Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Benefits of Vista's User Access Control?

Cliff posted more than 7 years ago | from the what-do-you-really-lose-if-it's-turned-off dept.

Security 118

Abtin Forouzandeh asks: "Having used Vista for a few months, something keeps nagging me about the user account control. For the UAC to be useful, the user needs to have a fair amount of knowledge about: what the UAC is; what application it is blocking; the consequences of blocking the action; and an alternate approach if the blocked action did something useful. Anyone who has ever worked with end-users can tell you that they are generally disinterested in learning anything about computer usage beyond how to use word and make a spreadsheet. Frankly, even as a highly technical user, I nearly always approve the UAC dialog, even if I don't know the consequences. Since users lack knowledge, and Vista keeps asking esoteric/ambiguous questions, then users will always approve UAC dialogs. Since the UAC so clearly fails in its goal of making computing more secure, and substantially increases complexity, why is it common wisdom that turning off UAC is 'not recommended'? For 99% of users, is there any true downside? Has the community come up with ways to make UAC useful?"

cancel ×

118 comments

Sorry! There are no comments related to the filter you selected.

Serves it's purpose (4, Insightful)

Carter313 (745300) | more than 7 years ago | (#18178578)

I suppose it's useful from Microsofts point of view, if a lot of security is put into the users hands, it is the users fault when something goes wrong.

Re:Serves it's purpose (3, Informative)

linds.r (895980) | more than 7 years ago | (#18178630)

I tend to agree - they can still quote increased security, with UAC on of course, who would turn it off, you want less security? while the great majority of users turn off the misimplemented annoyance factory.

Re:Serves it's purpose (2, Insightful)

jackharrer (972403) | more than 7 years ago | (#18178956)

Honestly, what's the difference if it's on or off if users always click Allow anyway?

Re:Serves it's purpose (3, Insightful)

omicronish (750174) | more than 7 years ago | (#18179002)

Honestly, what's the difference if it's on or off if users always click Allow anyway?

There's a difference to the programmer: Oh, my program is popping a UAC prompt, I'd better fix it.

Re:Serves it's purpose (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18180016)

Except if the programmer has also turned UAC off because it's too annoying...

Re:Serves it's purpose (3, Insightful)

PopeRatzo (965947) | more than 7 years ago | (#18179616)

who would turn it off, you want less security?


I wonder if liability isn't involved here. When you think of the costs to our economy due to Windows' vulnerabilities, it's quite possible that MS was afraid that if they put another flimsy OS on the market they might get held responsible (finally).

Whenever I hear of a fix that's not really a fix, I wonder if liability wasn't involved.

Re:Serves it's purpose (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18179360)

Which leads into the major problem of Microsoft starting to rely upon UAC for basic security. Soon enough there will be a vulnerability and microsoft's inital workaround will be to turn on UAC whilst they get some patch ready. Thats not security, thats avoiding the issue.

So i'm leaving UAC on. Not because I need it or want it, but because i'm worried that security in vista will come to rely on it (just like xp came to rely on it's built in firewall).

Re:Serves it's purpose (1)

Goaway (82658) | more than 7 years ago | (#18185042)

Blaming the user? Pshaw, Microsoft is just ripping of Linux again!

Re:Serves it's purpose (1)

gig (78408) | more than 7 years ago | (#18188812)

UAC has the same purpose as EULA.

How about... (1, Funny)

Anonymous Coward | more than 7 years ago | (#18178584)

Your computer feels like its really interested in what you think?

Easy answer! (5, Funny)

earthbound kid (859282) | more than 7 years ago | (#18178606)

The benefits? You have to ask? Pssh, it's simple:

With Windows 98 and, to a lesser extent, 2000, we /.ers could smugly mock Microsoft users by making "Blue Screen of Death" jokes. When Windows XP came out, we kept making these jokes, but as time went on, they got less and less funny due in no small part to the fact that the BSoD has become a less frequent part of the Windows experience. Needless to say, this sucks for those of us who use OS X or Linux! What are we gonna rag on?

Well, then Microsoft went and did a big favor to the alternative OS community: UAC. Now, we can all get a big ol' chuckle (and "+5 Funny" mod points) out of saying, "Cancel or Allow?" in any thread whatsoever. It doesn't even have to be a thread about Vista or Microsoft. Apple even made a commercial about it! It's great. It's like Microsoft declared free karma Christmas!

"Mod me +5 Funny: Cancel or Allow?"!

And that's the benefit of UAC.

Re:Easy answer! (3, Funny)

Trillian_1138 (221423) | more than 7 years ago | (#18178778)

You are attempting to make a meta-joke on the benefits of Vista's User Access Control. Canel or Allow?

Re:Easy answer! (1)

Stormx2 (1003260) | more than 7 years ago | (#18179096)

You are attempting to flog an old horse. Cancel or Allow?

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18179730)

At least get the fucking joke right. The prompts are 'continue' and 'cancel'. Idiot.

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18180240)

I thought the joke (i.e. from the Apple ad where "cancel or allow" originated) was that "cancel or allow" is even worse than what MS put in place in Vista.

The joke-within-a-joke is that none of the Apple fanboys on Slashdot have seen Vista*, and only the Apple ad, and therefore haven't even seen what they're taking the piss out of.

Even funnier is that you want truth in humour...

*me included

Re:Easy answer! (1)

DarkJC (810888) | more than 7 years ago | (#18180590)

No it definitely IS cancel or allow. There are two different dialogs, one with continue, and one with allow.

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18180624)

I call shennanigans. I've only ever seen "Continue" and "Cancel". Please document your claim.

Re:Easy answer! (1)

Matchstick (94940) | more than 7 years ago | (#18181440)

See a picture here:

http://www.windowsdevcenter.com/windows/2006/04/04 /graphics/figure1.png [windowsdevcenter.com]

And the spelling here:

http://en.wikipedia.org/wiki/Shenanigan [wikipedia.org]

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18184076)

1. Thanks for the pic. I don't believe it since I haven't seen it with my own eyes but I'll keep my eyes open next time I'm playing with Vista and hopefully I'll encounter it. I can't believe they don't have consistancy on a security interface.

2. I don't fucking care how it's spelled. I can't believe you'd waste time correcting and posting a link. Why do people do this? Is it just a side effect of the nerd show off know it all gene?

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18181376)

You are attempting to cancel an action. Cancel or Allow?

Re:Easy answer! (1)

chiskop (926270) | more than 7 years ago | (#18179388)

You are attempting to preview your post. Cancel or Allow?

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18180804)

I saw funny thing on TV. Duh! I repeat it like a silly little monkey even though it's wrong. Duh!

UAC asks Continue or Cancel.

Re:Easy answer! (1)

scoot80 (1017822) | more than 7 years ago | (#18179726)

You are attempting to come up with another original "cancel or allow" joke. Cancel or Allow?

Re:Easy answer! (3, Informative)

Bios_Hakr (68586) | more than 7 years ago | (#18178926)

The BSoD went away and was replaced with the "automatic reboot". I think there is an option or something to show the BSoD vice rebooting. For most people, the info in the BSoD is useless anyway.

