UAC: Don't be part of the problem
-
Patrick Sears wrote:
The blame rests squarely on Microsoft's shoulders for not making the default account a USER account instead of an ADMIN account in all prior versions of Windows.
Perhaps. But now that home users have non-admin accounts by default, let's not continue the problem by continuing our unfortunate tradition of writing software that requires admin privileges.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: The Virginia Tech Shootings, Guns, and Politics The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Judah Himango wrote:
But now that home users have non-admin accounts by default
Actually, users STILL have admin accounts by default. The default Vista account is an admin account. You only get a standard user account if you explicitly create one. Yes, even after all of the hype.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
-
Christian Graus wrote:
Of course, my ISP won't let me connect with UAC active
:omg::wtf: That's one of the biggest WTFs I've ever heard. Have you submitted it to thedailywtf yet? ;) Actually, there may be a reasonable explanation: do you have to run some ISP software to connect?
Tech, life, family, faith: Give me a visit. I'm currently blogging about: The Virginia Tech Shootings, Guns, and Politics The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Yeah, it's wireless and I need to run their connection program.
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
-
...that's a quick count of 3rd-party simulation / biz-logic DLLs are used by my app right now. These are written either by consultants hired by suppliers, or in-house by engineers. Most of them are not maintained, and of the few that have source available, it's almost always in rough shape, very, very difficult to build or fix. Some of them are over twenty years old, written in FORTRAN, and last compiled for Win95. Oh yeah, and most of them assume they have admin rights for one reason or another. Maybe they try to write or lock files in their installation directory, or maybe they try to write to HKLM registry keys. Doesn't matter. I can't change them, and i can't replace them. Wanna blame the developers? Yeah, me too. But it doesn't help to bitch at someone who's long gone. As luck would have it, i got wind of a support call today, an external user asking if they could run our app on Vista. So, tonight or tomorrow, i'll install it, running as a normal user with UAC enabled, and see just how many hoops i have to jump through to make it work. If UAC can stay on, then i'll pass that along. If it can't, then i'll describe how to disable it. If there are changes needed to the installer to throw the whole mess into some sort of compatibility mode, then i'll suggest them to the installer guy. If it's just too much trouble, i'll simply state that it won't run on Vista, and they'll just have to stick with XP for the time being. No big deal, really. Frankly, i couldn't care less if not a single one of them upgrades to Vista...
----
i hope you are feeling sleepy for people not calling you by the same.
--BarnaKol on abusive words
Yeah, remote capture of Canon cameras is dead in Vista, thus killing one of the apps I work on.
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
I don't care about UAC, I have failed to be heated by all the noise it produce... Just press the button baby!
-
But on Windows we have an unfortunate history of ordinary applications that demand admin privileges for no good reason. If the Windows development culture hadn’t gone down this road we would never have needed UAC.
This is the basis for his entire argument, and it sounds convincing, except that it is entirely wrong. The blame rests squarely on Microsoft's shoulders for not making the default account a USER account instead of an ADMIN account in all prior versions of Windows. Developers only ever developed to the admin account, because - TADA! - that's all the users ever used unless they were working in a corporate environment where the IT staff actually bothered to apply a group policy. Microsoft should NEVER have made the home users have an Admin account by default.
Cheers, Patrick
Patrick Sears wrote:
The blame rests squarely on Microsoft's shoulders for not making the default account a USER account instead of an ADMIN account in all prior POOR versions of Windows.
Fixed that for ya :)
"The difficulty lies, not in the new ideas, but in escaping from the old ones." -- John Maynard Keyes, 1936
-
The only reason we have UAC at all is because of a cultural problem: many developers run as administrators on Windows. Is Ian trying out for the one-eared rabbit award? I think so. What a stupid statement. Developers are, what, .01% of all the users of Windows? And yet he says that we developers and our culture of running as administrators is the reason we have UAC? What a load of myopic horse manure. Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh SmithTwo 1 votes for saying that? Again there come the group of spearheads; who will object an individuals opinion with their little one votes. :rolleyes:
"The difficulty lies, not in the new ideas, but in escaping from the old ones." -- John Maynard Keyes, 1936
-
Matt Newman wrote:
Oh right, I forgot you were perfect now.
