Windows 9 (And Pandora) appreciation thread
-
Also, are you sure stuff isn't actually launching elevated? One of the things they did in 7 is to reduce the number of things to which Administrators get access rights; there are folders that only TrustedInstaller can write by default, for example. I wouldn't be surprised to see that pattern extended in Windows 8.
-
Then try to edit it No elevation request! It's just a normal read-only file. But here's the thing--you wouldn't have gotten a UAC prompt anyway, just a Save As dialog to change the name, with the default permission.
Thanks FrostCat. So the security group a user is in has full control but that just means they can save over it only if they run the editor elevated but if an individual user account has full control then they can save over it without having to do so. I would never have guessed. (And that is fucked up.)
-
if an individual user account has full control then they can save over it without having to [elevate] ... that is fucked up
This follows from the design of UAC, which gives user accounts in the Administrators group two security tokens each: one that confers only standard user privileges for normal use, and another for elevated use. Only the second one behaves as if it were actually a member of Administrators.If you think of elevation as actually becoming the Administrators member you thought you were all along, most of UAC's behavior makes more sense.
-
That makes sense.
The point is, I don't need any of that shit for my personal computer. No running online services + knowing not to download iffy shit takes care of 99% of attack vectors out there. Additional headache isn't worth the remaining 1%.
-
Also, you want to talk fucked-up? I'll give you fucked-up. First go read this. That's OK, I'll wait.
Back so soon? Good. Now you need to re-read the part where the guy says "As we mentioned above, the standard user account now has the ability to
run any application as Administrator without entering a password (using
the runas /savecred command to launch any .exe file), so bear that in
mind."Contemplate that for a while.
And yes indeed, you're not mistaken: he said any exe file, and he meant it. Windows contains a mechanism deliberately designed to facilitate privilege escalation exploits.
And not only that: as far as I know, there is no scriptable way to undo the effect of a /savecred short of trashing the entire folder that Windows uses to save credentials in "securely". Such as those used for proxy servers and online logons.
But the fun doesn't end there. If you're using a workstation upon which somebody has done a /savecred using a domain account - say, one with staff-level access rights on your file server - and you log on to a less privileged account - say, one with only student-level access rights on your file server - and the logon script does not explicitly specify the username in any drive mappings it performs: those drive mappings happen using the saved credentials, in preference to those of the user logging on.
And that is fucked up.
-
This is all true in theory.
It's all true in practice too and you did ask "What's the worst that can happen?" and then gave something that wasn't nearly the worst as the answer (a bit pedantic perhaps but not completely). This shit does happen to people.
If there was an epidemic of this going on, you'd have a point.
That depends on your definition of epidemic. Nobody has precise figures but it certainly looks like one to me.
You still need to start editor as Administrator if you want to be able to save.
Or, as FrostCat mentioned, give your specific user account full control.
Which makes me think you UAC people just like the security theater of the UAC warning screens and never actually tried using PC without it.
True but a lot less effort than monitoring processes frequently and more likely to prevent the nasty shit from happening. Monitoring processes is less likely to catch a problem and only after the event when it may be too late.
But see, the problem is UAC doesn't tell you that.
Agreed. It would be much better if it did but others have spoken about the difficulty of doing that.
No slowdowns. No suspicious running processes. No popups jumping up. No one stole my identity or credit card numbers. The usual.
The first three are not likely to appear. A good worm these days does none of those things. If someone had stolen your identity or credit card numbers (or access accounts for public facing servers at work) then it would be too late. And those aren't the worst threats that hackers pose.
The same way you know there's no obsessed stalker following you and watching your every move. Not by building a moat around your property and hiring armed guards, but by just not noticing apparent problems and presuming everything's OK, so you can move with your life. Like a normal person.
I don't agree with that analogy. There's very little similarity. There are millions of people who will try to given a chance and are milliseconds away from you and will not make it known to you that they have until money goes missing and complaints from the public/press/police etc start arriving. That's not true of stalkers. And not turning off UAC is hardly building a moat and hiring armed guards.
Serious questions: how do you know that one of the installers that you gave admin privileges didn't install any of the things you specified? Or that no one has figured out an exploit through one of many holes that NSA had apparently forced Microsoft to leave open?
I'm not too concerned about Microsoft or the NSA. I think I explained clearly who the threat is and what the danger is. I think it's safe to trust Microsoft not to steal my money or to use my computer for hosting child pornography. So, that is is how. I am more careful with installers from less reputable sources.
