"What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was an administrator"

[Jimmy Brush]

Hello,

I've noticed that a lot of the questions in these newsgroups are either
directly or indirectly related to UAC (User Account Control). In this post,
I will go over what UAC does, how it works, the reasoning behind it, how to
use your computer with UAC on, why you shouldn't turn UAC off, and answer
some common questions and respond to common complaints about it.


* What is UAC and what does it do?

UAC mode (also known as Admin Approval Mode) is a mode of operation that
(primarily) affects the way administrator accounts work.

When UAC is turned on (which it is by default), you must explicitly give
permission to any program that wants to use "administrator" powers. Any
program that tries to use admin powers without your permission will be
denied access.


* How does UAC work

When UAC mode is enabled, every program that you run will be given only
"standard user" access to the system, even when you are logged in as an
administrator. There are only 2 ways that a program can be "elevated" to get
full admin access to the system:

- If it automatically asks you for permission when it starts up, and you
click Continue
- If you start the program with permission by right-clicking it, then
clicking Run As Administrator

A program either starts with STANDARD rights or, if you give permission,
ADMINISTRATOR rights, and once the program is running it cannot change from
one to the other.

If a program that you have already started with admin powers starts another
program, that program will automatically be given admin powers without
needing your permission. For example, if you start Windows Explorer as
administrator, and then double-click on a text file, notepad will open and
display the contents of the text file. Since notepad was opened from the
admin explorer window, notepad WILL ALSO automatically run WITH admin
powers, and will not ask for permission.


* What's the point of UAC?

UAC is designed to put control of your computer back into your hands,
instead of at the mercy of the programs running on your computer.

When logged in as an administrator in Windows XP, any program that could
somehow get itself started could take control of the entire computer without
you even knowing about it.

With UAC turned on, you must know about and authorize a program in order for
it to gain admin access to the system, REGARDLESS of how the program got
there or how it is started.

This is important to all levels of users - from home users to enterprise
administrators. Being alerted when any program tries to use admin powers and
being able to unilaterally disallow a program from having such power is a
VERY powerful ability. No longer is the security of the system tantamount to
"crossing one's fingers and hoping for the best" - YOU now control your
system.


* How do I effectively use my computer with UAC turned on?

It's easy. Just keep in mind that programs don't have admin access to your
computer unless you give them permission. Microsoft programs that come with
Windows Vista that need admin access will always ask for admin permissions
when you start them. However, most other programs will not.

This will change after Windows Vista is released - all Windows Vista-era
programs that need admin power will always ask you for it. Until then, you
will need to run programs that need administrative powers that were not
designed for Windows Vista "as administrator".

Command-line programs do not automatically ask for permission. Not even the
built-in ones. You will need to run the command prompt "as administrator" in
order to run administrative command-line utilities.

Working with files and folders from Windows Explorer can be a real pain when
you are not working with your own files. When you are needing to work with
system files, files that you didn't create, or files from another operating
system, run Windows Explorer "as administrator". In the same vein, ANY
program that you run that needs access to system files or files that you
didn't create will need to be ran "as administrator".

If you are going to be working with the control panel for a long time,
running control.exe "as administrator" will make things less painful - you
will only be asked for permission once, instead of every time you try to
change a system-wide setting.

In short:

- Run command prompt as admin when you need to run admin utilities
- Run setup programs as admin
- Run programs not designed for Vista as admin if (and only if) they need
admin access
- Run Windows Explorer as admin when you need access to files that aren't
yours or system files
- Run programs that need access to files that aren't yours or system files
as admin
- Run control.exe as admin when changing many settings in the control panel


* UAC is annoying, I want to turn it off

Having to go through an extra step (clicking Continue) when opening
administrative programs is annoying. And it is also very frustrating to run
a program that needs admin power but doesn't automatically ask you for it
(you have to right-click these programs and click Run As Administrator for
them to run correctly).

But, keep in mind that these small inconveniences are insignificant when
weighed against the benefit: NO PROGRAM can get full access to your system
without you being informed. The first time the permission dialog pops up and
it is from some program that you know nothing about or that you do not want
to have access to your system, you will be very glad that the Cancel button
was available to you.


* Answers to common questions and responses to common criticism

Q: I have anti-virus, a firewall, a spyware-detector, or something similar.
Why do I need UAC?

A: Detectors can only see known threats. And of all the known threats in
existence, they only detect the most common of those threats. With UAC
turned on, *you* control what programs have access to your computer - you
can stop ALL threats. Detectors are nice, but they're not enough. How many
people do you know that have detectors of all kinds and yet are still
infested with programs that they don't want on their computer? Everyone that
I have ever helped falls into this category.


