RE: ANS: "What's the deal with UAC (Windows Needs Your Permission scre
"Jimmy Brush" wrote:
> I've noticed that a lot of the questions in these newsgroups are either
> directly or indirectly related to UAC (User Account Control). In this post,
> I will go over what UAC does, how it works, the reasoning behind it, how to
> use your computer with UAC on, why you shouldn't turn UAC off, and answer
> some common questions and respond to common complaints about it.
> * What is UAC and what does it do?
> UAC mode (also known as Admin Approval Mode) is a mode of operation that
> (primarily) affects the way administrator accounts work.
> When UAC is turned on (which it is by default), you must explicitly give
> permission to any program that wants to use "administrator" powers. Any
> program that tries to use admin powers without your permission will be
> denied access.
> * How does UAC work
> When UAC mode is enabled, every program that you run will be given only
> "standard user" access to the system, even when you are logged in as an
> administrator. There are only 2 ways that a program can be "elevated" to get
> full admin access to the system:
> - If it automatically asks you for permission when it starts up, and you
> click Continue
> - If you start the program with permission by right-clicking it, then
> clicking Run As Administrator
> A program either starts with STANDARD rights or, if you give permission,
> ADMINISTRATOR rights, and once the program is running it cannot change from
> one to the other.
> If a program that you have already started with admin powers starts another
> program, that program will automatically be given admin powers without
> needing your permission. For example, if you start Windows Explorer as
> administrator, and then double-click on a text file, notepad will open and
> display the contents of the text file. Since notepad was opened from the
> admin explorer window, notepad WILL ALSO automatically run WITH admin
> powers, and will not ask for permission.
> * What's the point of UAC?
> UAC is designed to put control of your computer back into your hands,
> instead of at the mercy of the programs running on your computer.
> When logged in as an administrator in Windows XP, any program that could
> somehow get itself started could take control of the entire computer without
> you even knowing about it.
> With UAC turned on, you must know about and authorize a program in order for
> it to gain admin access to the system, REGARDLESS of how the program got
> there or how it is started.
> This is important to all levels of users - from home users to enterprise
> administrators. Being alerted when any program tries to use admin powers and
> being able to unilaterally disallow a program from having such power is a
> VERY powerful ability. No longer is the security of the system tantamount to
> "crossing one's fingers and hoping for the best" - YOU now control your
> * How do I effectively use my computer with UAC turned on?
> It's easy. Just keep in mind that programs don't have admin access to your
> computer unless you give them permission. Microsoft programs that come with
> Windows Vista that need admin access will always ask for admin permissions
> when you start them. However, most other programs will not.
> This will change after Windows Vista is released - all Windows Vista-era
> programs that need admin power will always ask you for it. Until then, you
> will need to run programs that need administrative powers that were not
> designed for Windows Vista "as administrator".
> Command-line programs do not automatically ask for permission. Not even the
> built-in ones. You will need to run the command prompt "as administrator" in
> order to run administrative command-line utilities.
> Working with files and folders from Windows Explorer can be a real pain when
> you are not working with your own files. When you are needing to work with
> system files, files that you didn't create, or files from another operating
> system, run Windows Explorer "as administrator". In the same vein, ANY
> program that you run that needs access to system files or files that you
> didn't create will need to be ran "as administrator".
> If you are going to be working with the control panel for a long time,
> running control.exe "as administrator" will make things less painful - you
> will only be asked for permission once, instead of every time you try to
> change a system-wide setting.
> In short:
> - Run command prompt as admin when you need to run admin utilities
> - Run setup programs as admin
> - Run programs not designed for Vista as admin if (and only if) they need
> admin access
> - Run Windows Explorer as admin when you need access to files that aren't
> yours or system files
> - Run programs that need access to files that aren't yours or system files
> as admin
> - Run control.exe as admin when changing many settings in the control panel
> * UAC is annoying, I want to turn it off
> Having to go through an extra step (clicking Continue) when opening
> administrative programs is annoying. And it is also very frustrating to run
> a program that needs admin power but doesn't automatically ask you for it
> (you have to right-click these programs and click Run As Administrator for
> them to run correctly).
> But, keep in mind that these small inconveniences are insignificant when
> weighed against the benefit: NO PROGRAM can get full access to your system
> without you being informed. The first time the permission dialog pops up and
> it is from some program that you know nothing about or that you do not want
> to have access to your system, you will be very glad that the Cancel button
> was available to you.
> * Answers to common questions and responses to common criticism
> Q: I have anti-virus, a firewall, a spyware-detector, or something similar.
> Why do I need UAC?
> A: Detectors can only see known threats. And of all the known threats in
> existence, they only detect the most common of those threats. With UAC
> turned on, *you* control what programs have access to your computer - you
> can stop ALL threats. Detectors are nice, but they're not enough. How many
> people do you know that have detectors of all kinds and yet are still
> infested with programs that they don't want on their computer? Everyone that
> I have ever helped falls into this category.
> Q: Does UAC replace anti-virus, a firewall, a spyware-detector, or similar
> A: No. Microsoft recommends that you use a virus scanner and/or other types
> of security software. These types of programs compliment UAC: They will get
> rid of known threats for you. UAC will allow you to stop unknown threats, as
> well as prevent any program that you do not trust from gaining access to
> your computer.
> Q: I am a system administrator - I have no use for UAC.
> A: Really? You don't NEED to know when a program on your computer runs with
> admin powers? You are a system administrator and you really could care less
> when a program runs that has full control of your system, and possibly your
> entire domain? You're joking, right?
> Q: UAC keeps me from accessing files and folders
> A: No, it doesn't - UAC protects you from programs that would try to delete
> or modify system files and folders without your knowledge. If you want a
> program to have full access to the files on your computer, you will need to
> run it as admin. Or as an alternative, if possible, put the files it needs
> access to in a place that all programs have access to - such as your
> documents folder, or any folder under your user folder.
> Q: UAC stops programs from working correctly
> A: If a program needs admin power and it doesn't ask you for permission when
> it starts, you have to give it admin powers by right-clicking it and
> clicking Run As Administrator. Programs should work like they did in XP when
> you use Run As Administrator. If they don't, then this is a bug.
> Q: UAC keeps me from doing things that I could do in XP
> A: This is not the case. Just remember that programs that do not ask for
> permission when they start do not get admin access to your computer. If you
> are using a tool that needs admin access, right-click it and click Run As
> Administrator. It should work exactly as it did in XP. If it does not, then
> this is a bug.
> Q: UAC is Microsoft's way of controlling my computer and preventing me from
> using it!
> A: This is 100% UNTRUE. UAC puts control of your computer IN YOUR HANDS by
> allowing you to prevent unwanted programs from accessing your computer.
> *Everything* that you can do with UAC turned off, you can do with it turned
> on. If this is not the case, then that is a bug.
> Q: I don't need Windows to hold my freaking hand! I *know* what I've got on
> my computer, and I *know* when programs run! I am logged on as an
> ADMINISTRATOR for a dang reason!
> A: I accept the way that you think, and can see the logic, but I don't agree
> with this idea. UAC is putting POWER in your hands by letting you CONTROL
> what runs on your system. But you want to give up this control and allow all
> programs to run willy-nilly. Look, if you want to do this go right ahead,
> you can turn UAC off and things will return to how they worked in XP. But,
> don't be surprised when either 1) You run something by mistake that messes
> up your computer and/or domain, or 2) A program somehow gets on your
> computer that you know nothing about that takes over your computer and/or
> domain, and UAC would have allowed you to have stopped it.
> - JB
> Vista Support FAQ