The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    MZ Vista Force (Tweaking Guide)

    Discussion in 'Windows OS and Software' started by MaXimus, Jun 1, 2009.

  1. davepermen

    davepermen Notebook Nobel Laureate

    if you elevate the privileges, all security changes are gone. just hope britney isn't something evil..

    virtualisation is overrated and only useful for non-secured systems mainly. vista, and so win2008, are technically very similar to virtualized systems.

    vista allows whitelisting. it does allow all sorts of security settings. but it doesn't change the fact that a vista with uac on in its default installed configuration can nearly not get harmed, except if you agree on a UAC prompt.

    and i don't agree that the whitelisting and all further increases security. it further limits what users can do. and maybe further secures the user's data. but vista is secure independent of the app you run until you click yes on the uac prompt. anything else does not increase the security of the os (or the installed apps which are in the uac safety by default. steam is a well known counterexample who disables uac for itself).
     
  2. Good Spliff

    Good Spliff Notebook Geek

    I am a little confused about UAC now, after reading through the last four pages.

    So all UAC does is make sure that you give permission to whatever your computer is about to do?

    If I am the lone user of my computer, do I need to enable UAC?

    I do not have powerpoint installed on this computer yet davepermen, could you please give me a run down on Fixing UAC Bugs?
     
  3. Pirx

    Pirx Notebook Virtuoso

    Oh please. I am well aware of the formal distinction, but the word "hacker", like it or not (and I, like you, happen to not like that) has come to be taken as synonymous with "cracker" in popular lingo.

    I'll concede that point to you, in part. Yes, Vista can be made even more secure (I happen to tighten down some of the security on my own systems as well). On the other hand, I still claim that Vista security is perfectly sufficient for standard uses. If you have higher demands, then you should know what you need, and also how to achieve it. In most cases you can achieve the level of security we need without any third party software. In those cases where somebody really needs more, I just hope s/he will not rely on a consumer application...

    Nonsense. Please don't try to impress me with high-school logic here. The fact that you cannot prove a negative does not apply to this situation, since I do not have to prove a universal negative to demonstrate the validity of my statement. You may want to think about this yourself, I won't bore the rest with a lengthy explanation here.

    True. Nevertheless, in my experience (and I have quite a bit) for many, many people anti-virus software creates more problems than it solves. Certainly it creates more problems than it would ever have the opportunity to solve if people ran their systems in a secure configuration, and did not commit the lunacy of habitually running as an administrator...

    Nonsense. An application crash (which is all I talked about, mind you) is evidence for the application being poorly written, and potentially having corrupted its private memory space. This has no implications for the system. None.

    Anti-virus solutions do provide some incremental security over and above UAC, true. In my opinion, however, the additional security afforded by these programs is minimal, and certainly not worth the hassle. You know, you could install an anti-virus program on an OSX machine, too. Very few people do. Why do you think that is?

    Huh? Now that's a non sequitur if I ever saw one!
     
  4. Pirx

    Pirx Notebook Virtuoso

    Interesting remark. You may or may not know that Microsoft actually considered that route (I think the name of the project was Palladium, or something like that), but ultimately rejected it, for obvious reasons. Heck, if you have people crying bloody murder about UAC, can you imagine the uproar if Microsoft had followed through on this idea?
     
  5. Darth Bane

    Darth Bane Dark Lord of the Sith

    This thread is too full of smug, "i-am-smarter-than-you" attitude.
     
  6. davepermen

    davepermen Notebook Nobel Laureate

    one thing about UAC: it may not be perfect, but it's, contrary to virus scanners, perfect in how it reacts in an imperfect case: a virus scanner does nothing if it doesn't detect the virus. UAC prompts while you don't even try to hurt the system.

    so UAC is "too secure" when virus scanners are "too little".

    but UAC normally only prompts when you access the system files. if not, learn how to change the behaviour. it's not hard (but actually file permissions are quite hard to grasp).
     
  7. Pirx

    Pirx Notebook Virtuoso

    I apologize for being smarter than you. :tongue: :laugh:
     
  8. davepermen

    davepermen Notebook Nobel Laureate

    yes it is.. and i'm no better, that's true. but i still try to stay with facts, instead of "i don't like so i bash" like some do/did.
     
  9. Darth Bane

    Darth Bane Dark Lord of the Sith

    It's human nature to react defensively when someone is overly aggressive. Presenting facts in a more passive style will definitely convince more people than outright bashing them.
     
  10. DarkSilver

    DarkSilver MSI Afterburner

    Yep! It is only installed to the hard disk. Some space, I think a few MBs, is needed.
    But when it comes to protection, it is ZERO resources.
    Read this, http://www.javacoolsoftware.com/spywareblaster.html#Principles

    UAC and non-UAC... What a pain... Better keep quiet.

    Intelligence and Bashing topic???
    sounds like magician versus warrior.
     
  11. davepermen

    davepermen Notebook Nobel Laureate

    I know. I'm still learning.
     
  12. davepermen

    davepermen Notebook Nobel Laureate

    hm..

    written by some marketing guy of some strange application that has "Blaster" and "Spyware" in its name. really makes the statement not believable at all.

    i prefer to trust the vendor of my operating system, who makes billions over billions with it, and huge corporations trust it with the billions they have to have saved through it, than some nice marketing guy who writes "it doesn't slow down".

    they don't state _how_ it doesn't slow down. for UAC i know exactly HOW it doesn't slow down. it does only slow down at the moment of the prompt, as the moment, the os gets a "not sufficient rights" exception at some file access, instead of just canceling out and saying "can't do", it reacts with "try again with admin rights?".

    that, sir, is by its very logic, something that does NOT cost any system resources while not prompting. the other app doesn't explain that. maybe another link would help?

    still, no matter how many links, it's still "just written on some webpage", which doesn't make it right, or true (they can believe in it, but they may have failed to implement it in a 100% way, what ever they did).

    i am btw a developer, does sometimes help to "see through" invalid statements of software vendors. certain stuff isn't possible. realtime file protection with signatures and heuristics without overhead f.e. isn't.
     
  13. DarkSilver

    DarkSilver MSI Afterburner

    You know it is ZERO resources?
    I think you don't obviously.
    Because the blocking stuff is mixed/lives in your internet browsers. Your browsers are now ready to block spyware.
    The protection is passive not active. Thus, it is just like UAC kind of stuff that uses ZERO resources.

    I have checked my services and processes list and there is no such thing as SpywareBlaster thingy in the list.
    Which means it doesn't use resources.
     
  14. davepermen

    davepermen Notebook Nobel Laureate

    well, they don't state that on the page really. have read through it. and even then, it may be bluff. for UAC, i know it. because i've used just what uac uses years ago for "fun" on xp. testing out how to secure a company with user rights management.

    if the protection is passive, will it be EVERYWHERE where an app can harm the system? if so, it is uac, and you can just drop the app and use uac. if not, then it WILL not be perfect, so it's even less than uac.
     
  15. Good Spliff

    Good Spliff Notebook Geek

    Anyone, please?
     
  16. DarkSilver

    DarkSilver MSI Afterburner

    Of course it does less than UAC.
    But it consumes 0 resources as I told you.
    I checked the services and processes list. NOTHING related to SPYWAREBLASTER can be found.
    When browsing internet, if there is a pop-up, it would auto-block it.
    Can be seen clearly. The pop-up window appears but blank (blocked).
    I tried disabling the passive protection and ah-ha the pop-up windows appears with content and pictures.

    Moreover, SPYWAREBLASTER is recommended by Baserk, http://forum.notebookreview.com/showthread.php?t=190538

    PLEASE DON'T UNDERESTIMATE OTHER SOFTWARE UNLESS YOU CREATE AN EXTREMELY STRONG AND POWERFUL 1! I DO NOT UNDERESTIMATE UAC AS WELL. PLEASE RESPECT!
     
  17. davepermen

    davepermen Notebook Nobel Laureate

    first: i don't have powerpoint right now on my laptop myself haha.. sorry good spliff.

    second: there is a powerpoint viewer, free to download from microsoft. it's a quite small download.

    third:

    uac is, simply said, about that:
    you're by default never the admin, but an ordinary user. the ordinary user has no write access to c:\program files, c:\windows and some other system relevant folders.
    while you run around your system, you may hit some stuff you do that affects the whole system (like, a tweaking example, changing the boot logo, or installing an app).
    at this moment, the user will get hit by the file/process/etc permissions to not be allowed to do that.

    so far, nothing changed since nt/2000/xp when you run a normal user account. but NOW, once the permissions hit in and say "no, user, you're not allowed to do that", the os switches into a secure mode. it's a second desktop which disables everything except keyboard and mouse, so no one can act on that except you, as a user, in front of the system.

    and there it asks, are you sure, do you want to get more power, to do that systemwide change that may harm your system. or in short: continue/cancel :).

    this change to secure desktop, and asking if you may want to do it anyways is systemwide, as its just part of the system wide rights management, aka user permissions.

    and once you said "continue", you leave that secure desktop, and get the app restarted with admin rights.


    so what you get out of this?

    all your apps run without admin rights => nothing can harm your system. (it still may harm your own files like music/pics/etc as it runs with your rights).

    the moment running an app without admin rights is not enough, it asks you and only you to grant the right, for that specific app.

    that's UAC. only the tiny bit after "you don't have enough rights" is uac. the asking if you want more rights, then. any os pre vista didn't ask, but just failed. so it's the first os that makes it for the ordinary user usable, to not be admin all day long.


    the gain: any virus that sneaks in any way into your system first has to get admin rights to harm the system. to get that, it HAS to go to the uac prompt and ask you.
     
  18. davepermen

    davepermen Notebook Nobel Laureate

    not being visible in the taskmanager doesn't mean no resources used. we have symantec installed in our systems at work, non-visible to the taskmanager. it does hide itself completely from the system by rewriting parts of the process manager and the file manager. really nasty beast.

    and even if it just attaches itself to existing software, it doesn't mean it doesn't need resources. because SCANNING FOR MALWARE OF ANY FORM NEEDS RESOURCES. and only uac doesn't scan an exe at all, it just doesn't run them without your acceptance. that's what makes it "dumb", but "always working", and "non-resource-eating".

    plain logic, sir.

    and i do respect you, no problem. it's just some logic that you maybe fail to see. anything that has to analyze data needs resources. any form of scanner, how ever passive, needs to analyze the data => it eats resources. it has to access its database from disk, or loads it into memory. so it's a disk hog slowing down with disk accesses, or a memory hog. but it needs its database. or it's heuristic, then it needs computation time to analyze the data.

    either way, it's not "free". uac is. file permissions of ntfs aren't free btw. but uac in an ntfs land is free.
     
  19. Darth Bane

    Darth Bane Dark Lord of the Sith

    i believe vista by default makes your starting account an administrator (at least it did for me) and disables the built-in admin account.
     
  20. DetlevCM

    DetlevCM Notebook Nobel Laureate

    Yes, I think that's true.

    Technically if you wanted you could take the higher Admin account to make yours a normal user account :D
     
  21. Pirx

    Pirx Notebook Virtuoso

    Heheh, technically you can also make your first account a standard user account using the MMC snap-in, and this way lock yourself out of the system. It's a re-install of the OS after that... :D
     
  22. Good Spliff

    Good Spliff Notebook Geek

    I am still very confused. davepermen, I read your entire UAC thread from your sig and I still don't quite comprehend what I should do.

    I am the lone user of a 64bit Vista Home Premium Dell Studio XPS 1640 laptop. I currently have Norton Anti-Virus and Windows Defender running.

    My question to you is, "Is it necessary for me to have UAC enabled?"

    If so, must I deal with the constant prompts or is there a way to safely edit the settings where I am still safe?

    A simple breakdown is appreciated. I am a little tech-n00b so if you could explain to me as if I was 10 please.
     
  23. DetlevCM

    DetlevCM Notebook Nobel Laureate

    Necessary is the point of debate.

    It is highly recommended to leave UAC turned on to keep your operating system protected.
     
  24. Good Spliff

    Good Spliff Notebook Geek

    I see. I am now leaning towards leaving it enabled. My new question is: what is to stop anyone else from simply pressing 'continue'? Are you saying a UAC prompt for something I do not know could suddenly come up while I am using my computer?
     
  25. DetlevCM

    DetlevCM Notebook Nobel Laureate

    Yes.
    If say a malicious programme were to launch - requiring Admin rights/permissions the UAC window should and would just pop up - as you haven't started the application you should then abort it.

    About applications not being able to select it - Dave told me it opens a second "special screen" - but I think he can tell you more about it.
     
  26. Christoph.krn

    Christoph.krn Notebook Evangelist

    Sadly true, I won't do the same, however.

    I'm sure you're also totally aware of the fact that if security increased in general, security solutions that once were secure would suddenly give a smaller increase in security, so you'd have to raise the bar again. Well, that's basically what happened in (recent) IT history.
    Should be impossible to get a perfect solution. :(

    I don't agree. It's the case that you might be able to make a very good guess that there might not be an infection, but you can't prove it. Is there a misunderstanding here? Further explanation, please. :)

    So true, you just made me remember all the people I've seen whose anti-virus solutions constantly complained about months-old anti-virus databases because no one before ever taught them how it works. No security concept will ever work if the user just turns it off or renders it unusable. Therefore it's extremely important to make it possible for people who are not affiliated with IT very much to understand how their security solution works, in an easy way. Now if that only wouldn't be so difficult... I guess if it was possible to do that as easy as installing a "human brain patch", most security problems would be solved.

    But then again, if brain patching was possible, there would be more possibilities and problems to think about. :)

    See for instance Wikipedia:Buffer_overflow, which is one of the biggest reasons for security problems.

    In short, if any application gets data from outside (like a webbrowser, for example, or even a document reader) and does not verify that data thoroughly, the data may get executed although it shouldn't.

    As always, it depends on the case. I set security as a top priority, therefore I always suggest people to use an anti-virus solution. And I think that's the best way to go, despite any problems that may occur. You may do different, I think there's no point in debating this at this time.

    :)
    At least there still aren't as many "professional" (not to be understood technical, but malicious-software-benefit-wise) viruses for OS X that aim at kidnapping or stealing your data or your money, making OS X more secure than Windows - at the moment! You may be interested in: http://www.h-online.com/security/Ex...o-increase-its-security-efforts--/news/113489 (Despite the "Expert says" in the headline: that's a pretty reliable source for information).

    Yes, I can remember that. No, I can't imagine the uproar that had happened had Microsoft really done this - It would have been too big! ;) It was already very much when Microsoft just said they'd do it...
    It had multiple names, actually. "Palladium" was the Microsoft part, which is now called NGSCB (Next-Generation Secure Computing Base). For now, good thing that BitLocker is the only thing that's left of that in Vista. Though with TPMs being built into many computers already, I think Microsoft could actually be planning to implement this "from below"...

    Why does this happen whenever I'm discussing something? I'm sorry for that. There are so many things that most people are better at than I am.

    I wish I wouldn't sound like this. Sorry. :(

    Well, tell the software developers! ;) There are still too many applications out there in the wild that ask for more privileges than needed. :(

    I think that's actually one of the best points in here so far. Sometimes it's so complicated to talk about something. Well, at the moment I have the time to do this. :)

    In Vista, there are actually three kinds of accounts (four if you count "guest" separately):
    • Administrator
    • Administrator in Admin approval mode (This is what the default account is)
    • Standard User
    (The names may vary, I can't remember the exact English terms)
    Administrators in Admin approval mode only have the rights of Standard users unless they need higher rights. When higher rights are needed, they have to be explicitly granted by the user - a UAC dialog will appear.

    I'm not sure if I got that question right, but in case you are asking how to prevent other people that are near your computer from pressing "Continue", there's a way to do so by setting UAC to show a "Credential Prompt" instead of a "Consent Prompt". The "Credential Prompt" will ask for a password instead of asking to click continue. However, UAC's main purpose is still not to prevent the user from doing something (it can be used for that, useful for multi-user environments, for instance) but to prevent "changes to the computer" by software that wasn't meant to be executed.
    Do you wish further information on credential prompts?

    Yes, that's possible.
    You may want to read the beginning of "UAC's Goal" on http://technet.microsoft.com/de-de/magazine/2007.06.uac(en-us).aspx, but it's getting a bit techy pretty soon after that part.

    The UAC prompt by default is displayed on a separate desktop, the so-called "Secure Desktop". This is done to prevent other software that is running from interfering with the interaction between UAC and the user, so no evil software that wants something to run with administrative rights can play tricks on the UAC dialog. The Secure Desktop is what you see when the display darkens when a UAC dialog is displayed. At that moment, all other windows in the background are just a screenshot.


    Don't you get tired of writing that again? :D


    Some kind of collaborative, comprehensive document about all this is needed. :)
     
  27. Shyster1

    Shyster1 Notebook Nobel Laureate

    Boy, and I thought I was long-winded! Looks like I've got competition for the crown. ;)
     
  28. Christoph.krn

    Christoph.krn Notebook Evangelist

    You have a crown for long-windedness? I wonder what it looks like! I guess it's very... long! :D
     
  29. Shyster1

    Shyster1 Notebook Nobel Laureate

    Yup! Sorta like the hood on an old 1970's Lincoln Mk IV

    the view just goes on forever, and they put a sparkly little ornament at the tip of the hood so you can get a good estimate on where the nose ends! :D
     
    Last edited by a moderator: Feb 6, 2015
  30. Good Spliff

    Good Spliff Notebook Geek

    Ok. So how do I edit UAC so it is more user friendly? I have windows vista home premium 64bit. Do I have to just deal with the prompts or is there a way to stay safe with less prompts?
     
  31. Shyster1

    Shyster1 Notebook Nobel Laureate

    If I recall correctly, there is basically very little variability to the UAC levels in _Vista - typically, it either runs, or it doesn't run - I believe that this has been changed for Win7, where the UAC security levels will have some customizability.

    Quite honestly, though, I've been running on _Vista Home Premium 64-bit - standard OEM installation with no tweaks - have installed and uninstalled some stuff, and really haven't found the UAC prompts to be much of a problem to deal with. So far I've not had one pop up when I didn't expect it to (which would happen if something was trying to covertly install itself), and clicking through it when it pops up when I do expect it to (e.g., I just ran an installer for something) is not that big of an imposition on my time.
     
  32. MaXimus

    MaXimus Notebook Deity

    j00 are r!ght, Windows 7 has the same security of UAC but with less interruptions for senseless stuff like renaming a folder!

    Win 7 FTW
     
  33. Shyster1

    Shyster1 Notebook Nobel Laureate

    What folders did UAC pop up on when you tried to rename them?
     
  34. crash

    crash NBR Assassin

    Probably one of the folders that users aren't supposed to mess with, like the Windows folder :rolleyes:
     
  35. Christoph.krn

    Christoph.krn Notebook Evangelist

    Windows 7 indeed has different "annoyance" settings regarding UAC. But if you're using the default setting of UAC in Windows 7, you won't have any real security at all.

    The highest setting in Windows 7 is what's default in Vista. The default setting of Windows 7 is the same as the highest one, except for the fact that there's a whitelist of things that are allowed to elevate privileges automatically. The problem: malicious software can start one of the whitelisted applications (which will then automatically start elevated without any prompt or notice appearing at all) and use DLL injection to tell that application whatever it wants it to do. This way, the malicious software will gain administrative rights without a UAC dialog appearing. If UAC is set to the highest setting in Windows 7, this will not work without displaying UAC dialogs. In Vista, this will not work without displaying UAC dialogs.
     
  36. DetlevCM

    DetlevCM Notebook Nobel Laureate

    Not necessarily - there is a tiny UAC flaw here.

    If a file is written by another user or by an Account with UAC off, turning UAC on may result in a command prompt.
    I had that - I was originally running without UAC - nowadays it's with...
    I had to take ownership of my external HDDs I believe...
     
  37. davepermen

    davepermen Notebook Nobel Laureate

    you're not the sole user. the apps running on the system are. they may be started by you, or some virus. even while you're the sole user, you can at any time harm the system with arbitrary tweaking, deleting of system relevant stuff, what ever. uac then tells you "are you sure", and you notice "oh crap, wrong folder" or what ever.

    constant prompts? WHAT CONSTANT PROMPTS??? that's the sole biggest lie about uac. there are no constant prompts. one prompt per system wide manipulation (like installation, like changing systemwide settings).

    if you go around looking at all the funky xp pc's that are spyware, malware, virus riddled. most of them are from sole users. so yes, leave uac on, so that the system has at least some safety guard to not let that sole user go havoc. a sole user is the only harm a system can have :)

    but nonetheless. not everything i said about UAC is true. UAC is sort of hackable. i've added a link from mark russinovich, ultimate guru of microsoft, at my sign. he explains every detail.
     
  38. davepermen

    davepermen Notebook Nobel Laureate

    disabling uac and then re-enabling can lead to such behaviour. as well as accessing data from pre-vista days, like xp. which by default only made everything readonly for ordinary users. annoying in the case of external hdds, f.e.
     
  39. davepermen

    davepermen Notebook Nobel Laureate

    and i'm not 100% sure anymore if this is still true, or if dll injection would work in vista, too? or not anymore in win7. but i don't like that default change, as it gives another place where bugs may appear.

    but full detail in my link to mark russinovich (and after posting this some times, i can actually spell the name :))
     
  40. davepermen

    davepermen Notebook Nobel Laureate

  41. Christoph.krn

    Christoph.krn Notebook Evangelist

    The specific attack method described isn't working in Vista, and neither in Windows 7 RC with highest UAC setting. In Windows 7 RC with default UAC setting, any malicious software will be able to use this to run code with administrative rights without any UAC prompts appearing.

    So far, it is unlikely that this will be improved before Windows 7 final, and also unlikely after its release.

    I will refrain from posting any additional information here, as that may collide with the forum rules.

    I can't reach that site through the link. However, looking at the URL, I guess it's the following: http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx, is it? And by the way: what's the name of that home server? "BJÖRN ELECTRÅ"? ;)
     
  42. Christoph.krn

    Christoph.krn Notebook Evangelist

    Could you edit that to make the statement more clear? It's possible that this will be misunderstood. I guess you are aware that it's not that UAC in general is broken in Windows 7, it's the new default setting with less prompts that's broken.

    If you set UAC to "Always Notify" (highest setting) in the Control Panel of Windows 7, it is as safe as it is in Vista.
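
As an added example (not part of any post in this thread): a PowerShell check that reads the UAC policy values behind the settings discussed above (consent vs. credential prompt, Secure Desktop, the Windows 7 default vs. "Always Notify") and flags the weaker configurations. The function names are hypothetical, the sample inputs are constructed, and the registry value names are the standard UAC policy values.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAssessment {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )

    # Documented meanings of ConsentPromptBehaviorAdmin (prompt shown to admins).
    $promptKinds = @{
        0 = 'elevate without prompting'
        1 = 'credential prompt on the secure desktop'
        2 = 'consent prompt on the secure desktop'   # Vista default, "Always notify"
        3 = 'credential prompt'
        4 = 'consent prompt'
        5 = 'consent prompt for non-Windows binaries only'  # Windows 7 default
    }

    # Values 1 and 2 always use the secure desktop; 3, 4 and 5 follow PromptOnSecureDesktop.
    $secure = ((1, 2) -contains $ConsentPromptBehaviorAdmin) -or ($PromptOnSecureDesktop -eq 1)

    $findings = @()
    if ($EnableLUA -eq 0) {
        $findings += 'UAC is disabled: administrators run everything with full rights.'
    }
    elseif (-not $promptKinds.ContainsKey($ConsentPromptBehaviorAdmin)) {
        $findings += "Unknown ConsentPromptBehaviorAdmin value $ConsentPromptBehaviorAdmin."
    }
    else {
        switch ($ConsentPromptBehaviorAdmin) {
            0 { $findings += 'Elevation is granted silently, no prompt is shown.' }
            5 { $findings += 'Whitelisted Windows binaries elevate without a prompt; set UAC to "Always notify".' }
        }
        if (-not $secure -and $ConsentPromptBehaviorAdmin -ne 0) {
            $findings += 'Prompt is shown on the normal desktop, where other software can interfere with it.'
        }
    }

    New-Object PSObject -Property @{
        UacEnabled    = ($EnableLUA -ne 0)
        AdminPrompt   = $promptKinds[$ConsentPromptBehaviorAdmin]
        SecureDesktop = $secure
        Findings      = $findings
    }
}

function Get-LocalUacAssessment {
    # Reads the live policy values; refuses to guess if one is missing.
    $p = Get-ItemProperty -Path $UacPolicyKey
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -eq $p.$name) { throw "UAC policy value '$name' is not set under $UacPolicyKey" }
    }
    Get-UacAssessment -EnableLUA $p.EnableLUA `
        -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
        -PromptOnSecureDesktop $p.PromptOnSecureDesktop
}

# Constructed sample inputs (not read from any real machine).
$samples = @(
    @{ Name = 'Vista default / Win7 "Always notify"'; Lua = 1; Admin = 2; Desk = 1 },
    @{ Name = 'Windows 7 default';                    Lua = 1; Admin = 5; Desk = 1 },
    @{ Name = 'Credential prompt';                    Lua = 1; Admin = 1; Desk = 1 },
    @{ Name = 'Consent prompt, secure desktop off';   Lua = 1; Admin = 4; Desk = 0 },
    @{ Name = 'UAC turned off';                       Lua = 0; Admin = 0; Desk = 0 }
)

foreach ($s in $samples) {
    $r = Get-UacAssessment -EnableLUA $s.Lua -ConsentPromptBehaviorAdmin $s.Admin -PromptOnSecureDesktop $s.Desk
    $status = if ($r.Findings.Count -eq 0) { 'OK' } else { $r.Findings -join ' ' }
    '{0}: {1}' -f $s.Name, $status
}
```

On a real Windows machine, call `Get-LocalUacAssessment` instead of looping over the constructed samples.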
     
  43. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    it's called 'server'.

    :) reason: i manage 3 homeservers. one at my parents' home, one at mine, one at the club. all are called the same, so all links to \\server, all rdp settings, all other shortcuts work without a problem.

    but i plan on printing a sticker "RÄV" with a foxy logo on it :) (in IKEA font :)).

    the link works for me, just retested. and yes, it's the one you posted.

    i'm so tempted in abusing the knowledge on how the uac of win7 fails to do some funky harm :) but i don't want it to happen. win7 looks like it is the best thing that happens for microsoft. now a big worm that can only spread on win7 but not vista would not be really good for its reputation. and they deserve good reputation after what they got for vista, while delivering something great.

    so, once some worm kills all win7 installations but no vista installations, i will with one part of me laugh "I KNEW IT", but on the other hand be very sad for microsoft. and help out all the ones in trouble, of course..
     
  44. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    as it's broken in the default settings, it is, essentially, broken. it will be on close to 100% of the systems on this world.

    wait for win7 sp2, which will enhance the security then again, just like in xp days :) watch it raise the default settings of uac :)
     
  45. Christoph.krn

    Christoph.krn Notebook Evangelist

    Reputations:
    263
    Messages:
    423
    Likes Received:
    0
    Trophy Points:
    30
    Yes, turned out it was a problem over here.

    :)

    Seen that way, yes.
    I was talking about the technical implementation of UAC itself. While UAC in Windows 7 is Broken By Default (TM) ( :D ), luckily it's at least still possible to get it into a state that is as secure as it is on Vista.

    It's so sad to see this happen, because it means that Microsoft seems to have taken focus off of security again. UAC doesn't serve any purpose at all anymore in Windows 7 (every malicious software will be adapted to abuse the whitelists) unless you know how it works and what you have to do. So I wonder why UAC prompts are still there at all by default, as they won't give any huge security benefit. To me, it seems as if Microsoft is playing tricks on the public again.

    "To do some funky harm"? Please tell me you're not serious... :(
     
  46. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    of course i'm not serious

    (have to state that in public even if it would be a lie, not? :))

    no, seriously. it does give a bit of the "i'd like to hit them, just to show them how dumb their action was" feeling. but i wouldn't do it. not that i'm really capable of that kind of thing, too lowlevel for me to do by myself. but the proof of concept works without issues, and that itself should be scary enough :(
     
  47. Christoph.krn

    Christoph.krn Notebook Evangelist

    Reputations:
    263
    Messages:
    423
    Likes Received:
    0
    Trophy Points:
    30
    A proof of concept exists, Microsoft was informed about that. Enough said! :)

    No, you don't have to. The logical conclusion is that by that, you would make clear that your thoughts are evil.
    You don't seem to want them to be, though. :)



    Just in case you're implying I'd not state such things just to keep it secret, I have to say that that is not true.

    I won't support or perform illegal actions.
     
  48. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    obviously i have no illegal or evil plans at all. but the thoughts are there, not active, but simple "what if i would be evil" thoughts. and it's good to have them, to know what could happen from someone else who is evil. so i'm prepared for the fact that the chances are VERY high that win7 gets such an attack before christmas for biggest hurt. the stuff is documented and working right now, and i guess the evil hacker community is just waiting for the moment it'll hurt the most.

    i hope it to not happen. i prefer to see hackers go against iphones, they deserve it much more :)


    if i would write such a thing, i would write it so that it turns UAC back up to the max, and spread as much as possible. i would, if at all, write "good" virii. not that i even would do that, though.. but if at all..

    and yes, really, if at all, i would do good 'harm'... :)
     
  49. Shyster1

    Shyster1 Notebook Nobel Laureate

    Reputations:
    6,926
    Messages:
    8,178
    Likes Received:
    0
    Trophy Points:
    205
    I'll defer to you on the point of actual security (which is particularly easy as I made no claims about actual security under UAC :D). As far as I'm concerned, solid, basic security starts and ends with the brain that clicks the buttons. If the brain is a security risk, then almost no amount of "nannying" via UAC or anything else is going to provide complete security.
     
  50. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    that's why i teach the brains what it is and what it means. but then, uac is better than silent installing without any visible window of stuff you don't want, or deleting/overwriting system files that are of importance without noticing.

    not?
     