I need some Vista UAC/permissions help and tips

Ok, I have used DOS and all windows versions,plus Macs, so I like my chances on mastering an OS, but this Vista has me licked so far.

For example..I get a file and want to unrar it to a folder, but I have to unrar to the desktop. Anything else gives me an error in winrar. Do I need to run it as an admin? Whats the deal?

Also, what is the "safe desktop"? I still have utils with desktop shorcuts that ask for my permission to run every time..easy ones like temp monitor..I mean..cmon MS.

 

You can go into your user account and turn off UAC. That's what I did.

 

I dont want to do that man..there has to be a better way to do this.

 

looks like you got a long way to go before mastering anything

 

I too strongly recommend disabling UAC, it's generally more trouble than it's worth and causes all sorts of headaches. HOWEVER, if you've been running Vista awhile and have installed a lot of stuff already, it's NOT a good idea to disable UAC -- wait until you do a clean install of Vista and then turn it off before you start installing apps. The reason is, when UAC is enabled, certain folders targeted by application installers are virtualized into your own personal folder. When UAC is disabled, this folder virtualization is disabled as well, which means some apps break because they can't find their dependent files anymore.

As far as making your life easier with UAC enabled, I'm not aware of any effective methods. I believe you can flag specific applications to always run as an Administrator, but then you'll be prompted for a password whenever you run them.

 

Wow..what a fantastic post this was. Thanks so much for your witty banter and incredible contribution.


Dmorris, is your workaround with Winrar to unrar everything to the desktop then move it to a folder?

 

I think running Winrar as an admin should work fine...if it does not, go into some of your folders and take ownership. The structure of menus is nearly identical to XP for accomplishing this, save the occasional UAC prompt.

I left UAC on since the beginning, and have no issues what so ever. IMO, too many people complain about it. If you think about it, Windows is protecting the computer from the user, which could be considered a slap in the face. However, I know a lot of users who need this protection.

 

I agree. I just look at my files and I am logged in as the admin, and it gives full control under advanced. So I will try running win rar as admin. I can't wait for SP1 to hopefully adjust this. For example, ceretain programs give you the UAC prompt every time you run them and it just gets annoying.

 

I don't have any workarounds for Winrar because (a) I don't have UAC enabled and everything runs as Admin, and (b) I don't use Winrar. My recommendation would be never to try to extract to the desktop. It's considered a system folder anyway, hence the issues you're having, and I never understood why some folks use it for a dumping ground. Create a temp folder like most of us, and extract temporary stuff to it instead. You can even create shortcut to the temp folder on your desktop so that you can quickly access it from there.

ttupa, I'm a Unix/Linux user for the last 12+ years. I login as a normal user and sudo or setuid root when I need to. I appreciate how user/process security works, when done right. As it is on *nix, it's seldom a hassle. UAC, on the other hand, is a different animal altogether. MS has attempted to "bolt on" process security to an operating system that is inherently insecure from its design, and the nature of the OS itself combined with years of user expectation of how Windows operates, causes it to be more trouble than it's worth. Studies have shown that users get so accustomed to UAC popping up constantly in order to get routine work done, that they blindly click OK without giving any thought whatsoever to why they're being prompted -- which entirely defeats its purpose. The majority of Windows users don't even comprehend the concepts behind it in the first place, and just want to get on with whatever they're doing. To them, it's an added annoyance. That's why it is ineffective as a security feature while being a pain in the ass at the same time. Hence, my suggestion to just turn it off and save the headache and additional calls for support. Such as this one.

When the OS and application developers can properly implement process security, then great. But UAC ain't it.

 

Orlando Guy,

First, I strongly disagree with everyone who is telling you to turn off UAC. I keep it on and I don't consider it a problem.

Secondly, I don't have unrar, but... I strongly suspect that the problem is the permissions on the folder you're trying to extract the files into. You could solve this by using "Run as administrator" for unrar, but the better way is to fix the folder permissions. The reason you don't need to run as admin to extract to your desktop is that you have write permissions on your desktop folder.

What is the "safe desktop" thing you referred to? Anyway, I really wouldn't expect a temperature monitor to run without admin privileges, because it needs low-level access to your hardware. However, to make it always run a particular program as admin, right-click the shortcut and choose Properties > Shortcut tab > Advanced > Run as administrator.