Re:Easy answer! (1)

SCPRedMage (838040) | more than 7 years ago | (#18179746)

No, there's still a BSoD there; you can set it to NOT reboot automatically if you want, and sometimes you can see the BSoD for a split second before the reboot. But the BSoD is still there.

Re:Easy answer! (1)

endianx (1006895) | more than 7 years ago | (#18180100)

Regardless of whether or not you get the blue screen or a reboot, the situation is much more rare. I know many people who have never seen it happen in XP. I have only seen it 3 or 4 times myself.

I believe that is the point the poster was trying to make.

Re:Easy answer! (1)

user24 (854467) | more than 7 years ago | (#18181068)

not true: check this site out to find out exactly why your box is crashing. saved me a few times.
http://www.aumha.org/win5/kbestop.php [aumha.org]

Re:Easy answer! (0)

Anonymous Coward | more than 7 years ago | (#18183198)

not true

Which bit of what he said isn't true?

1) MS did indeed change the XP option to autoreboot, so the BSOD was no longer shown by default
2) There is indeed an option to show the BSOD information, for those that want it
3) It's a small minority that know what to do with the information - he didn't say it wasn't useful

So...?

Re:Easy answer! (1)

Trogre (513942) | more than 7 years ago | (#18186348)

FWIW, XP SP2 still BSoDs for me on different machines regularly.

of Red Hats and Yellow Pants (0)

Anonymous Coward | more than 7 years ago | (#18183064)

Exactly so, you are 100% correct. The /. community has an incredibly vested interest in continuing the anti-MS FUD, no matter how anti-reality it turns out to really be. If we can keep bashing Windows, we never have to acknowledge the fact that Linux, as a desktop operating system, is still, in a great many respects, chasing Windows 95's very distant tail lights.

Why is this scary? Because it's a great deal of hard work getting cross-distro and user friendly installation packages to work on the same level of reliability (meaning no manual config changes or file moves) which MS has had since way back in the heyday of MS-DOS, not to mention Windows 3.0. And how about "plug and play"? Why can't Linux auto-config and auto-install new hardware? Because it's hard, tedious work which the much-lauded "community" would prefer someone else do.

Every person writing yet another goddamned text editor weakens Linux, in the exact same way every Slashdotter trying to tear down Windows weakens Linux. "The Community" needs to start jumping the bar set over a decade ago by Windows 95 before they can talk about supposed faults in Vista. Tend to your own garden first: that's the exact reason Linux is not ready for the desktop (just ask Munich).

I found it to be useless (3, Informative)

Nichotin (794369) | more than 7 years ago | (#18178716)

I have been helping a Norwegian magazine write a 100 page Vista Special, one of my articles was about UAC. In the beginning I was very excited about this feature, thinking that it would provide some safety. Then, after a while, two things happened:
1) I got tired of the constant nagging and the need to enable admin mode by default on several apps by default to avoid compatibility issues, and
2) I realized that I clicked 'Allow' on anything anyway, the only exception would be a UAC dialog popping up from nowhere. This approach would make me wide open for attacks by supposedly trusted installers anyway.

So I turned it off! I still havent had any malware or viruses (Symantec Corporate kills most of that anyway). My life got all jolly and happy again. I can only imagine that the same "always allow" mentality will be the same for less savvy users. You want to do your work, right?

useless but still the right thing (1, Interesting)

acidrain (35064) | more than 7 years ago | (#18178930)

You want to do your work, right?

Agreed, and smart users will do the same. However, in the long run applications will have to avoid causing UAC prompts and eventually it will be possible to secure the "windows ecosystem" without breaking common programs. So I'd say Microsoft is doing the right thing, just that doing the right thing when it comes to security is rarely popular. Possibly I'm being optimistic, but I think they may have thought this one through.

Ok, here is what I'm wondering. If you have a single-user desktop and administer it yourself, what is the point of having a seperate administrative account? Any program that acquires *your privileges* will have access to all the sensitive data on the machine. So you are screwed anyhow.

Honestly I'd argue that running your OS in a virtual machine and having a virus and rootkit scanner running from outside that virtual machine is much more meaningful desktop security. At least that way you have some still security left after handing off administrative powers to random daily operations like installing windows stuff off the net.

Lets face it, forget technology, Linux is more secure simply because you typically download all your programs from a single distro's repository and those programs are already trained to handle limits on their permissions.

Re:useless but still the right thing (2, Informative)

FJGreer (922348) | more than 7 years ago | (#18179212)

I use a separate user/admin account in windows for the same reason I do not use root as my user account in Linux: I don't want random programs running amok! And most programs (except video games and window's 95/98 era apps) work fine in a limited account once they have been installed. I rather like knowing that the most the bug riddled piece of software I just wrote can only mess up my account (saves restore time from my backup DVD).

I haven't used Vista yet, but as long as it has at least WinXP grade access controls (properly configured ACL's can do wonders for limiting a virus's ability to sow chaos) I don't see the need for the Allow/Deny box to begin with--especially with a decent firewall/AV software--especially when that software already does useful things like say "We have stopped this program from running because it is infected with the DestroyYourHarddriveVirus/EvilTrojan, do you want to delete it?" (product plug: F-Prot AV makes Symantec look like trash IMHO).

Anyway, if I know most computer users, anything that asks them a question that will allow whatever they're doing to continue, they are going to hit yes with about 0% by volume thought

Re:useless but still the right thing (2, Funny)

jimicus (737525) | more than 7 years ago | (#18179336)

Just like today, when your ISP's stock helpdesk answer is "Disable any firewalls and then try it"?

Re:useless but still the right thing (1)

kiddygrinder (605598) | more than 7 years ago | (#18180136)

It wouldn't be the stock answer if it wasn't for bloody norton internet security

Re:useless but still the right thing (1)

semifamous (231316) | more than 7 years ago | (#18181276)

I wouldn't suggest it so frequently if it didn't fix the problem.

I always find it funny when I'm talking to someone who doesn't really know what they have and call it "Anti-Norton Virus."

Anti-Norton. =)

That's great. =)

Re:useless but still the right thing (4, Informative)

cornjones (33009) | more than 7 years ago | (#18179666)

Mod the parent up
in the long run applications will have to avoid causing UAC prompts and eventually it will be possible to secure the "windows ecosystem" without breaking common programs.

That is the important point here. There is no reason for many of these programs to be asking for 'administrative' access to do any of this shit. MS can't just cut it off b/c it will break most of it's install base. This is a way to guide software companies into writing programs with a thought to security, rather than just doing it the 'easy way'.

Re:useless but still the right thing (1)

JoelMartinez (916445) | more than 7 years ago | (#18185074)

yes, well said. People don't realize that half of windows' problems are caused by the programs that run on windows, not windows itself

Re:useless but still the right thing (1)

techno-vampire (666512) | more than 7 years ago | (#18185442)

Yes, but that still means that half of the problems you have are caused by Windows itself. Back in the old DOS days, before GUIs, 99.44% of all problems were caused by programs because DOS was well behaved. If we've learned so much since then, why can't Microsoft make a version of Windows that's as well behaved as DOS?

Re:useless but still the right thing (1)

JoelMartinez (916445) | more than 7 years ago | (#18185668)

It's not windows that's misbehaving (or at least who initiates the misbehaving) ... it's the little bastard that comes over after school to play, convinces windows to light his parent's curtains on fire, then convinces his parents to blame windows for the fire.