Q: Does UAC replace anti-virus, a firewall, a spyware-detector, or similar
programs?

A: No. Microsoft recommends that you use a virus scanner and/or other types
of security software. These types of programs compliment UAC: They will get
rid of known threats for you. UAC will allow you to stop unknown threats, as
well as prevent any program that you do not trust from gaining access to
your computer.


Q: I am a system administrator - I have no use for UAC.

A: Really? You don't NEED to know when a program on your computer runs with
admin powers? You are a system administrator and you really could care less
when a program runs that has full control of your system, and possibly your
entire domain? You're joking, right?


Q: UAC keeps me from accessing files and folders

A: No, it doesn't - UAC protects you from programs that would try to delete
or modify system files and folders without your knowledge. If you want a
program to have full access to the files on your computer, you will need to
run it as admin. Or as an alternative, if possible, put the files it needs
access to in a place that all programs have access to - such as your
documents folder, or any folder under your user folder.


Q: UAC stops programs from working correctly

A: If a program needs admin power and it doesn't ask you for permission when
it starts, you have to give it admin powers by right-clicking it and
clicking Run As Administrator. Programs should work like they did in XP when
you use Run As Administrator. If they don't, then this is a bug.


Q: UAC keeps me from doing things that I could do in XP

A: This is not the case. Just remember that programs that do not ask for
permission when they start do not get admin access to your computer. If you
are using a tool that needs admin access, right-click it and click Run As
Administrator. It should work exactly as it did in XP. If it does not, then
this is a bug.


Q: UAC is Microsoft's way of controlling my computer and preventing me from
using it!

A: This is 100% UNTRUE. UAC puts control of your computer IN YOUR HANDS by
allowing you to prevent unwanted programs from accessing your computer.
*Everything* that you can do with UAC turned off, you can do with it turned
on. If this is not the case, then that is a bug.


Q: I don't need Windows to hold my freaking hand! I *know* what I've got on
my computer, and I *know* when programs run! I am logged on as an
ADMINISTRATOR for a dang reason!

A: I accept the way that you think, and can see the logic, but I don't agree
with this idea. UAC is putting POWER in your hands by letting you CONTROL
what runs on your system. But you want to give up this control and allow all
programs to run willy-nilly. Look, if you want to do this go right ahead,
you can turn UAC off and things will return to how they worked in XP. But,
don't be surprised when either 1) You run something by mistake that messes
up your computer and/or domain, or 2) A program somehow gets on your
computer that you know nothing about that takes over your computer and/or
domain, and UAC would have allowed you to have stopped it.


- JB
Vista Support FAQ

[Kerry Brown]

Very well said. Do you mind if I put this on my web site? Or better yet
could you put it on your site and I'll link to it?

I find UAC not very intrusive at all if you run as a standard user using
"Run as administrator" when needed. There should rarely be a need to
actually logon as an administrator. I can't remember the last time I logged
on as root on my Linux system. Likewise I rarely logon as an administrator
in my SBS domain. A properly setup and secured OS should rarely need someone
logged on with system level access.

[Jimmy Brush]

Unfortunately, this is a problem that has no simple resolution. :(

There is no way for you to allow certain programs to always run as
administrator, because Microsoft doesn't want software to be able to mimic
this behavior and be able to set programs to always run as administrator
without you knowing about it.

For right now, this is a situation where you will have to either live with
this behavior, or turn UAC off, until the software manufacturer updates
their program to be vista-compatible.

The correct way of doing this from a programming perspective is to install a
service that does the administrative tasks and then have the startup program
talk to the service when it wants to do a restricted task. This is
essentially how virus scanners and the like work.

[Jimmy Brush]

I will be putting this on my website shortly, I will post the address when I
do.

Anybody is welcome to copy and publish this post ... the more people that
know, the better :)

[Jimmy Brush]

Pretty simple:

If you were doing something that involves changing files and settings on
your computer or having full access to your computer and you get a prompt,
click Allow. Examples: Changing system settings in the control panel and
changing what programs start when your computer starts.

If you are trying to run a program that isn't working quite right that needs
access to your computer, but it doesn't ask you for permission, and you
trust it to have full access to your computer, right-click it and click run
as administrator.

If you are NOT doing administrative tasks (for example, you are browsing the
internet, reading e-mail, or writing a document) and a screen pops up asking
you for permission, CLICK CANCEL. You KNOW you weren't doing anything
special - and that you weren't starting a program - so don't give anything
permission to run.