 

This question is off-topic, but since the OP has had his problem largely resolved, I'll use this thread to ask a related question.

I know that XP had issues (not being a multi-user designed OS) with having guests temperorily use administrative rights like Linux. It was a strong security advantage that Linux has had over Windows.

Does Vista improve on this shortcoming at all, or is UAC the best that Microsoft can do?

 

I'm also coming from a Unix perspective, having also used Unix for over a decade, but the only thing above that I agree with is that the majority of Windows users don't understand the concepts behind UAC, and so they just consider it an annoyance. With that in mind, I'll give a quick and simple explanation.

Basically there are three user classes: standard, admin, and superuser. (I don't know what MS calls the last one, so I'm just calling it superuser here.) The default account in Windows is an admin. The main difference between standard and admin is that standard user needs to enter a password to execute a program as superuser, while admins just have to click "Continue" or "Allow".

The things you need superuser permission for are:
- Reading/writing/executing files that you don't have file/directory permissions to read/write/execute (or in folders that you don't have permission for).
- Installing software / messing with the registry
- Anything that affects other user accounts
- Changing system configuration (most of the stuff in the control panel)
- Accessing hardware at a low level (i.e. more control than typical desktop apps would need)

Executables designed with Vista in mind contain some header information telling Vista whether superuser permission is needed for this program or not. For older executables without this info, Windows makes a guess based on some heuristics. Sometimes it guesses you don't need superuser permissions, but you really do, so then you get a permissions error message. In that case, use the "Run as administrator" feature (really run as superuser).

The point of all this of course is so that programs executed accidently or via exploits such as buffer overflow won't be able to do much, since they won't be running with superuser priviliges so they can't mess with anything important.

 

Contrary to popular opinion, XP was designed as a multi-user OS... and I've run it that way for the last couple years. It just wasn't used that way by most people though. There aren't really any major bugs with it, but I have to say though in practice it doesn't work well as a multi-user OS, due to two major problems. One, the default account was an admin user, so most software companies didn't bother to test the case of a non-admin user, and programs would break in weird ways. Since about 98% of people won't change any given default, companies just didn't see it as worthwhile to make things work right as a non-admin user. The other issue was related: XP lacked a UAC-like mechanism for quick privilege escalation... so you had to switching users to do admin stuff. For those two reasons, IMO, running XP as a low-privilege user is a real pain.

Both. The main problem IMO is that the Windows user base is not as technically knowledgeable as the Linux/Unix user base, so they don't understand what's going on, get frustrated, and turn off UAC, effectively running everything as a superuser with full privileges. A secondary problem is that some apps designed before Vista don't handle the Vista privileges model well and need to be run as a superuser in order to work right, when they really shouldn't need that. However, this problem is lessening over time as programs get updated or designed with UAC in mind.

 

Ok..the temp folder is a nice idea. Now, how do i set it up? I am asking as dummy so I get it right. I am thinking..go to C: , make a folder called downloads...and then how is the best way to get it going from there so it's easily accessed?

 

Perhaps for a complete novice UAC offers some protection, but to me as a somewhat experienced user it is by far Vista's most annoying feature. If you get a decent firewall and virus software, both of which are freely available on the internet, that's more than enough for most people. Then just make sure you have a backup of every thing which you should have anyway.

What I like to do is do a clean install of all the drivers and apps I'm going to use on its own C:\ partition. Then I make an image of the the C:\ drive. I make a separate partition for all my data. Then at any time if my installation gets corrupted I can install the image wiping out any maladies without touching the other partition.

 

It has nothing to do with whether you're a "complete novice" or not. If you're the victim of a buffer overflow exploit (say on a malicious web page or media file for example), it won't matter if you're a novice or not but it will matter if you're running UAC. Because with UAC you're running in a lower-privilege mode, so the exploit won't be able to do much.

I love how many people try to claim that their own preference is what's right for "most people". Just like "most people" have no use for Vista's desktop search feature, according to the tweaks sticky thread.

I use both, but if I were forced to choose between UAC and antivirus software, I'd choose UAC. I'd rather not worry about malware detection rates, and just not give it permission to do anything much in the first place.

