User Account Control - UAC - Change Notification Settings


  1. Posts : 72,051
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #60

    alacarre said:
    You are right, I tried it and it didn't help. In fact that's only part of what I wanted disabled. There's a very strange bug that exists in Win 7 and I'm not sure if it's new or nobody noticed. And that's the following:

    Take *any* program (particularly one that is not an install program) and rename it so that the word "setup" appears in the file name. For example hellosetupworld.exe for *any* program (except a real installer).

    If you do that a little shield appears with the program's icon and when you try to run what would otherwise be an innocuous unit test that tries (and would normally fail) to make some global system change, instead you get the UAC prompt for which you will click yes (ever clicked no?) and it will have acquired Admin access to your system and install a rootkit or whatever it wants to do. Trusted Installer is more on the level of NT Authority System than a regular old Administrator.

    - Alan
    The shield overlay on the icon would just mean that the program requires elevated rights to run/open and that you will get a UAC prompt if you click on it.

    If you click on "No" for a UAC prompt, it will just close and not allow the item to open.
    Last edited by Brink; 23 Nov 2013 at 16:32. Reason: added quote


  2. Posts : 37
    Windows 7 Ultimate 32 bit
       #61

    I think you misunderstood me. It happens only with certain programs and I don't know the criteria. Probably just that it be a console program.

    Try this:

    1. Copy %SystemRoot%\System32\debug.exe to some temporary directory.
    2. Run the program and quit.
    3. Rename it to asetup.exe
    4. Run it again and you will get the privilege escalation prompt.

    But that's a 16 bit program so you're going to think it has to do with that. But it doesn't. Same thing happens with SOME Win32 console applications. I have to find an example that I didn't compile myself to prove it!

    Okay, I found one you might have. pkzipc.exe

    That's a Win32 program. For one thing, all the examples I've tried didn't have an icon. Let me try 7z.exe

    Okay, 7z.exe does it. And also another console application I have that has an icon does it.

    Okay now, this part is interesting. pslist.exe which is a console application without an icon does NOT exhibit the behavior. Call it setup.exe and it does not acquire a shield. So I'm guessing it has to do with digital signatures.

    Finally, I tried a Win32 application, SUBSYSTEM:WINDOWS (not console) with icon, renamed to setup.exe and it acquires a shield. Definitely it is a bug related to digital signatures.
    Last edited by alacarre; 23 Nov 2013 at 15:31. Reason: Added known program which exhibits problem again


  3. Posts : 72,051
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #62

    I'm afraid that I don't know why it behaves that way either when doing that. You would think that only files that require elevation to run would get the UAC shield overlay on their icons.


  4. Posts : 37
    Windows 7 Ultimate 32 bit
       #63

    It's definitely a bug. Probably with one of the policy manager's handling of digital signatures for installation programs. It is also a very serious security vulnerability.

    The whole UAC prompt "idea" is already a serious security vulnerability. You only need to think for a minute to see why:

    1. If a process is untrusted the user is presented with a choice of either:
       1. Abort the process altogether.
       2. Hand over full administrative rights to the untrusted program.


    And this ultimatum is presented before anything is known about what the program intends to do. Neither of those choices are of any use if you want to install a program safely.

    I want to respond "No, I don't want to let it run with rights akin to NT Authority System, I want to let it run normally with normal access rights." If the program requires privilege escalation the system will (and it knows it will) prompt me during the install process. It could even tell me why it needs a privilege boost. If it's to create and write to a directory under Program Files, I'll OK that and ONLY that until it asks me again. If it wants to change global registry settings it could tell me in detail what settings will be changed.

    I may or may not approve, but at each step I will only grant approval for the action requested. Not every possible action that can be performed on my system including reformatting the hard drive. That's just ludicrous. Right? But that's what that prompt is asking you to allow a program to do because it is untrusted ?!?!? How does that make any sense?

    - Alan


  5. Posts : 4,566
    Windows 10 Pro
       #64

    @alacarre

    The problem with that argument is you're not thinking about the average user or developers. They would have constant annoyance every time they go to install a program to be prompted multiple times.
    A standard user would not even know or understand what Program Files even is. A majority of them barely read the prompt as it is now. Being prompted more would just annoy them to the point they would get so frustrated and get something else (as in a Mac), or worse, click yes on every pop-up they see, as they think it's just interfering with their work.

    The other problem with your argument is your choices could easily break the program. If a program needs certain files in certain places and it's written to expect them there, you could easily break the application by denying something it needs. Which is a major headache on developers.

    For example:

    This is exactly why Android for example does not give a choice on what permissions are allowed for apps. It's: these are the permissions it wants, either approve all or deny all. You cannot pick certain ones. For example, a contact application that helps manage people's contacts would need to be able to have read and write permissions on the contact layer. But, if people denied that permission, it would break the entire application. Then you would have idiots screaming to the developer that the app is broke and to fix it, when they themselves are the one that broke it!

    Sure, I would like to see an option someday that offers an advanced mode of UAC or something, but in the end the best you can do is set it to always notify. That makes it more like the Vista UAC structure. I won't deny it's not a vulnerability, it is. The problem comes into play where they need to balance security with prompts. If you want the best security, use Linux. Not Windows. But even then, Linux is not foolproof. Unfortunately nothing is.

    Having said all that, there are third party applications like WinPatrol that can and will give you constant alerts about every bleeping thing that happens on your PC and for you to approve it all.

    So if you do want that option, it's there and available.

    In the end though, security is a myth. You can lock all your doors and go crazy on security software, but there is always a way for a determined soul. Best to follow the best practices and have a backup.


    Side note: You could try telling Microsoft about the problem you discovered.
    http://technet.microsoft.com/en-us/s.../ff852094.aspx
    Last edited by andrew129260; 24 Nov 2013 at 08:12.


  6. Posts : 37
    Windows 7 Ultimate 32 bit
       #65

    andrew129260 said:
    @alacarre

    The problem with that argument is you're not thinking about the average user or developers. They would have constant annoyance every time they go to install a program to be prompted multiple times.
    Maybe you've misunderstood what I said. It is the average user that I have in mind, not the expert user. My concern is that there are far too many of these "special permission" prompts already and, in terms of security, the OS should be designed to reduce these sorts of prompts to the bare minimum or else they (the prompts) lose their effectiveness. That is, I'm trying to make your point so I don't understand how you would have a problem with that.

    The other problem with your argument is your choices could easily break the program. If a program needs certain files in certain places and it's written to expect them there, you could easily break the application by denying something it needs. Which is a major headache on developers.
    Actually I haven't made an argument that enforces that scenario. Yes, being prompted on specific administrative actions could and would have that effect with certain programs. It becomes the developer's responsibility then, to make sure that such resources are actually needed. I cannot remember ever writing a piece of software that required administrative privileges, either for install or execution. Also keep in mind that on systems with UAC (particularly Windows 7) there is a user-specific analogue for almost every single "global" system resource and if your program is designed to use those resources they would be where they'd normally be and their usage would be transparent to your application.

    This is exactly why Android for example does not give a choice on what permissions are allowed for apps. It's: these are the permissions it wants, either approve all or deny all. You cannot pick certain ones. For example, a contact application that helps manage people's contacts would need to be able to have read and write permissions on the contact layer. But, if people denied that permission, it would break the entire application. Then you would have idiots screaming to the developer that the app is broke and to fix it, when they themselves are the one that broke it!
    Heh... well of course I would deny that one out of hand. I will counter that example with one of my own, from only last week:

    I visited a website that had a blog. I wanted to post a reply to the blog, just as I'm doing now. At one point (after posting the reply) the webpage came up with its own prompt asking me if it could have access to public data about myself. So this is a question coming from the website, not from the system, so it didn't really need to ask any questions; in theory it could have just gone ahead and done what it did without my consent. That's what I thought anyway ... so I agreed.

    A few minutes later I realized my mistake: What I just explained above. It did not need special approval so why the question? If the data is public, then I've already made it available and hence I'd been duped into agreeing to something else. Something more than what was asked for. Immediately I changed my account password.

    A few hours later I get an SMS from Google about a blocked login attempt on my account using my password from a location in Spain.

    But see ... (of course it might not have been that particular website but I checked online and that was the only site I'd visited recently [apart from my usual ones] and the only one that had asked for some kind of special permission having to do with my account - they were also known to use 3rd party services that would at best be described as "shady") ... anyway, see granting special access really did require my approval. That's why I realized I'd made a mistake (unfortunately too late) but I might have realized that before agreeing were I not presented with so many of these types of prompts in similar contexts.

    Sure, I would like to see an option someday that offers an advanced mode of UAC or something, but in the end the best you can do is set it to always notify. That makes it more like the Vista UAC structure. I won't deny it's not a vulnerability, it is. The problem comes into play where they need to balance security with prompts. If you want the best security, use Linux. Not Windows. But even then, Linux is not foolproof. Unfortunately nothing is.
    Windows NT has one of the tightest security systems in the world. It is a "C2 level" security system as outlined and used by the US Department of Defense. The problem, and I agree with you, is that even the best security system in the world is defenseless against the "fool". Users need to be trained (by experience, not actual training!) to be surprised when special permissions are asked for. The jerk reaction should be to deny, not grant. Developers need to ensure their products can install and run properly with non-administrative privileges to ensure that no unnecessary prompting occurs. And that's not hard to do. I even have an example I just made the other day which would be perfect except for the idiotic setting that all downloaded files are immediately marked as untrusted. So there's a special prompt. Mind you, that prompt is not for special administrative privileges, but who can tell the difference? So the user is still being trained that approval is always required.

    - Alan


  7. Posts : 126
    Windows 7 Home Premium 64bit
       #66

    Is there any way to disable UAC for specific .bat files that I have made?


  8. Posts : 72,051
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #67

    Hello pandasniper,

    If you like, you could use the method in the tutorial below to create an elevated shortcut to "Run as administrator" the .bat file without getting a UAC prompt. :)

    Elevated Program Shortcut without UAC Prompt - Create


  9. Posts : 37
    Windows 7 Ultimate 32 bit
       #68

    Brink said:
    I'm afraid that I don't know why it behaves that way either when doing that. You would think that only files that require elevation to run would get the UAC shield overlay on their icons.
    I discovered why it behaves this way, and that the behaviour can be disabled using the Local Security Settings manager (run "secpol.msc" from the run menu or command prompt etc.)

    Once the security policy manager comes up, select "[Local Policies]/[Security/Options]" and scroll down to the bottom of the list and then up arrow about 5 times.


    The option is called:
    "Detect application installations and prompt for elevation" (default = Enabled)


    Disable that setting and you won't get prompted on the basis of file name. A non-setup program will not bring up a UAC prompt and you can go ahead and run those installers with Standard user rights. Many applications will install perfectly and run perfectly fine without Administrator privileges. Even applications that require the use and installation of COM objects will install correctly and run correctly for the user account wherein it was installed ONLY.

    COM objects will be installed in the registry under these keys:


    1. HKEY_CURRENT_USER\Software\Classes\CLSID,
    2. HKEY_CURRENT_USER\Software\Classes\Interface
    3. HKEY_CURRENT_USER\Software\Classes\Typelib

    And hence will not be accessible to other users on your machine and will not be granted administrator rights.

    - Alan
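
The policy and registry locations named in post #68 can be inspected from PowerShell; this is an added example, not code from the thread. It reads `EnableInstallerDetection`, the registry value behind the "Detect application installations and prompt for elevation" option, and lists the COM servers registered under the current user's `HKEY_CURRENT_USER\Software\Classes\CLSID` so they can be reviewed; the function names are hypothetical.

```powershell
# Added example (not from the thread): report the UAC installer-detection policy
# and list per-user COM registrations for review.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacInstallerDetection {
    # EnableInstallerDetection backs the secpol.msc option
    # "User Account Control: Detect application installations and prompt for elevation".
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                 = $p.EnableLUA
        EnableInstallerDetection  = $p.EnableInstallerDetection
        InstallerDetectionEnabled = ($p.EnableInstallerDetection -eq 1)
    }
}

function Get-PerUserComRegistration {
    # Walk the CLSIDs registered in the current user's hive and report the
    # server binary each one points to (default value of the server subkey).
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $sub = $clsid.OpenSubKey($kind)      # $null when the subkey is absent
            if ($null -ne $sub) {
                [pscustomobject]@{
                    Clsid  = $clsid.PSChildName
                    Kind   = $kind
                    Server = $sub.GetValue('')   # '' selects the key's default value
                }
                $sub.Close()
            }
        }
    }
}

Get-UacInstallerDetection | Format-List
Get-PerUserComRegistration | Sort-Object Clsid | Format-Table -AutoSize
```

Run it in the session of the account being checked, since `HKCU:` resolves to that user's hive only.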


  10. Posts : 72,051
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #69

    Hello Alan,

    I tested with that secpol disabled, and I still get prompted by UAC, and still get the UAC shield on old or newly created elevated program shortcut icons.

    Whether it's an elevated program (ex: DeviceProperties.exe) or installer (ex: IconViewer), UAC still prompts me.


 