Is there any way to get it to stop asking me if I want to allow a
program to make changes?
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
On 3/27/2024 8:20 PM, John C. wrote:
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
We call this the Windows 98 problem.
Microsoft have broken enough of the features, it's
just not worth addressing your question any more,
with a certain suite of solutions. Nothing works as it once did.
Click the UAC button and move on.
*******
It's ridiculous to run permanently at Administrator level.
Even in trivial cases (badly written code, bad selection
of parameters), you could have a disaster on your hands.
You could be stamping files with Administrator ownership.
You could erase both John and Marys files on a shared
computer.
To do this, run inverted:
*******
net user administrator /active:yes # The "real administrator" is nothing special.
# The account is normally left disabled.
# As "Elevated John", you can turn it on.
# Issue the command from an Administrator Group terminal or command prompt.
net user administrator * # Set a password. A real password, not 12345.
net user username # this shows the details of some account
whoami /user /priv # This allows you to *compare* accounts and see exactly
# how much different they are. Most of the time, "Elevated John"
# has the same privs as "Real Administrator" (so-called).
# But running as "real administrator", any malware you run,
# will have a field day.
*******
To profitable use that last set of notes,
you would use DropMyRights. Written in the WinXP era, it
"allows an Administrator, to read their mail safely".
Archive.org is down right now, so I can't walk this link
backwards and give you a trusted copy at the moment.
"DropMNyRights"
http://msdn.microsoft.com/en-us/library/ms972827.aspx
If you log in as Administrator:NewAdministratorPassword , you could
safely run a browser like this:
dropmyrights firefox
and the profile folder created, will be in C:\Users\Administrator .
As Elevated John, you belong to "Administrators Group", whereas
in the case of the Real Administrator account, the *owner* part
of the cred, is Administrator.
500:500
^ ^
| |
owner group
\ \
\ Elevated John is using the 500 from here
\
Real Administrator uses the 500 account number from here
Files can be stamped such that multiple "owners" can access them,
but files can also be stamped with particular "groups" for sharing
with your cubicle mates at work.
Note that, a few programs have been written, as net nanny programs,
and they check whether they are being launched as "real administrator",
they deny the attempt, put a nastygram on the screen and quit.
So while you might think you are a God, a Developer will slap you down :-)
The DropMyRights paradigm means you can't use a lot of GUI features
easily, without ending up elevated. Your brain casing is going to get
warm, from all the "thinking about defensive driving", if you run
inverted all the time. If you double-click the Firefox icon
on the desktop, no DropMyRights gets included. Firefox then runs as Admin. Any "browser exploit" ??? Machine, destroyed.
*******
The UAC prompt is there to "warn you of an attempt to elevate".
If the thing you are using, should not be elevating, you say
to yourself "Hay, wait a minute...". I've had Seamonkey web browser
make such an attempt, and it's actually the Upgrade.exe code which
is doing that, and not the main browser itself. The browser by itself,
does not ask for Administrator, nor should a UAC prompt appear. If I
see a UAC... it's time to investigate.
None of this security theater matters a bit, but the
model is what it is. For Black Hats, this model is
"no problem at all to defeat". You can tell from the
way Black Hats laugh in a discussion thread, which
parts of the security model are useless. You can tell
from their responses, why all the Restore Points must be
deleted, if they visit. Even the most pitiful malware,
infects Restore Points, which is why you can't use them.
Paul
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
John C. wrote:
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
My thanks to Oliver and Newyana2 for their helpful replies. However, I
guess at this point there really is no solution other than to turn UAC completely off. Maybe at some point in the future, M$ will make UAC less intrusive.
John C. wrote:
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
My thanks to Oliver and Newyana2 for their helpful replies. However, I
guess at this point there really is no solution other than to turn UAC completely off. Maybe at some point in the future, M$ will make UAC less intrusive.
John C. wrote:
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
My thanks to Oliver and Newyana2 for their helpful replies. However, I
guess at this point there really is no solution other than to turn UAC completely off. Maybe at some point in the future, M$ will make UAC less intrusive.
This automates the Task Scheduler method: https://www.majorgeeks.com/mg/getmirror/uac_pass,1.html
John C. wrote:
My thanks to Oliver and Newyana2 for their helpful replies. However, I
guess at this point there really is no solution other than to turn UAC
completely off. Maybe at some point in the future, M$ will make UAC less
intrusive.
I always keep it off completely; on all my MS systems. I've been doing
that for years; and never met the slightest sign of a problem.
Mind you, I have excellent firewall and AV, and do full regular scans.
As to MS planning to make it less intrusive, I doubt that very much.
They've had it in place for about 15 years, and, as far as I know, never altered a jot in it.