Agreed.

I hope you have an external backup as well, since malware can easily erase or mess up your data partition too. It is part of the filesystem, after all.

But if you want to take the position that you'd rather have a higher risk of infection and just make backups, then fine... but you could say that about any security measure. It has nothing to do with being a novice or not, it's just a matter of how much effort you're willing to make to reduce the risk of malware infections. Still, employing some security measures is certainly better than employing none.

 

My position on the matter is that the threat of a virus/malware is way overblown. The annoyance factor of UAC, since it is continually popping up, far outweighs any benefit it gives you.

 

You ARE kidding right? I guess that means that the tens of thousands of users machines that have been turned into robots doing the bidding of criminal groups around the world is just a figment of our collective imaginations. Your suggesting that UAC is "continually" popping up is just a tab bit of hyperbole. IMHO, this sort of "advice" does a grave disservice to a community such as this, that attracts a lot of "less than seasoned" users. Let me guess, you were also among the folks who railed against Microsoft for being weak on security.

Go ahead, turn off UAC, hell turn off your firewall, virus protection and anti spyware to. We don't care. But do NOT sluff off the threats as if they were meaningless. That is just ridiculous.

Gary

 

Yeah..ZaZ, I really can't value your advice because it seems a bit naive. The average user is extremely vulnerable to an attack. To say that is overblown actually made me laugh out loud.

 

I do tech support on the side to earn extra money. In the last five years I've had exactly one customer who got a virus only because she was downloading her email via Outlook instead of using the web interface which I always recommend people do. These are not people I would consider to be tech savvy.

People are far more likely to gunk their systems up by installing free games/apps which install all kinds of extras, but are not malware in the traditional sense.

My point is as long as you have a decent firewall and virus/spyware protection all of which are freely available on the internet that's good enough for most people. You should always have a good backup as well.

As UAC pops up every time a small system change occurs people will start to ignore it anyway. That's been my experience. Feel free to disagree with me at any point. If you like and want to use UAC I got no problem with it, but it's not for everyone. The annoyance of it far outweighs any benefit in my opinion.

 

UAC does continually pop up; every time you need to do something that requires admin rights or poses a potential threat to security. Its a clumsy imitation of Linux UAC with an inherent flaw; after a while users just start clicking "OK" mindlessly. Apparently this is supposed to enhance security and destroy any liability MS has for designing a secure OS in that respect (although from a security standpoint Vista is an improvement). Vista's UAC is an inferior but clever idea that fools consumers.

Also, nobody here has advised you to turn off your firewall, so get rid of the sarcasm.

 

I never claimed that UAC was perfect or even good. But what I have said and will continue to say is that anyone who advocates to users that they should turn off UAC is doing a disservice to the larger community here. You can call that having a hissy fit if you'd like. But I know the number of folks here to whom such advice is ill advised exceeds the number of those that might be served by it. I have no objection to such advice if it is carefully couched with caveats, but a naked assertion like this is a really a bad idea.

Gary

 

If UAC isn't effective as you say, then you'll agree with me that its not worth it, right? After all, I've just demonstrated to you how ineffective a security feature it is, and you don't seem to be disagreeing; and yet you're advising that people leave it on? You are contradicting yourself.

 

It doesn't "continually" pop up. It does pop up every time you need to do something that requires admin rights. For the first week or so after installing Windows, that's pretty often. After that, why do you need admin privileges all the time? You shouldn't need to install software or change control panel settings many times a day. And if you're getting prompted often for moving, copying, or accessing files, then you can fix it by setting file and folder permissions appropriately.

If clicking "OK" is too quick and easy for you, that's easily fixed; just run as a standard user (instead of the default admin user), and it'll prompt you to enter a password each time instead of just clicking ok. That's what I'm doing on my system.

But they made it just a single mouse-click in the default configuration in order to avoid having everyone complain that UAC was too onerous. But everyone complains about that anyway. It gets attacked by people saying both that it's too onerous and that it's useless because it's too easy to dismiss the UAC prompt. And astonishingly, it's often the same people making both criticisms.

