Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: User Account Control - UAC - Change Notification Settings

23 Nov 2013   #60
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Quote   Quote: Originally Posted by alacarre View Post
You are right, I tried it and it didn't help. In fact that's only part of what I wanted disabled. There's a very strange bug that exists in Win 7 and I'm not sure if it's new or nobody noticed. And that's the following:

Take *any* program (particularly one that is not an install program and rename it so that the word "setup" appears in the file name. For example hellosetupworld.exe for *any* program (except a real installer).

If you do that a little shield appears with the program's icon and when you try to run what would otherwise be an innocuous unit test that tries (and would normally fail) to make some global system change, instead you get the UAC prompt for which you will click yes (ever clicked no?) and it will have acquired Admin access to your system and install a rootkit or whatever it wants to do. Trusted Installer is more on the level of NT Authority System than a regular old Administrator.

- Alan
The shield overlay on the icon would just mean that the program requires elevated rights to run/open and that you will get a UAC prompt if you click on it.

If you click on "No" for a UAC prompt, it will just close not allow the item to open.


My System SpecsSystem Spec
23 Nov 2013   #61
alacarre

Windows 7 Ultimate 32 bit
 
 

I think you misunderstood me. It happens only with certain programs and I don't know the criteria. Probably just that it be a console program.

Try this:

1. Copy %SystemRoot%\System32\debug.exe to some temporary directory.
2. Run the program and quit.
3. Rename it to asetup.exe
4. Run it again and you will get the privilege escalation prompt.

But that's a 16 bit program so you're going to think it has to do with that. But it doesn't. Same thing happens with SOME Win32 console applications. I have to find an example that I didn't compile myself to prove it!

Okay, I found one you might have. pkzipc.exe

That's a Win32 program. For one thing, all the examples I've tried didn't have an icon. Let me try 7z.exe

Okay, 7z.exe does it. And also another console application I have that has an icon does it.

Okay now, this part is interesting. pslist.exe which is a console application without an icon does NOT exhibit the behavior. Call it setup.exe and it does not acquire a shield. So I'm guessing it has to do with digital signatures.

Finally, I tried Win32 application, SUBSYSTEM:WINDOWS (not console) with icon, renamed to setup.exe and it acquirres a shield. Definitely it is a bug related to digital signatures.
My System SpecsSystem Spec
23 Nov 2013   #62
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

I'm afraid that I don't know why it behaves that way either when doing that. You would think that only files that require elevation to run would get the UAC shield overlay on their icons.
My System SpecsSystem Spec
23 Nov 2013   #63
alacarre

Windows 7 Ultimate 32 bit
 
 

It's definitely a bug. Probably with one of the policy manager's handling of digital signatures for installation programs. It is also a very serious security vulnerability.

The whole UAC prompt "idea" is already a serious security vulnerability. You only need to think for a minute to see why:

1. If a process is untrusted the user is presented with a choice of either:
  1. Abort the process all together.
  2. Hand over full administrative rights to the untrusted program.

And this ultimatum is presented before anything is known about what the program intends to do. Neither of those choices are of any use if you want to install a program safely.

I want to respond "No, I don't want to let it run with rights akin to NT Authority System, I want to let it run normally with normal access rights." If the program requires privilege escalation the system will (and it knows it will) prompt me during the install process. It could even tell me why it needs a privilege boost. If it's to create and write to a directory under Program Files, I'll OK that and ONLY that until it asks me again. If it wants to change global registry settings it could tell me in detail what settings will be changed.

I may or may not approve, but at each step I will only grant approval for the action requested. Not every possible action that can be performed on my system including reformatting the hard drive. That's just ludicrous. Right? But that's what that prompt is asking you allow a program to do because it is untrusted ?!?!? How does that make any sense?

- Alan
My System SpecsSystem Spec
24 Nov 2013   #64
andrew129260

Windows 7 Professional x64 Sp1
 
 

@alacarre

The problem with that argument is your not thinking about the average user or developers. They would have constant annoyance every time they go to install a program to be prompted multiple times.
A standard user would not even know or understand what program files even is. A majority of them barely read the prompt as it is now. Being prompted more would just annoy them to the point they would get so frustrated and get something else. (As in a mac) OR worse, click yes or every pop up they see, as they think its just interfering with their work.

The other problem with your argument is your choices could easily break the program. If a program needs certain files in certain places and its written to expect them there, you could easily break the application by denying something it needs. Which is a major headache on developers.