Okay, But... (1)

DJ_Adequate (699393) | more than 7 years ago | (#18186662)

Vista's UAC prompt seems a little overly paranoid even for that. Why, for example, do I have go through several prompts when changing the Windows Time setting using MS's own control panel? All I want to do is have it sync up with my other clocks and that doesn't really feel like a security threat.

Re:Okay, But... (1)

soundvessel (899042) | more than 7 years ago | (#18187834)

Vista's UAC prompt seems a little overly paranoid even for that. Why, for example, do I have go through several prompts when changing the Windows Time setting using MS's own control panel? All I want to do is have it sync up with my other clocks and that doesn't really feel like a security threat.
It is a big deal though. So much custom software relies on the time/date setting. Can you imagine a targeted virus that set back the clock five seconds every hour on, lets say, securities trading systems, to allow backdated transactions?

That's not a real world example since the software is more complex than that, but in many business applications the time/date is crucial to many transactions and calculations. The user may see it as nothing more than the same thing as the calendar on his desk or the clock on the wall, but it has a much wider role.

Having edited the HOSTS file (5, Insightful)

RzUpAnmsCwrds (262647) | more than 7 years ago | (#18178752)

Vista does make editing the HOSTS file more complex. I've done it five times today on my Vista box (migrating a server and testing before DNS updates). It's kind of a pain. But it's not nearly as bad as the article implies.

My procedure:
Start -> Right click on EMEditor (my text editor, it's pinned to the menu so it's always there) -> Choose "Run as Administrator"
Click "Continue"
File -> Open -> C:\windows\system32\drivers\etc\hosts
Edit File
Save

On XP:
Start -> Run
Type: "notepad C:\windows\system32\drivers\etc\hosts"
Click "OK"
Edit File
Save

Basically, you can't write to the hosts file by default, so you have to elevate an application (text editor, notepad, cmd.exe) to edit it. This is similar to Linux, where you have to use "sudo" or "su", except that there are better/more text-mode editors on Linux (although Vim/Nano/EMACS do run on Windows, you have to install them first).

Now, EMEditor is Vista compatible (certified even), but it would be nice if it could elevate when a write operation fails due to incorrect permissions. Then you could just edit the file as usual, and elevate when you save.

I've said it once, and I'll say it again: UAC is going to get better over time. Lots of applications require elevation now (even some games), but as developers update their programs, we'll see fewer and fewer UAC prompts. VMWare, for example, used to require elevation in the 6.0 betas, but it doesn't anymore. Give it a year or two. Apps will stop requiring elevation except for the things that really do affect the system.

UAC means that software developers will write software that doesn't need elevation. That can only be a good thing in the long run.

Re:Having edited the HOSTS file (5, Interesting)

Mortimer82 (746766) | more than 7 years ago | (#18179054)

Haven't used Vista yet myself, but as someone who has tried in the past to run Windows XP under a normal user account, I believe the objective with Vista's UAC is not so much to help users decide if software is safe, but rather to convince software writers to write their code correct so it doesn't work without administrator access when it doesn't actually need it for a good reason.

Re:Having edited the HOSTS file (0)

Anonymous Coward | more than 7 years ago | (#18181692)

Vista does make editing the HOSTS file more complex. I've done it five times today on my Vista box (migrating a server and testing before DNS updates). It's kind of a pain. But it's not nearly as bad as the article implies.

So it's basically the same as an XP machine that's properly configured with a non-admin account?

Lots of applications require elevation now (even some games), but as developers update their programs, we'll see fewer and fewer UAC prompts.

I don't have Vista, so I can't say for sure, but I suspect they don't actually require elevation. Set up a 2000 or XP machine with a limited user account and turn on failure auditing. You'll see a number of programs fail to gain admin privileges or otherwise blindly attempt naughty things. They work just fine anyway 99% of the time.

Re:Having edited the HOSTS file (1)

springbox (853816) | more than 7 years ago | (#18182740)

um, well. I run in a user account in XP, so I have to type in the admin password when I want to modify system files. Same thing with Linux unless you're always running as root. I think UAC is making it too easy for you to just arbitrarily modify files in the windows directory.. It doesn't even ask for a password to elevate your permissions.

Re:Having edited the HOSTS file (1)

Ahnteis (746045) | more than 7 years ago | (#18183578)

>>It doesn't even ask for a password to elevate your permissions.

If you are already running as admin it doesn't. If you are running as a normal user, it *does* ask for administrator credentials.

Re:Having edited the HOSTS file (1)

mosschops (413617) | more than 7 years ago | (#18183556)

Now, EMEditor is Vista compatible (certified even), but it would be nice if it could elevate when a write operation fails due to incorrect permissions. Then you could just edit the file as usual, and elevate when you save.

The biggest problem with elevation is that it's not something you can do from an existing process, without launching a completely new process as elevated. Task Manager relaunches itself when you click the Show Processes From All Users, rather than doing any magic. Elevated processes can't return to a limited token either, which causes much grief for setup programs - there's a horrid work around involving scheduling a new task, just so it runs as a normal user with a filtered token again!

The text editor could still support it, but it would need to launch a separate helper application just for saving (and loading?). All data to save/load would have to be passed from the main editor to the helper, probably using RPC. If only the elevation could be done per-thread, it would be so much easier...

Re:Having edited the HOSTS file (1)

RzUpAnmsCwrds (262647) | more than 7 years ago | (#18184018)

Elevated processes can't return to a limited token either, which causes much grief for setup programs - there's a horrid work around involving scheduling a new task, just so it runs as a normal user with a filtered token again!

Agreed - this is a significant problem with UAC. Of course, I have always thought that a "launch this application after setup completes" option was kind of a bad idea anyway.

I don't know how this works with MSI packages, either, because elevation doesn't occur in the same way.

The text editor could still support it, but it would need to launch a separate helper application just for saving (and loading?).


EMEditor already has a helper application (EEAdmin.exe) that it uses for certain operations (e.g. changing file association) which require elevation.

When I was working on a wireless connection manager for Linux (GTKWifi), this is exactly what I did, except that I used sudo instead of UAC. If only more Linux apps did this - why should I have to run Synaptic as root if I'm just browsing packages - it's a better idea to split out the UI and browsing functionality from the part of the code that actually installs packages, and create a well-defined interface between the two.

If only the elevation could be done per-thread, it would be so much easier...


This would be a huge security problem. Threads do not have their own protected memory space, so it is impossible to prevent a lower-privileged thread from screwing with the code or data of an elevated thread.

Now, you could argue that we should create thread with its own protected memory space, file resources, and other handles. Guess what? That's excatly what a process is.

Maybe we could come up with something in the middle, but you're talking about an entirely type of construct. That makes migration and backwards compatibility even harder.

Re:Having edited the HOSTS file (1)

mosschops (413617) | more than 7 years ago | (#18184282)

I don't know how this works with MSI packages, either, because elevation doesn't occur in the same way.

Windows Installer has a service component, which is already running elevated. I guess it just impersonates the user for any normal running, though it also has the new Session 0 restrictions to work around to interact with the desktop.

EMEditor already has a helper application (EEAdmin.exe) that it uses for certain operations (e.g. changing file association) which require elevation.

