UAC control, I don't understand the TechQuickie video

DavidGretzschel

 

So the video tells me that I shouldn't disable them, but I just don't understand why.

Uhm.... I wrote a YouTube comment, which gets at my confusion, but eh.... sorry for the tone.

[I'm posting here, because I didn't get a response there]

 

"I am sorry, but I do not think you explained why this feature should not be turned off, in any clarity.
I don't get any new information from the prompt. When I run an installer or start a program, I obviously trust it.
If "Intel Extreme Tuning Utility" demands an UAC prompt every time, I don't trust Intel any less, I trust Windows less.
How does the UAC prompt (which turns up for pretty much anything I install) protect me from anything? 
If I trust something I shouldn't, I would click "yes", anyway. The UAC prompt gives me zero useful information.

It is not actionable!
You're basically telling me that I should break into Intel HQ, head office, lockpick their drawer and look for the file "hidden evil master Xtreme Tuning masterplan", just in case.
Or maybe track down and interrogate every developer of software I install. But maybe you do, but I don't have that kind of time on my hands, I got work to do!
You tell me that "malware could run in the background completely undetected", but doesn't Windows know that I was the one who double-clicked something?
It seems that if something can run an installer by itself, my security is already compromised.

Especially as you just told me that software can be written without triggering any UAC prompt."


UAC doesn't let any software get high level access to your system unless you allow it

if it was useful give it a like :) btw if you're into linux pay a visit here

 


you shouldn't turn it off because if you get malware on your machine it can just wreck and destroy everything if UAC is off. if it's on it should prompt you before running and if you click no it can't wreck the system.

She/Her



 

1 hour ago, Ashley xD said:

you shouldn't turn it off because if you get malware on your machine it can just wreck and destroy everything if UAC is off. if it's on it should prompt you before running and if you click no it can't wreck the system.

But how could I possibly get malware on my system, if I didn't install it first?

If I think something isn't malware (but it actually is), I would also click the UAC prompt without hesitation.

So how is this not a waste of everyone's time?


2 hours ago, DavidGretzschel said:

But how could I possibly get malware on my system, if I didn't install it first?

If I think something isn't malware (but it actually is), I would also click the UAC prompt without hesitation.

Since Vista, no one is true Administrator. This is a model that is applied to all modern OS. In fact, Vista was HUGELY late to implement it. It was common for OSs even before Windows XP was released. 

 

UAC does 2 roles. Its main role is the last line of defense on your system. In other words, some of the things it provides are:

  • It prevents an application which you are trusting from taking an unexpected action on your system without you knowing. Yes, it has happened in the Windows XP days.
  • It prevents applications that get compromised through a security flaw from taking action on your system files. You may recall many security issues with Adobe Reader, Adobe Flash, Java, and even Office, as those are (or were in the case of Flash) widely used applications, making them a nice target. Any malware is now limited to the user account and can't affect the whole system, allowing the user to take action to remove it, and know about it. For example, image and video files with a virus included, which take advantage of a security flaw in a popular program used to view them, using it as a vehicle to make the application do what it wants on your system.
  • It creates a barrier between users within the same system. By forcing applications to no longer write stuff where they should not, like on shared locations between users, like where the program is installed, because the dev decides to be lazy and not do things properly, it creates privacy between users. One user cannot open, say, your picture viewer application of choice, or web browser, under their account, and see what files or websites you visited.
  • You get an e-mail from a family member with a picture to check out, and you open that attachment, not realizing that the picture file was really "so_funny.jpg.exe", and not realizing that the family member's e-mail was compromised or just fake (as you can actually put what you want in the "from" e-mail field, there is no verification process. I can send you an email with: security@fbi.com, if you want. The only thing stopping you is the e-mail client interface, but nothing stops you from making your own, and putting in what you want), and you double click on it. Bam, UAC prompt! And hopefully you go "Wait!... an image should not require admin privileges...." and deny it.

 

Malware is not "installed". You don't go to 'malware.com', download "setup_malware_pack11.exe", go through a setup process, and now have a series of malware on your system. Malware is typically injected into things. For example, and this is an example of UAC failure (and this applies to all OSs that don't force a universal location/store/repo to get programs from): ASUS Live Updater, pre-installed on all ASUS laptops, had its server compromised. Being an updater, it runs with elevated privileges all the time (it is a service), and so it delivered malware instead of software updates, compromising systems. You can read more about it here: https://securelist.com/operation-shadowhammer/89992/

This is where the store/repo model is (on paper) safe. You hope that the repo and store owners know their shit, know what security is, and ensure that their stuff is behind high security and that the means of delivery of updates or software are also safe. This has been working perfectly well, so far, for Apple, Google (Android with its Google Play Store), and Microsoft Store. Not to mention: Windows Update, Android manufacturers' update servers/systems, the iOS and MacOS/OSX update systems, and more. Now, stores do have flaws as well, which is how malware is delivered on phones, but that is more people installing "games" or "apps" that are disguised as such but are really malware. This can also technically happen in popular Linux repos. It is all about "fooling the system".

For example, Apple, who manually validates each application, approved an application which exploited the super fast fingerprint reader behind the screen. There was an app that "predicted your future" in some way, asking users to place a finger/thumb at a certain location on the screen, and when they did, the application triggered a Store API call to charge the customer $200 US on their credit card, which was approved as their finger was on the fingerprint reader. Apple fixed that by now requiring the user to lift the finger/thumb from the screen before starting the scan process for purchase approval. The app was of course removed, but the damage was done.

In Google's case, as the process for validating apps is automated, it is a game for malware makers to fool the automated system. There are many cases where this has happened. Luckily, the impact, while affecting hundreds or thousands of people, is a small percentage compared to the whole user base, and most don't install some random game from an unknown developer (and usually the game or app picture presented just sucks, making it unappealing, despite the fake reviews).

 

Quote

So how is this not a waste of everyone's time?

Oh boy, please don't use Linux then... now you'll know what waste of time is. :)

But to answer your question, 98%+ (make that 99.99% for the majority of users), you should not be prompted for elevation. You should not have it on a daily basis. Only if you update, install or remove a program (unless you get it through the Store, or the program is installed at a user level), and maybe some system changes here and there to set up your environment to your liking (and even then), but that is about it. These are not typically daily activities.


3 hours ago, DavidGretzschel said:

But how could I possibly get malware on my system, if I didn't install it first?

plug in a random usb drive, browse the wrong sites, accidentally open a malicious email, etc etc etc

She/Her


1 hour ago, GoodBytes said:

But to answer your question, 98%+ (make that 99.99% for the majority of users), you should not be prompted for elevation. You should not have it on a daily basis. Only if you update, install or remove a program (unless you get it through the Store, or the program is installed at a user level), and maybe some system changes here and there to set up your environment to your liking (and even then), but that is about it. These are not typically daily activities.

you're wrong. if you open MSI afterburner for example, which i do almost daily if i had UAC on i'd get prompted. i have it off because i find it annoying and i do regular virus checks and i don't plug in random drives etc in my computer, like i accept that risk. but there are certain things i do like re-imaging flash drives, Afterburner, etc that i'd get prompted for daily if i had UAC on. 

She/Her


47 minutes ago, Ashley xD said:

you're wrong. if you open MSI afterburner for example, which i do almost daily if i had UAC on i'd get prompted. i have it off because i find it annoying and i do regular virus checks and i don't plug in random drives etc in my computer, like i accept that risk. but there are certain things i do like re-imaging flash drives, Afterburner, etc that i'd get prompted for daily if i had UAC on. 

The problem is with MSI Afterburner. The OC software should be split into two parts: A service which will handle the OC, and the GUI which communicates with the service.

 

The problem is that MSI Afterburner and EVGA Precision (same) are weird software. While this may be no longer completely true as they have added specific features for their own line of GPUs, they are essentially the same software under the skin they sport. Their foundation is a skin on top of another overclocking software made by some guy who started it ages ago (the name escapes me), which was just a GUI interface over the Nvidia GPU API called NvAPI. NvAPI is the one that actually does the OC and fan control and all that (https://developer.nvidia.com/nvapi - This is the public version, which is limited in features and abilities; there is a private/registered dev version, but it requires an approval process.) So it is a sandwich layer application, based off some age-old application. Both companies are probably paying him (or used to) for feature requests. The original software they are both based on was from pre-Vista days. So the author didn't do things the correct way (mentioned above), and opted for laziness (probably never thought it would take off, and was just having some fun), and that was never fixed since.

 

What you can do, however, as a workaround (which I am surprised that MSI didn't at least do with their setup process), is simply register it as a Task Scheduler task. In there you can set the program to launch silently (in the back) if you want to (or not, up to you), at startup, and run with elevated credentials. This should fix the UAC issue you are having. Typically, programs use " /s " as an argument/parameter to tell them to run minimized or in the system tray.


40 minutes ago, GoodBytes said:

What you can do, however, as a workaround (which I am surprised that MSI didn't at least do with their setup process), is simply register it as a Task Scheduler task. In there you can set the program to launch silently (in the back) if you want to (or not, up to you), at startup, and run with elevated credentials. This should fix the UAC issue you are having. Typically, programs use " /s " as an argument/parameter to tell them to run minimized or in the system tray.

i don't want it to run on startup so.. 

She/Her


2 hours ago, Ashley xD said:

i don't want it to run on startup so.. 

Why not? You don't have to overclock your GPU at startup. You can keyboard map to profiles.

Profile 1 - No OC

Profile 2 - Your OC

Then, for example, you can set, I don't know, Ctrl+Shift+1 for Profile 1, and Ctrl+Shift+2 for Profile 2.

 

If that doesn't fit your needs, then complain to MSI. Tell them that Vista was released back at the end of 2006. It has been 14 years, it's time to fix their shit.

 

[edit]

I just checked, if you pick "Start with Windows" in the options of MSI Afterburner, it creates the task scheduler entry mentioned for you.


I agree,  the UAC prompt is ultimately rather useless - I install a lot of unsigned code and it never prompts anything - like wouldn't that be exactly where it *should* pop up, uhh...?

 

That said it doesn't bother me, it's part of my daily routine... > MSI command center > no UAC prompt > deny update > set fan curve (why it refuses to apply the fancurves automatically at startup is beyond me but that's MSI for you I guess),  MSI Afterburner (which by the way is only MSI software by name, otherwise they have nothing to do with it - common knowledge I would think) > UAC opens > yes > apply OC > close > open Steam > my PC is ready to go,  yay! How convenient thanks to the ultra modern OS that is windows 10 lmao. 

 

So no, it doesn't bother me personally, and you shouldn't turn it off because as has already been pointed out it can stop malicious code from being executed and that even if far from 100% is surely worth clicking the dreaded "yes" once in a while.

 

PS: I'm pretty sure you can turn it off for specific programs, but not 100% sure (should be right click > properties > run as administrator / or something like that)

 

 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


5 minutes ago, Mark Kaine said:

I agree,  the UAC prompt is ultimately rather useless - I install a lot of unsigned code and it never prompts anything - like wouldn't that be exactly where it *should* pop up, uhh...?

It has nothing to do with unsigned code. You are confusing it with SmartScreen, which only opens in select cases, like getting an executable from the web where you didn't previously allow it.

 

UAC is only for requiring system file access.

If you are coming from Linux or Mac, it is like doing sudo and then typing your password for each command-line command in your terminal.

 

5 minutes ago, Mark Kaine said:

PS: I'm pretty sure you can turn it off for specific programs, but not 100% sure (should be right click > properties > run as administrator / or something like that)

Nope. It is a global setting.


8 minutes ago, GoodBytes said:

It has nothing to do with unsigned code. You are confusing with SmartScreen, which only opens on select cases, like getting an executable from the web where you didn't previously allow it.

Ah, I see, thanks for the clarification, though it's weird, I don't get SmartScreen prompts for these kinds of programs either most of the time. Also sometimes the UAC asks you on install then never again, and other times it does every time you open a specific program (like Afterburner for example) so it's just a mess in my eyes and I understand why many people turn it off, but just like SmartScreen I'd definitely advise against turning it off as it can catch stuff someone maybe unconsciously tries to install, etc.

8 minutes ago, GoodBytes said:

Nope. It is a global setting

Damn. 


19 minutes ago, Mark Kaine said:

 Also sometimes the UAC asks you on install then never again,

That is exactly what you want. You are installing a program to the system, which typically installs it for all users on the system. So it puts it in (by default and typically) "Program Files" or "Program Files (x86)", which are 2 locations, shared by all users, designated for programs, that require elevated credentials to put stuff in, so that programs without elevated credentials can't modify files behind your back. The setup program can sometimes install additional system level files it requires for the program to operate correctly, so it may write things in other directories.

 

You may notice that when you install a program from the Store, that UAC prompt is not presented. This is because the program is installed at a user level. If you install a program, switch to another account, it won't be there. You'll need to install it there as well (or add your account to that account in the Store account list, to download for free any purchased apps, so that you don't need to buy it again). Store apps are also put into a sandbox environment as a protection system, to prevent cross app modification, hence why games acquired from the Store can't be modded unless the game specifically allows it (UAC can't help you there either). As for program that needs files on system files, well... this is a limitation of the Store currently, this is why you don't have Office or Visual Studio for example in the Store.

 

Once the program is installed, then the program doesn't need elevated credentials to run, as there is no system level task that it needs to do.

 

Quote

and other times it does every time you open a specific program (like Afterburner for example) so it's just a mess in my eyes and I understand why many people turn it off,  but just like smart screen I'd definitely advise against it as it can catch stuff someone maybe unconsciously tries to install.

Damn. 

Yup. This is because the program was poorly designed. It is fine for system tweak tools, as typically, the user runs it once or twice to set things up to their liking and never touches it again. From the dev perspective, it is not worth the extra work needed. But programs that you use often that need elevated credentials should either register themselves to run with highest privileges under Task Scheduler, or ideally, have a service (which once installed, always runs as admin), and have the program interact with it. You can technically do it via a driver, which is what anti-cheat systems in games do, but that opens a huge can of security issues to deal with, which is why it requires massive trust by the user, and experience has been very negative due to poor past implementations (for example, causing BSODs, even outside of the game, as the driver always runs, due to the driver crashing). Which is why many people are against anti-cheat systems. You are essentially giving permission to a program (driver) that has total view of your system. Anything you do, you type, including passwords, can be tracked.

 

So yea, going with a service approach is easier. Or, as mentioned, make it a start up program via Task Scheduler, which MSI Afterburner does if you enable "Startup with Windows" option.  Just make it not OC at startup (if you don't want that). And open it up and pick your profile when you want to OC, or setup a keyboard shortcut for switching profiles. 
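
Added example, not written by anyone in this thread: the Task Scheduler approach described above produces tasks that start elevated with no UAC prompt, so it is worth knowing which ones exist on a machine and whether their executables live in the admin-only directories the post mentions. This read-only PowerShell script assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later); the function name and output column names are made up for the example.

```powershell
# Audit scheduled tasks that run with "highest privileges" (no UAC prompt).
# Read-only. Run from an elevated console so that all tasks are visible.

# Directories a non-elevated process cannot write to by default.
$protectedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExecutableLocation {
    # Hypothetical helper: classify where a task's executable lives.
    param([string]$Path)

    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        return 'NoFullPath'          # e.g. "cmd.exe", found via search path
    }
    foreach ($root in $protectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return 'Protected'       # under Program Files or the Windows dir
        }
    }
    return 'OutsideProtected'        # e.g. a user profile or a data drive
}

$findings = foreach ($task in Get-ScheduledTask) {
    # Keep only tasks registered to run elevated.
    if ($task.Principal.RunLevel -ne 'Highest') { continue }

    foreach ($action in $task.Actions) {
        # Only "start a program" actions carry an Execute property.
        if (-not $action.Execute) { continue }

        # Expand %VARS% and strip surrounding quotes before classifying.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

        [pscustomobject]@{
            Location   = Get-ExecutableLocation $exe
            Task       = $task.TaskPath + $task.TaskName
            RunAs      = $task.Principal.UserId
            Executable = $exe
        }
    }
}

# Entries outside the protected directories sort to the bottom of each group.
$findings | Sort-Object Location, Task | Format-Table -AutoSize -Wrap
```

Rows marked `OutsideProtected` deserve a closer look: if a non-elevated process can modify that file, the task will later run the modified file elevated, without any prompt.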


 

@GoodBytes

Thank you for the response. Lots of text. Trying to make sense out of it.

 

I quite often install (or uninstall, which is also an UAC prompt) software.

Most of that software isn't from the Microsoft Store. I periodically forget that the store even exists.

On average I probably get an UAC prompt every day.

Cause e.g. Intel Extreme Tuning Utility asks me every time.

Occasionally I'll also run a console in Administrator mode.

Pressing alt+y has been muscle memory for a long time.

 

"it prevents an action that I'm trusting from taking an unexpected action"

How so? It never tells me, what any program does. Sometimes an app needs me to click "yes" for the UAC prompt.

Cause the Microsoft gods, have deemed this so. Naturally, I will click yes. So there's no defense.

"flawed Adobe crap"

I have lots of Adobe stuff installed. But if they give me an UAC prompt, I'll also click yes.
I'm in no position to make some kind of Adobe security audit, to check if Photoshop or whatever is somehow compromised.

"barrier between users"

I don't share my computer.

"compromised emails"

I wouldn't click a "funny picture.jpg.exe".

 

Also if my Lenovo software wants an update, I'd have no way of telling, if there's malware injected.

(Also of course, it's spying on me, it's Chinese! If I gave a damn, I wouldn't have bought Lenovo.)

 

So.... does that mean, I can disable UAC?

I'm just very easily annoyed by things like that.

I hate answering stupid questions, filling out forms or digging holes and filling them back up again.

 

If I somehow manage to get Ransomware installed, I'd just restore the system from an automated backup.
