"What's the deal with UAC (Windows Needs Your Permission scree

**Colo2008**

"Alan Simpson" wrote:

Well said Jimmy. But just a couple minor additions. Using a computer in a
limited account for day-to-day stuff has been a security "best practice" for
many years, and totally ignored outside the corporate environment for just
as many years. Basically Vista makes that practice security best practice
automatic and as painless as possible by letting you temporarily elevate
on-the-fly on an as-needed basis.

Also, for home users, there's a tie-in to parental controls here. From a
password-protected administrative account you can set parental controls on
children's standard accounts and monitor their computer and Internet use.
The kids can't get to any of that from their standard accounts (without an
administrative password). So they can't tamper with any of that.

"Jimmy Brush" wrote in message
...
Hello,

I've noticed that a lot of the questions in these newsgroups are either
directly or indirectly related to UAC (User Account Control). In this
post, I will go over what UAC does, how it works, the reasoning behind it,
how to use your computer with UAC on, why you shouldn't turn UAC off, and
answer some common questions and respond to common complaints about it.

* What is UAC and what does it do?

UAC mode (also known as Admin Approval Mode) is a mode of operation that
(primarily) affects the way administrator accounts work.

When UAC is turned on (which it is by default), you must explicitly give
permission to any program that wants to use "administrator" powers. Any
program that tries to use admin powers without your permission will be
denied access.

* How does UAC work

When UAC mode is enabled, every program that you run will be given only
"standard user" access to the system, even when you are logged in as an
administrator. There are only 2 ways that a program can be "elevated" to
get full admin access to the system:

- If it automatically asks you for permission when it starts up, and you
click Continue
- If you start the program with permission by right-clicking it, then
clicking Run As Administrator

A program either starts with STANDARD rights or, if you give permission,
ADMINISTRATOR rights, and once the program is running it cannot change
from one to the other.

If a program that you have already started with admin powers starts
another program, that program will automatically be given admin powers
without needing your permission. For example, if you start Windows
Explorer as administrator, and then double-click on a text file, notepad
will open and display the contents of the text file. Since notepad was
opened from the admin explorer window, notepad WILL ALSO automatically run
WITH admin powers, and will not ask for permission.

* What's the point of UAC?

UAC is designed to put control of your computer back into your hands,
instead of at the mercy of the programs running on your computer.

When logged in as an administrator in Windows XP, any program that could
somehow get itself started could take control of the entire computer
without you even knowing about it.

With UAC turned on, you must know about and authorize a program in order
for it to gain admin access to the system, REGARDLESS of how the program
got there or how it is started.

This is important to all levels of users - from home users to enterprise
administrators. Being alerted when any program tries to use admin powers
and being able to unilaterally disallow a program from having such power
is a VERY powerful ability. No longer is the security of the system
tantamount to "crossing one's fingers and hoping for the best" - YOU now
control your system.

* How do I effectively use my computer with UAC turned on?

It's easy. Just keep in mind that programs don't have admin access to your
computer unless you give them permission. Microsoft programs that come
with Windows Vista that need admin access will always ask for admin
permissions when you start them. However, most other programs will not.

This will change after Windows Vista is released - all Windows Vista-era
programs that need admin power will always ask you for it. Until then, you
will need to run programs that need administrative powers that were not
designed for Windows Vista "as administrator".

Command-line programs do not automatically ask for permission. Not even
the built-in ones. You will need to run the command prompt "as
administrator" in order to run administrative command-line utilities.

Working with files and folders from Windows Explorer can be a real pain
when you are not working with your own files. When you are needing to work
with system files, files that you didn't create, or files from another
operating system, run Windows Explorer "as administrator". In the same
vein, ANY program that you run that needs access to system files or files
that you didn't create will need to be ran "as administrator".

If you are going to be working with the control panel for a long time,
running control.exe "as administrator" will make things less painful - you
will only be asked for permission once, instead of every time you try to
change a system-wide setting.