Maybe just a new RPC interface needed to that, and save/load could be done as you described? :-)

This would be a huge security problem. Threads do not have their own protected memory space, so it is impossible to prevent a lower-privileged thread from screwing with the code or data of an elevated thread.

Hmmm, that's true! I was thinking that VirtualProtect could block untrusted callers from making code areas writeable, but just having writeable data could be enough to cause problems. Not being able to return to filtered token must just be because it's per-process, and could cause all sorts of problems if things started failing due to insufficient rights.

I just wish they'd provided a ShellExecuteEx verb for running non-elevated, to match the "runas" used to elevated. I can't think that would be a security risk, and it would make life so much easier in the cases it is needed.

Time to stop complainging (3, Funny)

pembo13 (770295) | more than 7 years ago | (#18178776)

How many articles have there been complaining about Vista this week alone? Seriously, it isn't as if you guys are the customers, you're just the consumers more than willing to pay for it. Maybe if there were no alternatives, or it was a project paid for with tax dollars all this complaining would be meaningful, but it is niether; it is a product produced by a for-profit company.

Windows has been out long enough that it has long since gotten boring to be complain about it. Microsoft's business practicies are a lot more worthy of complaint; even I know there are intelligent engineers doing what one would assume to be their best, inside of Microsoft.

If Vista is rubbish, do what most people do with rubbish: throw is out, and not discuss it with company. Windows isn't a Linux distro, loud complaining isn't going to change anything

Peace

Re:Time to stop complainging (1)

Nichotin (794369) | more than 7 years ago | (#18178798)

In the perfect world, maybe. But some of us live in the real world, with real jobs, and really ambitious IT staff that are keen to migrate. Plus, Vista has a lot of good things too, and it is a damn shame to loose out on that just because some well advised feature is bugging you. Besides, UAC can be turned off.

Unexpected actions (3, Insightful)

caitriona81 (1032126) | more than 7 years ago | (#18178792)

What it is most useful for is stopping privileged operations from happening behind your back - malware theoretically has to make at least some noise to infect at a systemwide level with user account control turned on. If it's turned off entirely, you might not get that extra "something's not right here" warning before your antivirus gets disabled and that nasty rootkit gets installed.

Also, as someone already pointed out, this makes programs that require administrator rights unnecessarily much noisier, and provides a support incentive to software publishers to fix their software so it works unescalated.

Not great from a usability perspective but for a company that's almost ignored security until recently it's a start.

Re:Unexpected actions (1)

PrescriptionWarning (932687) | more than 7 years ago | (#18180376)

but if less than say 0.1% of all actions should probably require a Cancel instead of Allow, how many people really are going to keep an eye out for the bad one... cept maybe the OCD group.

"User Access Control"? (1)

bcmm (768152) | more than 7 years ago | (#18178820)

The summary gives two different definitions for UAC, which is more than there should be if you aren't making any Doom jokes. Which is correct?

What the hell is the point? (5, Interesting)

RzUpAnmsCwrds (262647) | more than 7 years ago | (#18178834)

What the hell is the point of all of these articles? Linux users aren't going to switch to Vista. Mac users are already convinced that their OS is Job's gift to man. And Windows users are going to switch to Vista when they buy a new computer.

Vista is here. The DRM features don't stop me from playing my MP3s, XVID videos, or from running FairUse4WM. It doesn't bring my modest 1.8GHz single-core Athlon 64 box to its knees, even with the Aero Glass UI (of course, my $40 Radeon X1300 helped that - the GeForce 6100 IGP was kind of sluggish. It hasn't stopped me from installing Ubuntu, ripping DVDs, using Daemon Tools, installing unsigned drivers, or doing anything else that I would do to a Windows system.

UAC hasn't prompted me for anything in the past 4 hours. I see - maybe - 1 or 2 prompts per day. Perhaps that's because I don't go trying to put files in "C:\windows" or screw with system DLLs.

Firefox works. So does Thunderbird, Office 2003, Visual Studio, Paint Shop Pro, VMWare, Virtual PC, Maple, EMEditor, WinSCP, PuTTY, AVG, SmartFTP, Microangelo, iTunes, Quicktime, Daemon Tools, TI Connect, WinRAR, ATITool, SpeedFan, RMClock, PowerStrip, Prime95, Paint.NET, uTorrent, Opera, NSIS, Java, Flash, Adobe Reader, 3DMark, Warcraft III, Steam, and WoW.

Oh, and all of my hardware works. On both of my desktops and my notebook.

So what doesn't work? Display aspect ratio selection doesn't work with NVIDIA's shitty drivers (one reason my desktop has an ATI card now). PDFCreator refuses to work, as does VNC.

Vista is the next version of the OS with the broadest hardware and software compatibility. $109 is a pretty cheap price for that.

Re:What the hell is the point? (2, Insightful)

omicronish (750174) | more than 7 years ago | (#18178954)

UAC hasn't prompted me for anything in the past 4 hours. I see - maybe - 1 or 2 prompts per day. Perhaps that's because I don't go trying to put files in "C:\windows" or screw with system DLLs.

My average experience is even less; I can go for several days without a prompt. I've only seen them today due to testing installation of a program I'm writing.

I see a lot of UAC complaints on Slashdot but very little on details as to what the person is doing to garnish so many prompts. So here's my proposal to Slashdotters: If you've seen more than 5 UAC prompts in one day, what were you doing to cause them?

Yes, certain scenarios will display a crapload of UAC prompts, such as running your favorite software that prompts, trying to move stuff around in Program Files, installing every app you find on SourceForge, etc., and some of those scenarios are of genuine concern and have noticeable user impact. However, I'm interested in getting these actual experiences and separating them from the rediculous and vague second-hand claims that prompts are spawning faster than bunnies.

Re:What the hell is the point? (1)

the unbeliever (201915) | more than 7 years ago | (#18179636)

Agreeing with you completely.

I ran into more than my fair share of UAC prompts in the 3-4 days following my Vista install, mostly because I was installing programs (openoffice, etc etc) and it prompted me.

After that, I haven't received any, except when running windows update.

Re:What the hell is the point? (1)

Carnildo (712617) | more than 7 years ago | (#18184570)

I see a lot of UAC complaints on Slashdot but very little on details as to what the person is doing to garnish so many prompts. So here's my proposal to Slashdotters: If you've seen more than 5 UAC prompts in one day, what were you doing to cause them?


Most recently? Debugging the uninstaller for the software I'm developing. I get:
1 UAC prompt when I run the remote debugger -- it needs to listen for network connections on port 6969
2 UAC prompts when I run the installer
2 UAC prompts when I run the uninstaller
At this point, the debugger attaches to the uninstaller.
1 UAC prompt when I move the files the uninstaller missed from the Program Files directory to the recycle bin
1 UAC prompt when I empty the recycle bin

And because the debugger crashes after each run, I get all seven prompts every single time.

Re:What the hell is the point? (1)

Nightspirit (846159) | more than 7 years ago | (#18179030)

Apparently /. users like to change the system font every 15 minutes.

Re:What the hell is the point? (1)

omicronish (750174) | more than 7 years ago | (#18179066)

It doesn't bring my modest 1.8GHz single-core Athlon 64 box to its knees, even with the Aero Glass UI (of course, my $40 Radeon X1300 helped that - the GeForce 6100 IGP was kind of sluggish.