-
1%
Sometimes, 1% is quite a high percentage. Of course, the risk/hazard analysis is up to you. My original point that your hazard analysis was way out: it's a lot worse then just having to reinstall an OS. The risk analysis is different for everybody.
-
But the fun doesn't end there. If you're using a workstation upon which somebody has done a /savecred using a domain account - say, one with staff-level access rights on your file server - and you log on to a less privileged account - say, one with only student-level access rights on your file server - and the logon script does not explicitly specify the username in any drive mappings it performs: those drive mappings happen using the saved credentials, in preference to those of the user logging on.
I was skeptical so I thought I'd check. This Technet Article: Cached and Stored Credentials Technical Overview says at the very end:
When the operating system attempts to connect to a new computer on the network, it supplies the current user name and password to the computer. If this is not sufficient to provide access, Credential Manager attempts to supply the necessary user name and password. All stored user names and passwords are examined, from most specific to least specific as appropriate to the resource, and the connection is attempted in the order of those user names and passwords. Because user names and passwords are read and applied in order, from most to least specific, no more than one user name and password can be stored for each individual target or domain.
Combined with credentials being stored for the machine as whole and not an individual store for each user, it is extremely fucked up.
The moral of the story, change important passwords frequently or don't use Windows.
-
It's all true in practice too and you did ask "What's the worst that can happen?" and then gave something that wasn't nearly the worst as the answer (a bit pedantic perhaps but not completely). This shit does happen to people.
Ok, so your worst case scenario is, let's say you're running a business based on Windows and bad guys get an access and they siphon off your private customer information and ruin you.
The issue is, where did I ever talk about business use case for UAC?
From my original post:
I'll step out on the side of turning off UAC on my personal computer.
Notice the emphasis. Taking care of things on a business network is a whole different issue. In that case, you're better off setting up unprivileged accounts and managing them through Windows domain policies. I'm not too familiar with that. I'm not sure it's even considered UAC in that context.
My case against UAC is more in the context terms of an individual competent user, on a personal PC.
That depends on your definition of epidemic. Nobody has precise figures but it certainly looks like one to me.
How about anecdotes? How about UAC prevented something bad that wouldn't have been caused by user doing things they shouldn't do?
True but a lot less effort than monitoring processes frequently and more likely to prevent the nasty shit from happening. Monitoring processes is less likely to catch a problem and only after the event when it may be too late.
Yeah but once something passes through UAC screen (let's say, through a hacked installer), you're not getting any additional warnings from it. Since you don't get the specific list of permissions to allow for, the installer will have ensured the virus/keylogger/botnet never needs another UAC request again (running under Admin compatibility mode or whatever).
So you're in the same boat in terms of taking an occasional look at the process list, only with a feel-good security theater to ease you into sloppiness.
The first three are not likely to appear. A good worm these days does none of those things. If someone had stolen your identity or credit card numbers (or access accounts for public facing servers at work) then it would be too late. And those aren't the worst threats that hackers pose.
What's worse than that for a normal user (not business)?
I don't agree with that analogy. There's very little similarity. There are millions of people who will try to given a chance and are milliseconds away from you and will not make it known to you that they have until money goes missing and complaints from the public/press/police etc start arriving. That's not true of stalkers. And not turning off UAC is hardly building a moat and hiring armed guards.
You're paranoid. Sure, there are millions of automatic scripts fishing for easy botnet or bitcoin miner resources. What you're describing is different. I've never heard of a fully automated virus/rootkit able to infiltrate your system and steal your money without someone actually investing personal effort into the operation (social engineering etc). And that doesn't scale and is about as likely as getting mugged on the streets. Not worth carrying a handgun over IMO.
If you have, then fork out some evidence. UAC annoyance would be worth it if this was a real thing.
So, that is is how. I am more careful with installers from less reputable sources.
What does that even mean? UAC doesn't give you enough information or control to "be more careful". You can either trust the installer completely or not.
Unless you're willing to take the time to set up a VM and execute the install there, then monitor the changes and.... blah blah. Not worth it.
-
The issue is, where did I ever talk about business use case for UAC?
