DescentBB

OK, someone tell me what I'm doing wrong. I'm not that savvy on permissions and such.

I install every program on my Win 7 64 bit machine from an "administrator" account. Sometimes I get full rights with no UAC nag, sometimes I get that damned little blue and yellow shield slapped on an .exe that pops up the UAC when you open the program (it still claims I have full rights). There doesn't seem to be a rhyme or reason. I hate that! I even tried running the installs by right clicking and running as the administrator.

What's the proper procedure for installing a program so that you DON'T get that thing stuck to any particular .exe? And is there a way to get rid of the stupid shield AFTER the install? I don't want to disable or lower the UAC particularly.

By design UAC only has two options, Annoying and Off. And unfortunately any attempt to overcome this limitation would defeat the purpose of UAC in the first place so you are pretty much stuck with it. :-/

Krom Right either it's on or off I prefer off I hate the UAC bastid

Turning it off is not recommended. Dig around in the properties of the installed EXE file, there should be ways to automatically start it w/ full blown rights.

There is a way to make it silent without turning it off. But it will weaken the UAC protection.

http://malwaretips.com/blogs/how-to-tur ... ts-safely/

Install the 'unsigned program' in a different directory other than in Program Files .... you avoid the protected directory crap of UAC virtualization and the Virtual Store - especially if it is game

Or install the program with UAC disabled and reboot with UAC enabled

The real issue is how the program writes to the hard drive and to which directories, older programs sometimes write to system folders which is non compliant to windows 7 and must be virtualized

Bubbalou is exactly correct on this one.

also make sure its not running in any compatibility mode.

BUBBALOU wrote:Install the 'unsigned program' in a different directory other than in Program Files .... you avoid the protected directory crap of UAC virtualization and the Virtual Store - especially if it is game

Or install the program with UAC disabled and reboot with UAC enabled

The real issue is how the program writes to the hard drive and to which directories, older programs sometimes write to system folders which is non compliant to windows 7 and must be virtualized

What about a program that is not technically "installed" like Core Temp or EVGA Precision? They're just run from whatever directory I stuck them in after being downloaded.

As for installing without the UAC on, what about programs already installed? Am I stuck putting up with the UAC unless I uninstall and reinstall?

fliptw wrote:also make sure its not running in any compatibility mode.

Well, some of my games need to run in that mode, so I guess I'm stuck there.

I did find this on the Windows Seven forum. Anybody try it? It looks complicated as hell. It's also different from the other link's method that TigerRaptorFX gave, so I don't know how it impacts the UAC.

http://www.sevenforums.com/tutorials/11 ... reate.html

CoreTemp and other hardware monitors need a kernel driver in order to directly access the hardware where it gets its readings, since it isn't installed it has to load this driver at runtime which requires elevation. Overclocking tools have the same limitation of needing to directly access the hardware, which can't be done from a program running in the user space.

You might see if there is any way to start the "backend" as a service upon boot. Then the kernel drivers would be installed at boot time, and when you run the front end as a user, you'd just hook into the parts that's already running with elevated permissions.

You'd pretty much be dependent on the vendor to have implemented this ability, though.

snoopy wrote:You might see if there is any way to start the "backend" as a service upon boot. Then the kernel drivers would be installed at boot time, and when you run the front end as a user, you'd just hook into the parts that's already running with elevated permissions.

You'd pretty much be dependent on the vendor to have implemented this ability, though.

What's the best way to do that?

I find this most interesting.

However, David Cross, a product unit manager at Microsoft, stated during the RSA Conference 2008 that UAC was in fact designed to "annoy users," and force independent software vendors to make their programs more secure so that UAC prompts would not be triggered.

A study by Sophos using 10 unique virus samples which had arrived in their labs, showed that UAC, on its default level, could not protect Windows 7 from 8 of the samples.

Wikipedia as source.

Edit links added

http://nakedsecurity.sophos.com/2009/11 ... 0-viruses/

http://news.cnet.com/Microsoft-Vista-fe ... 37191.html

Edit Why use it if it doesn't really protect your PC in the first place?

Windows without an Anti-virus is not going to stop viruses or malware. Which isn't surprising, coming from one of the best known AV developers known. Its like complaining that seat-belts don't prevent accidents.

Even with antivirus programs windows is not going to stop malware. Antivirus programs are largely useless in the wild, pretty much every machine I have had to clean malware and viruses off of had a paid subscription antivirus suite running. They just don't work because it isn't possible to protect a machine from the actions of its users.

Not only that, but there are things like drive-by Java exploits that anti-virus software can't really do anything to prevent in the first place. I've been burned by one or two myself, and I tend to keep things up-to-date.

The worst drive-by exploits are the flash/pdf ones, if it were up to me I'd blacklist Adobe software entirely it is so bad. The best currently available way to protect against exploits like that are the noscript and adblockplus firefox extensions, don't read the web without them.

So, what do most of you do, just disable the UAC altogether?

Krom wrote:The worst drive-by exploits are the flash/pdf ones, if it were up to me I'd blacklist Adobe software entirely it is so bad. The best currently available way to protect against exploits like that are the noscript and adblockplus firefox extensions, don't read the web without them.