My AMD Athlon 2700+ with 1 GB RAM, Radeon 9800 Pro, and Vista installed on a 20 GB partition also runs Vista fine. I'm at 1920x1200 with full Aero. Oh and I built the machine in the summer of 2003, nearly 4 years ago. All the Slashdot bashing that Vista requires new hardware and uber specs is absurd.

Re:What the hell is the point? (1)

W2k (540424) | more than 7 years ago | (#18179680)

You are my fscking hero, seriously. I have that EXACT CONFIGURATION and was just contemplating whether or not it would be able to run Vista well.

Re:What the hell is the point? (2, Insightful)

shaitand (626655) | more than 7 years ago | (#18179318)

okay. So Vista didn't destroy your computing experience. Great.

'Vista is the next version of the OS with the broadest hardware and software compatibility. $109 is a pretty cheap price for that.'

Can you think of any compelling reason why you should be paying $109 for a new version of the OS instead of receiving a free service pack that updates the driver database with new drivers?

Re:What the hell is the point? (1)

RzUpAnmsCwrds (262647) | more than 7 years ago | (#18184388)

okay. So Vista didn't destroy your computing experience. Great.

'Vista is the next version of the OS with the broadest hardware and software compatibility. $109 is a pretty cheap price for that.'

Can you think of any compelling reason why you should be paying $109 for a new version of the OS instead of receiving a free service pack that updates the driver database with new drivers?


Presumably you are referring to Mac OS X, because in Windows, you don't need a "service pack" to get new drivers - they come on a CD with the hardware you buy, or you get them of the Internet. That's why XP is still clicking with hardware that was released 5 years after it.

And, yes, I can think of some compelling reasons:
  • New UI. Crap on Aero Glass all you want, but I think that it looks pretty damn nice. Taskbar thumbnails are nice, flip 3D is handy (though not as nice as Expose, which is why I have a third-party Expose ripoff installed on Vista), and the animations look cool without being annoying.
  • Hybrid suspend. This is a big deal on my notebook, because S3 Suspend drains the battery in 3-4 days, and with 1.25GB of memory, it takes ~20s to resume from hibernation. Now my notebook sleeps for 6 hours and then hibernates. I have to resume from disk about once a day, rather than 5-6 times. Oh, and I can switch batteries, too, without worrying about losing data.
  • New networking stack. Vista roams better on wireless networks, it doesn't make you enter the WEP/WPA key twice, and I can customize the firewall/discovery options for various different networks (so no one is screwing with my file shares unless I'm on my WPA home network).
  • Search, search, search. I can search by pressing a single key, launch programs without looking through the Start menu, and filter the control panel and folders easily.
  • New Explorer. Thumbnails that actually seem to work (e.g. the video thumbnailer doesn't stupidly choose the first frame, which is usually black). Network file operations that don't cause Explorer to lock up. A places sidebar that I can customize.
  • New audio stack. I can mute Firefox so that stupid Flash ads and Quicktime movies don't make noise (and, no, I don't want to disable Flash or have to click to load Flash files). Input settings that actually make sense. Control over audio effects and channel levels without using the crappy proprietary Realtek UI.
  • New GDI subsystem. Video drivers don't crash the system anymore
  • SMB 2.0. Network transfers don't fail just because the network had blip. I can start a transfer on the wireless, switch to the wired connection, and continue right where I left off. Very useful when screwing with the network topology at LAN parties.
  • Presentation mode. Stops notifications ("Windows updates are available!") from coming up during presentations.
  • Windows Update. No longer a website that takes forever to load and breaks often.
  • malloc that no longer sucks. 40% faster in my informal testing.
  • New setup routine. Takes about 1/2 the time, and you can run it without having to be prompted 5 times during the install.



  • Those are some of the things that I think are pretty compelling. No, there isn't an "uberfeature". But, then again, such a thing cannot exist in a relatively mature OS. Vista, like the latest release of Mac OS X, is a little better in a lot of ways. There are hundreds of changes that I could list which each make the OS work just a bit better.

    But, hey, it's not like anyone on Slashdot has actually used Vista.

Re:What the hell is the point? (1)

shaitand (626655) | more than 7 years ago | (#18185598)

'Presumably you are referring to Mac OS X, because in Windows, you don't need a "service pack" to get new drivers - they come on a CD with the hardware you buy, or you get them of the Internet. That's why XP is still clicking with hardware that was released 5 years after it.'

If you are willing to settle for that then you could skip even the service pack. However I was referring to updating the included driver database so that you don't need to load a disk for every common piece of hardware you plug in. I realize plug and play has been a pretty terrible concept on windows from the get go and that hardware actually being loaded and available upon plugging it in is a rare experience under windows but that doesn't mean you should give up on the concept altogether.

Re:What the hell is the point? (0)

Anonymous Coward | more than 7 years ago | (#18184590)

Oh, so Vista is PURELY an update to a driver database. I guess I'll switch to Linux now!!

Seriously, who modded this insightful? Just like ANY program which asks you to pay for a major revision, Vista has added and updated many things and is much more than a "driver database" update (whatever the heck THAT is supposed to mean).

Re:What the hell is the point? (3, Informative)

chabotc (22496) | more than 7 years ago | (#18179934)

"Oh, and all of my hardware works. On both of my desktops and my notebook."

Oh then please tell me why Vista degraded my nice SB FX DSP diving my 7.1 system into a software rendered piece of crap which is barely able to keep up with a 0.10$ intergrated sound chip

All the DRM made direct access to the DSP 'illegal', so it can't be used anymore in vista, nor will it likely ever be

Creative is advising every game creator to use OpenAL, to bypass this piece of crap situation DRM has brought us, so much for 'vista the ultimate gaming platform' :-)

Re:What the hell is the point? (1)

RzUpAnmsCwrds (262647) | more than 7 years ago | (#18184062)

All the DRM made direct access to the DSP 'illegal', so it can't be used anymore in vista, nor will it likely ever be


Please understand what the hell you are talking about. Vista's user-mode audio framework no longer allows DirectSound3D to run directly on the hardware. This has to do with the fact that the audio subsystem is no longer in kernel space, not DRM.

Creative is advising every game creator to use OpenAL, to bypass this piece of crap situation DRM has brought us, so much for 'vista the ultimate gaming platform' :-)


Creative has been advising the use of OpenAL for years. Under Vista, they have an application that translates DirectSound3D EAX calls to OpenAL calls so that you can use your hardware accelerated audio.

But, hey, it's not like you should read Creative's FAQ or their well-written forum post.

Re:What the hell is the point? (1)

Floritard (1058660) | more than 7 years ago | (#18180550)

Whoa hold on hold on. Microangelo is still around? God that takes me back. Can't you just use bitmaps for icons now anyway? And by now I mean like, since win95...

Re:What the hell is the point? (0)

Anonymous Coward | more than 7 years ago | (#18183110)

... with the Aero Glass UI ... $109 is a pretty cheap price for that.
Except the $100 upgrade version of Vista is for Vista Home Basic, which doesn't include Aero, which is just about the only reason anyone would consider upgrading if they had a choice. Vista without Aero is a turd that Microsoft should have kept hidden whenever possible, not sold as its own product.