The worst-case scenario was not a business use case. You call it paranoid later on. I don't (see below). But, businesses aren't just internal networks: working from home is a common thing; having remote access to servers is a common thing. Security of employees' home computers can be as much a concern for a business as security on their own internal devices.
But I wasn't just talking about that. If you don't use your home computer for anything at all important then, ok, but very many people do. I know of multiple people who have lost email accounts because they were hacked. They have no recourse to getting them back. A relatively minor but very common example.
And if even you don't, the worst-case scenario is still the same (worse than losing lots of money)...
My case against UAC is more in the context terms of an individual competent user, on a personal PC.
Mine is for both.
How about anecdotes? How about UAC prevented something bad that wouldn't have been caused by user doing things they shouldn't do?
It's probably happening all the time but you don't hear the prevented viruses and the damage they would have done or the viruses that don't get noticed, only if they are successful and do something that gets them noticed. That makes such anecdotes impossible.
Yeah but once something passes through UAC screen (let's say, through a hacked installer), you're not getting any additional warnings from it.
Indeed. It is just a layer of protection but a useful one.
What's worse than that for a normal user (not business)?
I told you: your computer becomes part of network used for illegal activity: hacking other computers, spreading the worm, hosting files that would be your worst nightmare, etc, etc. I'm very surprised you don't realise this. Malware has moved on a lot since the 20th century. A lot of it is extremely sophisticated.
I've never heard of a fully automated virus/rootkit able to infiltrate your system and steal your money without someone actually investing personal effort into the operation (social engineering etc).
That's what. for one example of many, Zues is. So no, I don't think it is paranoid. I think it's far more likely than getting mugged on the streets and potentially far more damaging (and I bet you do take some precautions against that on occasions).
What does that even mean?
It means that if I'm installing something that isn't from a reputable source (or indeed if something starts installing unexpectedly) then if it asks for elevated permissions then I get a warning. That means that I can chose then not too proceed with the install or if I chose to proceed I can be wary of it and inspect what it has done and maybe then be vigilant about checking processes, etc. Without UAC I don't see how you would know.
I understand your opinion. What you do with your computer is your choice and weighing up the risks is not scientific. But what you said the hazard was (the worst-case scenario) was far short of the truth in my opinion. However small the risks, the worst-case is a living nightmare.
-
I was skeptical so I thought I'd check.
I was more gobsmacked than skeptical. One school workstation was demonstrating a mysterious ability to access staff resources even with a student logged on, and I eventually tracked down the cause to my having experimented with the use of /savecred on that workstation to do something completely unrelated six weeks earlier.
Silly me for buttuming that /savecred would obviously have to function something like an adaptive self-configuring sudo, as opposed to O HAI KIDS WOW LOOK U CAN EASY FUCK UP THE WEEKLY PLANNER IF U SIT HERE.
-
My case against UAC is more in the context terms of an individual competent user, on a personal PC.
All of us are incompetent from time to time. I don't run my personal Linux desktop environments logged in as root for that very reason; I have never found cause to assume a different risk/benefit analysis applies to Windows.
-
But I wasn't just talking about that. If you don't use your home computer for anything at all important then, ok, but very many people do. I know of multiple people who have lost email accounts because they were hacked. They have no recourse to getting them back. A relatively minor but very common example.
OK, good point.
Buy to me, the root of this particular problem is more the way internet identity works these days (emails hosted by giant companies, with no tangible thread back to you), than the fact someone can guess/steal your password. If I absolutely couldn't afford to lose email account, I would't rush to install UAC and 100 antiviruses on every machine I own, as if that's even possible. I would pay for a real email account with my real name and identity behind it, on the domain I own.
I told you: your computer becomes part of network used for illegal activity: hacking other computers, spreading the worm, hosting files that would be your worst nightmare, etc, etc. I'm very surprised you don't realise this. Malware has moved on a lot since the 20th century. A lot of it is extremely sophisticated.
Yeah, I mentioned botnet. This is detectable through traffic and process activity patterns. Certainly you can detect it once it becomes an issue on your end and shut it down.
It's probably happening all the time but you don't hear the prevented viruses and the damage they would have done or the viruses that don't get noticed, only if they are successful and do something that gets them noticed. That makes such anecdotes impossible.
Really? I was thinking of something like: "There I was minding my own business, when an UAC warning pops up. Uh-oh! It's some process I don't recognize nor remember executing, asking for admin rights! It must be a virus. I better write a blog article about this, so people would know!"
