't actually get admin permission,
but does get the elevation-prompt option, while with a
program running non-admin, restricted functionality is
just blocked without telling you or giving you a choice
in the matter.

Restricted access is just about anything: Accessing
HKLM in the Registry, accessing nearly any file other
than those in the Documents folder or user App Data
folder, etc. Even access to a program's own program
folder is restricted! So you might have one program
like Notepad that doesn't access anything and therefore
needs no elevation, while another program might, say,
try to write to its own INI file in its own program folder,
and that will be regarded by Vista/UAC as a potential
security calamity, requiring explicit permission. So in that
case you get the elevation prompt. A third program
running as non-admin that tries to write to its own
INI file will, I think, be tricked by virtualization, only
allowing it to write to a dummy file belonging to the current
user, with the result that traditional all-user INI settings
stored in the program folder won't work.

 

[rtk]

I'm not certain I've got it all straight (maybe someone
can correct me if not), but I think it goes something
like this:

If you set the program to run as admin - or if the
program has a manifest file that requests admin
permissions - then when it tries to do something
requiring admin permission you get an "elevation"
prompt asking for permission. If it's running as non-
admin then virtualization takes over, pretending that
the program is being allowed to accomplishing its
task but actually keeping the program sandboxed
without telling you.

If a program is started restricted, it can't then elevate. If a program
needs admin rights, it has to ask for them before it's started.