Oh, and all of my hardware works.
My $150 Media Center Edition 2005 Hauppauge WinTV PVR-150 doesn't work with Vista except in fullscreen mode. My $500 GeForce 8800 GTS crashes every twenty or thirty seconds with Vista. My $150 Soundblaster X-Fi does only software rendering. My Athlon 64 X2 4600+ with a gig of RAM on a dedicated SATA II drive takes over six minutes to quiet down after booting. This is all on a clean installation.

It doesn't matter how much Vista gets talked up. For a huge number of people Vista runs like shit, has poor hardware support and offers a far worse experience. It really grates on me to hear "Totally, it's like so totally cool, it totally runs great, totally, you should totally install it, just go ahead, it's totally awesome," because it completely ignores the fact that there is a great chance it's going to run like complete shit.

Considering the five years that went into it, the billions of dollars, and the unending hype about creating world peace (see the Microsoft "Wow" commercial), Vista is a flop. Vista is like your friends' ugly baby. No one wants to tell them their baby is ugly, no matter how much they trot out pictures and talk about how beautiful they are. You can put a pig in a dress, but it's still a pig.

Re:What the hell is the point? (1)

rTough (316345) | more than 7 years ago | (#18187090)

I can't more than agree. I don't find UAC annoying so far. It's not as good as linux or mac, but much better than XP.

Vista has however so far showed a few examples why it cannot yet be deployed in the company I work (no surprise)..

Among the things that make i undeployable.
- Loosing trust with a windows 2003 domain.
- Activation not working.

Activation is the most annoying part. If they feel the need to implement it ok, but if I as a corporate user is so annoyed as I am then it failed miserably.

However, these feel like things they will fix in SP1.

$109 (1)

massysett (910130) | more than 7 years ago | (#18188622)

What interests me about that $109 is just how expensive it is compared to the cost of everything else in the computer. Windows last saw a major update five years ago. Back then, even if we forget about inflation, a retail box of Windows cost less than $109. So the price of Windows has gone up.

Meanwhile, the cost of every single other thing in the computer has gone down, and the value provided has gone up. Processors: cheaper and faster. Optical drives: cheaper, faster, more capacity. RAM: cheaper, more capacity. Screens: cheaper, bigger, more resolution. The list goes on and on. Now one can spend just a few hundred dollars and get a good desktop, or just a little more and get a decent laptop.

Software has gotten cheaper too. Much of it is available free of charge via download or through a Web app. A lot has changed in five years.

A lot, that is, except Windows. Sure, it picks up some new features. But everything else has gotten lots of new features and has dropped in price. Windows, meanwhile, picks up a few features and gets more expensive.

That $109 doesn't seem much of a bargain to me.

Now I finally know (4, Funny)

WetCat (558132) | more than 7 years ago | (#18178846)

What was in that large boxes with marking "UAC" in game "DOOM 1".
Looks like it was Vista...

Useful? Sure. (1, Funny)

Farmer Tim (530755) | more than 7 years ago | (#18178866)

Has the community come up with ways to make UAC useful?

Yes. I can now easily condition people to incessantly push a button without having to resort to all those messy endorphins.

It serves the same purpose... (3, Insightful)

drsmithy (35869) | more than 7 years ago | (#18178898)

...As the lower-privileged user and graphical sudo equivalents in OS X and some Linux distributions. It allows the user to run at a lower level of privileges by default and elevate when necessary, limiting the amount of damage malicious code can do on its own.

Similarly, it suffers exactly the same weakness - the user can inadvertently raise the privilege level of malicious code.

Hopefully more developers will write their code properly and the number of spurious UAC prompts will drop over time. Given that most developers haven't made any effort to make their applications LUA-friendly in the preceding decade, however, I'm not holding out much hope Vista making it _easier_ for them to get away with it will create any more inventive.

Re:It serves the same purpose... (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18179068)

Given that most developers haven't made any effort to make their applications LUA-friendly in the preceding decade

That indeed is a big shame.
I can understand that Windows programming has attracted a bunch of hobbyist programmers that already are happy when the program they have written performs its (niche) task without logic errors, and do not care about or understand more complex topics like security, error handling, etc.
However, the same mistakes still appear in "supposedly well written" programs like telebanking applications.

For example, ABN-AMRO bank distributes an application called "ABN OfficeNet" (for businesses) that is a total piece of crap.
It does not work correctly in LUA in Windows 2000 or XP. It creates its temporary files in the WINDOWS directory. Its error reporting in case of access problems is a total disaster.
These people do not understand at all what they are writing and supporting. Their helpdesk losers just state that "you have to have Administrator rights to run this program". Having a company policy that office workers do not get Administrator rights on their WS is just "your problem, not theirs".

However, now they have found their crap does not work on Vista at all :-) :-)
We are not running Vista, and are not planning to do so in the near future, but I am anxious to see how they wrestle themselves out of this "problem".
Hopefully someone fires the hobbyists in their software department and hires someone who understands the matter and the importance of security.

Of course, those are the same folks who always claim that their computing security is perfect and that every mishap is always the fault of the customer until he can prove that it is the fault of the bank (for which he will not get insight in the sourcecode and technical documentation of their software).

Re:It serves the same purpose... (1)

ednopantz (467288) | more than 7 years ago | (#18179954)

They probably aren't hobbyists. They are probably C++ geeks who are "stuck" working on Windows at their day job, hate it, don't respect it, and don't bother to learn it. I have seen it before.

Re:It serves the same purpose... (1)

dpilot (134227) | more than 7 years ago | (#18181018)

I would argue that they are neither hobbyists nor C++ geeks, because either of those groups would have done a better job of meta-management of their application. More to the point might be "corporate programming drones who got into software because they thought the money would be good." Keep the eyes on the tube, fingers on the keyboard, work to the schedule, and put the check-mark on the list when "done."

End Users 'Disinterested'? (2, Insightful)

Naughty Bob (1004174) | more than 7 years ago | (#18179072)

Anyone who has ever worked with end-users can tell you that they are generally disinterested in learning anything about computer usage beyond how to use word and make a spreadsheet.
That's generally because they use computers as a means unto an end, rather than for their own implicit wonderousness. And it's "uninterested". A disinterested judge listens to both sides equally, an uninterested one is asleep.

Re:End Users 'Disinterested'? (1)

hey! (33014) | more than 7 years ago | (#18179946)

Actually, users usually appreciate training. What they don't appreciate are roadblocks with time consuming circumvention procedures.

Speaking as a past IT manager, there are times when IT guys and users have completely opposite agendas. The user wants to get the proposal out by the last FedEx pickup. The IT guy want the user to never, ever come to him with this same question again. They're both legitimate aims, but at some times one objective will have to take precedence over the other. In this exchange the IT guy, who has the knowledge, has the power and should have discretion.

The best thing is to get the training out before it is needed.