If UAC was truly useful, you would expect many hero-stories like this. But no, it's just people bitching about annoying warnings and being trained to click Allow without reading.
Hell, I had problems coming up with even that contrived example. Most cases where UAC does anything is for the shit you download and run yourself. In which case you already expect UAC warning and just click through.
That's what. for one example of many, Zues is. So no, I don't think it is paranoid. I think it's far more likely than getting mugged on the streets and potentially far more damaging (and I bet you do take some precautions against that on occasions).
OK that one seems nasty. Still haven't heard it become an epidemic. You hear someone getting dinged with about the same frequency as someone getting mugged on the street. So, no reason to worry IMO.
It means that if I'm installing something that isn't from a reputable source (or indeed if something starts installing unexpectedly) then if it asks for elevated permissions then I get a warning. That means that I can chose then not too proceed with the install or if I chose to proceed I can be wary of it and inspect what it has done and maybe then be vigilant about checking processes, etc. Without UAC I don't see how you would know.
But if the program isn't from a "reputable source", why do you run the installer in the first place? Don't you know the source in advance? How does UAC help you there?
"Alllllright, I have tissues and hand lotion ready, now just to download and run this
bitches-with-balloon-tits-hot-xxx[cracked]-setup.exeand I'm good to go.... What's this? UAC says the file requires admin privileges? Oh shucks! I was hoping for some hot mammas action, but since this is from non-reputable source, I better abort. Thank you UAC! You saved my life again!"If something start running unexpectedly is the real use case for UAC, but in my experience, that has yet to happen.
-
All of us are incompetent from time to time. I don't run my personal Linux desktop environments logged in as root for that very reason; I have never found cause to assume a different risk/benefit analysis applies to Windows.
Ok, true. The thing is, there are already enough steps along the way where I can stop and think "Do I really need to download and run this thing?" I don't need another one.
Funnily, I don't mind root/userland separation on Linux. I guess they have better, deeper rooted procedures for doing things securely than Windows. It doesn't feel like afterthought.
Although, from my limited experience with MacOS, I can tell you that dealing with this shit from a purely graphical interface can be just as big of a pain as on Windows (maybe even bigger).
-
Funnily, I don't mind root/userland separation on Linux. I guess they have better, deeper rooted procedures for doing things securely than Windows.
It's a cultural thing. Unix has always had an absurdly simple and therefore easily understood fundamental privilege model: a single superuser account to which no restrictions apply. It's always had a similarly understandable fundamental impersonation model (effective user and group IDs and the setuid and setgid bits) to go with that.
Windows has a far more complex privilege and impersonation model that's been imposed piecewise on a development culture with long-established expectations of being able to operate as a superuser all the time.
Windows has had privilege separation inbuilt since 1993, but it took the forced removal of default superuser powers that arrived with UAC in Vista to make e.g. the big accounting software providers start taking it the slightest bit seriously.
The typical Windows user's emotional reaction to UAC is almost identical to that of the typical Linux user toward SELinux: "too hard, WTF, I don't need this shit, how do I turn it off?"
I think that's a completely normal human reaction to having unaccustomed restrictions imposed, and I think the arguments pro and con that rage back and forth on both these things are informed more by established cultural norms than by solid technical reasoning. To the extent that there are technical reasons to dislike either UAC or SELinux, most of them derive from the bolted-on nature of both those designs.
-
The typical Windows user's emotional reaction to UAC is almost identical to that of the typical Linux user toward SELinux: "too hard, WTF, I don't need this shit, how do I turn it off?"
I think that's a completely normal human reaction to having unaccustomed restrictions imposed, and I think the arguments pro and con that rage back and forth on both these things are informed more by established cultural norms than by solid technical reasoning. To the extent that there are technical reasons to dislike either UAC or SELinux, most of them derive from the bolted-on nature of both those designs.
I don't think so.
In my case, I just decided that the cost of having to click on the UAC screens isn't worth the benefit.
Note that I'm still working as my own local account. I still have to right-click "Run As Administrator" if I want to mess with the system. If this was some kneejerk irrational reaction, I would have just used the Administrator account all the time and had the same experience as on Windows 7/XP.
I think the separation of the Administrator account from the Administrators group is a good thing. I just don't think UAC prompts are worth it.
So, more like a no-password sudoer instead of running as root all the time. IMO that's a good compromise for a home computer.
