Slashdot Mirror
Windows 7 To Dial Down UAC
Barence writes "Engineers working on Windows 7 have admitted Vista's User Account Control was too intrusive, and are promising to tone it down in the forthcoming Windows 7. 'We've heard loud and clear that you are frustrated,' says Microsoft engineer Ben Fathi. 'You find the prompts too frequent, annoying, and confusing. We still want to provide you control over what changes can happen to your system, but we want to provide you a better overall experience.' According to Fathi, when Vista first launched, 775,312 unique applications were producing prompts — so some may be annoyed that it won't be scrapped entirely, but at least Microsoft is listening. The comments echo those of Steve Ballmer, who admitted at a conference in London that 'the biggest trade-off we made was sacrificing security for compatibility. I'm not sure the end-users really appreciated that trade-off.'"
Does it really have to prompt me every single time? After prompting me to run the same program 5 times, couldn't it just ask me if I want to white list that program until the executable changes?
t
Actually, their plan was to make it annoying in order to force developers to fix their apps so they don't require so much administrator access.
It's hard to fault them for their motivation, even if the execution perhaps left something to be desired.
After the system, software is setup and running, I hardly run into any UAC prompt, except for one of the bank applications that for unknown requires admin privilege.
If Vista didn't push for that, we will need admin privileges to run Windows, forever, because of the bad design of applications!
There are, definitely, room for improvements, for example, combining the ActiveX Install prompt with UAC, reducing two to one. Combing the warning of running the Internet downloaded .exe and UAC, and allows a Explorer.exe to have the admin token for a while once granted, for those file manipulation operations.
All in all, I love UAC! It's more convenient than typing "sudo ..." for every commands i need to run at root's right.
Yes, Linux does it right. The problem for Microsoft, however, is this: most programs written to run on Linux are written such that they can run without root-level privileges. Most programs written before the advent of Vista assumed that Administrator privileges were available by default.
That assumption is no longer true. Since the number of programs is so enormous (the 775k mentioned in the summary), it's easier to deal with the privilege-escalation by putting in something like UAC than it is to fix every faulty application. Hopefully, developers have now learned to assume least privileges, so new programs won't require elevated privileges.
I don't think anyone will agree that UAC was the best way to handle the situation, but it sure was the easy way out. As an earlier poster said, better sandboxing could handle the issue better, but it's obvious that the investment (money and potential schedule problems) wasn't worth it from MS's point of view.
Help find a cure for cancer. Join the [H]orde
If you're trying to get permissions correct to eliminate these type of prompts in a corporate environment (or make an app work in a locked down pre-Vista environment) I can't recommend LUA Buglight highly enough. Basically it provides a way to record exactly what rights an application is requesting as you run it. I've used it mostly to get temperamental programs running as locked down users under Citrix but it should work fine to help reduce the amount of UAC messages under Vista.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I have been forced to use vista (since beta) on my machine at work. UAC comes up:
when you install software
when you are getting to the management section (users, groups,etc)
when you run regedit
If you add new desktop to the wallpapers folder
If you run a program that is accessing the 'protected' sections of the computer
That is it for me. When you first get a computer, you set it up the way you want it. You ARE accessing the protected sections. UAC is doing what is was written to do. Once you are finished setting up the computer how often does UAC come up? It comes up for me now when I am remotely managing someone else's computer or I am putting some new software on. That is it. I have 5 people here that think they are using XP since I change the UI to classic. Which is really sad if you think about it. I had to tell the VP as he was complaining how vista sucked and XP on his desktop worked that his machine that we replaced 7 months ago was vista with the classic UI turned on. I think I might be looking for a new jobs soon.....
UAC is as simple as sudo. Except, sudo will remember that you just typed in your password 5 minutes ago so it won't ask again. UAC asks every time.
But you're right, it's not a pain in the ass, and the people who are bitching about it are whiners. OR, maybe they don't know the trick that I know - set the administration password to a null password. That way, UAC doesn't require you to type anything at all. Just click the box and it's gone. You should know why the box popped up. It's your machine, so you should know the password, so asking for it is pointless. If you click on a UAC message without knowing why it's there, that's your fault.
And no, a NULL password is not the same as an empty password. You can send me an empty password theoretically with a string containing just a single null terminator. But how do you send me no password at all? That's like going to the mailbox and seeing it's empty, but just then your mom calls and asks if you didn't get the letter she didn't send you, and you reply that yes, you got no letter. Very Zen.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Exactly! It is like trying to troubleshoot based on those worthless XP error boxes. You hit details and what do you get? The same rundll32 and NTdll no matter what application crashes. I swear those stupid hex codes they used in the old days were more useful! At least with those you could look up the hex code and get a rough idea which subsystem is screwing up. Now I keep dependency walker,diskmon and filemon just to try to figure out a bug.
ACs don't waste your time replying, your posts are never seen by me.
Really, the big problem is that Windows wasn't setup with security in mind in the first place. When Microsoft started to add security, they discovered that the developers were abusing administrator privileges. Sooner or later this was going to happen.
/home. Unfortunately, the occasional program would still try to save user information in Program Files. Now when we make Program Files an administrator only area we have problems.
Between using Windows and Linux, I've noticed that Windows is becoming more Linux/Unix like with every release. With XP the Documents and Settings folder really started to feel like
The UAC issue is an issue that every company has when it does something wrong and tries to fix it. The users and developers get used to doing it the wrong way and it's very difficult to get them to do it right. Microsoft has to go through this pain if it wants to be a serious operating system.
I've seen similar problems in manufacturing. When we try to bring a process under control, the operator at that station will resist and say, "but I've been doing it that way for 20 years!" Then we have to explain that they have been doing it wrong for 20 years. It's very difficult to change your way of doing this after that long. Some companies have tried, but weren't successful. It's painful at the moment, but it will improve. Windows will become a better product because of it.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
You can't really be vague about a file. If I want to gain access to a system file, I pretty much have to do it by name. Also, Windows is blocking it for some reason. Why does that reason have to be hidden?
"Oh, I see you have peon user rights, but you need power user rights to gain access to c:\winnt\notepad.exe"
"______ program needs access to a restricted part of the registry to be able to read/write data.
Cancel/Allow?
(Click here to more details on the requested operation) >>
someapp.exe is trying to request access to HKLM\Software\Microsoft\Windows\CurrentVersion\ProductKey"
And while we are on it... you should at least be able to specify conditional allowance. (Cancel | Allow This | Allow All)
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
No, they specifically broke runas in a command prompt window in vista in favor of the right click -> run as administrator (bing UAC) route.
It was a totally stupid idea. Even going with a runas which then triggered UAC to gain the required privileges would have been a better plan that no runas command.
Bryn
Or words to that effect