Windows Vista Upgrade story

grateful1

Newly Enlightened
Joined
Sep 10, 2008
Messages
71
Turn it off and you lose more than just the UAC prompts, unfortunately. Say goodbye to file-system and Registry virtualization goodies (that help old software be Vista-compatible), say goodbye to Protected Mode on IE7, and say goodbye to a major safeguard against exploits. I see very few people who understand the full ramifications of disabling UAC... they just think they're getting rid of the Continue / Cancel prompts, which they generally resent as some kind of nanny feature aimed at noObs ;)

At my other hangout, every serious computer-security guy I've seen, including a chief software architect at Symantec, views UAC as beneficial and useful. People who've never run any version of Windows in a secure fashion (low-rights account, elevating as needed) don't get it. But I think it was a necessary move to shed the "Administrator-by-default" mode of operation, in light of the dangers in today's world. And it is working, even if it seems a bit ruthless... software makers are letting go of their "my program MUST be run on an Administrator account OR ELSE" attitude. Interesting blog entry

The main problem - aside from the pop-ups - is that it slows the computer down. Every time I've disabled it the pc is more responsive.

I will add, if you do disable it (or at least add programs to the exclude list)...get third party software for protection. Also try something other than IE. Of Windows 7 note here's an interesting article: PDC 2008: Sinofsky acknowledges Vista UAC is a problem, Windows 7 adds options...right from MS.

Now, people go back and forth on these 'hot topics' all the time. Many a blog and report are written. To the user community...make sure you read the instructions and find out the ramifications first.

Heck - would you put a battery in your flashlight, if you weren't sure it took it? ;)
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
The main problem - aside from the pop-ups - is that it slows the computer down. Every time I've disabled it the pc is more responsive.

I will add, if you do disable it (or at least add programs to the exclude list)...get third party software for protection. Also try something other than IE. Of Windows 7 note here's an interesting article: PDC 2008: Sinofsky acknowledges Vista UAC is a problem, Windows 7 adds options...right from MS.

Better advice: if you want to disable UAC, then also create a Standard User account and use that Standard User account for all daily-driver use of the computer. Reserve the Administrator-level user account only for Admin duties, such as installing/removing software and hardware, system maintenance, and nothing else. If your version of Vista supports Software Restriction Policy (SRP), add that as shown here. And sure, use antivirus software too.

A non-Admin account plus SRP is particularly powerful. There's no detectable performance impact, no cost, no signature updates needed, entirely proactive and arbitrary protection. Plus it allows the use of conventional security measures (firewall, antivirus, antispyware) without conflict, and protects those other security measures from attack or tampering. Windows 7 will also have an enhanced version of SRP called AppLocker. For those who cannot use SRP, using a non-Admin user account is still a very powerful layer of defense, and that goes for every desktop OS, including Mac, Linux and Windows :tinfoil:

Regarding UAC being a "problem," Microsoft says that, to some extent, it's a transitory problem caused by software that doesn't work without Admin privileges, and they see that rapidly changing. As for the UAC prompts that are necessary for Windows security, well... there will always be people who resent security prompts, because that's not how Windows95 worked :shrug:

Impact on the software ecosystem

UAC has resulted in a radical reduction in the number of applications that unnecessarily require admin privileges, which is something we think improves the overall quality of software and reduces the risks inherent in software on a machine which requires full administrative access to the system.

In the first several months after Vista was available for use, people were experiencing a UAC prompt in 50% of their "sessions" - a session is everything that happens from logon to logoff or within 24 hours. Furthermore, there were 775,312 unique applications (note: this shows the volume of unique software that Windows supports!) producing prompts (note that installers and the application itself are not counted as the same program.) This seems large, and it is since much of the software ecosystem unnecessarily required admin privileges to run. As the ecosystem has updated their software, far fewer applications are requiring admin privileges. Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149.
Read more here. As noted, Windows 7 will add more UAC options. As a pure speculation, I think you might see them in SP2 for Vista as well, but I don't know, and if I did, I would be obligated not to tell ;)
 

Alaric Darconville

Flashlight Enthusiast
Joined
Sep 2, 2001
Messages
5,377
Location
Stillwater, America
Better advice: if you want to disable UAC, then also create a Standard User account and use that Standard User account for all daily-driver use of the computer. Reserve the Administrator-level user account only for Admin duties, such as installing/removing software and hardware, system maintenance, and nothing else. If your version of Vista supports Software Restriction Policy (SRP), add that as shown here. And sure, use antivirus software too.

A non-Admin account plus SRP is particularly powerful. There's no detectable performance impact, no cost, no signature updates needed, entirely proactive and arbitrary protection. Plus it allows the use of conventional security measures (firewall, antivirus, antispyware) without conflict, and protects those other security measures from attack or tampering. Windows 7 will also have an enhanced version of SRP called AppLocker. For those who cannot use SRP, using a non-Admin user account is still a very powerful layer of defense, and that goes for every desktop OS, including Mac, Linux and Windows :tinfoil:

Regarding UAC being a "problem," Microsoft says that, to some extent, it's a transitory problem caused by software that doesn't work without Admin privileges, and they see that rapidly changing. As for the UAC prompts that are necessary for Windows security, well... there will always be people who resent security prompts, because that's not how Windows95 worked :shrug:

You're one of the (all too) few people to recommend that people not use admin rights for their day-to-day tasks. It's as if people think checking their email and playing World of Warcraft are administrator tasks.

I still use XP, and use the "RunAs" function quite a bit (and made an "su.bat" to simplify things.)

What bothers me is there is still a large amount of (poorly-written) software that requires admin rights to both install AND to run. Many of those can be 'fixed' by using cacls to give members of the Users group "Change" access to that program's directory, as well as modifying its Registry keys, but that's still a hassle. I have to question why software really needs Administrator rights to run it, particularly games and apps like "UPS Worldship" (the latter causing a huge battle at a former employer where they wanted to add their shipping staff to the Administrators group just because they needed that software. I fixed it with the change in the access controls for the Registry keys and prevented their unnecessary 'promotion'.)

Unfortunately, so many users simply think it's "cool" to be logged in as Administrator 24/7. Many of them are the first to get WinAntiVirus Pro 200x infections or otherwise suffer a "change in ownership" on their computers...
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
You're one of the (all too) few people to recommend that people not use admin rights for their day-to-day tasks. It's as if people think checking their email and playing World of Warcraft are administrator tasks.

I still use XP, and use the "RunAs" function quite a bit (and made an "su.bat" to simplify things.)

What bothers me is there is still a large amount of (poorly-written) software that requires admin rights to both install AND to run. Many of those can be 'fixed' by using cacls to give members of the Users group "Change" access to that program's directory, as well as modifying its Registry keys, but that's still a hassle. I have to question why software really needs Administrator rights to run it, particularly games and apps like "UPS Worldship" (the latter causing a huge battle at a former employer where they wanted to add their shipping staff to the Administrators group just because they needed that software. I fixed it with the change in the access controls for the Registry keys and prevented their unnecessary 'promotion'.)

Unfortunately, so many users simply think it's "cool" to be logged in as Administrator 24/7. Many of them are the first to get WinAntiVirus Pro 200x infections or otherwise suffer a "change in ownership" on their computers...

Touching on what you mentioned about software like WorldShip: if it can't be resolved in any other way, another option on WinXP Professional Edition or Media Center Edition is to cook up a special shortcut that launches that particular app using an Admin account's credentials. At least it'll be the only app flyin' around with the Admin rights.

You may already have considered this method, here's how it goes for those who haven't looked into it. Does not work on WinXP Home Edition, and does require that the Admin account has a password:

1) make a shortcut to the program, then right-click the shortcut and choose Properties (pic below)

2) in the Target box, add runas /user:name of Admin account /savecred in front of the existing target

3) in the Start in: box, change the location to somewhere that the non-Admin account has privileges to, such as its folder within C:\Documents and Settings.

RUNAS.gif


The first time the app is run, it should put up a command-line prompt asking for the password of the Admin account. The /savecred switch causes that to be stored, so subsequent launches won't prompt for a password. The doctored shortcut can be moved and copied to wherever it's needed. Noteworthy side effect: The program that's being run in this fashion will "see" the file system from the perspective of the Admin account, so for example, the "My Documents" and "My Pictures" and "Desktop" will be those of the Admin account, not of the non-Admin account. From within the program, a user could browse the file system with Admin-level powers.

When I was a sysadmin, I used this method to solve an impasse with QuickBooks, which was adamant about requiring Admin access. I hope they're eating a big slice of humble pie over at Intuit now... :thumbsdow

Interestingly enough, my old Mechwarrior4 games and FarCry have problems running in a non-Admin account on WinXP (MW4 will not start, FarCry will not save games without modifying privileges), but they both work fine on non-Admin accounts in Vista, undoubtedly because of UAC's file-system and Registry virtualization that humors the problem software and lets it think it's got Admin privileges when it really doesn't.
 

Crenshaw

Flashlight Enthusiast
Joined
Sep 14, 2007
Messages
4,308
Location
Singapore
I upgraded so that I could change my computer from Japanese to English, while retaining the Japanese keyboard with dedicated keys for switching languages and changing kanji display modes. :twothumbs

ahhh, at least you have a legitimate reason for doing so..:)

Crenshaw
 

Alaric Darconville

Flashlight Enthusiast
Joined
Sep 2, 2001
Messages
5,377
Location
Stillwater, America
Touching on what you mentioned about software like WorldShip: if it can't be resolved in any other way, another option on WinXP Professional Edition or Media Center Edition is to cook up a special shortcut that launches that particular app using an Admin account's credentials. At least it'll be the only app flyin' around with the Admin rights.

Unfortunately, the savecred switch opens up a huge weakness. Once the Administrator has saved those credentials, the other user can subsequently go to the Run box and type "runas /user:%computername%\name of local Administrator /savecred cmd.exe", and then he's got a command prompt open under the auspices of the Administrator. From there he can just type lusrmgr.msc and then add himself to the Administrators group. Aside from that, he can do a "start iexplore" in some cases to launch a web browser as Administrator (this depends on the "browse new process" Registry key, but that's easy to set for the Administrator account as Regedit becomes available with full access to the Administrator's "current user" keys). He can run control panel applets, the device manager (devmgmt.msc), the computer manager (compmgmt.msc)... savecred is sadly a giant gaping security hole. Granted, it requires the user have some modicum of knowledge about runas to take advantage of it that way, but there are plenty of "junior hackers" out there that can figure that out.
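
An audit for the exposure discussed in the posts above, as an added example that is not part of the thread or any poster's own code: it finds shortcuts whose target is runas with /savecred and lists the saved runas credentials for the current user. The search roots and the `$findings` variable are assumptions made for illustration.

```powershell
# Added example: locate runas /savecred shortcuts and the credentials they rely on.
# Search roots are assumptions; adjust for the profile layout in use
# (C:\Documents and Settings on XP, C:\Users on Vista and later).
$roots = @('C:\Users', 'C:\Documents and Settings', 'C:\ProgramData') |
    Where-Object { Test-Path -LiteralPath $_ }

# WScript.Shell can open a .lnk file and expose its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $isRunas = $lnk.TargetPath -match '(^|\\)runas(\.exe)?$'
            if ($isRunas -and $lnk.Arguments -match '/savecred') {
                # Record the account named in /user: so the admin knows whose
                # saved credential this shortcut depends on.
                $account = if ($lnk.Arguments -match '/user:("[^"]+"|\S+)') {
                    $Matches[1]
                } else {
                    '(not parsed)'
                }
                New-Object PSObject -Property @{
                    Shortcut  = $_.FullName
                    Account   = $account
                    Arguments = $lnk.Arguments
                }
            }
        }
}

if ($findings) {
    $findings | Format-List Shortcut, Account, Arguments
} else {
    'No runas /savecred shortcuts found under: ' + ($roots -join ', ')
}

# The password saved by /savecred lives in the credential store of the user
# who launched the shortcut, so run this part inside each audited account.
# runas entries show up with an "interactive=" target.
if (Get-Command cmdkey.exe -ErrorAction SilentlyContinue) {
    $saved = cmdkey /list | Select-String -Pattern 'interactive='
    if ($saved) { $saved | ForEach-Object { $_.Line.Trim() } }
    else { 'No saved runas credentials for this user.' }
}
```

Any entry reported by the second part can be removed with `cmdkey /delete:` followed by the listed target, after which the shortcut prompts for the password again.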
 

grateful1

Newly Enlightened
Joined
Sep 10, 2008
Messages
71
"What bothers me is there is still a large amount of (poorly-written) software that requires admin rights to both install AND to run."

This is a biggy right here. Not really for the everyday user...but for business users.

In time I'm sure UAC will be much better. Heck, even Norton (Symantec) is looking at its own version. :thumbsup:
 

mechBgon

Enlightened
Joined
Nov 3, 2007
Messages
567
Unfortunately, the savecred switch opens up a huge weakness. Once the Administrator has saved those credentials, the other user can subsequently go to the Run box and type "runas /user:%computername%\name of local Administrator /savecred cmd.exe", and then he's got a command prompt open under the auspices of the Administrator. From there he can just type lusrmgr.msc and then add himself to the Administrators group. Aside from that, he can do a "start iexplore" in some cases to launch a web browser as Administrator (this depends on the "browse new process" Registry key, but that's easy to set for the Administrator account as Regedit becomes available with full access to the Administrator's "current user" keys). He can run control panel applets, the device manager (devmgmt.msc), the computer manager (compmgmt.msc)... savecred is sadly a giant gaping security hole. Granted, it requires the user have some modicum of knowledge about runas to take advantage of it that way, but there are plenty of "junior hackers" out there that can figure that out.

Or for that matter, he could launch executables/etc as Admin by browsing to them using the elevated program, and using their right-click menus. It's certainly not perfect :( In the case of my QuickBooks user, she was the conscientious type who certainly wouldn't try to mess with security.
 

meuge

Enlightened
Joined
Jul 13, 2007
Messages
613
So there is a good ending to this story, I guess.

After my motherboard was replaced, I was able to install Vista without many problems using my home-made bootable DVD. It activated without a problem using the key I purchased, so everything worked out in the end.

I still installed Ubuntu 8.10 over it, for serious work... but so far both gaming and general use have been very favorable on Vista... even despite it being the 64-bit version.

Nonetheless, I highly recommend that anyone who intends to purchase an "upgrade" version of windows, does plenty of research to ensure that they don't have to jump through ten million hoops to install their software.
 

h_nu

Enlightened
Joined
Jul 18, 2004
Messages
444
Location
Virginia
As big as hard drives are now there is no good reason not to try Linux if you are computer savvy. If not, someone you know might be able to help.

I still have an XP partition but usually use Debian Etch for AMD64. My XP has a limited rights user for general use. I only use the root account for installing programs.

I don't have a compelling reason to try Vista yet since my hardware works so well with Debian and madwifi.
 

NA8

Flashlight Enthusiast
Joined
Jun 4, 2007
Messages
1,565
I find it's good to take your time upgrading. Win2k was up to service pack 3 before I became a user. I'm happy to see that the Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149; but I'd just as soon wait for that 168,149 to drop some more.
 

tiktok 22

Flashlight Enthusiast
Joined
Sep 8, 2002
Messages
1,273
Location
Illinois
I refuse to "upgrade" to Vista from XP and "might" consider Windows 7 when it's available. I am running Ubuntu 8.10 on my other desktop and love it. If Ubuntu was a little more polished or had more third party vendor support, I would say goodbye to windows altogether.
 

meuge

Enlightened
Joined
Jul 13, 2007
Messages
613
I find it's good to take your time upgrading. Win2k was up to service pack 3 before I became a user. I'm happy to see that the Customer Experience Improvement Program data from August 2008 indicates the number of applications and tasks generating a prompt has declined from 775,312 to 168,149; but I'd just as soon wait for that 168,149 to drop some more.
UAC prompts don't bother me much, actually. It's not different than "sudo" prompts in Linux. The only problem is that entirely too much software wants higher-level access in Windows. In Linux, you only get prompted if you change settings, or install, delete, or alter software.
 