-
I have single user admin account and UAC off, and things don't run as Administrator by default.
As I posted waaaaaaaaaay up towards the top of this thread, you are Administrator. The "problem" you are encountering is that there is now two levels of Administrator, and you're the wrong level. I'd tell you how to get the right level, but since you don't seem to know how Windows permissions work at all, I'm just going to stay mum and see if you can figure it out on your own. I don't want to be responsible for you fucking up your system.
-
UUuuuh, I wonder what this security policy does...
-
In my case, I just decided that the cost of having to click on the UAC screens isn't worth the benefit.
Riiight. I don't know what you're doing but if you're getting UAC popups so regularly that they're annoying you then you're doing something wrong.
I mean, seriously, what do you do? Install and uninstall a driver every 10 minutes? Modify system files every minute?
This attitude of yours is laughable and moronic.
And if you actually still have to click "run as administrator" even after you disabled UAC then you have just gotten yourself the worst of both worlds: You still have to elevate processes manually and you're not notified if something requests elevated access rights.
How does that even make sense? That's like saying: "Oh, I myself still have to use sudo but if some malware comes along, that will get admin rights automatically!"
-
Thanks FrostCat. So the security group a user is in has full control but that just means they can save over it only if they run the editor elevated but if an individual user account has full control then they can save over it without having to do so. I would never have guessed. (And that is fucked up.)
No, it's exactly like *nix. Adminstrators have write perms by default, regular users don't, to protect both the users and the system. If you want to edit the file, run your editor as an administrator/root. Services file is the exact same way.
-
This follows from the design of UAC
In the case of files like hosts, it, again, has nothing whatsoever to do with UAC. It's strictly NTFS permissions. It's just that MS decided at some point, maybe those files shouldn't be writable by anyone out there, and that if you want to make a change, you should do it as a privileged user.
An administrative user editing the hosts file won't get a prompt, because he already has Full Control permissions.
Bash UAC where it deserves it. Don't blame it for things it's not relevant to.
-
If you think of elevation as actually becoming the Administrators member you thought you were all along, most of UAC's behavior makes more sense.
Oh, but of course, this is how it actually is, yes.
-
And not only that: as far as I know, there is no scriptable way to undo the effect of a /savecred short of trashing the entire folder that Windows uses to save credentials in "securely". Such as those used for proxy servers and online logons.
No scriptable way, but it turns out there is a way:
rundll32.exe keymgr.dll KRShowKeyMgr
This lets you remove credentials individually.
Actually if you were brave/foolhardy enough you probably COULD script it by reading the contents of the list box.
-
Right. My point is that as a netadmin who writes startup and logon scripts I have no reasonable way to close up the /savecred privilege-escalation exploit hole without also causing my users potential inconvenience by discarding all their IE-saved passwords.
But it turns out that very few of them notice I've done just that, because the default browser at the school has been Firefox since two months after I started there in 2007, and Firefox has its own credential manager inbuilt.
-
no reasonable way
Just for the hell of it you should see if it IS scriptable, or at least drive-able.
-
In the case of files like hosts, it, again, has nothing whatsoever to do with UAC. It's strictly NTFS permissions.
If NTFS permissions were the only thing going on here, that Access Denied result wouldn't have happened; the Owner user account on this box is a member of the Administrators security group. UAC provides the mechanism whereby Owner gets two security tokens, only one of which has Administrators membership, and uses the unprivileged one by default.
-
UAC is what provides the mechanism whereby Owner gets two security tokens and uses the unprivileged one by default.
Ah, yes, that's probably it. I tested by giving my own named account full perms.
Of course, the dual-token thing serves precisely to keep idiots or the malicious from doing just what you couldn't do.
-
Riiight. I don't know what you're doing but if you're getting UAC popups so regularly that they're annoying you then you're doing something wrong.
I mean, seriously, what do you do? Install and uninstall a driver every 10 minutes? Modify system files every minute?
I'm not getting UAC. That's the point. I see the fools who for some reason don't disable UAC and I pity them, as I enjoy my interruption free desktop experience.
This attitude of yours is laughable and moronic.
And yours is laughable and spineless.
And if you actually still have to click "run as administrator" even after you disabled UAC then you have just gotten yourself the worst of both worlds: You still have to elevate processes manually and you're not notified if something requests elevated access rights.