You just have to be aware of what's going on - if you know you are working
with your computer, you should expect the prompts. Most of them should say
"Microsoft Windows" as the publisher - this means that the application was
made by microsoft.

If you see a prompt with an orange or red bar at the top, and Windows tells
you that the application publisher can't be verified, CLICK CANCEL unless
you are *absolutely sure* you know what that program is.

But, Windows is not making any policy decision. UAC has nothing to do with
deciding what should run on the system.

All it is doing is enforcing what you are doing. If you are starting a
program that is requesting admin access, you are expected to click continue
:). The only time there is a bit of "warning guidance" is when the program
being launched is unsigned, in which case the OS cannot guarantee that the
program that you are lauching hasn't been replaced by some malware when it
gets executed.

UAC is protecting you when either a program would launch that you did not
start, and you click cancel, or you notice a different looking prompt for a
program that you expected to prompt (a normal signed prompt vs. an unsigned
prompt, for example), and you click cancel.

This certainly does not stop you from running malware, it just stops stuff
from running that you did not start. UAC allows other really cool things to
work, like programs isolated into seperate privilege levels on your desktop,
and it also works in conjunction with other more traditional security
products to create multiple levels of security.

And for what it's worth, I could care less if others do as I do ... I would
just like people to really understand what UAC is doing before they decide
to turn it off :).

[mayayana]

Those are decisions made by Windows without
my approval. I clicked an icon. That tells Windows
"run this program". I didn't ask it to ask me for
confirmation ... I don't want to hear about Microsoft's
"digital signature" scam ... I don't want to be reminded
that my crash helmet chin strap should be tightened
before proceeding ... I just want to run the darn
software! I'll worry about the malware, Thank-You-Very-Much.

If Microsoft wants to help prevent malware infections,
they could create one nag that would actually help:

Put a big red button on
Internet Explorer. Clicking the button would show a message
that says, "You are about to enable scripting. Are you sure
you want to do that? You should only enable scripting
when absolutely necessary." Then, even if scripting is
enabled, it will be disabled at the next website.

And of course, the setting to disable that nag will
be hidden somewhere like:

HKLM\Software\Microsoft\Internet Options_
IExplorer\JScriptWarningOptions\Security_
ToolBarButton\DisableJSCriptWarningToolbarButton

Then setting the value DisableJSCriptWarningToolbarButton
to the DWORD avalue of 16439 will return control of
browser scripting to the user. :)

[Jimmy Brush]

This is a common misconception people have :).

I think this is the main reason people have a hard time grasping UAC, is
because they believe this to be true, and at first glance it does seem like
this would be something obvious the computer should be able to do without
any problems.

Unfortunately, it isn't ... Windows does not know that you are the one
starting a program even if you double-click on it in explorer. That is
exactly why UAC prompts you, to ascertain this.

If this could be done without a prompt, it would be very cool indeed, and
then the only prompt that would be needed would be the case where the
program is unsigned.

However, this is a much bigger technical problem than it appears at first
glance.

[Bob]

Exactly...and we both know it's best to have at least two anti-spyware
programs in addition to an AV program.

" Windows Defender can only stop 'known' malware. It checks a database that
is updated often when a new threat is discovered. Defender is not an
anti-virus program.
Neither Defender nor UAC are designed to replace a good anti-virus program."

[Steve Thackery]

Here is what you should do. You should contact the vendor and get an
updated version of the program, because it is INCORRECTLY WRITTEN.

It breaks the XP programming guidelines. Yes, I said the *XP* guidelines,
which were published years ago.

XP was lax and let such programs run anyway. Vista polices those guidelines
much more rigidly, for security reasons.

If you insist on turning off UAC, simply type 'vista turn off uac' into
Google! I've done it for you -

[Richard]

I need to boot directly from hibernate or sleep into a running program,
without the USERNAME icon appearing and requiring a keystroke from me. I
have my computer set to automatically wake up at 9AM and start trading stocks
on an automated protram basis. Please Help or direct me to remove that Icon
from appearing.

[Camper]

You also need to learn to trim a post before hitting the send button.

Camper


"Richard" <Richard@discussions.microsoft.com> wrote in message
news:252884B6-2D45-4D52-A7DA-64301F89BFA4@microsoft.com...
>I need to boot directly from hibernate or sleep into a running program,
> without the USERNAME icon appearing and requiring a keystroke from me. I
> have my computer set to automatically wake up at 9AM and start trading
> stocks
> on an automated protram basis. Please Help or direct me to remove that
> Icon
> from appearing.
>