UAC: Don't be part of the problem
-
Look, I don't know what I have done different but I run VS 2005 without upgrading my privlages and I do not receive any UAC messages. Yes, I am running SP1 with the Vista fix. The applications I develop do not bug users with unnecessary user elevation messages. So, am I doing something wrong? You folks sort of have me worried because I am hearing that most of you keep being driven nuts by the UAC and VS 2005.
DB_Cooper1950 Either enjoy life, Or Hate Life, Just quit SITTING ON THE FENCE!
I personally don't know. I'm still on XP, and have been developing with Visual Studio under a limited user account for 3 years now. I heard there are some problems running VS under Vista with UAC enabled. This MSDN article[^] covers it a bit.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
I just noticed the little graphic in the UAC dialog box in the article has a little man jumping over a shark. Does anyone else find this mildy ironic? Definition of "Jump the Shark": http://www.urbandictionary.com/define.php?term=Jump+the+shark[^] Useage: "Microsoft really jumped the shark with Vista"
Regards, Dave
That's Ian's little addition, of course. :)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
He has a point there, but as administrator i couldn't delete the windows.old directory and other files from my HD... if they think i keep 3G just for fun on my HD they're wrong.
Then temporarily elevate yourself or a process (like cmd.exe) and delete the files. The point isn't "never elevate yourself as root/admin", but rather, develop your software so that it can run as non-admin. The best way to do this is run as non-admin yourself whilst developing your software, thus, you're immediately aware of any admin-related issues and can deal with them as they're developed.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Microsofts BIG security fix for windows - Annoy the users and blame the developers! UAC IS NOT A SECURITY FIX- MS even state that! So why not remove the annoyance and create secure programs from the start? - Linux can, Apple can, Microsoft can't!
Programit wrote:
Microsofts BIG security fix for windows - Annoy the users and blame the developers!
You're insane. Users running as non-admins is a big security boon. And MS is not blaming the developers -- Ian Griffiths does not work for Microsoft. But he's right nonetheless; devs should be building software that runs on non-admin accounts.
Programit wrote:
Linux can, Apple can
Both of those operating systems run users in non-admin mode. UAC is a way to help users and developers ween off the admin mode that's been prevalent for the last 10 years on Windows.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
I agree with the statement of the article, but I believe the basic concept of UAC (do your daily work as a user, just elevate when needed) is not the main problem - nobody who calls himself an IT Pro can seriously disagree with this concept. I think it's more a problem with current implementation details of UAC that makes people hate it (e.g. not being able to share network connections and substs between user session and elevated session, confirm requests if applications are explicitly started with 'run as admin', always elevated start of some applications like regedit, ...) Gerd
I'm not running Vista yet (haven't since Beta 1), so I can't confirm what you've said, but if what you said is true, I would agree entirely that UAC could be done better.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Then temporarily elevate yourself or a process (like cmd.exe) and delete the files. The point isn't "never elevate yourself as root/admin", but rather, develop your software so that it can run as non-admin. The best way to do this is run as non-admin yourself whilst developing your software, thus, you're immediately aware of any admin-related issues and can deal with them as they're developed.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
i have to agree with that. :-)
-
It's a bit difficult to decide who to reply to seeing as their are so many replies so I'll reply to OP but my comments are probably more centred on comments that have been made. I agree that developing in a restricted environment is a good way to find these permission issues early on. It really doesn't matter which side of the argument you sit on; but for example, I develop for one client who has a policy that all users run as "standard" users. For anything requiring "admin" rights a member of support will have to do this. I don't agree with it; I believe there are better ways of administering the policy but the bottom line is, if my software doesn't run as a standard user, I don't get paid :). Personally, I run as an admin. I think its a bad habit, but somehow I just haven't got over it :) but I have a machine on my network that is purely for testing (ie a set of VMs with standard accounts). Its odd how this seems a difficult habit to break in Windows, when I have absolutely no issue with running as a standard user in Linux. Just what you get used to I suppose.
The only thing unpredictable about me is just how predictable I'm going to be.
SimonRigby wrote:
Just what you get used to I suppose.
Precisely. Over time it will change on Windows; we're just used to 10 years of old habit. So is all the software out there; most software assumes an admin account. (I know this because I've been running under a limited XP account for 3 years now.) Now is the time to start breaking that bad habit. I think more managers will start asking, "why the hell is your application bugging me all the time with UAC popups?!" and apps will change over time, to the point that it will be easy to run as a standard user on Windows in 2-3 years. But for the time being, some developers just like to bitch and blame it on Microsoft. :)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Excellent indeed, but there is one thing I need to add to this. I noticed that windows acts really weird with UAC turned off. Sometimes you get unexplainable errors. I had this with VS2005, copying files to the program files directory and more stuff. After turning on UAC again and right-clicking run as administrator solved the problem. So don't turn it off, it gives you a bigger headache then when you leave it on.