How does that even make sense? That's like saying: "Oh, I myself still have to use sudo but if some malware comes along, that will get admin rights automatically!"
No, it's the best of both worlds. I keep using normal account, so I don't accidentally screw something up, Also, I am kept aware what the normal users will actually experience, in case I'm doing some Windows dev. For example, you can't open up a port any longer without escalation, which I wouldn't know until deployment if I just went full admin on my PC.
On the other hand, when I do decide to elevate a program, I don't need to click through a fucking screen asking me whether I really want to do WHAT I'VE ALREADY DECIDED TO DO WHEN I OPENED THE DAMN PROGRAM.
As for "some malware comes along".... wtf? What is my PC, a train station? I run programs or I don't. And when I do, I know whether I trust them or not. If malware can just "come along", I have deeper problems than the lack of UAC prompt.
-
I have UAC turned on. I deal with one prompt semi-regularly (like every time I reboot, but that's like a monthly thing, invariably) and that's just to restart WampServer.
Call me TRWTF if you must but I have no problems with this.
-
Just for the hell of it you should see if it IS scriptable, or at least drive-able.
OK, this was all dredged out of the memory hole from a time when I was still running XP on all those workstations. Looks like 7 comes with cmdkey.exe built in, which should do the job. I'll play with it for a bit and update my startup script.
-
I have UAC turned on. I deal with one prompt semi-regularly (like every time I reboot, but that's like a monthly thing, invariably) and that's just to restart WampServer.
Call me TRWTF if you must but I have no problems with this.
If you don't mind it, that's great.
If you do, however, you should be able to turn it off and proudly stand before the world and shout I RUN WHAT I WANT AND THERE'S NOTHING YOU CAN DO ABOUT IT. And all UAC advocates should have a tear roll down their cheek and say "We don't have your courage sir, but one day we hope we will". And they should go on with using UAC and you should go on not using UAC and there would be no preaching about bullshit useless security theater on either side.
-
As for "some malware comes along".... wtf? What is my PC, a train station? I run programs or I don't. And when I do, I know whether I trust them or not. If malware can just "come along", I have deeper problems than the lack of UAC prompt.
With your setup, malware can indeed just come along. That you have deeper problems is pretty much a given.But nice to see that you finally recognize your failings. And with that, I think I'm done with your level of stupidity.
-
With your setup, malware can indeed just come along. That you have deeper problems is pretty much a given.
But nice to see that you finally recognize your failings.
Whatever. Go crawl back into your secure hidey-hole, if you can't stand to bask in the torrent of my wisdom.
-
and that's just to restart WampServer.
WampServer is broken then. You should use software that isn't broken.
(Nah, I know what you mean: back when I was working with *shudder* Java, the only way to run Tomcat locally was to do the UAC gambit. But I didn't have a choice, and it's not like you'd expect a Java web server to not be a piece of fucking shit anyway.)
-
If you do, however, you should be able to turn it off and proudly stand before the world and shout I RUN WHAT I WANT AND THERE'S NOTHING YOU CAN DO ABOUT IT.
You sound like the typical Linux user/idiot. Why don't you just get the fuck out of our Windows biznus if you hate it so much.
But stop calling UAC "security theater" because it's so not (you not understanding how it makes your computer more secure is not the same thing as it not making your computer more secure), and it weakens the term when applied to things that actually are security theater, like the TSA.
Also stop trying to be Blakeyrat. There ain't no Blakeyrat but Blakeyrat.
-
You sound like the typical Linux user/idiot. Why don't you just get the fuck out of our Windows biznus if you hate it so much.
Who says I hate it? See how much fun I'm having?
But stop calling UAC "security theater" because it's so not (you not understanding how it makes your computer more secure is not the same thing as it not making your computer more secure), and it weakens the term when applied to things that actually are security theater, like the TSA.
Fair enough, it's not a COMPLETE security theater. But the warning prompt is pretty damn useless in most cases.
Also stop trying to be Blakeyrat. There ain't no Blakeyrat but Blakeyrat.
I wouldn't dream of. Too little alcohol, too many obligations.
-
Too little alcohol, too many obligations.
I drink way too much alcohol and have pretty much zero obligations right now.
Which goes to show what a terrible Blakeyrat you are.
-
I drink way too much alcohol and have pretty much zero obligations right now.
Which goes to show what a terrible Blakeyrat you are.