 

I am disagreing, I never said it wasn't effective. So, no I won't agree that it is not worth it. I do agree it could be better. For example I'd like to be able to tell it that it needn't remind me again about a specific pop up instance. All I am saying is it is MUCH better than having NO protection. For the average Joe or Jane, the likelihood that they will see many UAC popups after they initially configure their machine is rather small. Certainly not often enough to create the "automatic click" scenario you and others have postulated.

I think the argument that no protection is better than some protection is ridiculous.

Gary

 

Did you just create a new user after installing Vista? What about user-specific installed programs? How did you do this exactly?

 

No one here advocated that one have no protection, but rather a decent firewall coupled with virus/software protection is sufficient for most people. Somehow in the last few years I've managed to not get a virus, without the benefit of UAC because XP doesn't offer it, just using a firewall with virus protection.

It is because UAC is so completely annoying from the beginning that users will start to ignore it. I've seen it happen. People click right through it.

 

Basically, I started with my default account, called "nick". I installed all my programs in that account, and then went to:
Control Panel > User Accounts > Add or remove user accounts
I created a new account called "admin". (So right at this point I have two admin accounts.)
Then I selected my regular account ("nick") and clicked "Change the account type". Choose "standard user". I think you then log out and log in again for that change to become effective.

So... I circumvented most potential user-related installation issues by installing programs first, then changing the account type. The funny thing is, I wasn't really thinking about that... it just worked out nicely that way.

If by "user-specific installed programs" you meant restrictions on which user can run what program... I never really had the need to restrict any user account from running any program, but I'd expect that you could do so by setting file permissions in Explorer.

But if you just meant how will programs deal with being installed under one account and used under another... I haven't really installed much software since changing the account type... so I'm not sure how that'll go, now that the installation user will be different from my standard user account... but I think it should be mostly ok. I used to run XP as a standard user, and switch to an admin user to install software, so it should work pretty much the same. Here's how that went. A good installer will let you choose whether to install the program for all users... so just choose that. If a program only installs for the current user (which would be the "admin" user under my current setup), then you can just add a shortcut to the desktop of your standard user. Occasionally I'd get a slight bit of weirdness, like being prompted to register the program separately for each user, or the settings I selected during installation not being applied to the standard user... but it was never anything that couldn't be fixed in a few minutes in the program's configuration options and by using Explorer to manage users' shortcuts and startup menus.

Oh yeah... on that XP setup I only had one program that wouldn't work as a standard user, and that was the crappy software that came with my old Toshiba mp3 player... I just switched to an admin account when I needed to run that. I don't plan to install that program on my Vista machine, but if I encounter that problem with another program, I'll go into the Properties for the shortcut or executable, and check the box labeled "Run as administrator". (Or, preferably, find a different program to use instead.)

 

Here's an article that explains why UAC doesn't offer a setuid-like feature... in other words, why Orlando Guy can't tell Windows to always allow the temperature monitor to run:

http://blogs.msdn.com/aaron_margosis/archive/2007/06/29/faq-why-can-t-i-bypass-the-uac-prompt.aspx

I have to say, the Windows developers do have some good reasons for their decision... although unfortunately it does mean that putting a temperature monitor on your desktop just isn't very practical with UAC.

 

That makes perfect sense. The problem is that average joe user doesn't know how, or even why, they should get a free antivirus/firewall solution. They just want the computer to run out of the box without having to know about the inner workings of the OS. They especially don't want to deal with viruses. Therefore, unless someone is helping them with security software, there's a good chance they'll go home without it.

In a college town, the amount of tech support calls for virus/spyware issues is very high. The main reason is that people are using torrents, p2p, or other file-sharing techniques without protection.

UAC may not be perfect, but if it stops that user from installing a trojan with their bootlegged movie, then it did its job.

 

This is what I think is a decision with a multi-user design in mind; it doesn't assume that there will only be one user needing admin rights. Thanks for the info; I've given you rep. I'll try this out for sure.

 

The way I see it, people have different perceptions of computers; the people you speak of regard computers as mere tools that shouldn't require any maintainance. Professionals, enthusiasts, and (sometimes) gamers appreciate the complexity and know how to really use computers. In order to bridge this gap in perception, we just need to push harder in our efforts to educate people... especially since we can agree that computers will not always do what we expect them to do.