Do you disable UAC?

Discussion in 'other anti-malware software' started by Overkill, Mar 2, 2016.

Thread Status:
Not open for further replies.
  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, you're right and thanks for clarification.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No, you're misunderstanding. By design, all app installers need admin rights. And some apps that are already installed may also need admin rights in order to function correctly. For example, system monitors that need to load a driver dynamically. This all has got nothing to do with bad software design.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I agree, that's why I don't understand all the fuss about it. You don't need it to stay secure; security tools and common sense are way more important. But of course UAC is useful in some cases, especially on multiple-user systems.

    You probably already know this, but when you disable UAC on Win 8 and 10, it goes into "silent mode", so all UAC related security technologies stay active. This is not the case on Win Vista and 7, unless you use the TweakUAC tool: http://www.winability.com/tweak-uac/

    Yes, I read about this, but I wonder if it's the right mentality after 10 years of UAC. I doubt that developers will all of a sudden start to develop in a way that apps do not run correctly anymore when running in LUA.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This has been my main complaint, it would be cool if not all app installers required admin rights. This can only be done by making certain folders (and perhaps registry keys) writable for standard users. If some app needs to perform privileged actions like installing a service or driver, it should simply ask for elevation.

    If it does not need high privileges, it will install correctly, and you will simply not get to see a UAC alert. This will result in fewer UAC alerts since most apps don't actually need admin rights. Another way to avoid UAC alerts and to make it less annoying is by giving a white-listing option for (portable) apps that need admin rights every time they are launched.

    Interesting idea, but I wonder if it would be possible to mark certain folders as "Trusted Folder". Apps launched from these folders shouldn't trigger any UAC alerts. But this Trusted Folder must somehow be launched from an elevated explorer.exe process, so this means that a separate instance of explorer.exe must run with high rights. This would be similar to how Sandboxie is able to sandbox Windows Explorer.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    On second thought, this wouldn't work since apps only need high privileges to perform certain actions; they don't need to run with high privileges all of the time. So technically this idea would be too complex.

    BTW, can you explain this a bit more? How do Universal Apps fit into this discussion?

    https://en.wikipedia.org/wiki/APPX
     
  6. guest

    guest Guest

    Because they run in AppContainer, the lowest integrity level, by design they are restricted to certain locations (called capabilities, if my memory is good), just the ones necessary for their purpose; UAC then isn't needed.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I understand, but the question is if it's realistic that one day all apps will run in AppContainer. What if they need more privileges or need to communicate with each other?
     
  8. guest

    guest Guest

    It is realistic; Chrome can already run in AppContainer via a tweak. Now for software that goes deep into the system (drivers, etc.), it will need time; both the OS and app developers aren't ready yet...

    Microsoft insists "heavily" that Windows Apps must be prioritized; in fact, they want to copy Linux and its repositories.
     
    Last edited by a moderator: Apr 3, 2016
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Is there a way to lock UAC slider in default position?
    Even for users with admin rights.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, it's interesting from a technical point of view. But I wonder if there is a need for all apps to run in AppContainers, I can't picture it. Windows would probably need a huge redesign, so I don't see this happening anytime soon.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  12. guest

    guest Guest


    I don't know if you are familiar with the AppContainer and lowbox token mechanism; to put it very simply:

    On Windows (since Vista), each process is given a token (containing its information, integrity level, privileges).

    AppContainer (being an integrity level itself) differs slightly from the others in that it implements the "Lowbox" token, which assigns "capabilities" to the app; capabilities are areas (internet access, picture/music/etc. libraries, webcam, microphone, removable storage, etc.) the app may or may not access (decided by its dev).
    A list of those capabilities is here: https://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx

    In Win8-10, a broker checks the original token of the process and, if possible, transforms it into the Lowbox token.

    Some info there: http://recxltd.blogspot.com/2012/03/windows-8-app-container-security-notes.html

    So I think in the near future the capabilities could be extended to more areas, possibly making almost all apps run under AppContainer.

    The real question is: "Are the devs willing to do it?"
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I have read about it, but not in detail. But who knows if in the future, most apps can perhaps run in AppContainer, with the advantage that it's harder to exploit them, plus they would be portable, so no need to elevate, because there is nothing to install. But what if they need higher privileges, I don't believe this is supported at the moment. So I don't see the need for it, the current process architecture is already quite good, but M$ should be able to reduce UAC alerts with the ideas that I mentioned.
     
  14. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Minimalist :
    THX for pointing me to the thread in technet forum.
    Unfortunately the suggested solution does not work for me.
    Not even the crude way, masking user account in Control Panel, shows an effect.

    Anyone?
     
  15. guest

    guest Guest

    I don't think they will ask for higher privileges; capabilities would set the authorizations from the start.
     
  16. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Hiltihome :

    As Admin you are Admin.
    If it's the bypasses you have in mind, then you need to go the route of maxing UAC or Standard User Account.

    The domain joined restrictions won't do you any good.
    Setting to ask for credentials won't do you any good either, because on default UAC you won't be asked on the problematic silent auto-elevations. That's the whole problem with default UAC level.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Do you only want to make sure that nobody can move the slider (even Admins) but they can still approve UAC prompts? If this is what you want then you can just hide UAC settings in Control Panel and even admins won't be able to change the settings.
     
  18. Tornado AMR

    Tornado AMR Registered Member

    Joined:
    Feb 22, 2016
    Posts:
    7
    UAC is a very good way to block unwanted changes to the registry and only allowing certain programs to do certain things. I have it on 'Always Notify' and find it very useful.
     
  19. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Minimalist :
    Hiding a UI element will not lock anything.
    The user is still admin, and can alter anything he/she wants.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, but the user will have to find how to unhide that element so he can change settings. Or is there any other way to change UAC settings without that element in Control Panel? I guess that the other Admin user is not knowledgeable and doesn't know about Gpedit tricks.
    I'm also talking only about changing settings of UAC (moving slider) not about approving UAC prompts...
     
  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Martin_C @Minimalist :
    I only want to lock UAC at default position.
    The targeted users are not smart enough to figure out how to unlock...
     
  22. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Minimalist & @Hiltihome :

    Hiding it will only give a false sense of security.
    Since the user is admin, he/she can approve a request for elevated privileges and that application has access. Should further prompts appear, then the admin user can just approve them also.

    And since it's on default level, then unfortunately it's possible to bypass completely.

    So an actual lock of the UAC level is not possible without using an account with less privileges.

    How about setting UAC to only elevate signed and validated applications?
    Less possible problems for the user.
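
    The slider positions and the "only elevate signed and validated applications" policy discussed in the posts above are stored as values under the `Policies\System` registry key, so a configuration can be audited even when the Control Panel page is hidden. This is an added example, not part of any post in the thread; the function names, the baseline and the sample machine are assumptions made for the illustration.

```powershell
# Added example: audit the registry values behind the UAC slider.
# Function names and the baseline are illustrative assumptions.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin',
             'PromptOnSecureDesktop', 'ValidateAdminCodeSignatures'

function Get-UacState {
    # Read the live values; a value that is absent comes back as $null.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    $state = @{}
    foreach ($n in $UacValues) { $state[$n] = $props.$n }
    return $state
}

function Get-UacSliderLevel {
    param([hashtable]$State)
    if ($State.EnableLUA -ne 1) { return 'UAC off (EnableLUA is not 1)' }
    switch ("$($State.ConsentPromptBehaviorAdmin)/$($State.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default' }
        '5/0'   { 'Default without secure desktop' }
        '0/0'   { 'Never notify (silent elevation, UAC still enabled)' }
        default { "Custom policy ($_)" }
    }
}

function Get-UacDrift {
    # Emit one record per value that differs from the baseline.
    param([hashtable]$State, [hashtable]$Baseline)
    foreach ($n in $Baseline.Keys) {
        if ($State[$n] -ne $Baseline[$n]) {
            [pscustomobject]@{ Value = $n; Expected = $Baseline[$n]; Actual = $State[$n] }
        }
    }
}

# Baseline: slider at its default position, as asked for in the thread.
$baseline = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }

# Constructed sample: slider moved to the bottom on Win 8/10.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0
             ValidateAdminCodeSignatures = 0 }

foreach ($s in @($sample, (Get-UacState))) {
    'Slider level: {0}' -f (Get-UacSliderLevel -State $s)
    'Signed-only elevation: {0}' -f ($s.ValidateAdminCodeSignatures -eq 1)
    Get-UacDrift -State $s -Baseline $baseline | Format-Table -AutoSize
}
```

    Reading these values does not require elevation, so the check can run from a standard account and report any drift from the baseline.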
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, I have done some testing, and it indeed does work correctly. So installers that are launched from an elevated file manager do indeed launch without UAC alert, and after install + restart they run with medium rights. So this "Trusted Folder" idea should be possible.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Here are some more tools that were designed to make UAC less annoying. With TweakUAC and UAC Snooze you could quickly disable it when you're about to configure Windows or install lots of apps.

    Smart UAC is basically a "dumbed down HIPS", but I already came to the conclusion that this idea was not feasible, because UAC is meant to block elevation, not to monitor behavior. And finally, Norton User Account Control is what UAC should have been like, I believe it gives a white-listing option.

    https://www.maketecheasier.com/4-to...-annoying-without-compromising-your-security/
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see, but for stuff like installing a driver you will always need admin rights. But I guess not all tools are meant for AppContainer. But the cool thing is that they can only read and write to their own directory, that would be a security benefit.

    I just noticed that some apps that are already installed in the sandbox will also present a UAC alert, so even white-listing Sandboxie wouldn't help in this case, ridiculous. And yes, I know it's expected, but that's not the point.
     
    Last edited: Apr 4, 2016