UAC: Don't be part of the problem
-
Chris Losinger wrote:
If you are a developer who has turned off UAC in frustration, remember that UAC is only this way because of all those software developers who insist on running as admin.
Even though I've been bitten by UAC before I have to admit there is more than a little truth behind this statement. The irony is that some Microsoft products – such as Visual Studio 2005 – don’t play nice with UAC enabled. I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
Steve
Stephen Hewitt wrote:
I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
I thought VS 2005 with SP1 Vista Update was supposed to fix this kind of thing? If not, what does it fix?
Kevin
-
Stephen Hewitt wrote:
I’ve been forced to run 2005 in an account with UAC disabled so drag and drop works.
I thought VS 2005 with SP1 Vista Update was supposed to fix this kind of thing? If not, what does it fix?
Kevin
Drag-and-drop doesn't work due to User Interface Privilege Isolation. Programs running at a lower, non-privileged level (Explorer in this case) cannot send many window messages (to start the drag-drop conversation) to programs running at a higher, elevated level (Visual Studio). This prevents 'shatter' attacks. The Vista update adds a UAC manifest to Visual Studio which says 'if the user is an administrator, please run elevated' so you get a UAC prompt whenever you run Visual Studio, if you're a member of the Administrators group. However, if you're a Standard User, you don't get the prompt, VS isn't elevated, and drag-and-drop works. However, COM registration will fail as, I think, will some debugging features. I'm still using XP as a standard user.
Stability. What an interesting concept. -- Chris Maunder
-
Two 1 votes for saying that? Again there come the group of spearheads; who will object an individuals opinion with their little one votes. :rolleyes:
"The difficulty lies, not in the new ideas, but in escaping from the old ones." -- John Maynard Keyes, 1936
brahmma wrote:
Two 1 votes for saying that?
Criticizing a perceived demi-god is always dangerous. Criticizing Microsoft is problematic. Criticizing UAC (and Vista in general) is controversial. I would have been better off arguing that UAC contributes to global warming climate change because of the extra energy both man and machine spend dealing with it. :rolleyes: Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh Smith -
...that's a quick count of 3rd-party simulation / biz-logic DLLs are used by my app right now. These are written either by consultants hired by suppliers, or in-house by engineers. Most of them are not maintained, and of the few that have source available, it's almost always in rough shape, very, very difficult to build or fix. Some of them are over twenty years old, written in FORTRAN, and last compiled for Win95. Oh yeah, and most of them assume they have admin rights for one reason or another. Maybe they try to write or lock files in their installation directory, or maybe they try to write to HKLM registry keys. Doesn't matter. I can't change them, and i can't replace them. Wanna blame the developers? Yeah, me too. But it doesn't help to bitch at someone who's long gone. As luck would have it, i got wind of a support call today, an external user asking if they could run our app on Vista. So, tonight or tomorrow, i'll install it, running as a normal user with UAC enabled, and see just how many hoops i have to jump through to make it work. If UAC can stay on, then i'll pass that along. If it can't, then i'll describe how to disable it. If there are changes needed to the installer to throw the whole mess into some sort of compatibility mode, then i'll suggest them to the installer guy. If it's just too much trouble, i'll simply state that it won't run on Vista, and they'll just have to stick with XP for the time being. No big deal, really. Frankly, i couldn't care less if not a single one of them upgrades to Vista...
----
i hope you are feeling sleepy for people not calling you by the same.
--BarnaKol on abusive words
Shog9 wrote:
Maybe they try to write or lock files in their installation directory, or maybe they try to write to HKLM registry keys.
Compatibility redirection should handle that. Just don't expect the values to be the same across multiple users, because each user has their own independent redirected file store. Also don't expect them to appear in the right place in Explorer - the 'correct' path will gain a 'Compatibility Files' button in the toolbar which you can click to go to the redirected files. Finally, if the program is run elevated it won't find the files in the redirected store. Also, don't add a Vista UAC manifest. If you do, the redirection will be disabled and the errors will return. Redirection is only applied to applications not marked with a Vista UAC manifest.
Stability. What an interesting concept. -- Chris Maunder
-
Drag-and-drop doesn't work due to User Interface Privilege Isolation. Programs running at a lower, non-privileged level (Explorer in this case) cannot send many window messages (to start the drag-drop conversation) to programs running at a higher, elevated level (Visual Studio). This prevents 'shatter' attacks. The Vista update adds a UAC manifest to Visual Studio which says 'if the user is an administrator, please run elevated' so you get a UAC prompt whenever you run Visual Studio, if you're a member of the Administrators group. However, if you're a Standard User, you don't get the prompt, VS isn't elevated, and drag-and-drop works. However, COM registration will fail as, I think, will some debugging features. I'm still using XP as a standard user.
Stability. What an interesting concept. -- Chris Maunder
Mike Dimmick wrote:
The Vista update adds a UAC manifest to Visual Studio which says 'if the user is an administrator, please run elevated' so you get a UAC prompt whenever you run Visual Studio, if you're a member of the Administrators group.
