is it bad to turn off user account control?

Create Your own account as 'user' only - you can play anywhere you like with full knowledge that your PC is pretty bulletproof - nothing can be installed on your PC in the background - to install anything you will have to switch accounts
LUA doesn't stop malware from running and stealing your data. It just prevents them from embedding into your system.

LUA doesn't stop all malware from doing harm. That's my point.
The topic is "is it bad to turn off user account control?", my answer is NO - it's not bad, BUT there's a catch - you need to use LUA... I, now, will not argue if LUA stop ALL malware or not, I've stated several times, even if you got a nasty keylogger, the keylogger will be locked at your current LUA, it won't go system wide (which is VERY GOOD).

As pparks1 said, if you want to be completely safe, turn off your computer, go play something else...

zzz2496
 

Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.
 

Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.

+1 to that
 

Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.
Agreed, plus the power switch...

zzz2496
 

IMHO, it's better to have UAC at off... It's not a security feature (it's written several times in MSDN). It's a way to force developers to develop proper applications that respects user class differentiation. Having UAC on doesn't protect you from virus/malware, it just made it a tiny bit hassle for the virus/malware to get installed. I got mine at off, and so are my colleagues and close friends... We know what we're doing, so UAC is off for us, I don't really know about you, but that's where I'm at...

zzz2496

Agree with this 100 percent, if you think UAC is going to save you then you are sadly mistaken. It's more about using compatible and safe programs rather than saving your system. Not even A/V's will save you from some of the exploits that are floating around. UAC is mostly there to save people who know nothing about the programs they are installing, even then it's just too easy to click yes all the time which defeats the purpose of using it. If you want to be completely safe turn off your computer LOL, so true.

Obviously we could go back and forth on this subject all day but I think my original answer was worth defending. ;)
 

Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.

+2 Very well stated.
 

if you think UAC is going to save you then you are sadly mistaken.
While it may not save you, it may alert you to a strange situation when a known piece of software is attempting to auto elevate itself. This is where I come to rely upon knowing that UAC is in place. Even as a systems admin and a self proclaimed computer nerd...I honestly don't know exactly what every single piece of software is doing on my machine.

UAC is mostly there to save people who know nothing about the programs they are installing, even then it's just too easy to click yes all the time which defeats the purpose of using it.
This really isn't the intention of UAC. While it might be the result, the intent is to run a Windows computer without being an admin 100% of the time. Previous history in Windows shows that everybody=admin=all the time...doesn't work out so well and you end up with egg on your face at a corporate level with people belittling your software/OS.
 

The topic is "is it bad to turn off user account control?", my answer is NO - it's not bad, BUT there's a catch - you need to use LUA... I, now, will not argue if LUA stop ALL malware or not, I've stated several times, even if you got a nasty keylogger, the keylogger will be locked at your current LUA, it won't go system wide (which is VERY GOOD).

As pparks1 said, if you want to be completely safe, turn off your computer, go play something else...

zzz2496
I know/I agree.

I'm questioning whether you should "play anywhere you like" when using LUA.
 

Disabling UAC basically results in a return to the Windows XP security model. Here are some consequences of disabling UAC:

a) When using standard account:

  • loss of protective benefits of mandatory integrity control using integrity levels, including User Interface Privilege Isolation and Protected Mode of Internet Explorer
  • worse application compatibility due to disabling of file and registry virtualization
  • loss of UAC prompt when a program isn't working due to lack of admin rights, which lets the user know why the program failed; some programs will give an informative error message at such a failure, but some won't
  • loss of ability to elevate programs through UAC
  • switching to admin account to do admin activities is more dangerous (see below)

b) When using admin account:

  • programs run with full admin token by default, including Internet Explorer
  • worse application compatibility due to disabling of file and registry virtualization
  • system compromise by malware can be done without any UAC prompt
From New UAC Technologies for Windows Vista:
UIPI [User Interface Privilege Isolation] comes into effect for a user who is a member of the administrators group and may be running applications as a standard user (sometimes referred to as a process with a filtered access token) and also processes running with a full administrator access token on the same desktop. UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the behavior listed below. A lower privilege process cannot:

  • Perform a window handle validation of higher process privilege.
  • SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
  • Use thread hooks to attach to a higher privilege process.
  • Use Journal hooks to monitor a higher privilege process.
  • Perform dynamic link-library (DLL) injection to a higher privilege process.
With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels:

  • Desktop window, which actually owns the screen surface
  • Desktop heap read-only shared memory
  • Global atom table
  • Clipboard
I use a standard account for everyday tasks, and normally switch to an admin account to do admin-only tasks. I use UAC on its highest setting. For situations in which there is too much inconvenience to switch to an admin account, I launch programs elevated from a standard account without any UAC prompt by using an elevated program launcher - see http://www.sevenforums.com/system-s...-prompts-using-elevated-program-launcher.html for more details.
 

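A read-only check of the settings the post above describes, as an added example that is not part of the thread or any poster's own code. The registry value names are the standard UAC policy values under `Policies\System`; the function names are this example's own, and it assumes PowerShell 2.0 or later.

```powershell
# Added example: read-only audit of the UAC state discussed in this thread.
# It changes nothing; it reports policy values, the current token, and any
# files that file virtualization has redirected for the current user.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $names = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser',
             'PromptOnSecureDesktop', 'EnableVirtualization'
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $policy = New-Object PSObject
    foreach ($n in $names) {
        # A missing value is reported as $null instead of assuming a default.
        $value = $null
        if ($null -ne $props.$n) { $value = [int]$props.$n }
        Add-Member -InputObject $policy -MemberType NoteProperty -Name $n -Value $value
    }
    $policy
}

function Get-TokenInfo {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $groups    = whoami /groups

    # The integrity level is a SID of the form S-1-16-<RID>; matching on the SID
    # avoids depending on localized group names.
    $rid = $null
    foreach ($line in $groups) {
        if ($line -match 'S-1-16-(\d+)') { $rid = [int]$Matches[1] }
    }
    $levels = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'
                 12288 = 'High'; 16384 = 'System' }
    $level = 'Unknown'
    if ($null -ne $rid -and $levels.ContainsKey($rid)) { $level = $levels[$rid] }

    New-Object PSObject -Property @{
        User             = $identity.Name
        IntegrityLevel   = $level
        # True when BUILTIN\Administrators (S-1-5-32-544) is in the token at all,
        # including as a deny-only group in a filtered token.
        InAdministrators = [bool]($groups | Where-Object { $_ -match 'S-1-5-32-544(\s|$)' })
        # True only when the Administrators group is enabled, i.e. a full admin token.
        FullAdminToken   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-VirtualizedFiles {
    # Redirected writes land under %LOCALAPPDATA%\VirtualStore for the current user.
    $store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName
}

function Get-UacFindings {
    $p   = Get-UacPolicy
    $t   = Get-TokenInfo
    $out = @()

    if ($null -eq $p.EnableLUA) {
        $out += 'EnableLUA is not set: the OS default applies.'
    } elseif ($p.EnableLUA -eq 0) {
        $out += 'EnableLUA=0: UAC is off (no elevation prompts, no file/registry virtualization).'
        if ($t.InAdministrators) {
            $out += 'Account is an administrator: programs run with the full admin token by default.'
        }
    } else {
        $out += 'EnableLUA=1: UAC is on.'
        if ($p.ConsentPromptBehaviorAdmin -eq 0) {
            $out += 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt.'
        } elseif ($p.ConsentPromptBehaviorAdmin -eq 2) {
            $out += 'ConsentPromptBehaviorAdmin=2: always prompt for consent (highest setting).'
        } elseif ($p.ConsentPromptBehaviorAdmin -eq 5) {
            $out += 'ConsentPromptBehaviorAdmin=5: prompt for non-Windows binaries only.'
        }
        if ($p.ConsentPromptBehaviorUser -eq 0) {
            $out += 'ConsentPromptBehaviorUser=0: elevation requests from standard users are denied.'
        }
        if ($p.PromptOnSecureDesktop -eq 0) {
            $out += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop.'
        }
        if ($p.EnableVirtualization -eq 0) {
            $out += 'EnableVirtualization=0: file/registry virtualization is disabled.'
        }
        if ($t.InAdministrators -and -not $t.FullAdminToken) {
            $out += 'This process holds a filtered token: admin rights require elevation.'
        }
    }

    $out += "Current process integrity level: $($t.IntegrityLevel)"
    $count = @(Get-VirtualizedFiles).Count
    $out += "Files redirected to VirtualStore for this user: $count"
    $out
}

Get-UacPolicy | Format-List
Get-TokenInfo | Format-List
Get-UacFindings
```

Running it once from a normal prompt and once from an elevated one shows the filtered and full tokens side by side.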
Disabling UAC basically results in a return to the Windows XP security model. Here are some consequences of disabling UAC:

a) When using standard account:

  • loss of protective benefits of mandatory integrity control using integrity levels, including User Interface Privilege Isolation and Protected Mode of Internet Explorer
  • worse application compatibility due to disabling of file and registry virtualization
  • loss of UAC prompt when a program isn't working due to lack of admin rights, which lets the user know why the program failed; some programs will give an informative error message at such a failure, but some won't
  • loss of ability to elevate programs through UAC
  • switching to admin account to do admin activities is more dangerous (see below)

b) When using admin account:

  • programs run with full admin token by default, including Internet Explorer
  • worse application compatibility due to disabling of file and registry virtualization
  • system compromise by malware can be done without any UAC prompt
From New UAC Technologies for Windows Vista:
UIPI [User Interface Privilege Isolation] comes into effect for a user who is a member of the administrators group and may be running applications as a standard user (sometimes referred to as a process with a filtered access token) and also processes running with a full administrator access token on the same desktop. UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the behavior listed below. A lower privilege process cannot:

  • Perform a window handle validation of higher process privilege.
  • SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
  • Use thread hooks to attach to a higher privilege process.
  • Use Journal hooks to monitor a higher privilege process.
  • Perform dynamic link-library (DLL) injection to a higher privilege process.
With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels:

  • Desktop window, which actually owns the screen surface
  • Desktop heap read-only shared memory
  • Global atom table
  • Clipboard
I use a standard account for everyday tasks, and normally switch to an admin account to do admin-only tasks. I use UAC on its highest setting. For situations in which there is too much inconvenience to switch to an admin account, I launch programs elevated from a standard account without any UAC prompt by using an elevated program launcher - see http://www.sevenforums.com/system-s...-prompts-using-elevated-program-launcher.html for more details.
MrBrian, very nice post... I understand the implications of disabling UAC, I understand many technologies that make up UAC and I'm one of those who won't use UAC. If you read this thread from the start, I posted a link to another thread where I discussed UAC quite lengthy with other members (one of them is pparks1). Yes I know about MIC, UIPI, Registry virtualization, and other virtualization techniques implemented by UAC. Here are my why(s):

  1. Running everything in standard user with UAC off is faster because all of those so called "security" layers aren't operational, and is not needed because the token which is currently used is a standard user. Why waste processor cycles for useless processes? There are lots and lots of malware that uses social engineering that can "bypass" UAC just like that, why waste processing time if with or without UAC you can catch bad things? MIC, UIPI and so on is there so that if a so called malware wants to install it self silently UAC will catch it, but come on, this is 3+ years since UAC is first introduced, are those malware/virus developers really that stupid?
  2. IE, don't use it, it's bad for anything - unless your company is depending its life on it (which is VERY BAD), still don't use it (argue your boss to move to another safer browser)... No matter what version, as long it's IE, stay away from it (unless MS can prove otherwise in a wide open public test with several hundred thousand testers and tested for at least a year straight). With LUA or not, stay away from IE period.
  3. Application compatibility has nothing to do with UAC, if a program can't access HKEY_LOCAL_MACHINE, with UAC it won't be able to access it, without UAC it still won't be able to access (with LUA), in both cases - the app will crash. Better for it to crash than to run intermittently. Maybe UAC will tell you something, but how many users will read the darn message? The fact is the app crashed... Should the registry virtualization let you run an app, most of the time that app will crash anyway, unless you run it in XP mode (saves time, blood, tears, and frustration).
  4. Privilege elevation is still somewhat doable through "Run as..." context menu, too bad this method doesn't behave as transparent as sudo in *nix.
  5. Once you understand the difference between Admin and Standard user, when you need to do system administration, you login to admin account, do whatever you need (update apps, install new apps [installers has been scanned with AV], update drivers, etc), then log off and use standard user for everything else. You don't use admin to browse the net, especially use IE while in admin account, that's suicidal.
  6. You can get malware/virus. With UAC enabled or not, you can still get it, with admin + UAC, your virus/malware will infect your whole system in an instant (there are many thread posts that proofs just that). With LUA, the one that's infected is the limited user's files/account, it won't spread to Windows's core. Login to another user (preferably admin) and clean it up.
The basic idea of UAC is to let regular Windows user (those who uses admin account all the time) to be able to practice safe computing without learning anything, that's all there is to it. UAC strips you off your admin privileges and saving you in the process. But for those who understands the basics of how multi user environment works, using UAC + LUA is moot, it checks and do everything to strip you out off something you don't have... It's pointless...

zzz2496
 

Running everything in standard user with UAC off is faster because all of those so called "security" layers aren't operational, and is not needed because the token which is currently used is a standard user. Why waste processor cycles for useless processes? There are lots and lots of malware that uses social engineering that can "bypass" UAC just like that, why waste processing time if with or without UAC you can catch bad things? MIC, UIPI and so on is there so that if a so called malware wants to install it self silently UAC will catch it, but come on, this is 3+ years since UAC is first introduced, are those malware/virus developers really that stupid?
And here is that answer....
a) When using standard account:

  • loss of protective benefits of mandatory integrity control using integrity levels, including User Interface Privilege Isolation and Protected Mode of Internet Explorer
  • worse application compatibility due to disabling of file and registry virtualization
  • loss of UAC prompt when a program isn't working due to lack of admin rights, which lets the user know why the program failed; some programs will give an informative error message at such a failure, but some won't
  • loss of ability to elevate programs through UAC
  • switching to admin account to do admin activities is more dangerous (see below)


If you were to work on a Help Desk, you would know that the more information you can get the better when troubleshooting. You can't always get it direct from the user. Sorry, but they have no clue what they are asking or talking about, they have no idea what they are even telling you when they are trying to tell you what is wrong. The more information the better. Even in a home user environment.

IE, don't use it, it's bad for anything - unless your company is depending its life on it (which is VERY BAD), still don't use it (argue your boss to move to another safer browser)... No matter what version, as long it's IE, stay away from it (unless MS can prove otherwise in a wide open public test with several hundred thousand testers and tested for at least a year straight). With LUA or not, stay away from IE period.
Uhhh,, prove it with,, IE8. ..... .... Yes, there might be safer browsers.. it's called Security through Obscurity.
But, try convincing any company that has invested a ton of money in a model that does work to change for one that isn't so sure. Sorry,, FF works well for what it does, but put it under certain business models and it chokes.



Privilege elevation is still somewhat doable through "Run as..." context menu, too bad this method doesn't behave as transparent as sudo in *nix.
blah blah blah nix blah blah blah

Once you understand the difference between Admin and Standard user, when you need to do system administration, you login to admin account, do whatever you need (update apps, install new apps [installers has been scanned with AV], update drivers, etc), then log off and use standard user for everything else. You don't use admin to browse the net, especially use IE while in admin account, that's suicidal.
Answered above already.

You can get malware/virus. With UAC enabled or not, you can still get it, with admin + UAC, your virus/malware will infect your whole system in an instant (there are many thread posts that proofs just that). With LUA, the one that's infected is the limited user's files/account, it won't spread to Windows's core. Login to another user (preferably admin) and clean it up.
No one is arguing that.


The basic idea of UAC is to let regular Windows user (those who uses admin account all the time) to be able to practice safe computing without learning anything, that's all there is to it. UAC strips you off your admin privileges and saving you in the process. But for those who understands the basics of how multi user environment works, using UAC + LUA is moot, it checks and do everything to strip you out off something you don't have... It's pointless..
Again,, answered above
 

  1. Running everything in standard user with UAC off is faster because all of those so called "security" layers aren't operational, and is not needed because the token which is currently used is a standard user. Why waste processor cycles for useless processes? There are lots and lots of malware that uses social engineering that can "bypass" UAC just like that, why waste processing time if with or without UAC you can catch bad things? MIC, UIPI and so on is there so that if a so called malware wants to install it self silently UAC will catch it, but come on, this is 3+ years since UAC is first introduced, are those malware/virus developers really that stupid
  2. IE, don't use it, it's bad for anything - unless your company is depending its life on it (which is VERY BAD), still don't use it (argue your boss to move to another safer browser)... No matter what version, as long it's IE, stay away from it (unless MS can prove otherwise in a wide open public test with several hundred thousand testers and tested for at least a year straight). With LUA or not, stay away from IE period.
  3. Application compatibility has nothing to do with UAC, if a program can't access HKEY_LOCAL_MACHINE, with UAC it won't be able to access it, without UAC it still won't be able to access (with LUA), in both cases - the app will crash. Better for it to crash than to run intermittently. Maybe UAC will tell you something, but how many users will read the darn message? The fact is the app crashed... Should the registry virtualization let you run an app, most of the time that app will crash anyway, unless you run it in XP mode (saves time, blood, tears, and frustration).
  4. Privilege elevation is still somewhat doable through "Run as..." context menu, too bad this method doesn't behave as transparent as sudo in *nix.
  5. Once you understand the difference between Admin and Standard user, when you need to do system administration, you login to admin account, do whatever you need (update apps, install new apps [installers has been scanned with AV], update drivers, etc), then log off and use standard user for everything else. You don't use admin to browse the net, especially use IE while in admin account, that's suicidal.
  6. You can get malware/virus. With UAC enabled or not, you can still get it, with admin + UAC, your virus/malware will infect your whole system in an instant (there are many thread posts that proofs just that). With LUA, the one that's infected is the limited user's files/account, it won't spread to Windows's core. Login to another user (preferably admin) and clean it up.
The basic idea of UAC is to let regular Windows user (those who uses admin account all the time) to be able to practice safe computing without learning anything, that's all there is to it. UAC strips you off your admin privileges and saving you in the process. But for those who understands the basics of how multi user environment works, using UAC + LUA is moot, it checks and do everything to strip you out off something you don't have... It's pointless...

zzz2496

Nice post also, zzz2496.

Some thoughts about your points:
1. If you're using a standard account and not actually elevating anything, then I believe that any time differences are for most intents and purposes inconsequential, at least on a fairly modern machine. There is a few seconds delay on my fairly new machine when elevating from an admin account - that's a fair point. I don't notice any delay when launching elevated apps in a standard account using the elevated program launcher method.
2. I do run Firefox as a low integrity process. For those that use IE however, I wouldn't be surprised that Protected Mode IE is the part of UAC that is preventing the most damage to users.
3. I disagree. Let's use a concrete example to illustrate. Yahoo Messenger running as a standard user writes information to its Program Files folder. Without file virtualization of UAC (or manual altering of file permissions), Yahoo Messenger would fail - correct me if I'm wrong. With UAC turned on, UAC redirects the file writes to the VirtualStore folder, and Yahoo Messenger works without any problems.
4. I agree. But without UIPI that UAC provides, there is less protection of elevated apps from non-elevated apps running in the same desktop.
5. That's what I do typically also.
6. I agree that UAC in an admin account is not as good, because malware running non-elevated has access to the same account where elevated processes run. I don't have any data to demonstrate what percent of malware is taking advantage of these deficiencies of UAC in an admin account.
 

Tepid,

I'm sorry, I don't work in help desk :p, I do act as one of the core domain admins. I don't really care if a client complains about his/her computer, I asked them what did they do, they will describe something, then I point them to the "rule book", then they nod without asking me anything anymore, all is well... My office runs on my internal web portal, primary apps in use are: FF/GC/Safari, Vanilla Windows installation (or Linux live CD image) + basic drivers + FF (or GC on most Windows computers, Safari on Macs). Servers run Linux under VMM, when infected with ANY malware/virus, I run CloneZilla, restore the disk image off one of my storage silos, business as usual in less than 10 minutes. I'm planning on moving the clients to iSCSI boot, write protected disk images, boot over LAN, no headache guaranteed.

As for IE, my own internal portal that conforms to W3C standards, tested with FF/Safari/GC/Opera, runs fine on those three, but will almost always render incorrectly with IE, either a small glitch (IE has its own DOM format, doesn't conform to industry standards) to complete disaster, I don't want to remember it - made me debug my library until 3 AM... Oh yeah, I've left the ActiveX ways, much better these days with Async JS + JSON than ActiveX (reminded me another nightmare few years back), so no IE dependency at all.

MrBrian,

I'm sorry, I don't use Yahoo Messenger... I use either Pidgin or Digsby. Pidgin is running in "portable" mode so it won't complain anything... Everything in my place is running close to static image, except my development box which I use the way I want it to. As I said earlier, if the user (me) bumped to a program that doesn't work with Win7, the user (me) will learn to not use the program and will look for alternatives that will work. Not to mention I have my own XMPP chat server in my internal network, so Yahoo Messenger isn't really important...;)

zzz2496
 

Ahhhh,,, that explains it.

I don't give advice on how I use my system, (exactly), I give advice on how a system is supposed to be used and works. For instance, I do run as full admin with no UAC, but, that is because I know how to fix it if it breaks, clean it if it gets infected, needs a re-image when needed. Takes me a very short amount of time.

But telling others (general public and those who really don't know how to do these things) information on how and what I do, according to how I use my system, could set them up for disaster. Could leave them vulnerable and not know how to fix it and coming back here to try and figure out what happened.

So, playing the side of caution, Standard User with UAC is the best answer for the average individual that comes in here or anywhere, asking. You can't teach those who lurk over a forum. And those that post or ask don't always fully understand what is being told to them.

I am a Help Desk and Desktop Support tech. Trust me when I say, "people don't really want to know what is broken or how it broke when you start explaining and you either hear (literally) or see their eyes glaze over with "huh?" and you try to break it down and they say, "but it's fixed right?"

Same goes in any forum, if they really want to know, I or someone will break it down, but when the question is as simple as the one asked here, the answer should be as simple also. "Don't do what I do, cause I actually do know more than you and can rectify problems easier than you can, so my answer is the simplest answer, run the system the way it is meant to be run, you will be better off." Otherwise, you could set someone up for failure.

Granted, I may forget this rule from time to time, I try not to. And in my real life, if I do forget, it almost always comes back to bite me. The main 2 rules are.....

Rule 1: simplicity (or even fudging the truth) is worth more than trying to fully explain. (i.e. it was an ID10T error, or the admins screwed the pooch and that wiped out your settings) kidding of course, but not by much.

Rule 2: Get in, fix it and get out, don't try to do more unless they ask (I'm guilty, I still break this one on occasion), it confuses most clients, or forum readers.

If I do break Rule 2, I try to explain to the best of my ability and provide extra info that anyone can go look at when possible if they want to.

But, I digress as I think this thread is starting to beat a dead horse.
 

I think the thread "started" to beat a dead horse a long time ago...

BTW, it's impressive that you have the patience to help out on here in addition to help desk work. Most people don't have it in them to spend their free time doing the same thing they do during work hours ... I know I certainly don't!

Kudos!
 

A long time ago I had problems downloading updates via Windows Update. I couldn't figure out what was going on.
Someone suggested on the forums here to turn off UAC and sure enough that did the trick. I turned it back on when the updates were complete but now I know what to do in the case where they won't install.
 

I would suggest you use User Account for your day-2-day use and log on to an Admin account whenever you need to install something (once in a blue moon when you're set up) - UAC is PITA and totally unnecessary piece of baggage - XP didn't need it, Vista doesn't and neither does Win 7

.
 

Ahahaha ;), all this because we have a different approach to the same problem... I should've pointed out that I give suggestions based on how I use my system(s). If I know straight away how and why something should be disabled (or better disabled) like UAC, I'll say it straight out without thinking if the other party is knowledgeable enough or not... Everyone is entitled to their own opinion, I can't force my opinion on you nor on anyone else. I say UAC is better off, it's my opinion - and I respect your opinion that UAC should stay on (as Help desk loves less problems), I stand by my opinion because I know it's better off for my systems, you know it's better on because it will cause less problems... and the thread starter is lost in all of this vast jungle of information...

I agree, we are beating an already dead horse here...

zzz2496
 

UAC is PITA and totally unnecessary piece of baggage - XP didn't need it, Vista doesn't and neither does Win 7

.

It seems that everybody running XP as an admin user really wasn't that good of a concept now in retrospect. Look at all of the infected, malware-ridden XP boxes which were hijacked and decimated as the result of standard users with too much access to the system itself. While UAC isn't perfect, I couldn't more strongly disagree with you on this matter.
 

MrBrian,

I'm sorry, I don't use Yahoo Messenger.

The general point is that turning off UAC causes some programs to fail in a standard account that would otherwise work fine with UAC on.

From http://technet.microsoft.com/en-us/library/cc709628%28WS.10%29.aspx:
Because the enterprise environment has long been a place where system administrators have been attempting to lock down systems, many line-of-business (LOB) applications are designed to not require a full administrator access token. As a result, IT administrators will not need to replace the majority of pre-Windows Vista applications when running Windows Vista with UAC enabled.

Windows Vista includes file and registry virtualization technology for applications that are not UAC compliant and that have historically required an administrator's access token to run correctly. Virtualization ensures that even applications that are not UAC compliant will be compatible with Windows Vista. When a non-UAC-compliant administrative application attempts to write to a protected directory, such as Program Files, UAC gives the application its own virtualized view of the resource it is attempting to change, using a copy-on-write strategy. The virtualized copy is maintained under the user's profile. As a result, a separate copy of the virtualized file is created for each user that runs the non-compliant application.

The virtualization technology ensures that non-compliant applications will not silently fail to run or fail in a non-deterministic way. UAC also provides file and registry virtualization and logging by default for pre-Windows Vista applications that write to protected areas.
 

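The virtualization behaviour quoted from TechNet in the last post can be checked on a given machine. The PowerShell below is an added example, not part of the thread or of the TechNet article; the registry value names and the VirtualStore locations are standard Windows ones that the thread itself does not mention, and the file paths assume the redirected writes targeted the system drive.

```powershell
# Added example: show whether UAC and its virtualization are enabled, then
# list what has already been redirected for the current user.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey

# A value missing from the key prints as blank.
$policy |
    Select-Object EnableLUA, EnableVirtualization, ConsentPromptBehaviorAdmin,
                  ConsentPromptBehaviorUser, PromptOnSecureDesktop |
    Format-List | Out-Host

if ($policy.EnableLUA -eq 0) {
    Write-Warning ('UAC is off (EnableLUA = 0). Virtualization does not run, so a ' +
        'legacy program that writes to a protected location gets access denied ' +
        'in a standard account instead of a per-user copy.')
}

# File virtualization: copies live under the profile, mirroring the original
# path relative to the drive root (assumed here to be the system drive).
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (Test-Path -LiteralPath $fileStore) {
    Get-ChildItem -LiteralPath $fileStore -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object @{ Name = 'IntendedPath'
                         Expression = { $env:SystemDrive + $_.FullName.Substring($fileStore.Length) } },
                      @{ Name = 'VirtualizedCopy'; Expression = { $_.FullName } },
                      LastWriteTime |
        Sort-Object LastWriteTime -Descending |
        Format-Table -AutoSize -Wrap | Out-Host
} else {
    'No file VirtualStore for this user.'
}

# Registry virtualization: redirected HKLM\SOFTWARE writes land here.
$regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
if (Test-Path -Path $regStore) {
    Get-ChildItem -Path $regStore -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
} else {
    'No virtualized registry keys for this user.'
}
```

Any program that shows up in either list is one that depends on virtualization, which is the kind of program the last post says stops working in a standard account once UAC is turned off.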