Most of the regulars in this group will tell you the same. It's for
babies! It's more for show than real use. "Hey, good old MS providing
all that safeguard and security!".
Ed
"Ed Cryer" <ed@somewhere.in.the.uk> wrote
|
| I always keep it off completely; on all my MS systems. I've been doing
| that for years; and never met the slightest sign of a problem.
Me, too. I went from Win98 with a firewall and limited
browser script to XP with the same. I'm still running XP
on FAT32 in order to avoid problems.
Recently I've been setting up a new Win10 machine,
figuring out all the tweaks and adjustments to stop it getting
in my way. I'm finding it reasonably usable, once I ran Win10 Privacy, Classic Shell and WinAero Tweaker.... and researched several
tweaks to stop being harassed by inane notices.
Though I have still found
a need on multiple occasions to remove file restrictions in
order to accomplish something. One case was simply to access
images in order to change the log-in image. That has nothing at
all to do with security. It has to do with making sure that
employees in a corporate setting can't change anything that
affects others. The trouble is that most of us are not corporate
lackeys. We're SOHo users who own our own computers.
| As to MS planning to make it less intrusive, I doubt that very much.
MS approach is far less problematic than Linux. I was installing
a firewall recently on Suse and had trouble for days. It finally turned
out that I had to install as root but then not open the program
until I logged in as lackey, because once I opened the program it
would create files only accessible to the current user! The Linux fans
seem to just assume that people know about such nonsense.
I've minimized the hassle by using "ok" for all passwords, but it's
still a ridiculous amount of demanding passwords and using console
commands.
The MS approach is more flexible. They lock it down but set
it up so that people willing to hunt down the tweaks can control
it for themselves. MS have always accommodated what they used
to call power users. So there are corporate admins, power users
and regular users. The corporate admins don't necessarily know
the system well, but they know how to do their job and run updates.
A good example is that I don't have to have a password on Win10.
(Though it took some searching to find how to stop the system
from periodically demanding that I change my no password to
no password. :)
On Linux there are only two kinds of people: Surly computer
scientists and idiots who have no business trying to understand
how Linux works because then they'll only screw it up give Linux
an even worse reputation than it already has.
So, count your blessings. It could be worse. I expect it will
eventually be worse. Adding security restrictions is not only
in the interest of safety and stability. It's also a very good way
to convert Windows to a services kiosk device. Look at how it's
already changed: You have no access to system files but Microsoft
can change them remotely.
"Paul" <nospam@needed.invalid> wrote
| You don't have to break anything to get your way.
|
Different points of view. I also don't have a blade guard on my
table saw. It's not because I'm ornery or macho or contrarian or
reckless. I work that way because I can't accurately see the
cut otherwise.
It's the same with computers. The security options are fine and
they're especially sensible for people who don't know what they're
doing. Anyone who wants to use them should do so. But I'm
not interested in people who want to tell me that I'm doing it wrong,
like children peer pressuring each other about what they're "supposed
to" do. There's no "supposed to".
It's my computer and I understand the risks. I'm also much more
careful in general than the average person, restricting script online
and avoiding having data like credit card numbers on my computer.
I've never had a virus or malware. I've never accidentally deleted
System32. I also haven't used AV since about 2000. I
use firewalls and I disable all remote functionality. I don't allow
any local network functionality. Those are all precautions that most
people wouldn't even consider taking.
For those people, getting
Microsoft's dripfeed updates and running with lackey file restrictions
is pretty much the only protection they have. Most people like that
are not really using their system, anyway. They go to gmail for their
email and use a browser to download their airline tickets or buy
things on Amazon. That's pretty much it. So it makes sense to have
the system locked down.
The log-in picture is a good example of the issues. I
didn't find a way to change it so I decided the easiest
way would be to just replace the source image. The status
quo view is that that's a dangerous thing to do. But is it?
Do people actually think before they say that?
I figured out where the picture was and what format it
was. (If I remember correctly it was something weird, like
a JPG named as a PNG.) Windows wouldn't let me into
those folders because it was all-users app data. So I
removed restrictions on that area.
No security risk. No functionality risk. No risk of any
kind, except that I could end up with a log-in screen
that I didn't like. Of course, I already had that. :) So
why are those folders restricted? Because Microsoft's
design assumes that I'm a corporate lackey writing MS
Word docs, that it's not my computer, and that I have no
right to affect other people who might use the same
computer, by changing their log-in screen.
John C. wrote:
John C. wrote:
User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate >>> the heck out of me.
Is there any way to get it to stop asking me if I want to allow a
program to make changes?
IMO, this is something that Microsoft designed very, very poorly.
