UAC: Don't be part of the problem
-
Then temporarily elevate yourself or a process (like cmd.exe) and delete the files. The point isn't "never elevate yourself as root/admin", but rather, develop your software so that it can run as non-admin. The best way to do this is run as non-admin yourself whilst developing your software, thus, you're immediately aware of any admin-related issues and can deal with them as they're developed.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
i have to agree with that. :-)
-
It's a bit difficult to decide who to reply to seeing as their are so many replies so I'll reply to OP but my comments are probably more centred on comments that have been made. I agree that developing in a restricted environment is a good way to find these permission issues early on. It really doesn't matter which side of the argument you sit on; but for example, I develop for one client who has a policy that all users run as "standard" users. For anything requiring "admin" rights a member of support will have to do this. I don't agree with it; I believe there are better ways of administering the policy but the bottom line is, if my software doesn't run as a standard user, I don't get paid :). Personally, I run as an admin. I think its a bad habit, but somehow I just haven't got over it :) but I have a machine on my network that is purely for testing (ie a set of VMs with standard accounts). Its odd how this seems a difficult habit to break in Windows, when I have absolutely no issue with running as a standard user in Linux. Just what you get used to I suppose.
The only thing unpredictable about me is just how predictable I'm going to be.
SimonRigby wrote:
Just what you get used to I suppose.
Precisely. Over time it will change on Windows; we're just used to 10 years of old habit. So is all the software out there; most software assumes an admin account. (I know this because I've been running under a limited XP account for 3 years now.) Now is the time to start breaking that bad habit. I think more managers will start asking, "why the hell is your application bugging me all the time with UAC popups?!" and apps will change over time, to the point that it will be easy to run as a standard user on Windows in 2-3 years. But for the time being, some developers just like to bitch and blame it on Microsoft. :)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Excellent indeed, but there is one thing I need to add to this. I noticed that windows acts really weird with UAC turned off. Sometimes you get unexplainable errors. I had this with VS2005, copying files to the program files directory and more stuff. After turning on UAC again and right-clicking run as administrator solved the problem. So don't turn it off, it gives you a bigger headache then when you leave it on.
WM. What about weapons of mass-construction? "What? Its an Apple MacBook Pro. They are sexy!" - Paul Watson
May very well be true, thanks.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
I don't care about UAC, I have failed to be heated by all the noise it produce... Just press the button baby!
:-D
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
Yes, the OS is interrupting. Reason? Software that you and me write is doing potentially dangerous things when it doesn't need to be. The point? Write software that doesn't require admin privileges. It's safer for users to run as non-admins; so let's not continue the unfortunate habit of writing software the requires admin privileges when it doesn't really need it. Honestly, it's not that hard.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Judah Himango wrote:
The point is, for the things that are under our control, let's not continue the unfortunate tradition of requiring admin rights.
Yeah, i got that. :) The truth is, i've been writing code that doesn't need admin rights for years now. Since around the time XP came out, and i started getting calls from network admins telling me that the app wasn't playing nice with their beautifully configured user accounts. Went to a lot of effort tracking everything the app, satellite apps, and the installers touched during and after installation. And after all the code changes were in, there was still the big steaming pile of stuff i can't touch. So, the installer was modified to grant write permissions to the proper places, and instructions were written to aid the network admins in getting it all working. And now, years later, i'm still seeing 3rd-party engines rolling in that stomp all over the system. Sent a strictly-worded email just this morning to a supplier, asking them to fix their DLL. Do i think it'll happen? No, not really. Because i happen to know that the reason they're having this problem is because they have a 3rd-party library that writes these files wherever it feels like it. It's the library that came with the development tool they use. And i don't think i'll get very far encouraging them to migrate to another dev tool (not that it'll stop me...) So yeah. We have generations of developers who just don't know any better, generations of development tools that actively encourage this poor behavior, and an operating system that thinks a garish user interface and some sketchy compatibility shims are gonna fix everything. But sure, it's up to us. ;)
----
i hope you are feeling sleepy for people not calling you by the same.
--BarnaKol on abusive words
Ok, fair enough.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Yeah, it's wireless and I need to run their connection program.