I can get behind drinking and no job, but UAC is a dealbreaker, I'm afraid.
-
No, it's the best of both worlds. I keep using normal account, so I don't accidentally screw something up, Also, I am kept aware what the normal users will actually experience, in case I'm doing some Windows dev. For example, you can't open up a port any longer without escalation, which I wouldn't know until deployment if I just went full admin on my PC.
On the other hand, when I do decide to elevate a program, I don't need to click through a fucking screen asking me whether I really want to do WHAT I'VE ALREADY DECIDED TO DO WHEN I OPENED THE DAMN PROGRAM.
So, let me get this straight: rather than use UAC, you use an account without admin permissions and have to reenter the administrator password every time you do something that requires elevation (I trust you don't save the credentials!).
Many people regard that as more of a PITA than UAC and that's why a lot of people don't but know that if you do log on routinely as an administrator then having UAC on is probably wise.
Some may call you paranoid and spineless for going to such lengths, if it weren't the other perfectly valid reasons that you gave for doing it that way.
-
So, let me get this straight: rather than use UAC, you use an account without admin permissions and have to reenter the administrator password every time you do something that requires elevation (I trust you don't save the credentials!).
No, my user is AN administrator, it's just not THE Administrator. The difference being that my user must explicitly request admin access to admin-level resources, while THE Administrator is always running with full admin rights and can just do whatever the fuck it wants anytime anywhere.
In practical sense, if I want to edit
hostsfile, I have to:- Right click notepad, "Run as Administrator"
- No password prompt, because I'm AN administrator
- No UAC screen either, because I know what I'm doing and have it disabled
- Open the file and edit it
... while THE Administrator can just double-click the file and it automatically starts the default editor in privileged mode, because EVERYTHING is running in privileged mode.
You can also make AN Administrator act as THE Administrator, but that knowledge is hidden behind Blakey's trail of cryptic clues and is not meant for mere mortals. For Blakey is a benevolent God and your well-being is deeply rooted in his heart.
-
No, my user is AN administrator, it's just not THE Administrator. The difference being that my user must explicitly request admin access to admin-level resources, while THE Administrator is always running with full admin rights and can just do whatever the fuck it wants anytime anywhere.
Ah, that's very much like being a normal Unix user that is a member of group
wheel, using the way the classicsuworked. Nobody does things that way now; it's too insecure.sudois better, as it allows a lot finer grained control and has more informational logging.
-
WampServer is broken then. You should use software that isn't broken.
(Nah, I know what you mean: back when I was working with *shudder* Java, the only way to run Tomcat locally was to do the UAC gambit. But I didn't have a choice, and it's not like you'd expect a Java web server to not be a piece of fucking shit anyway.)
WampServer runs Apache which binds to port 80. Last I checked, that was a privileged port.
-
WampServer runs Apache which binds to port 80. Last I checked, that was a privileged port.
I use XAMPP all the time, it has no problems binding Apache to port 80 without elevation/UAC. Thought it runs as an application and not a service, so maybe that's the difference.
-
WampServer runs Apache which binds to port 80. Last I checked, that was a privileged port.
Fine; but why isn't it running as a Service under a service account?
-
I deal with one prompt semi-regularly (like every time I reboot, but that's like a monthly thing, invariably) and that's just to restart WampServer.
Java update also used to very heavily insist on elevating itself. Either it doesn't now, or I just have a blind spot for that prompt.
If you do, however, you should be able to turn it off and proudly stand before the world and shout I RUN WHAT I WANT AND THERE'S NOTHING YOU CAN DO ABOUT IT.
Do you also do
On Error Resume Nextsince you can't be bothered with handling those useless exceptions?
Filed under: i still think he's trolling us all, but it's more fun to play along
-
Fine; but why isn't it running as a Service under a service account?
Because I don't want it all the time?
-
Sure, Java still does this. Except these days... I have no need for Java.
-
Because I don't want it all the time?
So... don't run it all the time?
Am I in crazyworld? You are aware you can start and stop Services, right?
-
So... don't run it all the time?
Am I in crazyworld? You are aware you can start and stop Services, right?
Yes. Except in my world, I pinned WampServer to my start menu, the result is that with literally 3 clicks, including the UAC prompt, I can start the multiple services it starts.
Can you improve upon that? Maybe my world isn't quite so crazy, you know.
-
