
A Fresh Look at Vista's User Account Control 332

Art Grimm writes to mention a post at Ed Bott's Microsoft Report on ZDNet. There, he talks about Vista's User Account Control, and the issues he sees with the setup as it exists now. From the article: "The UAC prompts I depicted in the first post are those that appear when you install a program, when you run a program that requires access to sensitive locations, or when you configure a Windows setting that affects all users. But as many beta testers have discovered, UAC prompts can also show up when you perform seemingly innocent file operations on drives formatted using NTFS. In this post, I explain why these prompts appear and why some so-called Windows experts miss the obvious reason (and the obvious fix)."
  • How annoying (Score:5, Informative)

    by kimvette ( 919543 ) on Thursday May 04, 2006 @04:15PM (#15265304) Homepage Journal
    Could they possibly make that "article" any more annoying? They'd have been better-served to turn it into a flash-animated slide show. I'm not going to click all the way through that thing.

    Either put it all on one or two pages (interspersed with ads if you must), or put it into a slide show if the article is written as a slide show.
  • Re:How annoying (Score:1, Informative)

    by Anonymous Coward on Thursday May 04, 2006 @04:19PM (#15265336)
    You beat me to it. I have no problem with long articles being broken up but this one is like two sentences, a picture and a "more" button. Screw you, ZDNet.
  • by kansei ( 731975 ) on Thursday May 04, 2006 @04:22PM (#15265384)
    There is no need to switch users.

    - You can right-click on any program and select "Run As", type the admin credentials.

    - For systems functions, "Run As" IE (as an admin) and change to the Control Panel in the address bar.

    - From the command prompt, you can use the "runas" command.

  • by moultano ( 714440 ) on Thursday May 04, 2006 @04:27PM (#15265425)
    When I first clicked on the article, I couldn't even figure out immediately where the rest of it was. It was like 90% crap, a tiny bit of text, and a tiny more link that disappeared amidst all of the crap.
  • I have no idea... BUT... If you're running WinXP Pro, go to the folder where it is installed and give "Full" access rights to "Users". If that doesn't work, go into regedit (assuming XP Pro...otherwise go to regedt32) and look for registry entries in HKEY_LOCAL_MACHINE related to your program. Grant them full access rights to "User" on that part of the tree. 99% of the programs I have encountered will work then. You could say that security is compromised because a normal user could kill the program. That is true, but the application programmers are to blame for that.

    If you have XP Home, read up on cacls [microsoft.com]. Alas, in XP Home it is hard to configure access control on folders.
    For example:
    C:\> cacls C:\MyFolder\ /T /E /G Users:F

  • by Gnavpot ( 708731 ) on Thursday May 04, 2006 @04:39PM (#15265516)
    "Tell me how to get Monsters Inc. Scream Team Training to run on a non-admin account without me manually entering an admin pw into Run As... every time and I'll be unbelievably grateful."

    If you are on XP Pro (not XP Home), you should look into the '/savecred' option for the command line version of RunAs.

    First time a program is started with 'runas /savecred /user:administrator', you will be prompted for the administrator password. The next time this command is used to start the program, XP will remember that this user is allowed to run the program with administrator privileges and will not ask for a password. To make things a little more convenient and self-explanatory, you can put the command into a .bat file, make a shortcut to the .bat file and select the program's icon for the shortcut.

    It is certainly not a perfect solution, but it can solve some problems.

    However, you should not use this solution if you don't trust the user. I am almost certain that the program can be replaced with another program with the same name without revoking the privileges.
  • by laplandsix ( 850999 ) on Thursday May 04, 2006 @04:44PM (#15265556) Homepage Journal
    Right click the shortcut and prepend the following:

    C:\WINDOWS\system32\runas.exe /savecred /user:administrator
    The first time you run the app it'll prompt you for the admin password (in an UGLY ass DOS box); after that it'll run with no prompting. Honestly, this isn't rocket science. Not quite as slick as suid, but it works. Until you change the admin password of course.
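
The "Full" grant to Users suggested in the cacls comment and the replaceable-program concern raised about runas /savecred both come down to whether a non-admin account can write to a program's files. As an added example (not part of the thread), this PowerShell script reports such ACL entries; the function name Get-StandardUserWriteAce and the path in $target are hypothetical.

```powershell
# Added example (not from the thread): list ACL entries that let ordinary
# users change a path. SIDs are matched so localized group names still work.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that allow altering or replacing content. Get-Acl may also return raw
# generic bits the FileSystemRights enum does not name (GENERIC_ALL 0x10000000,
# GENERIC_WRITE 0x40000000), so those are tested explicitly.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x10000000 -bor 0x40000000

function Get-StandardUserWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of ${Path}: $_"; return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# 1) Program folders loosened with a "Users: Full" style grant.
$found = @(Get-ChildItem -LiteralPath $env:ProgramFiles -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Get-StandardUserWriteAce -Path $_.FullName })

# 2) A program started through "runas /savecred", and the folder holding it.
$target = 'C:\Games\Example\game.exe'   # hypothetical path; use the shortcut's target
if (Test-Path -LiteralPath $target) {
    $found += @($target, (Split-Path -Parent $target) |
        ForEach-Object { Get-StandardUserWriteAce -Path $_ })
}
$found | Format-Table -AutoSize
```

An empty result means none of the checked paths grant write-type rights to Everyone, Authenticated Users or BUILTIN\Users; rights granted to other groups or to individual accounts are not covered by this check.
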
  • by Mancat ( 831487 ) on Thursday May 04, 2006 @04:50PM (#15265613) Homepage
    You can gain access to the "Security" tab in XP Home by installing NT Security Configuration Manager:

    ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/scm/SCESP4I.EXE [microsoft.com]

    Run the executable and extract it to a folder, then open the folder. Right-click on "setup.inf," click Install, and restart once it's done. Works with all service pack levels of Home.
  • by Talchas ( 954795 ) on Thursday May 04, 2006 @04:59PM (#15265696)
    Alternatively, just reboot into safe mode and the Security tab will magically appear and you can do it just like with pro.
  • SHGetFolderPath() (Score:3, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Thursday May 04, 2006 @05:01PM (#15265722) Homepage Journal

    "Most games still save their save files into C:\Program Files."

    Games certified to run on Windows Vista don't. Instead, they'd use SHGetFolderPath() [microsoft.com] to look up the current user's My Documents folder and end up saving to e.g. C:\Documents and Settings\Pinocchio Poppins\My Documents\GTA Hot Coffee\ or something like that.

  • by fortinbras47 ( 457756 ) on Thursday May 04, 2006 @05:07PM (#15265786)
    Windows is continuing its transition to the Unix user/security model, but your average user (and many IT people) neither understand the user/admin distinction nor permissions.

    As I understand the article, EVERYONE in Vista is a normal user. Administrators have the ability though to take administrator actions on a case by case basis after supplying credentials.

    To me, this sounds exactly like "sudo" under unix/linux or the "Authenticate: blahblah requires that you type your password" under Mac OS X. This model is more secure and works great, but there are some legacy transition issues.

    For you unix people, the problem the article describes is, "what if you mount an old drive, the drive has restrictive permissions, and the file owner UIDs don't match the new system?" (your user account doesn't have permission to do anything on the drive)

    NTFS has file permissions, but they rarely came up in practice because everyone in Windows was doing everything as the Unix equivalent of root. In Unix, the obvious fix is to do a sudo chown -R newuser /mnt/olddrive (or an ultraghetto sudo chmod -R o+rwx /mnt/olddrive). The user/permission concept is totally foreign to your average Windows user though, and hence the problem.

  • by Anonymous Coward on Thursday May 04, 2006 @06:31PM (#15266522)
    If the game wants to write in certain registry keys or system directories like Program Files, Vista is going to do copy-on-write and store the actual modified files somewhere under your user profile, where they will only be visible to that program. Or you can configure this not to happen, and the game will get ERROR_ACCESS_DENIED unless you elevate it when starting (run it from an elevated command prompt, or click "Run as administrator" from the context menu of the executable or shortcut, which gives you the UAC prompt).

    Elevation can only happen when a process is created, so you won't be prompted mid-game unless the game starts another executable (or explicitly creates an elevated COM object and host process, which wasn't possible before Vista) to do that work.
  • by afidel ( 530433 ) on Thursday May 04, 2006 @06:53PM (#15266695)
    You can't do this in a network environment because you can only have one set of ACLs between your machine and a server or other workstation. This is a fundamental problem with the way ACLs and GUIDs work currently with SMB and the Windows workstation client. Does anyone know if Vista fixes this?
  • Re:How annoying (Score:4, Informative)

    by scumdamn ( 82357 ) on Thursday May 04, 2006 @06:53PM (#15266698)
    I'm replying to this thread because it's at the top. The article says that the reason that you get all of those messages is that the standard user token doesn't have access to the files that you're trying to change. So as soon as you get your Vista system, add your user token to the Program Files folder and stuff so you don't get those damn messages. I'm not sure what implications that has for security since you wouldn't give your user privileges to the Windows folder where the registry is, but if you're worried about security, it sucks to be you, pretty much.
  • Re:How annoying (Score:3, Informative)

    by Elevator_Inspector ( 971094 ) on Thursday May 04, 2006 @07:35PM (#15266948)
    Quick fix for the annoying article. Change the page id in the URL to "all" as in http://blogs.zdnet.com/Bott/?page_id=all [zdnet.com]
  • Re:How annoying (Score:3, Informative)

    by IthnkImParanoid ( 410494 ) on Thursday May 04, 2006 @07:57PM (#15267050)
    Heh, I take it you're familiar with the "Eject Media Wizard" (at least on W2K server)?

    Right-Click->Eject Media

    Welcome to the eject media wizard!
    The media eject wizard allows you to....blah blah blah
    [Cancel] [Next]

    Finished:Eject Media Wizard
    Congratulations, you've completed the eject medi....blah blah blag
    [Cancel] [Finish]

    Wizards are intuitive, and FUN! (Almost as fun as stabbing whoever is responsible for that in the face.)
  • by CAR912 ( 788234 ) on Friday May 05, 2006 @12:08AM (#15268213)
    Or add the security tab to XP Home without needing to always reboot into safe mode, just follow the advice on this site: http://www.scottxp.com/winxp.php#advuser [scottxp.com], scroll down to the "Advanced File Sharing & Security" section, and follow method 3. I did it, and it works well.
