Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Rethinking usefulness of UAC

03 Aug 2011   #1
strollin

W10 Pro desktop, W10 laptop, W10 laptop, W10 Pro tablet (all 64-bit)
 
 
Rethinking usefulness of UAC

I've been running Win 7 since RC1 and I've always run with UAC enabled but I've been rethinking that lately.

About a week ago I was trying to run a little utility from the Startup folder but it wouldn't run because of UAC. I set it to "Run As Administrator" but that didn't make any difference. I looked for an option that would let me tell UAC that I want to permanently allow that program to run but couldn't find such an option. (If that option exists, please tell me where it's at.) I ended up disabling UAC to get it to work.

I was concerned about that at first but then I got to thinking and realized that in the almost 2 years I've been running Win 7 on multiple machines, not once have I ever answered "No" when prompted by UAC as to whether to allow some program to do something that it was trying to do. Not once.

Has anyone else ever had UAC catch some errant program from doing something you didn't want it to do? I still haven't totally decided against UAC, the rest of my machines still have it enabled but I'm not concerned about having it disabled on the one machine.


My System SpecsSystem Spec
.
03 Aug 2011   #2
Bare Foot Kid
Microsoft MVP

W 7 64-bit Ultimate
 
 

Hello Bruce .



Have a look at this, you may find it useful, I use it for several things to include opening an elevated command window when needed.


Elevated Program Shortcut without UAC Prompt - Create

My System SpecsSystem Spec
03 Aug 2011   #3
cluberti

Windows 10 Pro x64
 
 

UAC provides a lot of benefits, but it's not something that I would give a blanket "everyone should use this" statement to either. However, if you disable UAC, you lose the ability for file and registry virtualization, regular users lose the ability to run utilities and programs that need elevations without using something 3rd party, you lose mandatory integrity control (low, medium, high IL processes), and admins run with full tokens (and as such become much more dangerous, from a security perspective, to do). If you are personally comfortable running without UAC, then it's worth looking into. However, given that quite a bit of OS security is "hidden" behind having UAC running, it is usually more useful to figure out why what you're doing requires UAC, if there's a way to find another way to do whatever it is you're doing (without needing UAC - that might include using a different program or method to accomplish a task), etc.

For an example of something related I came across today, read this.
My System SpecsSystem Spec
.

03 Aug 2011   #4
Britton30
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

I'm with Bruce on this too. If UAC had a setting "don't bother me when I open a program I've opened before" it would be great. even at the lowest setting it will give me a squawk.
Yes, CCleaner and Norton will make changes to my computer, but it is OK.
My System SpecsSystem Spec
03 Aug 2011   #5
cluberti

Windows 10 Pro x64
 
 

OK, but where do you store this information, and protect it from malicious software (which would rename itself to something you've allowed - now, you might as well have disabled it)? It'll be somewhere on the filesystem or registry, which means you'll have to store it with some sort of encryption, making something that could be time-sensitive now have to do hashing and checks on a binary, which also means totally checking it, which will depend on binary size and whether or not it has an ADS. That's not a good user experience, which makes it more likely people will disable UAC, which is exactly what you *don't* want the average user doing. You could reduce some of those checks or make them less strict (or fairly insecure) to increase performance, but that makes it easier to attack (and if UAC keeps a list somewhere, it ***will*** be a massive attack vector - imagine hundreds of millions of machines with security you can bypass if you can simply crack some very inefficient or insecure hash algorithm!!!

It's not just that straightforward - yes, a very good idea on paper, but a pretty poor one to implement.
My System SpecsSystem Spec
03 Aug 2011   #6
pparks1

Windows 7 Ultimate x64
 
 

The issue with remembering a program, is that UAC is designed to alert you when a program elevates. So, if at one point your browser wants to elevate to patch it, you might want it to proceed. But in the middle of a week, without an update, I'd be very concerned if I opened up Firefox and it wanted to escalate. With a blanket allow statement, how would i know if anything fishy came up.
My System SpecsSystem Spec
03 Aug 2011   #7
strollin

W10 Pro desktop, W10 laptop, W10 laptop, W10 Pro tablet (all 64-bit)
 
 

How is it different than using Brink's tutorial that BFK linked to above? The info to run the program thru the task scheduler "with highest privileges" must be stored somewhere as well, no?

I also would like to reiterate that I personally have never had a situation where UAC protected me from an errant program but had plenty of instances where the UAC was an annoyance.
My System SpecsSystem Spec
03 Aug 2011   #8
cluberti

Windows 10 Pro x64
 
 

It's stored as a manifest in the program itself, making it 1. attackable only on a per-binary basis and 2. much quicker and easier to trust, because only trusted binaries with a valid signature matching back to a Microsoft-signed and trusted CRL (this is one of the reasons getting CRL CAPI errors in the event log could be bad... ) are allowed to do this by default. So no, it's not the same.
My System SpecsSystem Spec
03 Aug 2011   #9
Britton30
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

Right cluberti, but I'm no software engineer so I have no idea how most things really operate. What are CRL CAPI errors? I'm not up to speed with all anagrams.
My System SpecsSystem Spec
03 Aug 2011   #10
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Hi,

Something that hasn't yet been mentioned, but could be critical for browser security is that if you turn UAC OFF, then you also turn OFF IE Protected Mode.

For me, UAC provides an additional layer of security in my IE browser through the Protected Mode. From that point of view, I think UAC is really useful.

Referer to the warning in Brink's tutorial here:

Internet Explorer Protected Mode - Turn On or Off

Regards,
Golden
My System SpecsSystem Spec
Reply

 Rethinking usefulness of UAC




Thread Tools




Similar help and support threads
Thread Forum
Mint Hack Has Me Rethinking Passwords
Ever since the Linux Mint forum was hacked, and forum members' passwords were potentially compromised, I have been thinking about passwords. Like most people, mine probably aren't up to snuff. For example, I just learned that router passwords should be 25 characters. And the old 12-character...
System Security


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 13:59.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App