My Take on Visual Studio 2005 SP1 and Windows Vista


Over the last couple of days, many people have asked for my take on the fact that Visual Studio 2005 SP1 requires admin privileges to run on Windows Vista, and pops up a dialog saying so when it starts up.


 


So, here’s my take, and I don’t work for the Developer Division!


 


VS2005SP1 was developed while Windows Vista was being developed, and because of potential late-breaking regressions in the OS (which can happen), the VS team decided to simply do what most service packs do – fix bugs that stop people doing their jobs. Now that Vista has shipped, the VS team is working on an SP1 that works better as a non-admin on Windows Vista, and this is goodness.


 


Now to the pop-up that recommends you run as an admin. In my opinion, the VS team was simply being very conservative, because some scenarios simply do not work well as a non-admin. For example registering a COM control, installing or debugging a service, or performing admin tasks against SQL Server and so on all require elevated capability, as they very well should!


 


I probably spend 75% of my time writing and debugging C++ code, 20% of the time using C# and 5% doing SQL, and I always run as a non-admin. In fact I ran as non-admin for prior versions of Visual Studio on Windows XP! 99% of what I do works perfectly well. For the 1% of the time I need to do some admin task, I run an elevated VS.


 


In closing, the dialog is a little alarming, just do what I did – uncheck the option to display the dialog box and get on with life :-)


 

One more thing, the VS team has provided a list of known issues with VS on Windows Vista.

Comments (11)

  1. C Gomez says:

    It’s correct that it’s important to let people get on with their work.  The difficulty lies in continuing the "developer education" that MSFT has been spearheading on best practices for secure development.

    The reality is, whether MSFT had a dialog or not, the same number of developers would be developing as non-admin.  Why?  Well, many developers are either uneducated on the matter or simply choose to ignore it.  Really.

    I can’t count the number of developers who, instead of looking for security bugs in their own development, will say:

    1) Run as non-admin!  Heh, that’s impossible with Windows.  Maybe if it was a secure OS like Linux (99.5% of time from someone who has never used Linux).  Our users run as admin so what’s the difference?

    2) SQL Injection (replace with any common name of vulnerability)?! Hmm, I don’t think you can inject SQL into this code.  Besides, even if you can, it wouldn’t work (demonstrates poor example attack), so we’re okay.  The attacker would just get an "Invalid SQL" VBScript error, so that’s okay, they didn’t get any data.  Hopefully the new SQL Server (replace with any MSFT product of choosing) is more secure or has less bugs, but then again its MSFT.  This is just what we have to live with.

    I’m glad that getting VS2005 to work in most scenarios without admin rights is a priority.  I’m glad that there are people out there who see the dialog and cringe.  At the same time, with or without the dialog, plenty of developers would just blame MSFT anyways.

  2. JC says:

    Does the popup say to run as an admin or non-admin?  I’m assuming the former but you said "admin" in paragraph 1 and "non-admin" in paragraph 4.

  3. michael_HOWARD says:

    JC, good catch – thanks. I have updated the text.

  4. JJ says:

    Mike, I have a different take on this, and I don’t work for developer division either. I find this very disturbing. The dialog is quite unequivocal. It says specifically "Visual Studio 2005 Service Pack 1 requires… administrative permissions." This is patently NOT true.

    Visual Studio 2005 does NOT *require* administrative permissions. It requires administrative permissions IF you want to use certain features, namely those listed at http://msdn2.microsoft.com/en-us/vstudio/aa948853.aspx?lcid=1033. Most of those will not affect a normal developer unless you write and debug COM code.

    The dialog is misleading. It will drive people to run VS as admins, and develop apps that only run as admins. It should say "You can perform the vast majority of standard development tasks as a non-admin, but for certain tasks you need to be an administrator. Click here for more information on tasks that require administrative privileges." That is not at all the message you get from the dialog. The dialog, as currently designed, will serve only to perpetuate the number of people developing as admins. If they tried running as non-admin now, then get told they can’t, and switch back to using admin privs,  what are the chances that they will stop when the update comes out? My guess is that the number that will change their habits later is asymptotically approaching zero.

  5. When I have something that seems impossible.. I call it "A windmill" My windmills range from getting

  6. Warren says:

    Why would you NOT run VS as an administrator at all times?

    As a developer, I spend enough time on my own work. I don’t need to be spending ONE second switching profiles, typing passwords, or wondering when something fails whether it is a security issue or not.

    I know many developers, and not a single person I know develops as non-admin. Since VS2005 needs to run as Admin, I’d be willing to bet that 99% of the Visual Studio team does the same thing too.

    (and yes, I own (and read) Writing Secure Code, and I do keep a low-privilege account to test my apps, so I’m not *totally* ignorant about security issues)

  7. I recently posted something to SC-L that I thought I would share with my readers. Hey guys, Last month I blogged (http://silverstr.ufies.org/blog/archives/000989.html) about my disappointment with the fact that the new service pack for Visual Studio 2005,

  8. I’m perplexed by a statement made by one of the commentors on a recent Michael Howard blog posting .

  9. Chris King says:

    I just want to see that damn sp1 vista update get out of beta! Or at least someone in a position to know, give us a more clear estimate on timelines.

    Not just someone with MVP (or M**) in their title :-)

    -ck

    LVP

  10. JC says:

    Chris, the Visual Studio 2005 SP1 update went commercial on 12/14/2006 if that’s what you’re talking about.