I would use NoScript, but it seems like a massive pain to have to go through and whitelist every single site I use frequently. I do have AdBlockPlus, but I don't have any of the global filters turned on, since there are some sites I want ads appearing on.

NoScript may be a pain, but what security measure is? I also found an add-on for keeping those web trackers at bay called Ghostery. But it too has a whitelist and a blocking list that have to be maintained. But it's fun to screw with these bastards.

tunnelcat wrote:So, what do most of you do, just disable the UAC altogether?

Even though it's not recommended I have it off. I find it more annoying than helpful. It's suppose to help prevent unauthorized changes but as you see here changes still can be made by malware and viruses with it on.

Heretic wrote:

tunnelcat wrote:So, what do most of you do, just disable the UAC altogether?

Even though it's not recommended I have it off. I find it more annoying than helpful. It's suppose to help prevent unauthorized changes but as you see here changes still can be made by malware and viruses with it on.

There are alternative programs to help prevent an infection takeover where UAC fails. Sadly not everyone knows how to use a HIPS or Behavior Blocker.

True enough.

tunnelcat wrote:

snoopy wrote:You might see if there is any way to start the "backend" as a service upon boot. Then the kernel drivers would be installed at boot time, and when you run the front end as a user, you'd just hook into the parts that's already running with elevated permissions.

You'd pretty much be dependent on the vendor to have implemented this ability, though.

What's the best way to do that?

Look into the vendor's documentation of their software to see if it has a daemon or backend or some such.

You could also try adding it to the startup, and see if you can make it auto-start without giving you the UAC thing - I'm not sure but there may be an administrative portion of the startup and a user portion... the user portion would probably still queue the UAC, but the administrative portion wouldn't.

Sorry, but I don't have details.... I've hardly used Win7...


As far as antivirus/security/UAC goes: Really, this all represents a movement toward the Unix philosophy of defaulting to deny access until it's proven to be really necessary, which from a security standpoint is the way to go. The problem for Microsoft (and the reason for the UAC) is that they probably should have forced people to make the switch back when they moved from the 3.X base to the NT base in 2000, but they didn't... so now they're stuck fighting that many more years of usage and development under the old, insecure philosophy where everything had the ability to muck up your system. The root of the difference is whether the machine is designed to be a multi-user, multi-terminal system, or a single user & terminal system. The residual shortcomings of MS's decision to treat the system as a single-user, single-terminal box are still being felt in the form of UAC's and other annoyances. (such as the fact that trying to remote in forces off any local users with XP)

Of course, you still can't fix stupid.... Linux documentation has stuff plastered all over it about how you shouldn't log into your machine under root and you shouldn't run things as root unless absolutely necessary and people still go and screw their machines up because they ignored the warnings. Theoretically, Linux users are instructed to audit all of the code that they want to run as root before they do so. I don't know how many poeple actually do that... but people that do end up with very few problems on their machines. Microsoft's situation (for better or for worse) is that they're the preferred OS for all the dummies out there that are most likely to screw up their machines... so they're stuck with the task of trying to protect people from themselves (and the spammers that they invite in) when the last ten plus year's worth of momentum is to have the entire system wide open to any malicious code that the user might run.

Bottom line: I think they're right to make the UAC annoying, and the goal was correct, too - strong-arm the developers into creating software that actually does things properly for the multi-user environment that the modern PC has to provide. In a sense, it's on the developers... they should have gotten with the program a long time ago, but they didn't. Hopefully people like ATI will come up with methods to mitigate the UAC annoyance that represent long-term solutions sooner rather than later, for your sake, Tunnel.

(Now, throw in the whole new tablet/smartphone craze, and you hit the same philosophical junction again... should the kernel of these devices be designed to serve a single terminal, or multiple ones?)

snoopy wrote:I've hardly used Win7...

Yeah, I'm finding out why. Thanks for the info.

tunnelcat wrote:What about a program that is not technically "installed" like Core Temp or EVGA Precision? They're just run from whatever directory I stuck them in after being downloaded.

Use the task sheduler to get around UAC nagging on autostarts. Click.

Edit: Similar to what you found.

tunnelcat wrote:

snoopy wrote:I've hardly used Win7...

Yeah, I'm finding out why. Thanks for the info.

Well... If you're looking for "it just works" Linux isn't for you....

Grendel wrote:

tunnelcat wrote:What about a program that is not technically "installed" like Core Temp or EVGA Precision? They're just run from whatever directory I stuck them in after being downloaded.

Use the task sheduler to get around UAC nagging on autostarts. Click.

Edit: Similar to what you found.

I did use that method on Core Temp and EVGA Precision. Worked like a charm.

Snoopy wrote:Well... If you're looking for "it just works" Linux isn't for you....

It'd be nice if someday computers were turnkey machines that users didn't have to fiddle with constantly like a cantankerous old Model A Fords just to get to work as intended.

Tunnel,

I think they exist, and are made by a company named Apple or (to a bit lesser degree) Google.

Macs are somewhat that way, but rather than being a maintenance free car they are more like a train. They still require maintenance, just someone else does it and it only rides on the rails so it can't go to many of the places the Model A can. Although when they do derail, it is that much more of a pain to get back on track than it is pulling the Model A getting out of the ditch.