Disable UAC - Windows 7

Have never read any threads either where people have got malware etc. just because they had UAC disabled. The only threads I ever read where people have spyware/viruses is due to them not having an AV or just a crap one installed and/or no firewall at all.

UAC can help to contain an infection. Running every executable as administrator is absolutely stupid. It's like being a Linux user and running as root instead of a standard user account, you'll get laughed at.

Oh and imo AV is essential, no matter how knowledgeable you may be with software, computers etc. There have been a few sites (not dodgy ones either) where the banners have triggered NOD's real time protection and instantly blocked or quarantined the spyware/virus.

Did you bother to investigate further? It was probably just a silly script. It's 100% possible to run without A/V once a person has the right knowledge.
 
That's because they (stupidly) don't feel the need to mention it or, when asked, they deny ever disabling it. The former are those who are still in denial that UAC provides any level of protection for them, and the latter are those who actually start using UAC once they've reinstalled or cleaned the infection.

:confused: :o

What a bizarre thing to say.......

Why on earth would people not mention if they had disabled it? Do you honestly think they aren't telling the truth? Even though they will want to get their system back to normal as soon as possible with the least amount of effort involved and therefore would answer all questions truthfully surely?

If it were me, I would admit that UAC was disabled especially if I wasn't knowledgeable in software, PCs etc.


Ok, well let's just say that they are "lying", what about my friends' laptops then, which got infected despite having UAC enabled? And I KNOW that it was enabled because it was I who set the laptops up for them when they got them, I just left UAC as it was and the other security stuff as well, one of them doesn't have a clue about PC stuff and hence his laptop got infected the same way as mrk's cousin's laptop and the other one who is a bit more knowledgeable and knows not to install/run dodgy things etc. still got infected.

Do you honestly think that UAC by Microsoft is the almighty security protection and that there is no need for anything else?

UAC can help to contain an infection. Running every executable as administrator is absolutely stupid. It's like being a Linux user and running as root instead of a standard user account, you'll get laughed at.

Did you bother to investigate further? It was probably just a silly script. It's 100% possible to run without A/V once a person has the right knowledge.

Nope, no need to do anything, nothing pops up asking me a hundred times if I want this to run or not, it is simply a tiny notification, which tells me that it has blocked/quarantined something and I continue to browse as normal :)

Well, you can take that chance, but when you install NOD or better, you may get a few little surprises during a full scan ;)


Just like my friend who decided to turn off the firewall and the AV because it wasn't letting him connect to the internet, and guess what? Next day laptop was running extremely slowly, had hardly any space on his drive left and constantly got pop ups etc. I had to install an AV, spyware terminator software and after a few hours, he had several viruses and a ton of spyware on his laptop (oh and he had UAC enabled, SHOCKER!), in the end I just did a fresh install of 7, disabled UAC, put comodo, peerblock and some free AV on his laptop and he hasn't had a problem since then and this is well over 2 years ago now :)

Just like my set-up, which is years old now as well and is still as fast, smooth and problem free, almost as if it were a brand new system :)


Anyway, why does it offend you 2 so much that people dare to turn off the almighty UAC? Does it really matter? Some users may need/want it, others don't and we have perfectly good reasons not to have it on either, just like the reasons people keep it on.

I just find it bizarre that some find it to be the best there is for security and that there is no need for anything else despite my experience with it UAC etc.
 
There is actually UAC-aware malware now. Yes, malware that can run without needing elevation.

They work by firstly exploiting a vulnerability in an old Flash or Acrobat browser plugin. From there, they drop their executable binaries into your user's "Temp" folder. Then they modify your file types so that whenever you run a .exe file it gets routed through the malware's executable in a sort of transparent fashion. The malware also hooks onto the explorer.exe process as a means of staying memory resident.

It's basically one way of creating an elevation-not-needed "user-mode rootkit". Memory resident and hooking all .exe executions.

The good thing is that it is also ridiculously easy to disinfect. And I did just that within 10 minutes for a friend (running W7 with UAC on full).

If he hadn't been running UAC the infection could have been far far worse. Possibly requiring a complete format.

I have since informed him that Flash and Acrobat are the least secure items on any Windows PC. That they are more important to keep up to date than even Windows itself. He now runs Chrome which keeps those two components always updated.
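
The post above describes malware that reroutes every .exe launch through a per-user file-type association, which needs no elevation because `HKCU\Software\Classes` is writable by a standard user. As an added example (not part of the original post), this Python check scans the text of a `reg export HKCU\Software\Classes` dump for that redirection; the sample export, its ProgID and its path are constructed for illustration.

```python
import re

ROOT = r"hkey_current_user\software\classes"
NORMAL_COMMAND = '"%1" %*'   # stock exefile handler: run the file that was clicked

# Constructed sample of `reg export HKCU\Software\Classes out.reg` output
# (ProgID, path and file name are made up for illustration).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\example\\AppData\\Local\\Temp\\xyz.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
"""

def _unescape(s):
    # .reg string values escape quotes and backslashes with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def _decode_hex(data):
    # hex(1)/hex(2) values are comma-separated UTF-16LE bytes, NUL-terminated
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")

def default_values(reg_text):
    """Yield (key, default value) for each key in the export that sets one."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)   # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            yield key, _unescape(line[3:-1])
        elif key and re.match(r"@=hex\([12]\):", line):
            yield key, _decode_hex(line.split(":", 1)[1])

def find_exe_hijacks(reg_text):
    """Return findings where per-user settings change how .exe files start."""
    values = {k.lower(): (k, v) for k, v in default_values(reg_text)}
    findings = []
    # A per-user .exe key is normally absent; if present it should say exefile.
    progid = values.get(ROOT + r"\.exe", (None, "exefile"))[1]
    if progid.lower() != "exefile":
        findings.append((".exe -> ProgID", progid))
    # Check the launch command of exefile and of any substituted ProgID.
    for verb in ("open", "runas"):
        for pid in dict.fromkeys(["exefile", progid.lower()]):
            hit = values.get("\\".join((ROOT, pid, "shell", verb, "command")))
            if hit and hit[1].strip() != NORMAL_COMMAND:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for key, value in find_exe_hijacks(SAMPLE_EXPORT):
        print(f"SUSPICIOUS  {key}\n            {value}")
```

`reg export` writes UTF-16, so read a real dump with `open(path, encoding="utf-16")` before passing its text in.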
 
Do you honestly think that UAC by Microsoft is the almighty security protection and that there is no need for anything else?

They often are lying yes. As they don't like to admit they were wrong about UAC. It's as simple as that. Sometimes people do admit it (if even just to themselves) and then change their ways and start using UAC.

And no, UAC is not a silver bullet. Nothing is. But if traditional AV software is like firing blanks on a film set, then UAC is like firing an AK-47 or something. UAC actually works and provides real benefits. Of course if the user is so incompetent that they can't aim the gun correctly (ala. clicking Yes to everything) then of course they aren't going to hit anything.

Most other security measures (especially those associated mostly with a commercial industry) are largely snake oil products that are not worth having.

Indeed most AV products actually meet the exact definition of malware because they:

- install kernel hooks
- monitor I/O activity
- hog large amounts of memory
- cause the system to perform slower
- phone home to their creators
- popup annoying dialog boxes at random (often about a .txt cookie file that supposedly contains malware but of course .txt's aren't executable)
- pester you about "renewing your subscription".
- use bizarre non-standard GUIs that blatantly don't comply with Windows Logo standards in terms of accessibility, ease of use and esoteric hardware such as high DPI displays.

The only AV I've ever known that doesn't do the majority of the above on that list is Microsoft's Security Essentials. Whether it is actually any good at detecting malware through signatures etc is another matter that I really don't care about. AV to most people is just a box. As long as it is ticked, they feel all safe and can sleep at night. So if I'm supporting a friend/family member with perhaps a new PC install for them, if they insist on AV then MSE is what they get. Ticks the box. At least if they then get a malware infection they can't blame me for not installing an AV.
 
UAC is completely pointless.

The experienced user doesn't want to see invasive pop ups every time they try to run something, and the inexperienced user will just click Yes every time, thus defeating the object.
 
Define experienced.

I don't know of any experienced IT professional that runs without UAC.

If by experienced you mean "I can build a PC, overclock it, install drivers, therefore that makes me a geek and gives me the right to disable UAC because I know best" then no. That's not experienced.
 
I disable it because I don't like it popping up whenever I want to install and/or run something. I'd also say I'm pretty sensible when it comes to using my PC and don't go on or download from dodgy websites. I've never had an issue since installing Windows 7 near the end of 2009.
 
There needs to be some sort of 'whitelist' even if it's hidden deep that lets you manually specify programs that can run elevated without user input.

Namely 7zip

Like Nathan_E said, a whitelist will never happen because it's treating the symptoms (permissions elevations) without curing the root cause (bad coding of the app). Tell 7zip's devs that they need to make it UAC compliant.
 
Nope, no need to do anything, nothing pops up asking me a hundred times if I want this to run or not, it is simply a tiny notification, which tells me that it has blocked/quarantined something and I continue to browse as normal :)

AKA a false positive. Silly events like that trick the user into believing that the product is doing something useful.

Well, you can take that chance, but when you install NOD or better, you may get a few little surprises during a full scan ;)

I have survived for many years without an A/V product. How? A few simple steps are taken to protect my machine.

- Router
- Windows Firewall
- UAC
- Software incl OS is updated as soon as a patch is released
- There's always virustotal and virtualbox for testing suspicious binaries

Just like my friend who decided to turn off the firewall and the AV because it wasn't letting him connect to the internet, and guess what? Next day laptop was running extremely slowly, had hardly any space on his drive left and constantly got pop ups etc. I had to install an AV, spyware terminator software and after a few hours, he had several viruses and a ton of spyware on his laptop (oh and he had UAC enabled, SHOCKER!), in the end I just did a fresh install of 7, disabled UAC, put comodo, peerblock and some free AV on his laptop and he hasn't had a problem since then and this is well over 2 years ago now :)

An inexperienced user managed to infect his machine? Not a surprise.

Just like my set-up, which is years old now as well and is still as fast, smooth and problem free, almost as if it were a brand new system :)

Ditto but without unnecessary software.

Anyway, why does it offend you 2 so much that people dare to turn off the almighty UAC? Does it really matter? Some users may need/want it, others don't and we have perfectly good reasons not to have it on either, just like the reasons people keep it on.

I just find it bizarre that some find it to be the best there is for security and that there is no need for anything else despite my experience with it UAC etc.

Experienced users do not run everything with admin rights as it is a recipe for disaster. As NathanE pointed out, malware running as a standard user is easy to contain. Windows 7 UAC is non-intrusive and rarely prompts the user to elevate permission. As an individual interested in security, I am always keen to know when and why a particular application isn't content running under my standard user account.
 
I often keep an elevated Command Prompt window around. As any commands I run from there inherit its elevated permissions. Handy if I'm doing lots of nitty gritty commands that would otherwise need elevation one-by-one.
 
My day to day account is a standard user account, it is not a member of any other local security groups other than "users". I have a second account, which is a full administrator. If I'm planning on making some big changes then I will "fast user switch" to my administrator account so I don't have to keep typing in my password.

I rarely see any prompts on my user account, none of the programs I use ever require prompting and if I do do anything that requires it I just enter my administrator credentials.

Personally, I think people are making a big deal out of nothing over UAC, and most programs these days that don't work with UAC (either natively or via a workaround) are not worth using.

So, UAC should be on IMO.
 
I run as a standard user with UAC on and use NOD32. I think on Win 7, fully patching and running UAC is more important than AV software now. If you need to install stuff then it's easy enough to right click and "run as admin" or just log in as another user.
 
Ok, well let's just say that they are "lying", what about my friends' laptops then, which got infected despite having UAC enabled?

Do you honestly think that UAC by Microsoft is the almighty security protection and that there is no need for anything else?

I don't think anybody's saying it is. Nobody's arguing that UAC can single-handedly prevent your PC from getting any malware (especially if you're the type of user who clicks 'yes' to the prompts without reading them anyway!)

What it is is a useful layer of security - and one which doesn't have an awful lot of drawbacks, unless you use apps which still haven't been updated to work with UAC. Plenty of people will use antivirus software - which uses RAM, uses CPU and potentially costs money - but they won't use a fundamental security feature that's built into Windows!
 
Totally proper use of UAC can go almost the whole way to preventing virulent malware infections. Only stopping short of malware that exploits a zero-day privilege escalation vulnerability in Windows, for instance. Thankfully such vulnerabilities are few and far between on Windows thanks to NT's excellent security model. But when they do occur they are patched quickly.

The key to operating with UAC is building up a level of common sense, security awareness and computer literacy that allows one to properly and expertly make use of the UAC functionality. (And this extends to even having control over yourself in a drunken state ;)) I should probably also state that anyone suggesting to disable UAC and replace it with plastic snakeoil Made In Taiwan crapware like "Comodo" and "Peerblock" patently does not possess these skills. So you can safely write off their opinion immediately.

As I said earlier, malware exists today that doesn't actually need UAC elevation in order to successfully cause infection. The difference between these types of malware and more virulent kinds is in how hard they are to disinfect. Unelevated malware cannot nest itself into your system very deeply at all (and it can only infect the current user) and so disinfection is something anyone familiar with tools like Regedit, Autoruns, Process Explorer can do. If you really get stuck (but you shouldn't) then cleanup is as easy as deleting your user account and creating a new one. Likewise it makes the cleanup task substantially easier for snakeoil products that perform automated malware removal. To be honest, it is these types of malware that they remove best. If the malware managed to get elevated, then you'll be very lucky to have automated removal work using your snakeoil product.
 
Their security isn't really that good (yet) and why use it when you can get much better security from other companies for free or/and for a small amount of money?

When it comes to security, it's best to take a layered approach, meaning having multiple defence mechanisms in place. The type of functionality which one piece of software from a particular company offers may be different to that of another. Choosing one of them may mitigate the risk of certain types of attacks, but it may leave you vulnerable to others. This is why it's best to have multiple layers of defences.

What User Account Control helps users to do is to run as a standard user. That in itself is beneficial from a security perspective. Restricting what code can do on the system is the most basic of security principles. If you're running as a full blown administrator, any type of defence mechanisms you have on your system can be circumvented with ease.

The way in which User Account Control helps users to run as standard users is primarily down to the elevation dialogs. Without the elevation dialogs, whenever a user needs to perform an operation which requests administrative rights, they would need to switch to an administrator account to perform that particular operation and then switch back to their standard user account. This would most likely result in the vast majority of users using an administrator account for all of their tasks because they feel it's far too inconvenient to have to switch accounts whenever they need to perform administrative operations.

The elevation dialog aspect of User Account Control alleviates some of this inconvenience while maintaining a reasonable level of security. If a user is launching administrative operations from a standard user account, the Over The Shoulder elevation dialog will appear which will ask them to enter the credentials of an administrator user of the system to continue with that particular administrative operation. However, it is important to be aware that whenever you elevate, you're introducing an insecurity to the system and any malware which is running in that account has the potential of gaining administrative rights due to the opportunities which elevation presents.

This is the standard case of affairs though, elevation is simply there as a convenience to the user, it has absolutely nothing to do with security. If you're not happy with the insecurities which elevation introduces, you can always choose to trade off convenience for security by performing administrative operations in a dedicated administrator account. Assuming there are no security vulnerabilities in Windows, malware which has infected a standard user account will be constrained to within it.

Mark Russinovich said:
*Snip*

However, let’s be clear that no matter how difficult to pull off, the mere possibility of such a breach of a sandbox wall implies that ILs, in and of themselves, do not define security boundaries. What’s a security boundary? It’s a wall through which code and data can’t pass without the authorization of a security policy. User accounts running in separate sessions are separated by a Windows security boundary, for example. One user should not be able to read or modify the data of another user, nor be able to cause other users to execute code, without the permission of the other user. If for some reason it was possible to bypass security policy, it would mean that there was a security bug in Windows (or third-party code that allows it).

It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries. Microsoft has been communicating this but I want to make sure that the point is clearly heard. Further, as Jim Allchin pointed out in his blog post Security Features vs Convenience, Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use.

*Snip*

For instance, having your elevated AAM processes run in the same account as your other processes gives you the convenience of allowing your elevated processes access to your account’s code and data, but at the same time allows your non-elevated processes to modify that same code and data to potentially cause an elevated process to load arbitrary code.

Because elevations and ILs don’t define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

*Snip*

PsExec, User Account Control and Security Boundaries

I like the last paragraph which Mark Russinovich has written because it clarifies User Account Control's purposes whilst addressing those ridiculous, sensationalist, "Oh my god, UAC is by-passable, thus making it completely useless" type articles.

A couple of other articles regarding User Account Control which some people may be interested in.

Inside Windows Vista User Account Control - Mark Russinovich

Inside Windows 7 User Account Control - Mark Russinovich

Security Features vs. Convenience - Jim Allchin
 
I've always disabled it on Vista and disabled it from the day I got W7 (which was on launch day). I find it annoying and I've never ever ever had problems without it.

Many will disagree but this works fine for me :)
 
I had been using a separate User account and UAC elevating it every time I needed to do an admin task, but I got fed up with it about a month ago. I now just run a default admin account with UAC turned off through the control panel.

It was the constant niggles that put me off it. UAC broke application functionality for me unfortunately, and the most noteworthy ones were:

EVGA Precision - would cause precision to randomly crash/close on occasion without warning/error dialog. Unaware of fan temps being monitored and controlled.

EVGA Precision - prevented on occasion, autostart with windows again leading to my gfx card to ramp up the heat.

OCCT - Could never store its log files correctly, as when you're elevated as admin it treats you as that account. Your writes et al are treated as the admin account and saved there, which ends up a mixed bag of settings in the user account and admin account between apps.
Not only that some of the files getting saved there too which quite rightly wouldn't sit well with me if it wasn't my admin account too.

Is there any reason it does this, instead of elevating your user account to admin privileges for the task and performing the tasks while still treating you as the actual account you're logged in as?

Windows Task Manager - Open task manager as a user, elevate "Show processes for all users" with your admin account, right-click a process, open file location.

That one was the pinnacle of reason to turn it off for me, if they themselves can't get it right why should I trust it.
 
Windows Task Manager - Open task manager as a user, elevate "Show processes for all users" with your admin account, right-click a process, open file location.

That one was the pinnacle of reason to turn it off for me, if they themselves can't get it right why should I trust it.

:confused:
 
Windows Task Manager - Open task manager as a user, elevate "Show processes for all users" with your admin account, right-click a process, open file location.

That one was the pinnacle of reason to turn it off for me, if they themselves can't get it right why should I trust it.

What? You had to manually elevate to gain access...
 