Windows Mojave!

[Darkwave]

I quoted it and replied to it, not sure how you got the idea that I ignored anything. I know about the secure desktop etc, it's been gone over enough times.

I meant when Fire Wizard explained why UAC does things like blocking you and dimming the screen etc. to prevent hostile programs from "spoofing" (which I assume means confirming the dialog for you and rendering it useless).

To me this sound like a good measure. Obviously not for users on the level of people on this forum though, which is why we have the option to turn it off (or run it passively with TweakUAC, something I only found out about today).

 

[Caged]

My issues aren't even with that though (I have written them previously in this thread). It's that the secure desktop doesn't fade in which would add more polish to the whole process, and that sometimes the UAC prompts load in the background so you have to hunt it out in the taskbar to accept it. Once these get fixed then it should be a nice enough system.

 

[Darkwave]

secure desktop doesn't fade in which would add more polish to the whole process

People would only whinge that it's taking an extra half second out of their day.

and that sometimes the UAC prompts load in the background so you have to hunt it out in the taskbar to accept it

I've not seen this happen myself but I definitely agree that needs fixing.

 

[Caged]

It's easy enough to replicate, if you click on something that you know is going to need elevation then quickly click on another window, the UAC prompt will just flash in the taskbar.

Considering how many annoying Windows apps steal focus, it can't be too hard to prevent UAC doing this.

Regarding the fading on the secure desktop - Vista would be just as useful if everything looked like Windows Classic (let's ignore the 3D acceleration part of Aero), but the devil's in the details. The more polished the experience the nicer it is to use.

 

[Darkwave]

It's easy enough to replicate, if you click on something that you know is going to need elevation then quickly click on another window, the UAC prompt will just flash in the taskbar.

I believe you, but I can't seem to get it to happen if I try to launch CCleaner from my pinned start menu items then quickly click or alt-tab to another window. The prompt comes up. Could this have been fixed in SP1?

 

[Caged]

I'm running SP1 of x64, so I doubt it. I can get it to do it every time if I'm in the Control Panel (where only 1 click is needed to request elevation).

 

[Darkwave]

I'm running SP1 of x64, so I doubt it. I can get it to do it every time if I'm in the Control Panel (where only 1 click is needed to request elevation).

I managed to get it to do it if I click on one of the firewall sub-menus and then alt-tab very quickly, but I still can't get it to happen from clicking. Without sounding cheeky I hope, what CPU and how much RAM are you using?

Edit: LOL, I think I know why it's doing it now. My "flexy-windows and fading menus" and stuff have somehow re-enabled themselves I think, I had them disabled before.

Edit 2: Nope it wasn't those effects, lol. I turned them back off and I could still do it with alt-tab.

 

[Caged]

4GB RAM, Core 2 Duo E8300. It's not a slow system . I also have random issues of delete confirmations opening underneath the folder window that I'm deleting an object from, so it might be part of a bigger issue. Damned if I know what it is though.

 

[Fire Wizard]

I don't have an axe to grind, I'm merely presenting an alternative view to the people who think UAC is perfection when it's far from it.

Hello Caged, I respect yours and anyone's opinion on any subject and to tell you the truth, it's sometimes nice to hear other people's opinion and views on certain subjects because you never know, what someone may say maybe quite an important point. Theirs also the fact that, If people just went along with things as they currently stand, we wouldn't progress very far.

I meant when Fire Wizard explained why UAC does things like blocking you and dimming the screen etc. to prevent hostile programs from "spoofing" (which I assume means confirming the dialog for you and rendering it useless).

Hello Ulfhedjinn, my post was fairly vague so I apologise but hopefully the below statements will clear your query up:

Securing the Elevation Prompt:

The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows Vista. Only Windows processes can access the secure desktop. In addition to the recommendations for administrators and standard users, Microsoft also strongly recommends that the User Account Control: Switch to the secure desktop when prompting for elevation setting should be kept enabled for higher levels of security.

When an executable requests elevation, the interactive desktop (also called the user desktop) is switched to the secure desktop. The secure desktop renders an alpha-blended bitmap of the user desktop and displays a highlighted elevation prompt and corresponding calling application window. When the user clicks Continue or Cancel, the desktop switches back to the user desktop.

It is worthwhile to note that malware can paint over the interactive desktop and present an imitation of the secure desktop, but when the setting is set to prompt for approval the malware does not gain elevation should the user be tricked into clicking Continue on the imitation. If the setting is set to prompt for credentials, malware imitating the credential prompt may be able to gather the credentials from the user. Note that this does also does not gain malware elevated privilege and that the system has other protections that mitigate malware from automated driving of user interface even with a harvested password

Source - Here.

1. Malicious code that spoofs the elevation UI – you can easily imagine that just about anyone with a minimum of Photoshop skills could easily replicate the elevation UI. So you could then imagine that this piece of malicious code downloads itself into your user session when you browse a web page and tries to get you to install it. This code could damage your session and your profile without a full machine install, but it wants a bigger target: your entire machine.

So, it launches its install code and waits for the elevation UI to pop up. On the user desktop, it could very easily overlay its version of the elevation UI to make it look like something that’s trustworthy. So you take a look, see what appears to be Microsoft Windows Update and decide that, of course, you want to allow it to continue (why wouldn’t you?). That won’t happen when the elevation UI is shown on the Secure Desktop. You are protected from these types of spoofing attacks.

2. Malicious code that spoofs the mouse cursor – Believe it or not, it’s not very difficult to manipulate the mouse cursor and that’s the way it was intended so that you can customize the pointer to whatever fits your style. You can hide the real one and show a fake one just about anywhere on the screen. The net result is that the “hot spot” (i.e. the pixel at which the mouse actions truly work on) may not be where you think the mouse is pointing.

So how does this spoofing attack work? You hide the real mouse cursor and show a fake one some number of pixels offset to the real one. So now when the user mouses over the elevation UI attempting to cancel it since the malicious software could brazenly announce itself as “I’m gonna own your PC.exe”, what’s really happening is that the hot spot of the mouse is invisibly over the “Allow” button. Click! Not what you thought would happen. This type of attack is also blocked on the Secure Desktop.

Source - Here.

Obviously not for users on the level of people on this forum though, which is why we have the option to turn it off (or run it passively with TweakUAC, something I only found out about today).

Out of interest, why do you say that User Account Control is not for the level of users on this forum?

 

[Darkwave]

Yeah it's definitely not your machine then, but I still don't get how you're clicking fast enough to do that. I can only do it with alt-tab and that's only if I go Spiderman speed on it.

Out of interest, why do you say that User Account Control is not for the level of users on this forum?

I'm sure it's good for anyone of any proficiency if they want the extra peace of mind.

I just think that more than a few people on this forum are capable of running a computer securely without even using things like UAC, Windows Defender, antivirus software etc. This is why I don't use UAC, at least on my home machine.

It's a common joke on another forum that I use, that the best antivirus software is Common Sense 2008.