For the next 10 minutes. Then I turn into a pumpkin. ;P Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh SmithI love pumpkin seeds fried with garlic and butter. I can wait for ten minutes.;P
"The difficulty lies, not in the new ideas, but in escaping from the old ones." -- John Maynard Keyes, 1936
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Excellent indeed, but there is one thing I need to add to this. I noticed that windows acts really weird with UAC turned off. Sometimes you get unexplainable errors. I had this with VS2005, copying files to the program files directory and more stuff. After turning on UAC again and right-clicking run as administrator solved the problem. So don't turn it off, it gives you a bigger headache then when you leave it on.
WM. What about weapons of mass-construction? "What? Its an Apple MacBook Pro. They are sexy!" - Paul Watson
-
If you are a developer who has turned off UAC in frustration, remember that UAC is only this way because of all those software developers who insist on running as admin. nope. UAC only exists because Windows is such a delicious target for malware.
image processing toolkits | batch image processing | blogging
Chris Losinger wrote:
If you are a developer who has turned off UAC in frustration, remember that UAC is only this way because of all those software developers who insist on running as admin.
Even though I've been bitten by UAC before I have to admit there is more than a little truth behind this statement. The irony is that some Microsoft products – such as Visual Studio 2005 – don’t play nice with UAC enabled. I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
Steve
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
It's a bit difficult to decide who to reply to seeing as their are so many replies so I'll reply to OP but my comments are probably more centred on comments that have been made. I agree that developing in a restricted environment is a good way to find these permission issues early on. It really doesn't matter which side of the argument you sit on; but for example, I develop for one client who has a policy that all users run as "standard" users. For anything requiring "admin" rights a member of support will have to do this. I don't agree with it; I believe there are better ways of administering the policy but the bottom line is, if my software doesn't run as a standard user, I don't get paid :). Personally, I run as an admin. I think its a bad habit, but somehow I just haven't got over it :) but I have a machine on my network that is purely for testing (ie a set of VMs with standard accounts). Its odd how this seems a difficult habit to break in Windows, when I have absolutely no issue with running as a standard user in Linux. Just what you get used to I suppose.
The only thing unpredictable about me is just how predictable I'm going to be.
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
I agree with the statement of the article, but I believe the basic concept of UAC (do your daily work as a user, just elevate when needed) is not the main problem - nobody who calls himself an IT Pro can seriously disagree with this concept. I think it's more a problem with current implementation details of UAC that makes people hate it (e.g. not being able to share network connections and substs between user session and elevated session, confirm requests if applications are explicitly started with 'run as admin', always elevated start of some applications like regedit, ...) Gerd
-
Judah Himango wrote:
Late nite with Marc Clifton. I love it!
It's not too different from regular daytime hours, you know. :) Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh SmithActually I thought you were cooling down in your later hours...
regards, Paul Watson Ireland & South Africa
Shog9 wrote:
And with that, Paul closed his browser, sipped his herbal tea, fixed the flower in his hair, and smiled brightly at the multitude of cute, furry animals flocking around the grassy hillside where he sat coding Ruby on his Mac...
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
He has a point there, but as administrator i couldn't delete the windows.old directory and other files from my HD... if they think i keep 3G just for fun on my HD they're wrong.
-
But on Windows we have an unfortunate history of ordinary applications that demand admin privileges for no good reason. If the Windows development culture hadn’t gone down this road we would never have needed UAC.
This is the basis for his entire argument, and it sounds convincing, except that it is entirely wrong. The blame rests squarely on Microsoft's shoulders for not making the default account a USER account instead of an ADMIN account in all prior versions of Windows. Developers only ever developed to the admin account, because - TADA! - that's all the users ever used unless they were working in a corporate environment where the IT staff actually bothered to apply a group policy. Microsoft should NEVER have made the home users have an Admin account by default.