For example:

This is exactly why Android for example does not give a choice on what permissions are allowed for apps. Its these are the permissions it wants, ether approve all or deny all. You cannot pick certain ones. For example, a contact application that helps manage people contacts would need to be able to have read and write permissions on the contact layer. But, if people denied that permission, IT would break the entire application. Then you would have idiots screaming to the developer that the app is broke and to fix it, when they themselves are the one that broke it!

Sure, I would like to see a option someday that offers a advanced mode of UAC or something, but in the end the best you can do it set it to always notify. That makes it more like vista UAC structure. I won't deny its not a vulnerability, it is. The problem comes into play where they need to balance security with prompts. If you want the best security, use Linux. Not windows. But even then, Linux is not foolproof. Unfortunately nothing is.

Having said all that, there are third party applications like win patrol that can and will give you constant alerts about every bleeping thing that happens on your pc and for you to approve it all.

So if you do want that option, its there and available.

In the end though, security is a myth. You can lock all your doors and go crazy on security software, but there is always a way for a determined soul. Best to follow the best practices and have a backup.


Side note: You could try telling Microsoft about the problem you discovered.
http://technet.microsoft.com/en-us/s.../ff852094.aspx
My System SpecsSystem Spec
24 Nov 2013   #65
alacarre

Windows 7 Ultimate 32 bit
 
 

Quote   Quote: Originally Posted by andrew129260 View Post
@alacarre

The problem with that argument is your not thinking about the average user or developers. They would have constant annoyance every time they go to install a program to be prompted multiple times.
Maybe you've misunderstood what I said. It is the average user that I have in mind, not the expert user. My concern is that there are far too many of these "special permission" prompts already and, in terms of security, the OS should be designed to reduce these sorts of prompts to the bare minimum or else they (the prompts) lose their effectiveness. That is, I'm trying to make your point so I don't understand how you would have a problem with that.

Quote:
The other problem with your argument is your choices could easily break the program. If a program needs certain files in certain places and its written to expect them there, you could easily break the application by denying something it needs. Which is a major headache on developers.
Actually I haven't made an argument that enforces that scenario. Yes, being prompted on specific administrative actions could and would have that effect with certain programs. It becomes the developer's responsibility then, to make sure that such resources are actually needed. I cannot remember ever writing a piece of software that required administrative privileges, either for install or execution. Also keep in mind that on systems with UAC (particularly Windows 7) there is a user-specific analogue for almost every single "global" system resource and if your program is designed to use those resources they would be where they'd normally be and their usage would be transparent to your application.

Quote:
This is exactly why Android for example does not give a choice on what permissions are allowed for apps. Its these are the permissions it wants, ether approve all or deny all. You cannot pick certain ones. For example, a contact application that helps manage people contacts would need to be able to have read and write permissions on the contact layer. But, if people denied that permission, IT would break the entire application. Then you would have idiots screaming to the developer that the app is broke and to fix it, when they themselves are the one that broke it!
Heh... well of course I would deny that one out of hand. I will counter that example with one of my own, from only last week:

I visited a website that had a blog. I wanted to post a reply to the blog, just as I'm doing now. At one point (after posting the reply) the webpage came up with its own prompt asking me if it could have access to public data about myself. So this is a question coming from the website, not from the system, so it didn't really need to ask any questions; in theory it could have just gone ahead and done what it did without my consent. That's what I thought anyway ... so I agreed.

A few minutes later I realized my mistake: What I just explained above. It did not need special approval so why the question? If the data is public, then I've already made it available and hence I'd been duped into agreeing to something else. Something more than what was asked for. Immediately I changed my account password.

A few hours later I get an SMS from Google about a blocked login attempt on my account using my password from a location in Spain.

But see ... (of course it might not have been that particular website but I checked online and that was the only site I'd visited recently [apart from my usual ones] and the only one that had asked for some kind of special permission having to do with my account - they were also known to use 3rd party services that would at best be described as "shady") ... anyway, see granting special access really did require my approval. That's why I realized I'd made a mistake (unfortunately too late) but I might have realized that before agreeing were I not presented with so many of these types of prompts in similar contexts.