WM. What about weapons of mass-construction? "What? Its an Apple MacBook Pro. They are sexy!" - Paul Watson
May very well be true, thanks.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
I don't care about UAC, I have failed to be heated by all the noise it produce... Just press the button baby!
:-D
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
Yes, the OS is interrupting. Reason? Software that you and me write is doing potentially dangerous things when it doesn't need to be. The point? Write software that doesn't require admin privileges. It's safer for users to run as non-admins; so let's not continue the unfortunate habit of writing software the requires admin privileges when it doesn't really need it. Honestly, it's not that hard.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Judah Himango wrote:
The point is, for the things that are under our control, let's not continue the unfortunate tradition of requiring admin rights.
Yeah, i got that. :) The truth is, i've been writing code that doesn't need admin rights for years now. Since around the time XP came out, and i started getting calls from network admins telling me that the app wasn't playing nice with their beautifully configured user accounts. Went to a lot of effort tracking everything the app, satellite apps, and the installers touched during and after installation. And after all the code changes were in, there was still the big steaming pile of stuff i can't touch. So, the installer was modified to grant write permissions to the proper places, and instructions were written to aid the network admins in getting it all working. And now, years later, i'm still seeing 3rd-party engines rolling in that stomp all over the system. Sent a strictly-worded email just this morning to a supplier, asking them to fix their DLL. Do i think it'll happen? No, not really. Because i happen to know that the reason they're having this problem is because they have a 3rd-party library that writes these files wherever it feels like it. It's the library that came with the development tool they use. And i don't think i'll get very far encouraging them to migrate to another dev tool (not that it'll stop me...) So yeah. We have generations of developers who just don't know any better, generations of development tools that actively encourage this poor behavior, and an operating system that thinks a garish user interface and some sketchy compatibility shims are gonna fix everything. But sure, it's up to us. ;)
----
i hope you are feeling sleepy for people not calling you by the same.
--BarnaKol on abusive words
Ok, fair enough.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Yeah, it's wireless and I need to run their connection program.
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
Ah, see? If your ISP would've listened to Ian, they would've developed their software to run under a limited account. ;P That really stinks, though. Can you run the process as admin? I do that under my limited account in XP when some apps do dumb things like write to protected locations at runtime.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Judah Himango wrote:
But now that home users have non-admin accounts by default
Actually, users STILL have admin accounts by default. The default Vista account is an admin account. You only get a standard user account if you explicitly create one. Yes, even after all of the hype.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
Richie308 wrote:
The default Vista account is an admin account.
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type....
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Vikram A Punathambekar wrote:
although George Bush may have said that as well
He probably said it for stategery reasons. ;)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
hswear3 wrote:
The reason that Microsoft made home users Admins is historical.
I know, it's also exactly why the blame rests with Microsoft. The Unix permission system existed 30 years ago, so Microsoft can't claim they had no basis for comparison. They simply chose to build a system without permissions or security at all. I do agree that developers SHOULD be testing their applications on non-Admin accounts, and always should have been; but the culture of always having admin rights started with Microsoft. That's all I was saying :)
Cheers, Patrick
-
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
Good points, thanks Herbert.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
"On UNIX, you’d be considered nuts if you ran as root all the time." I think I'll have that put up on my wall -- in foot-high letters, painted in blood.
-
Richie308 wrote:
The default Vista account is an admin account.
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type....
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
The built-in Administrator account is disabled by default, but I'm speaking as one who has installed and uses Vista Ultimate. The account that it creates for you after installation is an admin account. You are still required to answer UAC prompts, but the prompts do not require a password, they only require you to click "Yes". This quote is directly from the Vista Help and Support: When you set up Windows, you'll be required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you would like to use. Once you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing. It's more secure to use a standard user account instead of an administrator account.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
-
The built-in Administrator account is disabled by default, but I'm speaking as one who has installed and uses Vista Ultimate. The account that it creates for you after installation is an admin account. You are still required to answer UAC prompts, but the prompts do not require a password, they only require you to click "Yes". This quote is directly from the Vista Help and Support: When you set up Windows, you'll be required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you would like to use. Once you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing. It's more secure to use a standard user account instead of an administrator account.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
Ah, now I understand; chicken and egg problem if you don't start out with an admin account. So it's an account used for creating other accounts. And when you create other accounts, they're standard users by default; that accomplishes almost the same thing, since virtually every machine I've been on has multiple users.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
"On UNIX, you’d be considered nuts if you ran as root all the time." I think I'll have that put up on my wall -- in foot-high letters, painted in blood.
:-D
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