Cheers, Patrick
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
-
Chris Losinger wrote:
If you are a developer who has turned off UAC in frustration, remember that UAC is only this way because of all those software developers who insist on running as admin.
Even though I've been bitten by UAC before I have to admit there is more than a little truth behind this statement. The irony is that some Microsoft products – such as Visual Studio 2005 – don’t play nice with UAC enabled. I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
Steve
Stephen Hewitt wrote:
I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
I thought VS 2005 with SP1 Vista Update was supposed to fix this kind of thing? If not, what does it fix?
Kevin
-
Stephen Hewitt wrote:
I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
I thought VS 2005 with SP1 Vista Update was supposed to fix this kind of thing? If not, what does it fix?
Kevin
Drag-and-drop doesn't work due to User Interface Privilege Isolation. Programs running at a lower, non-privileged level (Explorer in this case) cannot send many window messages (to start the drag-drop conversation) to programs running at a higher, elevated level (Visual Studio). This prevents 'shatter' attacks. The Vista update adds a UAC manifest to Visual Studio which says 'if the user is an administrator, please run elevated' so you get a UAC prompt whenever you run Visual Studio, if you're a member of the Administrators group. However, if you're a Standard User, you don't get the prompt, VS isn't elevated, and drag-and-drop works. However, COM registration will fail as, I think, will some debugging features. I'm still using XP as a standard user.
Stability. What an interesting concept. -- Chris Maunder
-
Two 1 votes for saying that? Again there come the group of spearheads; who will object an individuals opinion with their little one votes. :rolleyes:
"The difficulty lies, not in the new ideas, but in escaping from the old ones." -- John Maynard Keyes, 1936
brahmma wrote:
Two 1 votes for saying that?
Criticizing a perceived demi-god is always dangerous. Criticizing Microsoft is problematic. Criticizing UAC (and Vista in general) is controversial. I would have been better off arguing that UAC contributes to global warming climate change because of the extra energy both man and machine spend dealing with it. :rolleyes: Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh Smith -
...that's a quick count of 3rd-party simulation / biz-logic DLLs are used by my app right now. These are written either by consultants hired by suppliers, or in-house by engineers. Most of them are not maintained, and of the few that have source available, it's almost always in rough shape, very, very difficult to build or fix. Some of them are over twenty years old, written in FORTRAN, and last compiled for Win95. Oh yeah, and most of them assume they have admin rights for one reason or another. Maybe they try to write or lock files in their installation directory, or maybe they try to write to HKLM registry keys. Doesn't matter. I can't change them, and i can't replace them. Wanna blame the developers? Yeah, me too. But it doesn't help to bitch at someone who's long gone. As luck would have it, i got wind of a support call today, an external user asking if they could run our app on Vista. So, tonight or tomorrow, i'll install it, running as a normal user with UAC enabled, and see just how many hoops i have to jump through to make it work. If UAC can stay on, then i'll pass that along. If it can't, then i'll describe how to disable it. If there are changes needed to the installer to throw the whole mess into some sort of compatibility mode, then i'll suggest them to the installer guy. If it's just too much trouble, i'll simply state that it won't run on Vista, and they'll just have to stick with XP for the time being. No big deal, really. Frankly, i couldn't care less if not a single one of them upgrades to Vista...
----
i hope you are feeling sleepy for people not calling you by the same.
--BarnaKol on abusive words
Shog9 wrote:
Maybe they try to write or lock files in their installation directory, or maybe they try to write to HKLM registry keys.
Compatibility redirection should handle that. Just don't expect the values to be the same across multiple users, because each user has their own independent redirected file store. Also don't expect them to appear in the right place in Explorer - the 'correct' path will gain a 'Compatibility Files' button in the toolbar which you can click to go to the redirected files. Finally, if the program is run elevated it won't find the files in the redirected store. Also, don't add a Vista UAC manifest. If you do, the redirection will be disabled and the errors will return. Redirection is only applied to applications not marked with a Vista UAC manifest.
Stability. What an interesting concept. -- Chris Maunder