Security and Safety features (1)

IT 073571 (1069570) | more than 7 years ago | (#18179634)

The programs on Windows are not written properly and so there's a need for UAC and those other security and safety features. There's just too many complex programs which their functions have long been forgotten and so when Microsoft tries to fix the imperfections by editing or taking out the existed codes, something else goes wrong. Until Microsoft finally starts programming a new OS from scratch, we should expect more and more of these so called security and safety features to be created for us by microsoft. This is why when our machines are infected, Microsoft points finger at us because it is our own fault since they have already provide to us all these security and safety features. Sure there's benefits of these features, but they are inconvience for us since they do bug us on what we want them to do (such as those popup messages).

Re:Security and Safety features (1)

kabdib (81955) | more than 7 years ago | (#18181364)

Who does an OS from scratch? Why on earth would you want to?

(Yes, I can name a few reasons: You want ".NET or Java or Smalltalk or LISP all the way to the metal," or you have some nifty hardware for which no existing kernel or porting layer will work, or you have an embedded system where you need to control every CPU cycle, or you simply want to learn how to write an OS. All valid).

I'll bet that less than 1 percent of /. readers have any code in any OS-level stuff, including device drivers and school projects. Until you've been down near the metal you have no clue about what's going on; talk is cheap.

A new OS means you don't have driver support (unless you leverage existing ones with a compatibility layer -- good luck on that), your development tools probably suck for a long time during bringup, you have to deal with real world issues of badly designed hardware, buggy chipsets and undocumented, murky corners where the people you need to talk to are either sealed-up behind corporate walls or (ahem) have better things to do than talk to whiners.

We definitely need new OS research. Unix essentially killed fundamental OS research for fifteen years in the late 70s and 80s because it was just too easy to do a port of something (yes, I'm aware of MACH and a bunch of other stuff in that time-frame, but so much more could have been done had grad students not been playing rogue all the time :-) ). What the heck happened to decent database integration? (Ans: Unix I/O and file system support sucked for /decades/; this is an area where you really want your OS to provide services to make transactions and messaging really cheap, and it didn't bloody start happening until the late 90s). Don't get me started on zero-copy TCP/IP, timers or prioritized I/O. Man.

As usual, Microsoft misses the point (3, Insightful)

Alex Belits (437) | more than 7 years ago | (#18179674)

Following the example of two of the most annoying programs ever, ZoneAlarm and Norton Firewall, Microsoft implements a feature that requests a permission to do something from the person least likely able to make an informed choice, and absolutely not interested in knowing about it -- current desktop user. However in ZoneAlarm the reason for this is psychological -- if ZoneAlarm didn't constantly remind user that something is threatening his precious computer, user wouldn't know if ZoneAlarm does anything useful at all. In Vista it's pointless because it's not like user has a choice of buying or not buying some feature with it.

There are few specific APPLICATIONS, explicitly called by the user, that may have to run with elevated privileges, and beyond them there is nothing that is supposed to access system settings, write configuration files or executables. If anything other than those few select applications try to do that, user shouldn't be asked -- the action should be denied, just like it always was in Unix and occasionally even in Windows. If someone has to edit any system files, he knows that he has to run editor as administrator -- and if he doesn't, he has no reason to manually edit them in the first place. If someone runs installer, installer always has to run as administrator.

The reason why Gnome and KDE desktops have password dialogs is not to ask user if he does or doesn't want to do something privileged -- of course, he does if he just started some administrative application. It's to ask him for a password that malicious application or user with no sudo access can't enter by themselves, and to give him the application's name so he can be sure that the application that will run is the same application that he just asked for. The dialog can just as well be a captcha for users that can't remember their own passwords -- the point is to confirm that a program is started by a real human user in front of the keyboard. A piece of malware can run gksudo, and user will see the dialog with a program that he didn't run -- it's assumed that he will cancel it if he doesn't recognize the name. But this is actually a suboptimal use of sudo, a limitation of typical sudoers file configuration. A much better idea will be to supply sudoers file with all possible applications and arguments that may be used in this manner -- then anything else will be simply denied without any user's interaction, or user will be just notified that something tried to run gksudo with invalid arguments.

While the decision that administrative application may still run at reduced privileges unless it does something that requires true administrative access is a good idea, switching between those modes is not something that should be asked from user -- it should be asked at the very beginning when application starts, and should be done only for administrative applications.

Re:As usual, Microsoft misses the point (1)

Actually, I do RTFA (1058596) | more than 7 years ago | (#18183676)

It's to ask him for a password that malicious application or user with no sudo access can't enter by themselves, and to give him the application's name so he can be sure that the application that will run is the same application that he just asked for."

Actually, that's exactly what ZoneAlarm does on my system. "iTunes.exe wants to access the internet, Allow or Deny?"

And if I allow something to access the internet, it can access the LAN. If it can run as a server on the internet, it can access the internet. Actually, I think it's the best UI I've seen for permissions.

Re:As usual, Microsoft misses the point (1)

jp10558 (748604) | more than 7 years ago | (#18186002)

And the best part IMHO, and the part that Microsoft missed, is that it A) can save your answer and automatically apply it in the future - and matches a program hash to make sure it's the same program and b) per program.

This all gets down IMO to the need for per process permissions, such as what CoreForce tries to do.

Re:As usual, Microsoft misses the point (1)

Alex Belits (437) | more than 7 years ago | (#18186372)

As I have explained, the problem is, user can't make an informed decision when in the middle of running a program he gets this question. iTunes accesses the Internet because iTunes is supposed to -- so if someone really thinks that there should be a "firewall" that keeps some applications from accessing the Internet, LAN or whatever else, the decision should be made even before the application is installed. Worse yet, some applications are not supposed to be interactive in the first place, yet they have to talk to the network, so having this dialog waiting for weeks when some application is trying to download its first update is something opposite to good security policy.

With administrative applications, of course, things are even easier -- there are few of them and they are easy to identify.

Re:As usual, Microsoft misses the point (1)

jp10558 (748604) | more than 7 years ago | (#18186034)

Interesting, Sudo For Windows does allow a list of allowed apps and a regular expression for the allowed arguments.

What about PowerShell? (1)

Yuioup (452151) | more than 7 years ago | (#18179718)

I'm a casual Ubuntu user and when you try to do something in Ubuntu you have to do "sudo blablabla". You fill in your password once and it doesn't ask you again until you open another terminal. In the user-interface you have to fill in your password for any action you do on screen.

But... what if Windows users got accustomed to PowerShell and decided to do everything from the command line. What happens then? I haven't tested it to see what happens but what if an ubuntu-like solution could be built into PowerShell?

Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

PS C:\>sudo freeporn.exe
Password:

You now have free pr0n!
PS C:\>

Re:What about PowerShell? (0)

Anonymous Coward | more than 7 years ago | (#18180474)

Windows has the same thing: right click on the cmd program and choose run as Administrator.

Re:What about PowerShell? (1)

jp10558 (748604) | more than 7 years ago | (#18186078)

There is also a program called Sudo for Windows that allows configurable credential caching time.

Shift of responsibility (1)

ThePhilips (752041) | more than 7 years ago | (#18180056)

the UAC to be useful, the user needs to have a fair amount of knowledge about: what the UAC is; what application it is blocking; the consequences of blocking the action; and an alternate approach if the blocked action did something useful.

Mod me down, but UAC is another excuse M$ came up with to be able to say "Users are lame: we have warned them but they still clicked confirm."