In short:

- Run command prompt as admin when you need to run admin utilities
- Run setup programs as admin
- Run programs not designed for Vista as admin if (and only if) they need
admin access
- Run Windows Explorer as admin when you need access to files that aren't
yours or system files
- Run programs that need access to files that aren't yours or system files
as admin
- Run control.exe as admin when changing many settings in the control
panel

* UAC is annoying, I want to turn it off

Having to go through an extra step (clicking Continue) when opening
administrative programs is annoying. And it is also very frustrating to
run a program that needs admin power but doesn't automatically ask you for
it (you have to right-click these programs and click Run As Administrator
for them to run correctly).

But, keep in mind that these small inconveniences are insignificant when
weighed against the benefit: NO PROGRAM can get full access to your system
without you being informed. The first time the permission dialog pops up
and it is from some program that you know nothing about or that you do not
want to have access to your system, you will be very glad that the Cancel
button was available to you.

* Answers to common questions and responses to common criticism

Q: I have anti-virus, a firewall, a spyware-detector, or something
similar. Why do I need UAC?

A: Detectors can only see known threats. And of all the known threats in
existence, they only detect the most common of those threats. With UAC
turned on, *you* control what programs have access to your computer - you
can stop ALL threats. Detectors are nice, but they're not enough. How many
people do you know that have detectors of all kinds and yet are still
infested with programs that they don't want on their computer? Everyone
that I have ever helped falls into this category.

Q: Does UAC replace anti-virus, a firewall, a spyware-detector, or similar
programs?

A: No. Microsoft recommends that you use a virus scanner and/or other
types of security software. These types of programs compliment UAC: They
will get rid of known threats for you. UAC will allow you to stop unknown
threats, as well as prevent any program that you do not trust from gaining
access to your computer.

Q: I am a system administrator - I have no use for UAC.

A: Really? You don't NEED to know when a program on your computer runs
with admin powers? You are a system administrator and you really could
care less when a program runs that has full control of your system, and
possibly your entire domain? You're joking, right?

Q: UAC keeps me from accessing files and folders

A: No, it doesn't - UAC protects you from programs that would try to
delete or modify system files and folders without your knowledge. If you
want a program to have full access to the files on your computer, you will
need to run it as admin. Or as an alternative, if possible, put the files
it needs access to in a place that all programs have access to - such as
your documents folder, or any folder under your user folder.

Q: UAC stops programs from working correctly

A: If a program needs admin power and it doesn't ask you for permission
when it starts, you have to give it admin powers by right-clicking it and
clicking Run As Administrator. Programs should work like they did in XP
when you use Run As Administrator. If they don't, then this is a bug.

Q: UAC keeps me from doing things that I could do in XP

A: This is not the case. Just remember that programs that do not ask for
permission when they start do not get admin access to your computer. If
you are using a tool that needs admin access, right-click it and click Run
As Administrator. It should work exactly as it did in XP. If it does not,
then this is a bug.

Q: UAC is Microsoft's way of controlling my computer and preventing me
from using it!

A: This is 100% UNTRUE. UAC puts control of your computer IN YOUR HANDS by
allowing you to prevent unwanted programs from accessing your computer.
*Everything* that you can do with UAC turned off, you can do with it
turned on. If this is not the case, then that is a bug.

Q: I don't need Windows to hold my freaking hand! I *know* what I've got
on my computer, and I *know* when programs run! I am logged on as an
ADMINISTRATOR for a dang reason!

A: I accept the way that you think, and can see the logic, but I don't
agree with this idea. UAC is putting POWER in your hands by letting you
CONTROL what runs on your system. But you want to give up this control and
allow all programs to run willy-nilly. Look, if you want to do this go
right ahead, you can turn UAC off and things will return to how they
worked in XP. But, don't be surprised when either 1) You run something by
mistake that messes up your computer and/or domain, or 2) A program
somehow gets on your computer that you know nothing about that takes over
your computer and/or domain, and UAC would have allowed you to have
stopped it.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode