UAC: The Greatest Thing Since the Gag Reflex

It seems that everywhere I turn, the computer press keeps implying that the only people who leave UAC turned on are people who don’t really understand computers. In June 2008, for example, it’s #6 on their list of tips (page 64 in the print edition):

6. Turn off annoying prompts. Vista added the “A Program Needs Your Permission to Continue” prompt to help prevent you from inadvertently installing malware or making unauthorized changes to your computer. It’s annoying to see that dialog box constantly pop up. If you’re computer savvy, you can turn it off by deactivating User Account Control in the User Accounts Control Panel.

Et tu, PCMag?

Clearly, we understand that there are a lot of people who are going to turn off UAC. But coercing people to turn off a feature that helps them by implying that not doing so means they aren’t computer savvy… yowzers. I consider myself computer savvy, but I would never turn it off. I just do not trust the public Internet or everything I download from it to be an Administrator on my computer. UAC gives me a means to express my inherent mistrust.

Because it turns out it actually does help prevent you from inadvertently installing malware.

And of course I know you can just be more careful. But, if you think about it, being secure means going through a decision every time you launch something. You can either do a mental prompt before you take any action (does clicking this thing put me at risk, since I’ll be giving it admin rights?) or to some smaller subset of actions which explicitly gain admin rights. So, with UAC, I have prompts, but I think less, because I only have to think when the prompts tell me to.

And if I’m not thinking, just doing – well, am I really being computer savvy?

What can I say, I’m lazy. I think saying yes every now and again requires far fewer cognitive resources than being mindful of each and every thing that I do on my computer, despite the vast differences in trust I allocate to each action based on its source.

My colleague Gerrard Lindsay described the “annoyance” in a way that really caught my eye:

Some annoying things that are still worth it:

  1. Alarm clocks
  2. The rumble strips on the edges of highways
  3. The gag reflex
  4. Fire Alarms
  5. Door Locks
  6. Not running as an administrator on XP

Just some food for thought. You can be computer savvy and enable UAC. It won’t make you more popular, better looking, or drive a nicer car, but it will help you think less.

UAC: the greatest thing since the gag reflex.

Man, good thing I don’t have a job in marketing.

Springboard Live! Real Talk about Windows Vista Deployment

I’ll be joining the panel of bloggers discussing real world challenges deploying Windows Vista. If you’re going to be at TechEd 2008, join us Thursday, June 12 at 10:00 am!

Comments (10)

  1. Joe Enos says:

    I agree 100%.  I personally am not a Vista fan – I tried it for a few months, and switched back to XP like a lot of people, but during the time I was using it, I kept those notices on.  An extra click every now and then doesn’t disrupt my experience, and it actually made me feel better about my security.

    One thing I didn’t like, and never really looked into closely was the prompting for administrative tasks relating to the file system.  For example, renaming or deleting a file in certain locations prompted me for confirmation every time.  If there’s a way to turn that off without turning off the rest of the security features, that would be ideal.

  2. cjacks says:

    Hi Joe,

    We’re actively tracking the issues that cause the most prompts and identifying scenarios which we clearly need to fix. For example, creating a new folder shouldn’t be one elevation prompt to create a folder named "New Folder" followed by a second elevation prompt to give it a real name. Things like that. But we clearly can’t just let you modify the file system unelevated, otherwise the bad guys would do that too. So, while we can stop asking you multiple times for one atomic operation (and SP1 includes some of these fixes) I’m not sure what you’re asking for here.

    Trust me, we’re constantly digging in the SQM data to identify more opportunities to make it easier for you!

    Not sure how you can go back to XP, though. Feels so primitive to me now. Heck, I can barely use Vista without DWM. Rendering directly to the screen and having all of that screen tearing just feels so clunky and 20th centruy now…. But, to each his/her own!

    (I’ve even got my gaming machine running Vista x64 now. I figured I’d have to revert to x86 within a week, but so far everything is going strong!)


  3. Joe Enos says:

    The main reason I went back to XP is that I didn’t have a "built for Vista" machine – it’s a decent machine – Pentium D with 2GB RAM – but apparently it wasn’t good enough for Vista.  Simple tasks such as clicking the Start Menu were taking 2-3 times longer than XP – sometimes more…And my display driver must not have been supported, because .AVI video clips would lock up the display, and displaying image folders in thumbnail view would also cause the system to hang.

    I really like the user experience in general, so the next new machine I get, I’m sure Vista will be just fine, as long as it meets the hardware requirements.

    Regarding my earlier comments: I agree that if a back-end process is attempting to delete or rename a file, I’d like to know about it.  However, if I physically right-click on a file and say "Delete", then I definitely want to delete a file.  The "bad guy" situation doesn’t apply, unless a process takes over your mouse and keyboard, in which case they can just as easily click the "Accept" button.  Shouldn’t it be possible for the OS to see that an action was performed by a mouse/keyboard in Windows Explorer, and trust that the person is doing it on purpose?

    Thanks for your reply

  4. cjacks says:

    Hi Joe,

    Yeah, on underpowered machines it does lose a bit of its umph.

    Since Explorer runs as you, then it will be running into the same security context as you. That means medium IL, which means any other app running as medium IL will be able to send window messages to drive Explorer. It’s not direct from the hardware interrupt – the interrupt translates it to a window message, and that’s what we deliver to Explorer. Explorer can’t tell that the message came from hardware instead of from another app. So, the bad guy scenario does apply. 🙂

    It’s a detail of implementation, yes, but that detail is very unlikely to change any time soon. Driving the UI with physical hardware is not explicitly a trusted behavior.



  5. Joe Enos says:

    That makes sense…Thanks for the explanation.

    Next time I dive into Vista (or Windows 7, depending on when I buy my next machine), I’ll spend a little more time getting to know the advanced security topics – I never really got that far before.

  6. Mark Sowul says:

    In my experience, it’s the people that turn off UAC who don’t know what they’re doing.  (Except they think they do know what they’re doing – a little knowledge is a dangerous thing).

  7. cjacks says:

    Well, Mark, I’ve actually seem hella smart people turn UAC off and be able to defend that decision quite well. So I wouldn’t make pejorative attributions in the other direction either! 🙂

  8. Mark Sowul says:

    Well I should have said, "the people that advise turning off UAC…," just as we’ve seen all the other bogus "tweaks" over the years ("clear the prefetch folder," "set the prefetch registry key to 5," not to mention all the "memory optimizer" programs that "free up memory").  Anyway even if it’s that annoying (what are you running anyway?), UAC shouldn’t be turned off – it should at least be set to auto-elevate .  This way things like Protected Mode still work.  But whatever.

  9. cjacks says:

    Now I’m totally with you, Mark! I’m happy to bust on people for coercing people with bad advice, but reticent to bust on them for making a choice that works for them.

    And yeah – what are they running anyway? Perhaps I’m fortunate to not have to run too many apps with LUA Bugs.

    Alas, Microsoft Bob needs to run as admin.

  10. Mark Sowul says:

    "Alas, Microsoft Bob needs to run as admin."

    The implications of you knowing that are scary…

    I still say it’s better to not turn off UAC, and to instead either auto-elevate or install the application compatibility toolkit so that you can allow specific problematic programs to auto-elevate.

    Oh, and I think developers should almost certainly not turn off UAC, because then they’re far more apt to write software that requires admin privileges, which is the very reason why we are in this situation in the first place!