What keeps you awake?

Okay I’ve heard the argument against Vista’s UAC “but you don’t connect to umpteen networks as a consultant” and “I have work to do” and “I clicked it 100 times a day until I turned it off” and I’m like… okay.. so?

What’s so wrong about a click?  If Vista’s UAC is so annoying to you that you can’t click through a UAC warning, what else do you find annoying?  Do you find cleaning up malware annoying too?  Perhaps investigating if a workstation is a bot controlled by Russians?  Do you find antivirus that is only cleaning/finding stuff some of the time annoying too? 

If the IT industry is concerned about “Zero Day attacks” why aren’t you just as concerned when an IT professional says “I found it annoying and shut off UAC” and thereby turned off COMPLETELY the IE in protected mode?

What keeps me awake at night is that I see many IT professionals (and by default each one of you is a security professional as well) say that they get “annoyed” by UAC, and yet in the same breath complain about security, patching, etc.  It’s your choice to make. Your risk analysis to choose.  IE in protected mode, or not.

The IT industry is concerned about zero day attacks, and yet I hear the “it’s too annoying” regarding UAC.  It’s a click folks..or a couple of clicks.. or a 100 clicks that take a millisecond of time out of our lives.  Why is that so annoying?  Especially when on a normal Vista users box at home I’m not seeing these prompts?

What’s more annoying?  A protected machine or an owned system you have to notify clients about and clean up?

P.S. Like I said before…if you are going to shut it off.. at least do it this way instead.

4 Thoughts on “What keeps you awake?”

  1. Bucky on August 8, 2007 at 4:32 pm said:

    Prompts for UAC (not a complete or exhaustive list)
    Task Manager – Show All Processes for Users
    Task Manager – Resource Monitor
    Network adapter properties

    Any MMC (including)
    Active Directory Users and Computers
    Group Policy Management Console
    Event Viewer
    Computer Management
    Windows Firewall
    Device Manager

    Software Installation
    All Users desktop Icons
    All Users Start Menu Icons
    Computer Properties, Change Settings
    Sysinternals Process Explorer

    Three problems with Microsoft UAC v1

    1. There isn’t a way to exempt an application. Why must I approve an application *every time* I run it? Try starting Sysinternals Process Explorer under Vista to get a UAC prompt. Follow that up by putting a shortcut to it in the Startup folder and be prepared for the “Blocked startup programs” annoyance pop-up every time you logon.

    2. Elevated rights run in a separate administrator session. Map a network drive, and then start an elevated command prompt or an application requiring elevated rights. Try to open or save a file to the mapped network drive. Note that the drive isn’t mapped for the application running with elevated rights, but is under the user’s default environment. Another way to test this is to start three command prompts; one standard and two elevated cmd windows. Map a drive in cmd 1; note that cmd 2 and 3 don’t have drive mapped. Map a different drive in cmd 2 and note that the drive is mapped in cmd 3, but not in cmd 1.

    3. There isn’t a way to have UAC automatically elevate for a period of time. When I make network configuration changes to my Linux machine I get an administrative prompt that can be configured to remember those rights for a period of time (e.g. 10 minutes). This is helpful if I’m planning to change quite a few settings and don’t want to be prompted each time. Yes, you could solve this in Windows by turning UAC off and on, but that isn’t a good solution and is prone to human error.

    I appreciate the concepts behind UAC and am glad that Microsoft is finally taking the necessary steps towards fixing this issue on their platform. Hopefully some of these issues are ironed out in Microsoft UAC v2.

  2. Darren on August 8, 2007 at 8:57 pm said:

    As an SBSC, I can certainly deal with the UAC. I don’t personally find it that terribly annoying or invasive in my day-to-day business computing.

    One thing that does irk me to no end though is IE7 on Vista’s insistence on opening trusted sites in new window. Even if I launch a new instance of IE knowing that I’m hitting my Intranet site, IE7 launches my Intranet site in a new window.

    I find this behavior extremely annoying.

  3. “What’s so wrong about a click? If Vista’s UAC is so annoying to you that you can’t click through a UAC warning, what else do you find annoying? ”

    I’ll tell you what’s so wrong about a click. When the click is not a click but a series of clicks ( which is what we are really talking about ) it breaks your concentration. It would be like trying to read a book where every ten seconds someone sticks their hand in front of your eyes. Or trying to watch a movie or show on television in 2007 when just after coming back from a commercial or just before going to a commercial or 2 minutes into the program some friken banner or cartoon or animation SOME WITH SOUND pops up on the screen and ruins your enjoyment of the friken show or movie !

  4. bradley on August 9, 2007 at 10:46 pm said:

    Turn off the volume.

    I’m on a Vista here and have been working for now going on 4 hours with no clicks.

    And I need to do a follow up blog post on mapping…because that issue was and is the same in XP, because it’s a different session.

    I think the real problem is that for the first time we in the IT world have to better understand the concept of roles, permissions and sessions..something we haven’t needed to know or care about before.

    And if it’s so hard on you to click..change that policy.

    It’s that simple folks.
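
The difference the post and comments turn on, UAC switched off outright versus UAC left on with its prompt policy changed, is visible in the machine's policy registry values. The following is an added example, not code from the original post or its commenters: it classifies a machine by those values so an administrator can find workstations where UAC, and with it IE Protected Mode, was disabled. The value names `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` are the Windows policy values and do not appear on the page; the function names and the sample inventory are constructed for illustration.

```powershell
# Added example: classify UAC posture from the Windows policy values.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -eq 0) {
        # UAC disabled outright: the state the post warns about.
        return 'UAC OFF: IE Protected Mode is off as well'
    }
    if ($ConsentPromptBehaviorAdmin -eq 0) {
        return 'UAC ON, administrators elevate without a prompt'
    }
    if ($PromptOnSecureDesktop -eq 0) {
        return 'UAC ON, prompt shown on the normal desktop'
    }
    return 'UAC ON, prompt shown on the secure desktop'
}

function Get-IntOrDefault($Props, [string]$Name, [int]$Default) {
    # A missing value means the Vista default applies, not zero.
    if ($Props.PSObject.Properties[$Name]) { return [int]$Props.$Name }
    return $Default
}

# Constructed sample inventory (host names and values are made up).
$samples = @(
    @{ Name = 'WS-ACCT-01'; LUA = 1; Admin = 2; Secure = 1 },
    @{ Name = 'WS-DEV-07';  LUA = 1; Admin = 0; Secure = 1 },
    @{ Name = 'WS-IT-03';   LUA = 0; Admin = 2; Secure = 1 }
)
foreach ($s in $samples) {
    '{0}: {1}' -f $s.Name, (Get-UacPosture $s.LUA $s.Admin $s.Secure)
}

# Live check on the local machine (skipped where the key does not exist).
if (Test-Path $UacKey) {
    $p = Get-ItemProperty -Path $UacKey
    $lua    = Get-IntOrDefault $p 'EnableLUA' 1
    $admin  = Get-IntOrDefault $p 'ConsentPromptBehaviorAdmin' 2
    $secure = Get-IntOrDefault $p 'PromptOnSecureDesktop' 1
    'localhost: {0}' -f (Get-UacPosture $lua $admin $secure)
}
```

Only the third sample machine is in the state the post objects to; the second has silenced the prompt for administrators while leaving UAC itself enabled.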
