DonationCoder.com Forum

Main Area and Open Discussion => General Software Discussion => Topic started by: cyberdiva on July 19, 2011, 02:12 PM

Title: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 19, 2011, 02:12 PM
I've come late to the Windows 7 party, and so it's only now that I'm starting to gnash my teeth over the UAC (before Win7, I happily used WinXP Pro, which didn't have UAC).  At first, I thought UAC was a minor annoyance that was probably worth putting up with for the added protection it provided.  Today, I turned it off, and my temptation is to leave it off.

It was annoying enough when I wanted to check Malwarebytes for updates, and each time UAC would pop up and ask "Are you sure you want to run this program?"  Having assured it that I was, I then checked for updates, after which I wanted to run a Malwarebytes quick scan.  Up popped UAC again, to ask whether I was sure I wanted to run this program.  Yes, I again assured the Alzheimers-ridden UAC, I am sure.  OK, I've learned to tolerate forgetfulness--that's an ailment I increasingly share with many of my friends, so why not the UAC?

What finally made me turn UAC off was my inability to use ActiveWords to insert blocks of text into html files in Dreamweaver.  I would type the ActiveWords shortcut I had set, hit the key to enable it....and nothing happened.  The same version of ActiveWords and Dreamweaver had worked fine in WinXP Pro, and each of them works fine in Windows 7.  But not together.  I decided to see what would happen if I turned UAC off.  Sure enough, I can now insert my ActiveWords into Dreamweaver.  I'd be happy to toggle UAC on and off, but apparently changing UAC's state requires rebooting the computer each time.  Thanks but no thanks.

So how much danger am I courting by leaving UAC off?  I managed to run WinXP Pro for many years without getting infected.  Then again, I used both a PITA firewall (Outpost Pro) and a PITA antivirus program (McAfee Enterprise Edition), whereas  I'm trusting my Windows 7 64-bit computer to the Windows firewall and Microsoft Security Essentials, plus Malwarebytes Pro.  So can I/should I live with UAC turned off?  I'd welcome some informed opinions.
Title: Re: How necessary is the UAC in Windows 7?
Post by: wreckedcarzz on July 19, 2011, 02:15 PM
You could run the apps as Administrator (right-click menu) to alleviate the problems and only get prompted once. UAC isn't a huge help if you don't go around the depths of the internet downloading everything ending in .exe, but it can sometimes catch something trying to run in the background that wants to change something and you didn't want/it *is* malicious.

FWIW: I have UAC off. My dad's machines have it on.
Title: Re: How necessary is the UAC in Windows 7?
Post by: JavaJones on July 19, 2011, 02:18 PM
I have yet to see UAC actually stop anything bad. In theory it's useful and increases security. In practice I've still seen plenty of infected Win7 machines, and even had some brushes with infection myself (as an IT professional I feel more comfortable taking risks sometimes, and sometimes I need to clean up messes I make :D).

I think one reason UAC doesn't often help is that most attack vectors these days are through existing installed software that you trust, e.g. PDF reader, Java, your web browser. Most malware is smart enough not to expose itself by running a random EXE or trying to inject into a process that Windows would flag. Or at least that's been my experience.

That being said I've left UAC on for most of my machines for the time being. But now that you mention it I'm thinking of turning it off. Basically I left it on after a mass migration of all my systems to Win7 6 months or so ago, with the intention to evaluate UAC for usefulness and act accordingly. So I can say my eval period is over and I don't see UAC as actually being that effective in practice. ;)

- Oshyan
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 19, 2011, 02:24 PM
Thanks, wreckedcarzz, for your response.  However, I'm pretty sure that the account I normally use is an Administrator account, and I still couldn't get ActiveWords to work with Dreamweaver until I turned UAC off.  Are you saying that the Windows firewall and  Microsoft Security Essentials won't stop some baddie trying to run in the background that wants to change a crucial setting?  I also have Malwarebytes Anti-malware Pro and WinPatrol PLUS on the computer, but I think of the main line of defense as the firewall and MSE.  

I don't go around clicking wildly on unknown .exe files, but I *am* something of a software nut, and so I do download a lot of programs.  I never open them before scanning them, however.  
Title: Re: How necessary is the UAC in Windows 7?
Post by: wreckedcarzz on July 19, 2011, 02:27 PM
I'm using the default created user account, which I would assume is administrator-level. I'm not totally sure how that works out, but over multiple machines, it works the same for me. Win Firewall and MSE are good (I'd keep Malwarebytes handy though, MSE doesn't catch a lot of off-the-wall stuff). Neither one will stop changes to crucial system settings, though.

If you want to drop UAC, I'd get a VM or sandbox tool (I use Sandboxie). Run unknown software in sandbox, if it's bad, kill the sandbox, delete contents, done.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on July 19, 2011, 02:33 PM
Turning off UAC puts you in the same position as an admin user on Windows XP.

If you were happy on Windows XP there is no real reason to not turn off UAC if it annoys you - so long as you assume the risk that something may install without a warning.

Personally I leave it switched on - the one positive is it is much less irritating than it was in Vista.
Title: Re: How necessary is the UAC in Windows 7?
Post by: superboyac on July 19, 2011, 02:36 PM
If you guys are like me, and most of you are, in that we have used Windows for most of our lives, and we are known as the "computer geeks" in our circles, I don't think things like UAC affect us one way or another.  To me, it's simply a nuisance, period.  It's not like I ever try to install something accidentally, and even if I did double-click on it accidentally, I'd just cancel the wizard at some point.  Also, as JJ said, our comfort with computers makes us comfortable with installing a bunch of different programs to try.  I don't use sandboxing or VMs.  I tried at one point, but it was too much of a headache.  Look, I know if something I'm installing is fishy.  I don't need UAC to tell me or anyone else.  I just hope that even if I do intentionally try to install something that is fishy, my AV or other security software will catch it.  And it has for the most part.  Some things have slipped through, as I've talked about here on the forums, but even those were due to some pretty odd circumstances.

All these things like UAC are really for the 95% of the population who are not very comfortable with computers.  They don't understand the whole system, with the drivers, files, folders, program files, application data, etc.  It's all foreign to them.  So UAC and similar things are very good for them.  But even then, I doubt how effective these things actually are.  I suspect that more often than not, these messages just make people nervous and want to call their computer geek friend to check and see if they should or should not install this thing.
Title: Re: How necessary is the UAC in Windows 7?
Post by: wreckedcarzz on July 19, 2011, 02:47 PM
I forego security software (minus Windows Firewall) and just use my head, and sandbox things I don't know about (game trainers come to mind). I'd rather have an on-demand solution, rather than a constantly-running solution. I want the computer to be as snappy as possible/output the highest FPS possible/boot up faster than I can sit down and get comfortable. The only time I install an anti-malware app is when I suspect I've been too trusting to something I shouldn't have, or if I just want to make sure I've got a clean slate.

Anyways: I've only had UAC save me once, and that wasn't really much of a save either; I knew I was stupid and gotten myself infected already, UAC just stopped a minor change. I keep it off even though I never do any system changes (except app updates, or Steam game installs), it interferes with CCleaner/Defraggler running via Task Scheduler. Up until I figured out UAC was messing that up, I had it turned on (a few months). It doesn't really provide much protection though.
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 19, 2011, 03:04 PM
Thanks very much, wreckedcarzz, Oshyan, Carol, and superboyac, for your advice.  After reading what you've said, I think I'll leave UAC off even though I'm not as knowledgeable about dealing with computer problems as the rest of you are.  But I haven't found UAC at all useful, and at times (like its preventing ActiveWords from working with Dreamweaver) it's been exceedingly unhelpful.  It's a pity that Microsoft hasn't been able to devise a better tool after all this time.  

Again, many thanks!
Title: Re: How necessary is the UAC in Windows 7?
Post by: steeladept on July 19, 2011, 03:20 PM
I am pretty sure even with an Admin account, UAC will prompt for certain responses if it is on - not unlike SUDO or other similar mechanisms.  In fact, if you want to use UAC, it seems to me it is best NOT to be an Admin account, and just use UAC to elevate privileges as needed (or set certain programs to run as Admin always if necessary, but that generally means poorly programmed software).

FWIW - If you turn off UAC, I think you are giving up one of the main reasons to switch to 7 in the first place.  Most everything still runs on XP as the lowest common denominator, and the only reasons I can think of to switch are for 1) increased security or 2) have to switch due to lack of XP driver support.  Also note, all that I said is theoretical...I haven't really played with Win7 to know how good or stupid UAC et al. are in that product.  :P
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on July 19, 2011, 03:30 PM
Personally I leave it switched on - the one positive is it is much less irritating than it was in Vista.
-Carol Haynes (July 19, 2011, 02:33 PM)
If you haven't cranked UAC to the maximum setting, you might as well almost just turn it off - unless Microsoft have been a-fixing things, it's pretty easy to turn it all the way off programmatically.

The only time I install an anti-malware app is when I suspect I've been too trusting to something I shouldn't have, or if I just want to make sure I've got a clean slate.
-wreckedcarzz (July 19, 2011, 02:47 PM)
That's too late - if you've already got a nasty bugger, anti-malware might not be able to detect it. Be proactive!

Anyway, as to what UAC does: it doesn't stop stuff from running on your computer; it prevents stuff from going from LUA (Limited User Account) privileges to full administrative privileges. Not all malware needs admin privs to be effective - but the stuff that's nastiest to detect & remove does. And of course there's been a few privilege escalation exploits in Windows, letting you bypass UAC. Needless to say, bugs like that have a pretty high fixing priority.

Thus, UAC isn't an end-all-be-all. It's a mitigating factor (just like Windows Firewall and Windows Defender, and the various kernel enhancements that have been added from 2003-server until Win7), and you'll want as many mitigating factors as there is (within performance reasons, of course).

It's a pity that Microsoft hasn't been able to devise a better tool after all this time.
It's a pity 3rd party developers are ***hats who don't want to follow official programming guidelines - if they did, we wouldn't need administrative privileges (and thus an UAC popup) nearly as often.

As for the ActiveWords problem, that's a bit curious. But one added part of security is restricting how programs can interact with each other - there's all sorts of attacks you can do by messing with other applications, so you generally DON'T want a low-privilege application messing with a high-privilege one. Is DreamWeaver, by any chance, started with administrative privileges? Even if it isn't, try starting ActiveWords with administrative privileges.
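
The "maximum setting" and "turned off" states discussed in the post above are stored as three registry policy values. The PowerShell below is an added example, not part of the thread: it reads those values and names the level they produce. The value meanings are Microsoft's documented ones; the function names and the sample rows are constructed for illustration.

```powershell
# Added example (not from the thread): translate the UAC policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System into the
# level they represent. Changes to EnableLUA only take effect after a restart.

function Get-UacLevel {
    param(
        # Defaults below are the values assumed when a setting is absent.
        [int]$EnableLUA = 1,
        [int]$ConsentPromptBehaviorAdmin = 5,
        [int]$PromptOnSecureDesktop = 1
    )
    if ($EnableLUA -eq 0) {
        return 'Off: no filtered token, every program in an admin account runs with full rights'
    }
    $desktop = 'on the normal desktop'
    if ($PromptOnSecureDesktop -eq 1) { $desktop = 'on the secure (dimmed) desktop' }

    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify: elevation requests are granted without a prompt' }
        1 { return "Credential prompt for every elevation, $desktop" }
        2 { return "Always notify (maximum): consent prompt for every elevation, $desktop" }
        3 { return "Credential prompt for every elevation, $desktop" }
        4 { return "Consent prompt for every elevation, $desktop" }
        5 { return "Default: consent prompt for non-Windows programs only, $desktop" }
        default { return "Unrecognised ConsentPromptBehaviorAdmin value $ConsentPromptBehaviorAdmin" }
    }
}

function Get-LocalUacLevel {
    # Reads the live policy; values that are not set fall back to the defaults.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction Stop
    $values = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -ne $policy.$name) { $values[$name] = [int]$policy.$name }
    }
    Get-UacLevel @values
}

# Constructed sample rows: the four positions of the Windows 7 slider.
$sliderPositions = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($row in $sliderPositions) { Get-UacLevel @row }

# On a Windows machine, also report the setting actually in force.
if ($env:OS -eq 'Windows_NT') {
    "This machine: $(Get-LocalUacLevel)"
}
```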
Title: Re: How necessary is the UAC in Windows 7?
Post by: Ath on July 19, 2011, 03:31 PM
It's a pity that Microsoft hasn't been able to devise a better tool after all this time.
Correct, even when knowing that the 'doors with all the locks' that are now named and enforced by UAC and filesystem virtualization have basically been there ever since Windows NT 4.0 (and maybe even in 3.5, but that only had about 3 1/2 users or so) was released. Yes, that's quite some years before Windows 2000 or XP were here >:( And now we all suffer with all this idiocy of counter measures because MS never enforced the available security.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on July 19, 2011, 04:03 PM

It's a pity that Microsoft hasn't been able to devise a better tool after all this time.
It's a pity 3rd party developers are ***hats who don't want to follow official programming guidelines - if they did, we wouldn't need administrative privileges (and thus an UAC popup) nearly as often.

I'll 2nd that. Glad to see you back f0dder!

And now we all suffer with all this idiocy of counter measures because MS never enforced the available security.

It's not Microsoft's job to enforce security, that's up to the Admin. MS generated tons of documentation on how to properly set up Windows in a secure fashion ... Most folks were just too lazy to read it. Or whined constantly because it was too hard to use the Run as... command.


UAC is enabled for me. :) ...Because familiarity breeds contempt ... And just because I know a bunch of stuff, don't mean I know everything. It usually just means the scope and scale of the screw up when it happens is quite high.

Best to have a "net".

:)
Title: Re: How necessary is the UAC in Windows 7?
Post by: Eóin on July 19, 2011, 04:41 PM
I run UAC cranked up to max. Personally I don't find it obtrusive at all, try running a Mac or Linux and you'll get many many more prompts for a password, that makes the occasional yes/no box seem like a Godsend.

Sometimes it is annoying when you have to quit a program and restart because it needed to be launched as administrator for a particular thing, but more and more powertools are including a "Restart as Administrator" button somewhere.

Personally I say put it to max and leave it there. If you have a badly written app that needs Admin privileges always then select that checkbox in the shortcut compatibility tab. Sure you'll have to ok it every time it runs, but at least you won't ever forget it manually have to right click and say "Run as Administrator".
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on July 19, 2011, 04:58 PM
Personally I say put it to max and leave it there. If you have a badly written app that needs Admin privileges always then select that checkbox in the shortcut compatibility tab. Sure you'll have to ok it every time it runs, but at least you won't ever forget it manually have to right click and say "Run as Administrator".
:Thmbsup:
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 19, 2011, 06:23 PM
Personally I say put it to max and leave it there. If you have a badly written app that needs Admin privileges always then select that checkbox in the shortcut compatibility tab. Sure you'll have to ok it every time it runs, but at least you won't ever forget it manually have to right click and say "Run as Administrator".

I have no idea whether the apps I use such as Malwarebytes Anti-Malware Pro, Revo Uninstaller Pro,  Dreamweaver, Babylon Pro, Everything Search, and a bunch of others are badly written.  I know they work well and are highly regarded by people I respect.  Nonetheless, even though I have an administrator account,  I have to OK these programs every time I use them.  Indeed, even if I've OK'd them for one task, I have to OK them two minutes later to perform a second task.  I've been willing to do that in the interest of enhanced security (even though I almost never have security problems), but I'm NOT willing to turn off the UAC and reboot my computer every time I want to use Dreamweaver and ActiveWords together, and then turn UAC back on and reboot again.  I tried the suggestion to "run as administrator" (even though I have an administrator account), but that didn't help.  I've decided that continually resetting UAC and rebooting is simply not worth it.  I hope I'm right.  :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: Eóin on July 19, 2011, 08:26 PM
There's something odd going on it sounds like. If you run both Dreamweaver and ActiveWords as an Administrator, and ok both UAC prompts, then they should work just as they do when UAC is turned off altogether.

Rebooting everything would be crazy I agree with you, but there must be an easier solution without disabling UAC altogether.
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 19, 2011, 09:34 PM
There's something odd going on it sounds like. If you run both Dreamweaver and ActiveWords as an Administrator, and ok both UAC prompts, then they should work just as they do when UAC is turned off altogether.

Eóin, thanks VERY much for posting.  Something odd was going on.  I thought it was enough to click on the "run as administrator" option available from a right click either from the taskbar or from LaunchBar Commander (I tried both), but doing that didn't make the two programs work together.   Your message prompted me to try one more thing.  In the right-click Compatibility tab, I put a check mark in the "Run As Administrator" box in both programs.  That worked! Why that worked when the other similar approaches didn't, I don't know.  I'll add that to the 149,376 other things I still don't understand about my computer. :-[
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on July 20, 2011, 03:28 AM
"Everything" needs to run with admin privileges because of the way it indexes NTFS volumes.

There are a number of workarounds to get "Everything" (and any other app you want) to run without UAC prompts. The trick is to set up a scheduled task and then either invoke it at startup or login or create a shortcut to start the task as required.

The reason this works is that you can set scheduled tasks to run with admin settings without using UAC prompts.

Eóin is correct, there is something odd going on on your system - if you start an app with elevated privileges then any child processes should automatically get those privileges too. At least that seems to be the way it works on my system.
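
The scheduled-task workaround in the post above creates a standing way to start a program elevated without a prompt, so it is worth knowing which tasks on a machine are configured that way and whether ordinary users could alter the program each one starts. The PowerShell below is an added example, not part of the thread: the sample task XML and its path are constructed, the function names are hypothetical, and the live listing is best run from an elevated prompt so all task folders are readable.

```powershell
# Added example (not from the thread): list scheduled tasks set to
# "Run with highest privileges" and check whether the program they start
# can be modified by non-administrators.

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-WritableByUsers {
    param([string]$Path)
    $file = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return $null }
    # Ask for the ACL with SIDs so the check does not depend on localized names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -Path $file).GetAccessRules($true, $true, $sidType)
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($rule in $rules) {
        $canWrite = (([int]$rule.FileSystemRights) -band $writeBit) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
            ($BroadSids -contains $rule.IdentityReference.Value)) {
            return $true
        }
    }
    return $false
}

function Get-TaskElevationInfo {
    param([string]$TaskXml, [string]$TaskPath)
    $task = ([xml]$TaskXml).Task
    $levels = @($task.Principals.Principal | ForEach-Object { $_.RunLevel })
    $commands = @($task.Actions.Exec | ForEach-Object { $_.Command } | Where-Object { $_ })
    New-Object PSObject -Property @{
        Task            = $TaskPath
        Elevated        = ($levels -contains 'HighestAvailable')
        Commands        = $commands
        WritableByUsers = @($commands | Where-Object { Test-WritableByUsers $_ })
    }
}

function Get-TasksRecursive {
    param($Folder)
    foreach ($task in $Folder.GetTasks(1)) { $task }     # 1 = include hidden tasks
    foreach ($sub in $Folder.GetFolders(0)) { Get-TasksRecursive $sub }
}

# Constructed sample: a task of the kind described in the post above.
$sampleXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Everything\Everything.exe"</Command>
    </Exec>
  </Actions>
</Task>
'@
Get-TaskElevationInfo $sampleXml '\Sample\Everything (constructed)'

# Live listing through the Task Scheduler COM interface.
if ($env:OS -eq 'Windows_NT') {
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()
    Get-TasksRecursive $service.GetFolder('\') |
        ForEach-Object { Get-TaskElevationInfo $_.Xml $_.Path } |
        Where-Object { $_.Elevated } |
        Select-Object Task, Commands, WritableByUsers
}
```

Any entry with a non-empty WritableByUsers column deserves attention: the task starts that file with full rights and no prompt.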
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 07:22 AM
Thanks, Carol, for your message.  I can understand why Everything, Revo, and Malwarebytes need my OK, though why Dreamweaver and, especially, Babylon Pro need this isn't so clear to me.  But I'm willing to put up with the minor inconvenience of having to click on YES, even the multiple YESES for Malwarebytes.  Indeed, what surprises me is how many programs seem not to need UAC approval--ActiveWords, for example. 

Anyway, as you've probably seen from my previous message, I finally did succeed in getting ActiveWords and Dreamweaver to work together.  I have no idea why my earlier attempts to get them to Run as Administrator didn't work, but putting a check mark in the right place in the Compatibility tab seems to have done the trick.

Thanks for the suggestion about scheduled tasks.  My problem is that I rarely schedule tasks.  I much prefer to do them when it's convenient for me, and that's something I usually can't predict.  :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: justice on July 20, 2011, 07:26 AM
Any malware that changes your hosts file will be able to do so without you getting prompted if you turn off UAC. This file can only be edited as an administrator, and when changed could make it look like you are on a certain website (say paypal) while in reality you are using someone else's.

You could combine the prompts if you run both from another UAC'ed process (not sure if you can elevate a batch file)

Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 07:38 AM
Thanks, justice.  I think WinPatrol PLUS is set to warn me about attempts to change my HOSTS file and some critical System files, so even without UAC, I've got some protection.  However, as I've reported in an earlier message, I finally did get the two programs to run as administrator and work together. 

Thanks for the suggestion about running both prompts together, but I don't really object to OK'ing each one separately.  What made me turn off UAC was the need to re-set the UAC and reboot each time I wanted to use Dreamweaver and ActiveWords together.  Now that that's no longer a problem, I've got UAC back on.
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on July 20, 2011, 12:01 PM
cyberdiva: DreamWeaver shouldn't need to run with admin privs, it should only be necessary to run ActiveWords with those elevated privileges. IMHO it makes a lot of sense that only elevated programs should be able to try and control the other applications running on the system...
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 03:10 PM
Hey, thanks very much, f0dder, you're right!  After reading your message, I removed the "run as administrator" checkmark from Dreamweaver and then tried to see whether ActiveWords would still work with it.  It does.  I should add, however, that with or without the elevated status, Dreamweaver still gets challenged by UAC every time I start it. 
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on July 20, 2011, 03:48 PM
I'm not that familiar with Dreamweaver (tried it once and didn't like it), but it may be trying to get write access to a key in HKLM (which tends to grab UAC's attention). It might be worth a shot to give yourself permission to the Dreamweaver registry keys (HKLM/Software/[author]/Dreamweaver/...) to get UAC to hush when it loads.
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on July 20, 2011, 04:13 PM
I should add, however, that with or without the elevated status, Dreamweaver still gets challenged by UAC every time I start it.
Aaaah, there you've got your problem, then - DW have been running with administrative privileges all the time, which is why AW couldn't control it until you ran that with administrative privileges as well.

The thing to keep in mind is that UAC 'dumbs down' your administrative account pretty much to the level of a Limited User Account - so by default, applications don't have a lot of control.

Haven't used DW since version 2, but it was already fast becoming a monster back then. Dunno why it would require admin privs, can't think of a good reason for it, but as Stoic Joker says it could be (stupid) registry access, or it could be (stupid) attempts at accessing folders it really shouldn't be accessing :)
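
The situation described in the post above can be read straight off a process token: a program started normally from an administrator account carries a Medium integrity label with the Administrators group marked deny-only, while one approved through a UAC prompt carries a High label. The PowerShell below is an added example, not part of the thread: the two `whoami` outputs are constructed samples, the function names are hypothetical, the deny-only match assumes English-language output, and `Test-CanDriveInput` is a simplified model of the rule that a lower-integrity process cannot send input to a higher-integrity one.

```powershell
# Added example (not from the thread). Integrity-level SIDs are well-known values.
$IntegrityBySid = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'   # normal programs, even in an administrator account
    'S-1-16-12288' = 'High'     # programs approved through a UAC prompt
    'S-1-16-16384' = 'System'
}
$IntegrityRank = @{ Low = 1; Medium = 2; High = 3; System = 4 }

function Get-TokenSummary {
    # Input: the lines printed by `whoami /groups /fo csv /nh`.
    param([string[]]$WhoamiCsvLines)
    $groups = $WhoamiCsvLines | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $label = $groups |
        Where-Object { $_.Sid -and $IntegrityBySid.ContainsKey($_.Sid) } |
        Select-Object -First 1
    $admin = $groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' } | Select-Object -First 1
    $integrity = 'Unknown'
    if ($label) { $integrity = $IntegrityBySid[$label.Sid] }
    New-Object PSObject -Property @{
        Integrity          = $integrity
        InAdministrators   = [bool]$admin
        AdminGroupDenyOnly = [bool]($admin -and ($admin.Attributes -match 'deny only'))
    }
}

function Test-CanDriveInput {
    # Simplified model: the sender needs at least the target's integrity level.
    param(
        [ValidateSet('Low', 'Medium', 'High', 'System')][string]$Sender,
        [ValidateSet('Low', 'Medium', 'High', 'System')][string]$Target
    )
    $IntegrityRank[$Sender] -ge $IntegrityRank[$Target]
}

# Constructed sample: administrator account, UAC on, program started normally.
$normalStart = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'@

# Constructed sample: same account after clicking "Yes" on the UAC prompt.
$afterPrompt = @'
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'@

$activeWords = Get-TokenSummary ($normalStart -split "`r?`n")   # started without a prompt
$dreamweaver = Get-TokenSummary ($afterPrompt -split "`r?`n")   # prompts at every start

"ActiveWords: $($activeWords.Integrity), Administrators deny-only: $($activeWords.AdminGroupDenyOnly)"
"Dreamweaver: $($dreamweaver.Integrity), Administrators deny-only: $($dreamweaver.AdminGroupDenyOnly)"
"ActiveWords can type into Dreamweaver: $(Test-CanDriveInput $activeWords.Integrity $dreamweaver.Integrity)"
"Same check with ActiveWords elevated: $(Test-CanDriveInput 'High' $dreamweaver.Integrity)"

# On a Windows machine, summarise the token of the current PowerShell session.
if ($env:OS -eq 'Windows_NT') {
    Get-TokenSummary (whoami /groups /fo csv /nh)
}
```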
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 04:48 PM
Aaaah, there you've got your problem, then - DW have been running with administrative privileges all the time, which is why AW couldn't control it until you ran that with administrative privileges as well.

I'm not sure I follow you.  Why do you say that DW has been running with administrative privileges all the time?

Yes, I agree, DW is something of a monster, but it's the monster I know  :) .  It was bought for me at work some years ago, and I've used it ever since.  I suspect that if it were to go belly up, I wouldn't shell out the big bucks to replace it, but as long as it works, I'm happy with it.
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 04:59 PM
It might be worth a shot to give yourself permission to the Dreamweaver registry keys (HKLM/Software/[author]/Dreamweaver/...) to get UAC to hush when it loads.

Thanks, Stoic Joker, for this interesting suggestion.  However, I try to limit messing with the Registry to times when I really have to.  Since I've more or less gotten used to UAC's "do you want to use this?" stupidity, I'm probably best off leaving well enough alone.  But I do plan to bookmark your suggestion in case my patience starts to wear thin.  :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on July 20, 2011, 05:06 PM
Aaaah, there you've got your problem, then - DW have been running with administrative privileges all the time, which is why AW couldn't control it until you ran that with administrative privileges as well.
I'm not sure I follow you.  Why do you say that DW has been running with administrative privileges all the time?
As soon as you click "yes" on an UAC prompt, the application that's prompting is granted administrative privileges.
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 05:23 PM
As soon as you click "yes" on an UAC prompt, the application that's prompting is granted administrative privileges.

Ah, I see.  Thanks.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Shades on July 20, 2011, 05:39 PM
Another (long) shot to try is to virtualize the DW / AW combo on XP and use the result on Windows 7.

The Cameyo virtualization software gives you the option to lock this combo down after it is done virtualizing. By locking down, I mean that no access to registry or secured folders is allowed. Actually, DW still thinks it has access to the registry, but in reality it is constrained to its "sandbox".

Using the virtualized version in Windows 7 should not trigger UAC notifications anymore.

However I have to include this disclaimer:
Virtualizing multiple applications into one does not always work, so your mileage will vary.
 
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 06:24 PM
Thanks, Shades, for the suggestion.  However, at the moment I consider clicking on the UAC prompt a minor annoyance and thus not worth trying to circumvent via virtualization, Registry changes, or other efforts.  I'm really pleased to know that these possibilities exist, but I don't think I'll pursue them for something as minor as having to click on a UAC prompt.
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on July 20, 2011, 06:52 PM
Which DreamWeaver version are you using, by the way? Perhaps somebody else has figured out a way to get rid of UAC prompts from it :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 20, 2011, 07:27 PM
I'm using the version that was bought for me at work some years back, MX2004.
Title: Re: How necessary is the UAC in Windows 7?
Post by: justice on July 21, 2011, 03:33 AM
It will not be compatible with Windows 7 because that didn't exist at the time of making MX2004. Since then we've had Dreamweaver CS, Dreamweaver CS2, Dreamweaver CS3, Dreamweaver CS4, Dreamweaver CS5.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on July 21, 2011, 05:06 AM
Even Dreamweaver CS4 is not compat with Windows 7 64-bit (according to MS Win7 compat list) but it is with 32 bit. It doesn't mention earlier versions except DW 8 which is not compat with Windows 7 at all and that is newer than MX2004 which isn't even mentioned.

See http://www.microsoft.com/windows/compatibility/windows-7/en-us/default.aspx

Having said that I have CS 3 which seems to work on Windows 7 Pro 64-bit (though I haven't used it much).

According to Adobe the only products tested to work correctly in Windows 7 are the CS3-CS5 products. And even then there are some issues with CS3. See http://kb2.adobe.com/cps/508/cpsid_50853.html

Why not run an XP VM and run your Dreamweaver in there?
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on July 21, 2011, 08:41 AM
Why not run an XP VM and run your Dreamweaver in there?
-Carol Haynes (July 21, 2011, 05:06 AM)

Thanks for the suggestion, Carol, but I haven't found any serious problems running my version of Dreamweaver on Win 7 64-bit.  I expected to have problems with lots of programs, since I have some dating back to the 1990s.  But so far, I think the only thing I couldn't run was a program related to my Canon SD1000 camera that shows me what's on my camera's memory card and allows me to transfer the files I want to my hard drive.  But I can get all the information I need just by going to My Computer and looking at the listings for my camera's memory card.  So I don't see any compelling reason to install an XP VM.  I might add that I'd like to keep this computer as lean as possible (a challenge, since I'm a software nut  :) ).
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on July 21, 2011, 08:46 AM
It will not be compatible with Windows 7 because that didn't exist at the time of making MX2004. Since then we've had Dreamweaver CS, Dreamweaver CS2, Dreamweaver CS3, Dreamweaver CS4, Dreamweaver CS5.
A silly argument.

All it takes to be compatible with Win7 (and 64bit versions too) is pretty much sticking with application design guidelines that have been around since NT4. Sure, you won't be utilizing jumplists and libraries, but you'll be running without problems.
Title: Re: How necessary is the UAC in Windows 7?
Post by: 40hz on July 21, 2011, 10:18 AM
I don't see any compelling reason to install an XP VM.  I might add that I'd like to keep this computer as lean as possible (a challenge, since I'm a software nut  :) ).

Maybe not an XP VM just for Dreamweaver. But you might want to consider installing something like the more versatile VirtualBox if you're a software nut. Why settle for just one OS when you can have several? That would allow you to set up virtually any host environment you want to test any software that catches your fancy. And without running the risk of screwing up your machine. Just let the clock toll midnight, so to speak, and your snazzy VM turns back into a pumpkin. No harm done - no matter what.

Lots to like.  8)


Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on July 21, 2011, 11:26 AM
Why settle for just one OS when you can have several? That would allow you to set up virtually any host environment you want to test any software that catches your fancy. And without running the risk of screwing up your machine.

+111  :D


@f0dder - I saw that one coming (hehe). Here's one of my favorite examples: Jasc Image Commander written in 1996, running perfectly on Windows 7, without using any compatibility mode support.
Title: Re: How necessary is the UAC in Windows 7?
Post by: tomos on July 23, 2011, 02:04 PM
I've reread the thread and amn't fully clear about admin vs. user accounts.

The thing to keep in mind is that UAC 'dumbs down' your administrative account pretty much to the level of a Limited User Account - so by default, applications don't have a lot of control.

so is it okay securitywise to use UAC at highest setting with an admin account - or better to do it with a user account?

- newly installed Win7, all I need is one account, but if I make that one user, I presume I have to create an admin account as well (first).
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on July 23, 2011, 03:58 PM
UAC effectively turns admin accounts into user accounts but with automatic prompts to elevated security when required.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Deozaan on July 23, 2011, 04:11 PM
I guess you already figured this out, but I felt it could use repeating:

Just because your account is an administrator account doesn't mean every program you run is run with Administrator privileges.

For the problematic applications, you should still go into the compatibility settings and check the "Run this program as an Administrator" option. Then it will always give you a UAC prompt when it first runs, but shouldn't have any problems doing what it needs to do after that.

EDIT: I'm not sure how it took me ~15 minutes to write this tiny post, but Carol's post just above mine wasn't here before I wrote this. Naturally she said exactly what I was trying to say, but was more succinct. :Thmbsup:

EDIT2: Aha! I didn't notice that there were 2 pages to this thread. That explains why I didn't see Carol's post. :-[
Title: Re: How necessary is the UAC in Windows 7?
Post by: tomos on July 24, 2011, 02:27 PM
thanks Carol + Deo - I guess I'll stick with my admin account then, makes startup easier with just one account...

I guess you already figured this out, but I felt it could use repeating:

Just because your account is an administrator account doesn't mean every program you run is run with Administrator privileges.

For the problematic applications, you should still go into the compatibility settings and check the "Run this program as an Administrator" option. Then it will always give you a UAC prompt when it first runs, but shouldn't have any problems doing what it needs to do after that.

EDIT: I'm not sure how it took me ~15 minutes to write this tiny post, but Carol's post just above mine wasn't here before I wrote this. Naturally she said exactly what I was trying to say, but was more succinct. :Thmbsup:
my emphasis
I know what you mean (succinct I am not) but your longer version helped the implications sink in fully.


EDIT2: Aha! I didn't notice that there were 2 pages to this thread. That explains why I didn't see Carol's post. :-[

 . . . gotta find another excuse there Deo :p - you were answering my post [ I think :-[ ] which was already on page #2 :D
Title: Re: How necessary is the UAC in Windows 7?
Post by: Deozaan on July 24, 2011, 05:03 PM
EDIT2: Aha! I didn't notice that there were 2 pages to this thread. That explains why I didn't see Carol's post. :-[

 . . . gotta find another excuse there Deo :p - you were answering my post [ I think :-[ ] which was already on page #2 :D

Actually I was just providing the general info to Cyberdiva, who at the beginning (first page) of the thread didn't seem to understand why UAC would prompt her for admin privileges (or why it would be necessary to use the "Always run as Administrator" option) when she was already using an Administrator account.

But it looks like you also just happened to be wondering the same thing. :Thmbsup:
Title: Re: How necessary is the UAC in Windows 7?
Post by: tomos on July 25, 2011, 03:36 AM
EDIT2: Aha! I didn't notice that there were 2 pages to this thread. That explains why I didn't see Carol's post. :-[

 . . . gotta find another excuse there Deo :p - you were answering my post [ I think :-[ ] which was already on page #2 :D

Actually I was just providing the general info to Cyberdiva, who at the beginning (first page) of the thread didn't seem to understand why UAC would prompt her for admin privileges (or why it would be necessary to use the "Always run as Administrator" option) when she was already using an Administrator account.

But it looks like you also just happened to be wondering the same thing. :Thmbsup:

there I go for getting smart :D
Title: Re: How necessary is the UAC in Windows 7?
Post by: tomos on August 01, 2011, 03:36 PM
One of the things that really freaks me out using UAC is that the screen goes black before the dialogue box shows - the void seems to vary in length depending on the "extremity" of what you're trying to do.

If it's just a flash of a black screen it's fine - but when the screen just goes black and looks like it's going to stay that way, my blood (still) runs cold. I mean it's maybe only a second but still.... I could do with as little torture as possible at the moment, especially what with recovering from a sudden-pc-death and trying to adjust to a new OS.
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on August 01, 2011, 08:07 PM
You might try taking your UAC settings down a notch (to one up from the bottom).  As I understand it, you get notified just as often as with the setting above it, but your screen doesn't go black at all.
Title: Re: How necessary is the UAC in Windows 7?
Post by: f0dder on August 02, 2011, 03:44 PM
You might try taking your UAC settings down a notch (to one up from the bottom).  As I understand it, you get notified just as often as with the setting above it, but your screen doesn't go black at all.
Doing that renders UAC pretty much useless. And while the flicker-to-black is a bit annoying, it's a sign that UAC really is kicking in and you aren't being faked :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on August 02, 2011, 04:45 PM
Doing that renders UAC pretty much useless. And while the flicker-to-black is a bit annoying, it's a sign that UAC really is kicking in and you aren't being faked :)
F0dder, I think "pretty much useless" is an overstatement.  You get the same notifications that you'd get in the next highest setting, but without the screen going black.  Microsoft explains that because the UAC dialog box isn't on the secure desktop with the setting I suggested, "other programs might be able to interfere with the dialog's visual appearance.  This is a small security risk if you already have a malicious program running on your computer."  The risk is obviously more than with a higher setting, but I don't think I'd say that UAC is rendered "pretty much useless" with the lower setting.

I don't mind the screen going black, but tomos seemed to find it very unpleasant, and it apparently lasted longer on his computer than on mine.  If having the screen go black really bugs someone, they might well wind up turning UAC completely off.  That would render it useless.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on August 02, 2011, 05:06 PM
Microsoft explains that because the UAC dialog box isn't on the secure desktop with the setting I suggested, "other programs might be able to interfere with the dialog's visual appearance.


Um... If it's not on the secure desktop (e.g. isolated secondary session), it's not secure, period. Because under attack, when the bugg is trying to get in, it can simply respond to the prompt for you.

If everybody is on the same desktop (e.g. session), then whoever is quickest wins (and the software will be). It really is just that simple.

This is a small security risk if you already have a malicious program running on your computer."  The risk is obviously more than with a higher setting, but I don't think I'd say that UAC is rendered "pretty much useless" with the lower setting.

The question is can you keep it out when it comes-a-knocking. The answer - in that configuration - is no.
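
The slider positions argued over in the posts above correspond to three registry policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. The following PowerShell script is an added example, not part of the original thread: it maps those values back to a Windows 7 slider position, reports whether the consent prompt runs on the secure desktop, and shows whether the current process holds an elevated token. The function name `Get-UacSliderLevel` and the sample rows are constructed for illustration.

```powershell
# Added example: map UAC policy values to the Windows 7 slider positions.
# Get-UacSliderLevel is a hypothetical helper name; the sample rows are constructed.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacSliderLevel {
    param(
        [int]$EnableLUA,
        [int]$ConsentPromptBehaviorAdmin,
        [int]$PromptOnSecureDesktop
    )

    if ($EnableLUA -eq 0) {
        # Windows 7 sets this at the bottom slider position; a reboot is required.
        $level = 'UAC off (bottom)'
    }
    elseif ($ConsentPromptBehaviorAdmin -eq 0) {
        $level = 'Elevate without prompting'
    }
    elseif ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) {
        $level = 'Always notify (top)'
    }
    elseif ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) {
        $level = 'Default (one below top)'
    }
    elseif ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 0) {
        $level = 'Default, no dimming (one above bottom)'
    }
    else {
        $level = 'Custom policy (not a slider position)'
    }

    New-Object PSObject -Property @{
        Level         = $level
        # True only when the consent dialog is shown on the isolated secure desktop.
        SecureDesktop = ($EnableLUA -ne 0 -and $PromptOnSecureDesktop -eq 1)
        Prompts       = ($EnableLUA -ne 0 -and $ConsentPromptBehaviorAdmin -ne 0)
    } | Select-Object Level, SecureDesktop, Prompts
}

# Constructed sample inputs, one per slider position (top to bottom).
$samples = @(
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 },
    @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 0 },
    @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
)
foreach ($s in $samples) { Get-UacSliderLevel @s }

# Live check: runs only where the registry key exists (i.e. on Windows).
if (Test-Path $UacKey) {
    $p = Get-ItemProperty -Path $UacKey
    if ($null -eq $p.EnableLUA -or
        $null -eq $p.ConsentPromptBehaviorAdmin -or
        $null -eq $p.PromptOnSecureDesktop) {
        Write-Warning 'One or more UAC policy values are missing; not classifying.'
    }
    else {
        Get-UacSliderLevel -EnableLUA $p.EnableLUA `
            -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
            -PromptOnSecureDesktop $p.PromptOnSecureDesktop
    }

    # With UAC on, an administrator account still runs programs with a
    # filtered token, so this is False until the process is elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    "Current process elevated: $elevated"
}
```
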
Title: Re: How necessary is the UAC in Windows 7?
Post by: Lashiec on August 02, 2011, 05:12 PM
Doing that renders UAC pretty much useless. And while the flicker-to-black is a bit annoying, it's a sign that UAC really is kicking in and you aren't being faked :)

I wonder, is Windows 7's default UAC setting secure enough or is it still advisable to kick the slider up a notch?
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on August 02, 2011, 05:26 PM
Most secure is to leave the machine unplugged ...
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on August 02, 2011, 06:51 PM
The question is can you keep it out when it comes-a-knocking. The answer - in that configuration - is no.

I don't rely on UAC as my only defense.  I've got a firewall, AV software, and whatever firewall function the router has, along with Malwarebytes in real time, and WinPatrol Plus (which, among other things, keeps watch over my HOSTS and critical systems files).  And, of course, my own experience and common sense.  So yes, I guess I do feel that when it comes a-knocking, it's unlikely to get in the door.  (She says, crossing her fingers.  :) )
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on August 02, 2011, 10:29 PM
Real-time scanners & AV software only serve to slow the machine down (typically to a crawl). And in so doing can only catch what they (have signatures for) know about. Anything new that comes down the pike is a heuristics crap-shoot.

The only truly effective method (outside of common sense), is reduced permissions. Because the bugg will only have as much permission as you do. So if you don't have permission to break the machine... Neither. Does. The. Bugg.

You have an entire application running full time, grinding up CPU cycles, Just to monitor "System Files". System files that would be completely untouchable by a standard user account ... Which requires 0 CPU time.

The only "safe" trade-off for those that persist in doing day-to-day activities with administrative rights, is UAC. But it must be allowed to isolate itself from you, to be able to defend the machine effectively. Otherwise if you're both sharing the same desktop/session it ends up being the same ineffectively silly light speed foot race to the kill switch that you have with AV software. Bugg comes in, slits the AV's throat, and sets up shop. I see this cycle repeated again and again.

Lady brought a laptop in today; on it she had a veritable laundry list of security applications, UAC set to the max, and 3 root kits. She lacks the most important common sense layer of security and tends to click on whatever gets her to where she wants to be the quickest...Because she is "Protected". By Elfin Magic I guess... *Sigh* ...Must be where the term Sheeple came from. :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: tomos on August 03, 2011, 02:15 AM
Okay, UAC at top level it is.

This may be a very silly question, but it has to be asked :):
if I don't use a password (admin account) is it all a waste of time anyways?
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on August 03, 2011, 06:35 AM
This may be a very silly question, but it has to be asked :):
if I don't use a password (admin account) is it all a waste of time anyways?

Yes. But if you wish to avoid having to type in a password every time it boots, you can use the old control userpasswords2 trick to set it to auto-login with a default account.

Auto-Login to Windows 7 (http://channel9.msdn.com/Blogs/coolstuff/Tip-Auto-Login-Your-Windows-7-User-Account)

Just don't forget the password or you may get locked out if you lock the console with Win + L.
Title: Re: How necessary is the UAC in Windows 7?
Post by: tomos on August 03, 2011, 06:53 AM

Thanks SJ

I hate passwords :-[
Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on August 03, 2011, 07:40 AM
Thanks for your response, SJ.  I agree with you that common sense is vital.  I think that over the years it has been and continues to be my most effective weapon.

I haven't found that the security software I currently use "only serve to slow the machine down (typically to a crawl)."  Not at all.  My computer is delightfully fast and responsive.  And WinPatrol Plus is not on my machine "just to monitor System files."  I use it primarily for a variety of other functions; it happens to also offer the option of protecting the Internet HOSTS and key System files.  Again, I haven't noticed that selecting this option negatively affects the performance of my computer.

As for the UAC, which is how this thread started, once I found I could get ActiveWords to work with Dreamweaver without turning off UAC, I put UAC back on its default setting (one notch down from the top).  I'm content to leave it there.  My suggestion to tomos about dropping it down a notch was in response to his strong dislike of the blackened screen.  You've convinced me that that might be more risky than the Microsoft description led me to believe.  Many thanks.
Title: Re: How necessary is the UAC in Windows 7?
Post by: db90h on August 03, 2011, 06:23 PM
Not *useless* at lower level (non-secure session / black screen), but it is certainly also not secure. It is very helpful though to prevent accidental damage from user and application mishaps, which are nearly as dangerous as malware at times ;p. Also, you certainly can't assume malware has all been adapted to auto-respond to the dialog for you. So... a lot less secure.. not useless.

Of course, if you simply run in a Limited User account all the time anyway, then you're best off. That is really what people should be doing, from a security perspective. Windows 7 does pretty well at asking for an administrator to login (via password prompt and then using a 'runas') when required for installs or other operations that require such elevated rights.

I keep my wife running as a Limited user on her systems, she never has a problem. If something needs installed, it prompts for an administrator to login and run-as -- as I said. Works great. Most all Windows applications are designed to run in limited user contexts these days. Of course, 90% of people don't stray far from their simple web browser anyway, making this recommendation doubly warranted.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on August 03, 2011, 07:09 PM
I haven't found that the security software I currently use "only serve to slow the machine down (typically to a crawl)."  Not at all.  My computer is delightfully fast and responsive.  And WinPatrol Plus is not on my machine "just to monitor System files."  I use it primarily for a variety of other functions; it happens to also offer the option of protecting the Internet HOSTS and key System files.  Again, I haven't noticed that selecting this option negatively affects the performance of my computer.

Okay, I was being a bit harsh with the broad brush ... But I'm sure you've seen the type of baby-sitter security suite infested machine I was alluding to. I just wasted 6 hours onsite today because of a client's machine that was a few generations past its prime, that had a full suite of crippleware running at full blast on it. There is never a truly effective way of disabling these silly things ... So you're always stuck with it unless you're willing to eat the time to remove and reinstall it.

Fortunately for the client it was a contract job. Or the bill would have been close to the price of a decent new machine. I got home an hour late, and the job still ain't done. *Joy*...

 :D
Title: Re: How necessary is the UAC in Windows 7?
Post by: db90h on August 03, 2011, 07:29 PM
I have not read this whole thread, so forgive me if I am repeating things others have said, or am just simply talking more than I listen.

Security software eating system resources is a pet peeve of mine. The bitter irony is that most of the time it does NO GOOD anyway, else all these people wouldn't be getting infested with malware. Think about it -- has the malware problem been 'abated' in any way by all these security solutions? Nope.

The #1 mistake novices make is installing more than one security suite. That is a huge no-no. It does NOT make you doubly protected. It makes you doubly slow, and doubly prone to potential strange problems.

My recommendation to all users, novices and advanced, is to adopt Microsoft Security Essentials. Since I am the author of an EXE compressor that is sadly abused by malware authors at times (despite my best efforts), I keep in touch with the security companies to help them combat this problem by 'scanning inside' compressed EXEs. I have really liked what I've heard from the PM for Security Essentials at Microsoft. They are doing it right -- trying to avoid the *very problematic* issue of false positives, while keeping people protected and using *minimal* system resources. And you know if anyone can make sure things are done as efficiently as possible on Windows, it will be Microsoft.

Security Essentials is 100% free and has just a few options. The options it has are the *critical ones* though. You can disable real-time scanning (the biggest impact on system performance), or tune it down to a number of different levels. You can exclude specified paths or file types. Perfect. They know this is needed to keep systems running optimally. You need to tell it to scan the risky stuff (such as incoming downloads and attachments, or removable media) .. and leave the rest of the system alone. After all, while it is theoretically more secure to keep rescanning every darn file that is opened, it is a bit absurd. Tune it down to only scan the incoming files, and be careful -- and you're gonna be ok in most cases.

I do not want to 'pick favorites' since I also deal with other companies, so I must also mention that if you want more ADVANCED controls and need even more enhanced security, the other companies -- you know the names (list removed as I feared I'd leave somebody out) --are getting better and constantly improving their software. They are also aware that they need to 'speed things up' and have offered similar options to help users do that through more selective real-time scanning.

So, that's my recommendation on the security products part of this discussion... which seems wholly OT, but ....
Title: Re: How necessary is the UAC in Windows 7?
Post by: cranioscopical on August 03, 2011, 10:51 PM
which seems wholly OT, but ....
.... worth reading. Thanks for the input.
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on August 04, 2011, 05:44 AM
so forgive me if I am repeating things others have said,

That's OK - if it is worth saying it is probably worth SHOUTING more than once.

Actually I pretty much agree with you on security software and now I am mostly recommending to clients that they use Microsoft Security Essentials and Windows Firewall.

Given that most people don't really know what they are doing I just tell them to install and forget about it (leaving default settings).

For the most part this is at least as effective as the well known security brands.

I spend a fair amount of my week clearing out malware - almost invariably they have a big name security suite (or two or even three) installed and they simply don't protect people any more - at least not effectively enough to be worth the performance hit.

The only solution to this is common sense and education - neither of which are in abundance in the real world for the average user - esp. if they have kids using their computer too!
Title: Re: How necessary is the UAC in Windows 7?
Post by: 40hz on August 04, 2011, 08:57 AM
+1

For the non-tech users, I see more problems caused by security suites than I do by malware.

As Carol recommends, just install Microsoft Security Essentials, use Windows' built-in firewall, stay caught up with your system updates - and be done with it. That and a little common sense about what attachments you open and what software you install will more than suffice for 99.9% of all users. And it will do so without the headaches 3rd-party security suites can cause.

Time to stop the insanity.  

Take the money you save by not purchasing Norton or McAfee and buy yourself a nice little USB hard drive so you can finally start doing those backups you keep putting off.  8)

Title: Re: How necessary is the UAC in Windows 7?
Post by: cyberdiva on August 04, 2011, 10:05 AM
In large measure, I agree with what Carol and 40hz have recommended regarding Microsoft Security Essentials and the Windows firewall.  Indeed, that's what I currently have on my Win7 desktop and my Win7 netbook.  But I find myself worrying about the popularity of these programs, especially MSE.  If the overwhelming majority of people use the same anti-virus program, be it MSE or any other, doesn't that make it easier for the bad guys to develop malware specifically designed with that particular AV program in mind?  (Hmmm...perhaps I should change my username from cyberdiva to worrywort  :(  )
Title: Re: How necessary is the UAC in Windows 7?
Post by: Carol Haynes on August 04, 2011, 10:33 AM
Currently the vast majority of users seem to use either Norton or McAfee. There are other suites available but none of them seem to stop the ongoing problems with malware and never really will.

The whole area is plagued with two problems:

1) Just about all security suites are reactive solutions - these are fairly easily breached
2) Any heuristic solution seems to cause more problems than the threats for the general population.

For a long time now I have strongly recommended to clients that they remove third party firewalls. Why - because the majority of users can't manage them and if they are allowed to manage themselves they inevitably break connections (esp. file sharing). 99% of the time users I have seen with a third party firewall simply click Allow when prompted because they don't know the answer to the question being asked (or usually know what is being asked).

As for antivirus solutions virtually none of them seem to stop the most pervasive pests out there - in particular fake security applications (and that seems to apply cross platform - not just windows).

The lesson security conscious and savvy users have learned is that most security issues are caused by the user. No antivirus will stop you doing something stupid (such as manually disabling the antivirus while you install a virus ridden torrent download) or clicking on an infected webpage and then giving permission for malware to be installed.

To get back a little on track this also applies to UAC - for most users it is little more than an irritation - most people don't read the prompts and just click the 'who cares' button - at which point UAC works against the user's interest, not for it.

The only solution is education.

The whole response to security issues used currently strikes me as a similar response used by governments to problems - add a layer of bureaucracy that affects and irritates everyone and makes it more difficult to do anything.

As an aside - I used to work as an outdoor education instructor in the UK. All outdoor centres (and even lone instructors) working with under 18s have been obliged to be licensed in the UK following a tragedy where 4 young people lost their lives sea kayaking. The licensing scheme was hugely bureaucratic and very expensive to manage, requiring constant license renewals and physical inspection of licensed centres and activities. The fact that outdoor adventure activities had been incredibly safe for many years, with virtually 0% accident rate, didn't mitigate the government response - an accident occurred therefore ANYONE involved in providing this sort of service was walloped with the overheads required by a stupid scheme now estimated to cost £2.5m per year in the UK. Finally the current government has seen some sense and plans to repeal the legislation and introduce a simple code of conduct.

Seems to me this is similar to the way viruses etc. are dealt with currently and the repeal is long overdue. It is hard to imagine that companies such as Symantec and McAfee will lead the educational charge since they have a vested interest in maintaining the level of fear - and occasional infections are bound to keep that level raised!
Title: Re: How necessary is the UAC in Windows 7?
Post by: Stoic Joker on August 04, 2011, 11:19 AM
:greenclp: Well ya ain't gotta smack me with a fish :trout: I'll drink to that! :drinksmiley: :greenclp:

 :D
Title: Re: How necessary is the UAC in Windows 7?
Post by: superboyac on August 04, 2011, 11:47 AM
Very well said, Carol.  I often question how much I can get away without having any security things running constantly.  My computer sure runs faster without them.
Title: Re: How necessary is the UAC in Windows 7?
Post by: 40hz on August 04, 2011, 01:13 PM
But I find myself worrying about the popularity of these programs, especially MSE.  If the overwhelming majority of people use the same anti-virus program, be it MSE or any other, doesn't that make it easier for the bad guys to develop malware specifically designed with that particular AV program in mind?  (Hmmm...perhaps I should change my username from cyberdiva to worrywort  :(  )

It's a legitimate concern. However, it's relatively moot since, in practice, it's far easier and more productive to try to discover and exploit an unknown vulnerability in the underlying OS than it is to try to fox or disable an AV utility. And the malware writers know that.

Today, most systems are fairly secure by default. And with the addition of any decent AV package they're remarkably secure. Add in some common sense - plus a smart user - and they're virtually impregnable.

The weakest link in the lineup is the user. That's why so many documented "successful exploits" rely so heavily on "social engineering" - which is a fancy way of saying "tricking the user into doing something dumb."

Day Zero exploits are a whole 'nother issue. Fortunately, most of the really dangerous ones are spotted and dealt with long before they fully activate.

Keeping your system fully updated will protect you from "zero" exploits most times unless you're one of the unlucky early victims that sounded the warning cry to the rest of the pack. (Let's face it: we all knew that, sooner or later, the snakes were gonna get lucky and take out at least one meerkat - even if we didn't think it would end up being Flower.) Not much you can do about that except restore from backups if it happens to you. But again, it's a long shot you'll ever end up being in that category if you're doing everything else right security-wise.

Stuff happens. Best just do what you can do to avoid problems. After that, try not to worry about it too much. Sharing a glass of fine Merlot (or a microbrew) with friends who aren't always talking about computers helps too. Highly recommended, :)
Title: Re: How necessary is the UAC in Windows 7?
Post by: rowal5555 on October 11, 2011, 09:34 PM
Personal experience with UAC.

It drove me crazy in Vista so I turned it off, but recently I was doing a reinstall of Win 7 on daughter's laptop, and (my own fault) the flash drive I keep all my downloads on got infected without my realising it, before the AntiVirus had completed installing. When I put the flash drive back into the desktop, it immediately tried to infect that with continually changing .exe's.

UAC stopped it dead and I was able to track it down and kill it without damage.

So, I will continue to run UAC in Win 7 and Win 8 and put up with the nuisance value, knowing that it does work.

Cheers, Rob