Windows UAC - A Bit More Detail

Discussion in 'other software & services' started by itman, Feb 21, 2019.

  1. guest

    guest Guest

    You are joking right?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @Rasheed187 below is a "sampling" of executables that can auto elevate to admin level that exist in the Win System32 directory. For some reason, the strings utility went bonkers when it encountered MRT.exe, so I couldn't show all .exes that elevate. So are "you covered" with your security solutions on all that are shown? Remember that software like OSArmor is only protecting you against "known" .exe's that can be misused:

    autoelevate.png
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Continuing with one of the above screenshot processes, fodhelper.exe, it also can be exploited. Start reading in the below linked article beginning with:
    and again, the author notes:
    http://soclevelone.com/index.php/2019/01/14/bypassing-windows-uac/

    In other words, assume most of the system auto-elevating processes can be likewise exploited.
     
    Last edited: Apr 1, 2019
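    Added example (not part of the thread, and not the strings-based method itman used for the screenshot): a PowerShell sweep that lists every executable in System32 whose embedded manifest contains `<autoElevate>true</autoElevate>`, together with its requested execution level and Authenticode signer, and writes a baseline CSV so later sweeps can be diffed. It assumes Windows PowerShell 5.1 or later; the `$SystemDir` path, the regex patterns and the output file name are choices made here. It reads each file whole rather than walking the PE resource tree, so large binaries such as MRT.exe are slow but do not break the run.

```powershell
# Added example: inventory of auto-elevating executables in System32 (defensive baseline).
# Assumptions: PowerShell 5.1+, Windows host; $SystemDir, patterns and output path are chosen here.
$SystemDir = Join-Path $env:SystemRoot 'System32'
$Pattern   = '<autoElevate>\s*true\s*</autoElevate>'   # manifest element that opts a binary into auto-elevation

$results = Get-ChildItem -Path $SystemDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            # The RT_MANIFEST resource is stored as plain XML text, so decoding the raw bytes as ASCII
            # and searching that text finds it without a PE resource parser.
            $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($_.FullName))
        } catch {
            return   # locked or unreadable file: skip it rather than abort the whole sweep
        }
        if ($text -imatch $Pattern) {
            $level = if ($text -imatch 'requestedExecutionLevel\s+level="([^"]+)"') { $Matches[1] } else { 'n/a' }
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name            = $_.Name
                ExecutionLevel  = $level
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }

$results | Sort-Object Name | Format-Table -AutoSize

# Keep a baseline: a binary that newly appears in this list, or whose signer changes, is worth a closer look.
$results | Export-Csv -Path (Join-Path $env:TEMP 'autoelevate-baseline.csv') -NoTypeInformation
```

    Auto-elevation only applies to Windows-signed binaries in secure locations, so the signer column is what separates the expected entries from anything that should not be there; comparing two CSVs with `Compare-Object` is enough to spot a change between sweeps.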
  4. guest

    guest Guest

    I guess @Rasheed187 has limited awareness of what are LOLbins/LOLscripts and how easily they can be exploited. There is a reason why I use Appguard and block the execution of all of them.
     
    Last edited by a moderator: Apr 1, 2019
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    In general I disagree. If you want YOUR PC to do that, I have nothing against the idea. AV software misses too much stuff though. I would not want to see this for the general public.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes it should be optional. But I'm afraid both of you are misunderstanding. Let's say you go to your favorite and trusted software download website, let's say Softpedia. You download 10 apps (with installer). AV and SmartScreen say they are all clean. So now you are going to install them. Does it make any sense to see the UAC alert asking for elevation? No it doesn't, because you already know you are going to click on yes. It wouldn't make any difference whether the AV is wrong or not. Come on guys, this isn't rocket science.

    I'm not that worried about "unknown" system tools that can be abused. The easiest way to explain it is that auto-elevation is the least of my worries. Why do you think I still choose to run as admin? The key is to control which apps are able to run, and to control app behavior.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    You're right, it isn't rocket science. It's blind trust in AV and SmartScreen. Ok, you know you're going to click yes. Most people will. That's part of the problem. If there was a foolproof system there would be no need for UAC. However, the universe keeps making better fools. I'd say that in your case, I would just disable UAC, run as full admin, and consider that the closest solution you are going to get. My problem is that I do not trust any AV/SmartScreen to deal with threats on a 100% trust level. Everyone wants a zero effort 100% reliable solution. If you can figure out how to make that happen, you will be a very rich individual. I would buy that solution. :thumb:
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The only 100% effective way to do so is by employing a HIPS.

    You set it to learning mode to create rules for all system and app processes. Note that at this stage, the learning period must be long enough and extensive enough to record all process behavior. You then "pray" that nothing will infect you during this time period since it will by default have allow rules created for it. At the end of the training period, you set the HIPS to either Policy mode, which will unconditionally block any activity for which an allow rule does not exist, or Interactive mode, which will generate an alert for any activity for which an allow rule does not exist.

    If the system existed in a perpetual "frozen" state from this point on, the above would be a viable approach. Obviously, this is not the case. If Interactive mode is deployed, the user must know what is safe and unsafe process activity. No one that I am aware of has such knowledge for every Windows process and activity that can be or could potentially be malicious.
     
    Last edited: Apr 2, 2019
  9. guest

    guest Guest

    @Rasheed187 you have been here so long, like most of us, debating about various PoC/malware cases posted by @itman, how can you say such a thing as "if AV and smartscreen... Blablabla.."? They can be defeated just by a stolen certificate, I don't even talk about exploits... Lol.

    If you want real control, follow my way, use SRP/Applocker or equivalent like Appguard.
    You won't have full control with anything interactive or that needs to be trained; by design they have a potential flaw: the allow button and whitelisting.

    I don't really need UAC, but I keep using it because I use SUA and I like that it gives me control over auto-elevation in case my "trusted" app was compromised.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is starting to get confusing. Let's say you download and install 10 of your favorite apps from Softpedia, then how are you going to decide whether they are infected with malware or not? Isn't AV + SmartScreen your only option? How will UAC help with this? And yes, I know that you can't rely 100% on AV's, so that's how I ended up on this forum, I started looking for other ways to stay safe, and HIPS/behavior blockers were the best solution for me.

    There is no 100% effective way, because all HIPS can be bypassed. And I never use any learning mode, I simply run all of my apps and make rules for them. Also, knowing what's normal and suspicious app behavior isn't rocket science, trust me.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    We were talking about a system without any extra protection tools remember? Even then I wouldn't enable UAC, I would simply rely on Win Def and SmartScreen. I know they are not foolproof, but that's not the point.

    Once again you're not making any sense. How the heck are you going to run or install any apps without an allow button? I have always used: white-listing, firewall, HIPS and sandbox. Not a single problem in 15 years, so don't worry about me.

    If you run in SUA, then you have no choice but to deal with UAC. But I have always run as admin, never had any problems keeping the system malware free, that's all I'm saying. This doesn't mean I don't understand why some people choose to use SUA, or choose to enable UAC on admin account.
     
  12. guest

    guest Guest

    SRP doesn't use whitelisting and doesn't prompt. So no chance to mistakenly allow a malware.
    You set a policy, then done. This is what I mean by full control.
    Want to install something new, crosscheck/test the new program first, add a new policy rule to the SRP.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I prefer white-listing. Like I said, when you install software, you have already made sure that it's not malware with the help of AV and/or behavior blocker. And I now hope you all understand that all of those self-triggered UAC alerts won't help against malware either. BTW, guess I'm not that crazy after all, turns out that M$ already has the "don't prompt for elevation on app installer" option, itman already posted it:

    https://www.ghacks.net/2013/06/20/how-to-configure-windows-uac-prompt-behavior-for-admins-and-users/
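    Added example (not from the thread or the linked ghacks article): a PowerShell check that reads the registry values behind the UAC prompt-behavior settings the article describes and decodes them, so you can see whether a machine is in the "don't prompt" configuration discussed above. The key path and value names are the documented UAC policy locations; the decoding tables reflect the documented meanings of each value, and the warning text is this example's own wording.

```powershell
# Added example: audit the UAC prompt-behavior policy values and explain what they mean.
# Assumptions: Windows host, PowerShell 5.1+; reading HKLM here needs no elevation.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $Key -ErrorAction Stop

# Documented meanings of ConsentPromptBehaviorAdmin (admin in Admin Approval Mode).
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Documented meanings of ConsentPromptBehaviorUser (standard user account).
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Decode-Setting {
    param([hashtable]$Table, $Value)
    if ($null -eq $Value)                { return 'not set (Windows default applies)' }
    if ($Table.ContainsKey([int]$Value)) { return "$Value = $($Table[[int]$Value])" }
    return "$Value = undocumented value"
}

$report = [pscustomobject]@{
    EnableLUA                  = $(if ($null -eq $p.EnableLUA) { 'not set' } else { $p.EnableLUA })
    ConsentPromptBehaviorAdmin = Decode-Setting $AdminBehavior $p.ConsentPromptBehaviorAdmin
    ConsentPromptBehaviorUser  = Decode-Setting $UserBehavior  $p.ConsentPromptBehaviorUser
    PromptOnSecureDesktop      = $(if ($null -eq $p.PromptOnSecureDesktop) { 'not set' } else { $p.PromptOnSecureDesktop })
}
$report | Format-List

# Flag the configurations that remove the prompt entirely, in practical terms.
if ($p.EnableLUA -eq 0) {
    Write-Warning 'EnableLUA=0: Admin Approval Mode is off; an administrator''s processes run with the full token and no elevation prompt occurs.'
}
elseif ($p.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'ConsentPromptBehaviorAdmin=0: elevation requests from an admin account are granted silently (the "don''t prompt" behaviour discussed above).'
}
if ($p.PromptOnSecureDesktop -eq 0) {
    Write-Warning 'PromptOnSecureDesktop=0: the consent dialog is shown on the normal desktop instead of the secure desktop.'
}
```

    Run it on a machine before and after changing the setting from the article and the report shows exactly which of the two "prompt" knobs moved; values that are absent from the key simply mean the Windows default is in effect.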
     