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
Ah, see? If your ISP would've listened to Ian, they would've developed their software to run under a limited account. ;P That really stinks, though. Can you run the process as admin? I do that under my limited account in XP when some apps do dumb things like write to protected locations at runtime.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Judah Himango wrote:
But now that home users have non-admin accounts by default
Actually, users STILL have admin accounts by default. The default Vista account is an admin account. You only get a standard user account if you explicitly create one. Yes, even after all of the hype.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
Richie308 wrote:
The default Vista account is an admin account.
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type....
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Vikram A Punathambekar wrote:
although George Bush may have said that as well
He probably said it for stategery reasons. ;)
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
Good points, thanks Herbert.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
The reason that Microsoft made home users Admins is historical. Before Windows XP was released, all home users used Windows 9x/Me--operating systems that basically ran on top of MS-DOS and had absolutely no security at all. Most early OEM Windows XP installations also had their hard drives formatted with FAT32, not NTFS which is necessary for file security. So that old Windows 9x/Me and MS-DOS software had to run on Windows XP home or people would not have upgraded to it. Also for YEARS software had to be designed to run on both Windows 9x and Windows XP (Really Windows NT 5.1). And also, for YEARS, many IT departments also continued to use Windows 98 because the hardware for Windows XP was just too expensive. But I do blame Microsoft for rushing Vista out the door with a poorly implemented and tested UAC. Beta testers screamed when it was introduced near the end of the beta without time for proper testing. But they had promised Wall Street and the OEMs that Vista would ship. Major, major design mistakes made Vista late. The first was the attempt to base the file system on SQL. That caused the reset when they had to start over. Another was all of effort that went into AERO at the expense of security. Thankfully many of the people who pushed form over function are no longer part of Microsoft.
Herbert N Swearengen III
hswear3 wrote:
The reason that Microsoft made home users Admins is historical.
I know, it's also exactly why the blame rests with Microsoft. The Unix permission system existed 30 years ago, so Microsoft can't claim they had no basis for comparison. They simply chose to build a system without permissions or security at all. I do agree that developers SHOULD be testing their applications on non-Admin accounts, and always should have been; but the culture of always having admin rights started with Microsoft. That's all I was saying :)
Cheers, Patrick
-
Ian Griffiths tells it like it is[^]. Excellent article.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Torah Answers to Christian Questions The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
"On UNIX, you’d be considered nuts if you ran as root all the time." I think I'll have that put up on my wall -- in foot-high letters, painted in blood.
-
Richie308 wrote:
The default Vista account is an admin account.
“In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type....
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
The built-in Administrator account is disabled by default, but I'm speaking as one who has installed and uses Vista Ultimate. The account that it creates for you after installation is an admin account. You are still required to answer UAC prompts, but the prompts do not require a password, they only require you to click "Yes". This quote is directly from the Vista Help and Support: When you set up Windows, you'll be required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you would like to use. Once you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing. It's more secure to use a standard user account instead of an administrator account.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
-
The built-in Administrator account is disabled by default, but I'm speaking as one who has installed and uses Vista Ultimate. The account that it creates for you after installation is an admin account. You are still required to answer UAC prompts, but the prompts do not require a password, they only require you to click "Yes". This quote is directly from the Vista Help and Support: When you set up Windows, you'll be required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you would like to use. Once you have finished setting up your computer, we recommend that you use a standard user account for your day-to-day computing. It's more secure to use a standard user account instead of an administrator account.
-------------------------------- "All that is necessary for the forces of evil to win in the world is for enough good men to do nothing" -- Edmund Burke
Ah, now I understand; chicken and egg problem if you don't start out with an admin account. So it's an account used for creating other accounts. And when you create other accounts, they're standard users by default; that accomplishes almost the same thing, since virtually every machine I've been on has multiple users.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
"On UNIX, you’d be considered nuts if you ran as root all the time." I think I'll have that put up on my wall -- in foot-high letters, painted in blood.
:-D
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
-
Ah, now I understand; chicken and egg problem if you don't start out with an admin account. So it's an account used for creating other accounts. And when you create other accounts, they're standard users by default; that accomplishes almost the same thing, since virtually every machine I've been on has multiple users.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: Funny Love The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
Sort of. There is an "Admin" account that works like in XP and previous and starts every app with admin privileges, but it's hidden and not available by default. The difference in vista UAC between a normal account and an "administrator" account is that the normal user needs to enter the password of an admin account to run an app with admin privileges or to clear other UAC prompts. The "administrator" account type only requires clicking yes, no password is needed but all your apps still run with regular user privileges by default.