No security system works that way. That's why impersonation was introduced into OSs (NT included) long time ago. Accounts are setup for particular tasks with limited set of privileges. Depending on the work user does, he log-ins under different account. This is not perfect, but best what people came up with.

And that works for Unix and MacOSX - and nobody's complaining. But M$... It seems to me priority of M$ is not to make system people can use and feel safe (if they do nothing extraordinary), but to create a better platform fitting to ActiveX. UAC serves no other purpose and achieves nothing else.

M$ did take user's complain literally: before in Win9x/NT times ActiveX might have worked in background w/o user knowing that something was brewing up. Now users are notified with nice UAC dialogs that something is happening - and what is happening identified with 32 digit GUID... Very user friendly, I'd say.

Re:Shift of responsibility (0)

Anonymous Coward | more than 7 years ago | (#18180206)

Yeah cause telling some n00b to type something like

sudo rm -rf /*

Is really different than UAC prompts? Ok so maybe it asks for a password (or not if you're on an ubuntu live cd for example)

(the above rm command might be wrong because im a semi-n00b in linux, and ive never wiped all the files in my root directory, but you get the idea)

DoS (4, Interesting)

zebs (105927) | more than 7 years ago | (#18180146)

Could malware create a DoS by launching random tasks - each one requiring admin level access. Would this then repeatedly prompt the user for admin permissions?

No password asked... (2, Informative)

descubes (35093) | more than 7 years ago | (#18180476)

One big difference between UAC and "sudo" or the MacOSX security dialog is that UAC does not ask for a password. Minor convenience (well, probably serious convenience given how frequently UAC pops up today), but major risk. I can leave my Mac or Linux box to someone that does not know the password, without instantly making him / her an administrator on my machine. The same is not true with Vista + UAC.

Re:No password asked... (1)

Dilly Bar (23168) | more than 7 years ago | (#18181610)

UAC asks for a password unless you are an administrator level account. By default you will run as a non-admin and UAC will prompt for an admin username/password.

It's a deeper difference than that... (2, Informative)

argent (18001) | more than 7 years ago | (#18182764)

An OS X "Administrator" account is not like a Windows "Administrator" account. Under OS X, when you provide an administrator account and password to this kind of dialog what it is actually doing is granting you the permissions, at the OS level, to perform the action. Without going through this dialog even an "administrator" doesn't actually have the rights to perform it.

That is, in OS X this dialog is authorizing you to perform the action. If you are already authorized (that is if you were careless enough to run as root - the only real "administrator" account in the Windows sense) you shouldn't be presented with a dialog at all, because it's not asking you to *approve* an action you're already authorized to perform.

The difference between authorization and approval dialogs is obscured by dialogs like the UAC one that are sometimes authorization and sometimes approval dialogs.

But it's an important one. Approval dialogs are never necessary, technically, they're just there to try and give the user a "last chance" to keep a program from doing something that's possibly dangerous and may be irreversible. Whenever they exist, they should be a red flag, and an indication that the program may need to be restructured so the dangerous or irreversible operation doesn't happen.

For example, instead of deleting a file, move it to a location to be deleted later. Give the user the opportunity to look in that location and restore the files.

AND WHEN YOU HAVE DONE THAT, REMOVE THE APPROVAL DIALOG YOU DON'T NEED ANY MORE.

Sorry for shouting, but I still can't believe that someone thinks it's a good idea for Windows to ask you if you want to move a file to the trash.

Security people should read this presentation (3, Insightful)

GauteL (29207) | more than 7 years ago | (#18182038)

I just recently found a very interesting and scary presentation about security and phishing [auckland.ac.nz] .

Basically computer software has conditioned us to automatically press Ok in any dialog and there is nothing we can do about this. Automated actions by the user is inevitable and is present in every action in our life.

Nobody remembers if they locked the door or not and if you put "If you reach under your chair you will find $500" in a popup dialog, nobody is going to notice it.

From what I think I got from the presentation:
* If you want warnings to be at all effective, avoid "false positives" at all costs. That is: Never show the user popups like: "you are sending information unencrypted over the network" (or whatever the IE dialog says) when you press a submit form on a web site, because people don't care and they will learn to ignore all such popups, even the important ones. The UAC is extremely guilty of this.
* Some good insight into decision makers by users. Hint: people generate options one at a time and reject options that don't work. They never compare options but take the first one that works. This is called singular evaluation approach and is heavily taken advantage of in marketing. Software makers and web site creators should learn from this and modify their web sites accordingly.

LImited options (2, Insightful)

cdrguru (88047) | more than 7 years ago | (#18182828)

Microsoft clearly had limited options for "increasing security" as an objective. If you think back a long ways you can see the effects of some of these choices on other platforms.
  1. The obvious choice would have been to break compatibility and force everyone to buy new software. Nothing from Windows XP would work on Vista if it did anything that required "rights" above those of a ordinary user.
  2. It might have been possible to not break compatibility completely but to heavily restrict the API in ways that actually would break many, many applications. This wouldn't be unexpected because Microsoft has said over and over not to go outside of the Win32 API - but everyone does it. Again the result would likely be massive numbers of applications would fail.
  3. Finally, what they did was something that was possible without breaking any compatibility. If the program wants to do something restricted, just warn the user and let it. For many (if not most) applications this means putting a blanket wrapper around the install which has been done. Not very effective but almost zero application breakage.

Apple has in recent memory broken compatibility twice. The latest processor switch doesn't seem to have made much of a difference in hard-core Mac users - after all, they were punished with the PowerPC switch not very long ago and stuck around. However, the prospect of re-buying all the software for most people and companies isn't an attractive one. Certainly for security, emulation wouldn't be an available option. Apple, perhaps not completely a result of these compatibility breakages but nevertheless a factor, has about 4% of the personal computer market.

IBM has had an extremely long run with the same external processor architecture. Today, if you buy a IBM mainframe system it runs essentially a superset of the System/360 instruction set. A program that was written for OS/360 in 1965 stands a very good chance of running today. IBM has had since the 1960's such a commanding lead in the mainframe market so as to push all other vendors out of the business completely, or to force them to jump through IBM's hoops by being completely compatible. It is unthinkable today to even look at a mainframe system that would not be IBM-compatible. For practical purposes, IBM has 100% of the market.

OK, so which model makes the most sense? Apple with 4% or IBM with 100%? Periodic breaks in compatibility requiring new software or continuous software compatibility for 50 years? There are clearly differences between the personal computer and mainframe markets, but the similar effects of a break in compatibility are quite instructive.


Why do you think Microsoft has stuck with compatibility for the last 20 years and pushed other considerations aside? Could it be they really like having nearly 100% of the market?

Malware havoc without elevated privilege? (1)

Kazoo the Clown (644526) | more than 7 years ago | (#18184796)

Can't malware cause plenty of pain even without the need to elevate it's privilege? How does UAC keep malware from deleting or inserting spam in files the user doesn't need elevated privilege to edit?

Value of UAC (1)

rlp (11898) | more than 7 years ago | (#18185164)

It improves the perception of security. That way marketing has a bullet item to use in advertising and sales presentations. On a more positive note, it's provided marketing collateral for Apple as well ("Cancel or Allow"). Too bad no one at Microsoft noticed how Linux handles authorization for administrative tasks.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>