Quote:
Sure, I would like to see a option someday that offers a advanced mode of UAC or something, but in the end the best you can do it set it to always notify. That makes it more like vista UAC structure. I won't deny its not a vulnerability, it is. The problem comes into play where they need to balance security with prompts. If you want the best security, use Linux. Not windows. But even then, Linux is not foolproof. Unfortunately nothing is.
Windows NT has one of the tightest security systems in the world. It is a "C2 level" security system as outlined and used by the US Department of Defense. The problem, and I agree with you, is that even the best security system in the world is defenseless against the "fool". Users need to be trained (by experience, not actual training!) to be surprised when special permissions are asked for. The jerk reaction should be to deny, not grant. Developers need to ensure their products can install and run properly with non-administrative privileges to ensure that no unnecessary prompting occurs. And that's not hard to do. I even have an example I just made the other day which would be perfect except for the idiotic setting that all downloaded files are immediately marked as untrusted. So there's a special prompt. Mind you, that prompt is not for special administrative privileges, but who can tell the difference? So the user is still being trained that approval is always required.

- Alan
My System SpecsSystem Spec
19 Jan 2015   #66
pandasniper100

Windows 7 Home Premium 64bit
 
 

is there anyway to disable uac for specific .bat files that i have made?
My System SpecsSystem Spec
19 Jan 2015   #67
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Hello pandasniper,

If you like, you could use the method in the tutorial below to create an elevated shortcut to "Run as administrator" the .bat file without getting a UAC prompt.

Elevated Program Shortcut without UAC Prompt - Create
My System SpecsSystem Spec
21 Jan 2015   #68
alacarre

Windows 7 Ultimate 32 bit
 
 

Quote   Quote: Originally Posted by Brink View Post
I'm afraid that I don't know why it behaves that way either when doing that. You would think that only files that require elevation to run would get the UAC shield overlay on their icons.
I discovered why it behaves this way, and that the behaviour can be disabled using the Local Security Settings manager (run "secpol.msc" from the run menu or command prompt etc.)

Once the security policy manager comes up, select "[Local Policies]/[Security/Options]" and scroll down to the bottom of the list and then up arrow about 5 times.

The option is called:
"Detect application installations and prompt for elevation" (default = Enabled)

Disable that setting and you won't get promoted on the basis of file name. A non-setup program will not bring up a UAC prompt and you can go ahead and run those installers with Standard user rights. Many applications will install perfectly and run perfectly fine without Administrator privileges. Even applications that require the use and installation of COM objects will install correctly and run correctly for the user account wherein it was installed ONLY.

COM objects will be installed in the registry under these keys:


1. HKEY_CURRENT_USER\Software\Classes\CLSID,
2. HKEY_CURRENT_USER\Software\Classes\Interface
3. HKEY_CURRENT_USER\Software\Classes\Typelib

And hence will not be accessible to other users on your machine and will not be granted administrator rights.

- Alan
My System SpecsSystem Spec
21 Jan 2015   #69
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Hello Alan,

I tested with that secpol disabled, and I still get prompted by UAC, and still have get UAC shield on old or newly created elevated program shortcut icons.

Whether it's an elevated program (ex: DeviceProperties.exe) or installer (ex: IconViewer) , UAC still prompts me.
My System SpecsSystem Spec
Comment

 User Account Control - UAC - Change Notification Settings




Tutorial Tools





Similar help and support threads
Windows 7 Tutorial Category
Can't Access User Account Control Settings
Hi there, my problem is that I'm unable to access my UAC settings - there is no Admin password installed, I'm operating as a standard user. every time I try to download a program onto my computer - the "User Account Control" dialog box appears and tells me to type in the Admin password then click...
System Security
Problem changing the User Account Control Settings
I'm trying to change the User Account Control Settings in my Standard Account but each time I try to do so I'm greeted with the message that I "must be logged in as an administrator to select this setting". What's puzzling is that I am logged in as an administrator when I try to change the setting...
System Security
User account notification settings
I installed an APC battery backup yesterday along with the required software. Now every time I boot up, the message about "do I want this program to make changes to your computer" comes up. I have the software installed in my startup folder so don't know why I have to see this at each boot up. Any...
Software
Change user account control settings
I'm trying to change the settings back to "never notify", but every time I click the link, after typing it in the search bar, nothing happens. Wile in the user account menu, the 4 options with an admin symbol next to them don't work either. I'm assuming that's the problem, I don't have admin...
System Security
User Account Control Settings Shortcut - Create
How to Create a User Account Control Settings Shortcut in Windows 7 This will show you how to create or download a User Account Control Settings shortcut. You can also Pin to Taskbar or Pin to Start Menu this shortcut, or move where you like for easy use in Windows 7. EXAMPLE: User Account...
Tutorials
User Account Control Settings
Hello all....:) I'm just wondering what all of you are running (if at all) your UAC at? Post and let us know. I have mine set at "full"; slider all the way up. I've seen from experience over at x64 that it's a bad idea to operate with it disabled... People that (supposedly..;).) know what...
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 18:05.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App