-- You have to explain to them [VB coders] what you mean by "typed". their first response is likely to be something like, "Of course my code is typed. Do you think i magically project it onto the screen with the power of my mind?" --- John Simmons / outlaw programmer
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
RedZenBird wrote:
windows update decided it just "HAD" to reboot my w/s
Actually that's a setting that *you* approved of when you installed either XP SP2, or Vista. Remember that "get updates automatically" prompt? Probably not, most people just {click}{click}{click} their way through setups without actually reading what they're approving. Go into the Control Panel, open up the security center portion and change the setting from "Install updates automatically" to "Download updates but let me choose whether to install them". Yes you'll get a small balloon that says updates are available for install, but hey, at least you won't loose any work you didn't save prior to walking away from your computer.
Mike Poz
-
Excellent indeed, but there is one thing I need to add to this. I noticed that windows acts really weird with UAC turned off. Sometimes you get unexplainable errors. I had this with VS2005, copying files to the program files directory and more stuff. After turning on UAC again and right-clicking run as administrator solved the problem. So don't turn it off, it gives you a bigger headache then when you leave it on.
WM. What about weapons of mass-construction? "What? Its an Apple MacBook Pro. They are sexy!" - Paul Watson
-
Programit wrote:
Microsofts BIG security fix for windows - Annoy the users and blame the developers!
You're insane. Users running as non-admins is a big security boon. And MS is not blaming the developers -- Ian Griffiths does not work for Microsoft. But he's right nonetheless; devs should be building software that runs on non-admin accounts.
Programit wrote:
Linux can, Apple can
Both of those operating systems run users in non-admin mode. UAC is a way to help users and developers ween off the admin mode that's been prevalent for the last 10 years on Windows.
Tech, life, family, faith: Give me a visit. I'm currently blogging about: A Torah-observer's answers to Christianity The apostle Paul, modernly speaking: Epistles of Paul Judah Himango
UAC, in its implimintation, IS the biggest security vulnerability because it endlessly pops up useless messages, that 90% of end users ignore! Just hit okay and continue! - No one takes any notice, its just an annoyance that people who know how to, just turn off! IF microsoft was ever to get serious about security, then simply lock out the admin access to general users. Bad luck that 95% of all software won't run. Developers would soon then rewrite software to be secure and compatable because they'd have to if they stick with MS. In a couple of years Windows could then be a semi secure system. - It'll never happen! MS won't do this because it would mean they didn't make countless billions off insecure software. Linux and apple got it right, microsoft won't. "Vista - the WOE starts now!"
-
Hey this computer belongs to ME! If I want to run all kinds of stuff at any friggen privilege level I want to then that is MY RIGHT. I am getting pretty alienated with M'soft forgetting that fact, and thinking the whole darn thing belongs to them and the friggen OS. Perfect example: I left my w/s running last night as I was late getting out of the office. When I came in today, windows update decided it just "HAD" to reboot my w/s .... My Gawd! Os-es-interruptus is getting too much in the way.... What I want is an application shipped from m'soft to protect me from *them* more than I'm worried about a program I purchased and *want* to use running at some so-called "admin level." This appliance is supposed to be a tool from which I benefit by use of, not some extension of some over hardened security dink that thinks they have any right to determine what I should allowed to do with MY GEAR without needing some "special permission" to do so....Come on, don't be so quick to buy the m'soft party line on this stuff.....They have lost their way....The more power ballman gets, the worse that company gets.....
Just trying to keep the forces of entropy at bay
I fully agree with you. Since Microsofts started using malware and virus type intervention with updates hiding programs and their "genuine advantage" fiasco marking 6 of 18 work machines as non-genuine, I have ALL automatic updates turned off on all computers. I then select the ones I want, if any, have a lot less issues. We removed Vista from all new business machines and loaded XP (and a couple of Ubuntus-hooray!) and have no problems now! My Personal machine runs full admin in vista (Hidden admin account[^]) I have a lot of compatability issues - but thats Vista in general - but no security problems. (I still run XP 95% of the time - it works and is far better for development.)