I thought this was what was supposed to happen before the update? :confused:
Kevin
-
Ah, ok.
Judah Himango wrote:
If devs just write software that doesn't require admin priveleges -- honestly, it isn't that hard! -- this problem wouldn't exist.
Well, then please ask Ian: WHY DOES VS2005 UNDER VISTA TELL ME I SHOULD RUN WITH ADMINISTRATIVE PRIVILEGES BECAUSE SOME PARTS OF VS2005 WILL NOT WORK UNDER A NORMAL USER ACCOUNT??? Eh Ian? What say you to that? The very friggin' tool tells you to run as Admin!!! [edit]Oh, but I suppose one could argue that running VS2005 as admin is still different from running the app your developing with VS2005. While technically true, I feel that he is still making up excuses.[/edit] Marc
People are just notoriously impossible. --DavidCrow
There's NO excuse for not commenting your code. -- John Simmons / outlaw programmer
People who say that they will refactor their code later to make it "good" don't understand refactoring, nor the art and craft of programming. -- Josh SmithWhoever put that notice on the VS2005 nagging screen that you should run it with administrative privileges should be fired. He basically ruined the whole purpose of UAC (yes, it's for developers, not for users). VS2005 ran fine on my XP standard user account and it continues to run fine without elevating on Vista. Drag'n'drop works fine for me because I simply don't run it as admin. You only need to run VS2005 as admin if you use it to perform tasks that require admin rights: registering COM components or debugging Windows services (e.g. IIS). If you write normal .NET class libraries, Windows applications, or just debug your web applications using the development server, there's no need to run VS2005 with admin rights, it works fine in standard user mode. The message on the nagging screen is just misleading; it's sabotaging UAC just so that the guys debugging IIS don't have to look in the documentation to find out why it doesn't work on Vista.
-
Irregardless of whether or not the default account is an admin account, if a developer doesn't take into account standard users it is the developers fault.
Matt Newman
Regardless, not irregardless! Irregardless is not even in the dictionary. Anyway, if the piece of software gets into production like that, it isn't even the developer**'**s fault, it's QA's fault for not testing the product on a restricted user account.
Asynchronously daydreaming...
-
Regardless, not irregardless! Irregardless is not even in the dictionary. Anyway, if the piece of software gets into production like that, it isn't even the developer**'**s fault, it's QA's fault for not testing the product on a restricted user account.
Asynchronously daydreaming...
-
Regardless, not irregardless! Irregardless is not even in the dictionary. Anyway, if the piece of software gets into production like that, it isn't even the developer**'**s fault, it's QA's fault for not testing the product on a restricted user account.
Asynchronously daydreaming...
Please tell me you're joking! Why is it always the testers fault? It seems to me that while developers, requirements managers and project managers are deemed to be human and therefore fallible - hence the existence of the QA department in the first place, testers have to be God-like and incapable of oversight. Last time I checked the QA team I was part of had introduced 0% of all defects in the application under test.
-
Regardless, not irregardless! Irregardless is not even in the dictionary. Anyway, if the piece of software gets into production like that, it isn't even the developer**'**s fault, it's QA's fault for not testing the product on a restricted user account.
Asynchronously daydreaming...
As a technical writer, I could not resist! 4 results for: Irregardless[^] View results from: Dictionary | Thesaurus | Encyclopedia | All Reference | the Web Dictionary.com Unabridged (v 1.1) - Cite This Source ir·re·gard·less /ˌɪrɪˈgɑrdlɪs/ Pronunciation Key - Show Spelled Pronunciation[ir-i-gahrd-lis] Pronunciation Key - Show IPA Pronunciation –adverb Nonstandard. regardless. -------------------------------------------------------------------------------- [Origin: 1910–15; ir-2 (prob. after irrespective) + regardless] —Usage note Irregardless is considered nonstandard because of the two negative elements ir- and -less. It was probably formed on the analogy of such words as irrespective, irrelevant, and irreparable. Those who use it, including on occasion educated speakers, may do so from a desire to add emphasis. Irregardless first appeared in the early 20th century and was perhaps popularized by its use in a comic radio program of the 1930s. Dictionary.com Unabridged (v 1.1) Based on the Random House Unabridged Dictionary, © Random House, Inc. 2006.
-
Regardless, not irregardless! Irregardless is not even in the dictionary. Anyway, if the piece of software gets into production like that, it isn't even the developer**'**s fault, it's QA's fault for not testing the product on a restricted user account.
Asynchronously daydreaming...
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
I just noticed the little graphic in the UAC dialog box in the article has a little man jumping over a shark. Does anyone else find this mildy ironic? Definition of "Jump the Shark": http://www.urbandictionary.com/define.php?term=Jump+the+shark[^] Useage: "Microsoft really jumped the shark with Vista"
Regards, Dave
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Look, I don't know what I have done different but I run VS 2005 without upgrading my privlages and I do not receive any UAC messages. Yes, I am running SP1 with the Vista fix. The applications I develop do not bug users with unnecessary user elevation messages. So, am I doing something wrong? You folks sort of have me worried because I am hearing that most of you keep being driven nuts by the UAC and VS 2005.