My thanks to Oliver and Newyana2 for their helpful replies. However, I
guess at this point there really is no solution other than to turn UAC
completely off. Maybe at some point in the future, M$ will make UAC less
intrusive.
I always keep it off completely; on all my MS systems. I've been doing
that for years; and never met the slightest sign of a problem.
Mind you, I have excellent firewall and AV, and do full regular scans.
As to MS planning to make it less intrusive, I doubt that very much.
They've had it in place for about 15 years, and, as far as I know, never altered a jot in it.
Most of the regulars in this group will tell you the same. It's for
babies! It's more for show than real use. "Hey, good old MS providing
all that safeguard and security!".
What if M$ was able to come up with a proprietary HASH code to assign to programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?
What if M$ was able to come up with a proprietary HASH code to assign to programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?
"John C." <r9jmg0@yahoo.com> wrote
| What if M$ was able to come up with a proprietary HASH code to assign to
| programs a person runs on a regular basis, then before pestering enc
| users every time they try to run a third party program, check to see if
| that HASH is on a list of safe programs to run?
|
In some ways that's what UWP/RT/Metro is intended to be.
They're safe because they're crippled by design, unable to
access much of the WinAPI. That's always been the idea
with Java, as well. And ActiveX/COM. Of course, it's not
easy to make something safe. And now Microsoft are using
UWP applets for system settings. Go figure.
John C. wrote:
What if M$ was able to come up with a proprietary HASH code to assign to
programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?
How would you police those HASH codes? How would you distinguish genuine
from fake?
They'd attract scammers, and be fairly open and vulnerable.
John C. wrote
What if M$ was able to come up with a proprietary HASH code to assign to
programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?
In some ways that's what UWP/RT/Metro is intended to be.
They're safe because they're crippled by design, unable to
access much of the WinAPI. That's always been the idea
with Java, as well. And ActiveX/COM. Of course, it's not
easy to make something safe. And now Microsoft are using
UWP applets for system settings. Go figure.
John C. <r9jmg0@yahoo.com> wrote:
[...]
What if M$ was able to come up with a proprietary HASH code to assign to
programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?
Don't know about Windows 10, but Windows 11 sort of have such (a) feature(s): Smart App Control [1] and Reputation-based protection [2] (multiple categories).
[1] 'What is Smart App Control?' <https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003>
[2] There's no 'Learn more' link for this, but it shouldn't be too hard
to find more information if you're interested.
Ed Cryer wrote:
John C. wrote:
What if M$ was able to come up with a proprietary HASH code to assign to >>> programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?
How would you police those HASH codes? How would you distinguish genuine
from fake?
They'd attract scammers, and be fairly open and vulnerable.
Well then, let's give up and keep having to put up with continual interruptions from that god-damned UAC.
I tried turning it all the way off yesterday and it STILL pestered me to death when I was simply trying to move shortcuts around on my Start Menu.
I read recently that appliance makers are getting disillusioned
with computerized appliances because no one is using the
functions. We recently got a new washer. The instructions
say we should download "the app". Why? So we can check
on progress while we're upstairs!
"Hello? Washer? How ya doing? Almost finished?"
"Getting there."
"OK, great. Thanks so much. Carry on."
I wouldn't mind, but I suspect this machie will die long
before the actual mechanical parts die. It takes several
minutes to survey the load in order to set size, rather than
just letting me spec the poad size. I can imagine a time,
perhaps not far off, when the camera or laser used to check
the height of the dirty clothes pile malfunctions, and then
the whole thing refuses to work.
John C. wrote:
Ed Cryer wrote:
John C. wrote:
What if M$ was able to come up with a proprietary HASH code to
assign to
programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if >>>> that HASH is on a list of safe programs to run?
How would you police those HASH codes? How would you distinguish genuine >>> from fake?
They'd attract scammers, and be fairly open and vulnerable.
Well then, let's give up and keep having to put up with continual
interruptions from that god-damned UAC.
I tried turning it all the way off yesterday and it STILL pestered me to
death when I was simply trying to move shortcuts around on my Start Menu.
Mine's been OFF for years; and I get NO mention nor sign from it.
Ed
It's my computer and I understand the risks. I'm also much more
careful in general than the average person, restricting script online
and avoiding having data like credit card numbers on my computer.
I've never had a virus or malware. I've never accidentally deleted
System32. I also haven't used AV since about 2000. I
use firewalls and I disable all remote functionality. I don't allow
any local network functionality. Those are all precautions that most
people wouldn't even consider taking.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 406 |
Nodes: | 16 (2 / 14) |
Uptime: | 113:23:12 |
Calls: | 8,529 |
Calls today: | 8 |
Files: | 13,212 |
Messages: | 5,920,732 |