DB_Cooper1950 Either enjoy life, Or Hate Life, Just quit SITTING ON THE FENCE!
-
Look, I don't know what I have done different but I run VS 2005 without upgrading my privlages and I do not receive any UAC messages. Yes, I am running SP1 with the Vista fix. The applications I develop do not bug users with unnecessary user elevation messages. So, am I doing something wrong? You folks sort of have me worried because I am hearing that most of you keep being driven nuts by the UAC and VS 2005.
DB_Cooper1950 Either enjoy life, Or Hate Life, Just quit SITTING ON THE FENCE!
I personally don't know. I'm still on XP, and have been developing with Visual Studio under a limited user account for 3 years now. I heard there are some problems running VS under Vista with UAC enabled. This MSDN article[^] covers it a bit.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
I just noticed the little graphic in the UAC dialog box in the article has a little man jumping over a shark. Does anyone else find this mildy ironic? Definition of "Jump the Shark": http://www.urbandictionary.com/define.php?term=Jump+the+shark[^] Useage: "Microsoft really jumped the shark with Vista"
Regards, Dave
That's Ian's little addition, of course. :)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
He has a point there, but as administrator i couldn't delete the windows.old directory and other files from my HD... if they think i keep 3G just for fun on my HD they're wrong.
Then temporarily elevate yourself or a process (like cmd.exe) and delete the files. The point isn't "never elevate yourself as root/admin", but rather, develop your software so that it can run as non-admin. The best way to do this is run as non-admin yourself whilst developing your software, thus, you're immediately aware of any admin-related issues and can deal with them as they're developed.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Microsofts BIG security fix for windows - Annoy the users and blame the developers! UAC IS NOT A SECURITY FIX- MS even state that! So why not remove the annoyance and create secure programs from the start? - Linux can, Apple can, Microsoft can't!
Programit wrote:
Microsofts BIG security fix for windows - Annoy the users and blame the developers!
You're insane. Users running as non-admins is a big security boon. And MS is not blaming the developers -- Ian Griffiths does not work for Microsoft. But he's right nonetheless; devs should be building software that runs on non-admin accounts.
Programit wrote:
Linux can, Apple can
Both of those operating systems run users in non-admin mode. UAC is a way to help users and developers ween off the admin mode that's been prevalent for the last 10 years on Windows.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
I agree with the statement of the article, but I believe the basic concept of UAC (do your daily work as a user, just elevate when needed) is not the main problem - nobody who calls himself an IT Pro can seriously disagree with this concept. I think it's more a problem with current implementation details of UAC that makes people hate it (e.g. not being able to share network connections and substs between user session and elevated session, confirm requests if applications are explicitly started with 'run as admin', always elevated start of some applications like regedit, ...) Gerd
I'm not running Vista yet (haven't since Beta 1), so I can't confirm what you've said, but if what you said is true, I would agree entirely that UAC could be done better.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Then temporarily elevate yourself or a process (like cmd.exe) and delete the files. The point isn't "never elevate yourself as root/admin", but rather, develop your software so that it can run as non-admin. The best way to do this is run as non-admin yourself whilst developing your software, thus, you're immediately aware of any admin-related issues and can deal with them as they're developed.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
i have to agree with that. :-)
-
It's a bit difficult to decide who to reply to seeing as their are so many replies so I'll reply to OP but my comments are probably more centred on comments that have been made. I agree that developing in a restricted environment is a good way to find these permission issues early on. It really doesn't matter which side of the argument you sit on; but for example, I develop for one client who has a policy that all users run as "standard" users. For anything requiring "admin" rights a member of support will have to do this. I don't agree with it; I believe there are better ways of administering the policy but the bottom line is, if my software doesn't run as a standard user, I don't get paid :). Personally, I run as an admin. I think its a bad habit, but somehow I just haven't got over it :) but I have a machine on my network that is purely for testing (ie a set of VMs with standard accounts). Its odd how this seems a difficult habit to break in Windows, when I have absolutely no issue with running as a standard user in Linux. Just what you get used to I suppose.
The only thing unpredictable about me is just how predictable I'm going to be.
SimonRigby wrote:
Just what you get used to I suppose.
Precisely. Over time it will change on Windows; we're just used to 10 years of old habit. So is all the software out there; most software assumes an admin account. (I know this because I've been running under a limited XP account for 3 years now.) Now is the time to start breaking that bad habit. I think more managers will start asking, "why the hell is your application bugging me all the time with UAC popups?!" and apps will change over time, to the point that it will be easy to run as a standard user on Windows in 2-3 years. But for the time being, some developers just like to bitch and blame it on Microsoft. :)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango