User account control is DRIVING ME NUTS!!!! I tried turning it to the
second from the bottom setting, but that only stops the system from
pestering me when *I* make changes to the system settings. I don't want
to have to resort to turning UAC completely off like I did in W7, but
the continual disruptions to my workflow is really starting to frustrate
the heck out of me.

Is there any way to get it to stop asking me if I want to allow a
program to make changes?

IMO, this is something that Microsoft designed very, very poorly.

--
John C.

On Wed, 27 Mar 2024 17:20:42 -0700, "John C." <r9jmg0@yahoo.com> wrote

> Is there any way to get it to stop asking me if I want to allow a
> program to make changes?

set myprogram=C:\path\to\your\program.exe
set mydir=C:\path\to\your\data\dir\
set myfile=name-of-your-file

This pulls up UAC when you run that program:
%myprogram% %mydir%%myfile%

This skips UAC when you run that same program:
c:\windows\system32\runas.exe /user:administrator /savecred "%myprogram% %mydir%%myfile%"

You can also use the task scheduler to eliminate UAC.

"Oliver" <ollie@invalid.net> wrote

| You can also use the task scheduler to eliminate UAC.

The most complete nag-stopper as far as I know is to go into
user settings and set UAC to the lowest setting. After
saving that, open regedit.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Create that key if it doesn't exist.
Create a value EnableLUA as dword and set it to 0.
Reboot.

That's the semi-secret cleanup of UAC. But watch out.
If you later open user settings and don't close it by
cancelling, LUA (limited user account) will be back and
you'll need to reset it.

I found out about this due to a strange behavior: A program
I wrote allows for files and folders to be dropped into the window.
But it's run elevated, and normal me doesn't have a right to
drop files in a program being run by elevated me. (You can't
make this stuff up!) So drag/drop doesn't work with LUA enabled.
It shows a circle-with-line-through-it cursor.

On 3/27/2024 8:20 PM, John C. wrote:
> User account control is DRIVING ME NUTS!!!! I tried turning it to the
> second from the bottom setting, but that only stops the system from
> pestering me when *I* make changes to the system settings. I don't want
> to have to resort to turning UAC completely off like I did in W7, but
> the continual disruptions to my workflow is really starting to frustrate
> the heck out of me.
>
> Is there any way to get it to stop asking me if I want to allow a
> program to make changes?
>
> IMO, this is something that Microsoft designed very, very poorly.
>

We call this the Windows 98 problem.

Microsoft have broken enough of the features, it's
just not worth addressing your question any more,
with a certain suite of solutions. Nothing works as it once did.

Click the UAC button and move on.

*******

It's ridiculous to run permanently at Administrator level.
Even in trivial cases (badly written code, bad selection
of parameters), you could have a disaster on your hands.
You could be stamping files with Administrator ownership.
You could erase both John and Marys files on a shared
computer.

To do this, run inverted:

*******
net user administrator /active:yes # The "real administrator" is nothing special.
# The account is normally left disabled.
# As "Elevated John", you can turn it on.
# Issue the command from an Administrator Group terminal or command prompt.

net user administrator * # Set a password. A real password, not 12345.

net user username # this shows the details of some account

whoami /user /priv # This allows you to *compare* accounts and see exactly
# how much different they are. Most of the time, "Elevated John"
# has the same privs as "Real Administrator" (so-called).
# But running as "real administrator", any malware you run,
# will have a field day.

*******

To profitable use that last set of notes,
you would use DropMyRights. Written in the WinXP era, it
"allows an Administrator, to read their mail safely".

Archive.org is down right now, so I can't walk this link
backwards and give you a trusted copy at the moment.

"DropMNyRights"
http://msdn.microsoft.com/en-us/library/ms972827.aspx

If you log in as Administrator:NewAdministratorPassword , you could
safely run a browser like this:

dropmyrights firefox

and the profile folder created, will be in C:\Users\Administrator .

As Elevated John, you belong to "Administrators Group", whereas
in the case of the Real Administrator account, the *owner* part
of the cred, is Administrator.

500:500
^ ^
| |
owner group
\ \
\ Elevated John is using the 500 from here
\
Real Administrator uses the 500 account number from here

Files can be stamped such that multiple "owners" can access them,
but files can also be stamped with particular "groups" for sharing
with your cubicle mates at work.

Note that, a few programs have been written, as net nanny programs,
and they check whether they are being launched as "real administrator",
they deny the attempt, put a nastygram on the screen and quit.

So while you might think you are a God, a Developer will slap you down :-)

The DropMyRights paradigm means you can't use a lot of GUI features
easily, without ending up elevated. Your brain casing is going to get
warm, from all the "thinking about defensive driving", if you run
inverted all the time. If you double-click the Firefox icon
on the desktop, no DropMyRights gets included. Firefox then runs as Admin.
Any "browser exploit" ??? Machine, destroyed.

*******

The UAC prompt is there to "warn you of an attempt to elevate".
If the thing you are using, should not be elevating, you say
to yourself "Hay, wait a minute...". I've had Seamonkey web browser
make such an attempt, and it's actually the Upgrade.exe code which
is doing that, and not the main browser itself. The browser by itself,
does not ask for Administrator, nor should a UAC prompt appear. If I
see a UAC... it's time to investigate.

None of this security theater matters a bit, but the
model is what it is. For Black Hats, this model is
"no problem at all to defeat". You can tell from the
way Black Hats laugh in a discussion thread, which
parts of the security model are useless. You can tell
from their responses, why all the Restore Points must be
deleted, if they visit. Even the most pitiful malware,
infects Restore Points, which is why you can't use them.

Paul

Paul wrote:
> On 3/27/2024 8:20 PM, John C. wrote:
>> User account control is DRIVING ME NUTS!!!! I tried turning it to the
>> second from the bottom setting, but that only stops the system from
>> pestering me when *I* make changes to the system settings. I don't want
>> to have to resort to turning UAC completely off like I did in W7, but
>> the continual disruptions to my workflow is really starting to frustrate
>> the heck out of me.
>>
>> Is there any way to get it to stop asking me if I want to allow a
>> program to make changes?
>>
>> IMO, this is something that Microsoft designed very, very poorly.
>>
>
> We call this the Windows 98 problem.
>
> Microsoft have broken enough of the features, it's
> just not worth addressing your question any more,
> with a certain suite of solutions. Nothing works as it once did.
>
> Click the UAC button and move on.
>
> *******
>
> It's ridiculous to run permanently at Administrator level.
> Even in trivial cases (badly written code, bad selection
> of parameters), you could have a disaster on your hands.
> You could be stamping files with Administrator ownership.
> You could erase both John and Marys files on a shared
> computer.
>
> To do this, run inverted:
>
> *******
> net user administrator /active:yes # The "real administrator" is nothing special.
> # The account is normally left disabled.
> # As "Elevated John", you can turn it on.
> # Issue the command from an Administrator Group terminal or command prompt.
>
> net user administrator * # Set a password. A real password, not 12345.
>
> net user username # this shows the details of some account
>
> whoami /user /priv # This allows you to *compare* accounts and see exactly
> # how much different they are. Most of the time, "Elevated John"
> # has the same privs as "Real Administrator" (so-called).
> # But running as "real administrator", any malware you run,
> # will have a field day.
>
> *******
>
> To profitable use that last set of notes,
> you would use DropMyRights. Written in the WinXP era, it
> "allows an Administrator, to read their mail safely".
>
> Archive.org is down right now, so I can't walk this link
> backwards and give you a trusted copy at the moment.
>
> "DropMNyRights"
> http://msdn.microsoft.com/en-us/library/ms972827.aspx
>
> If you log in as Administrator:NewAdministratorPassword , you could
> safely run a browser like this:
>
> dropmyrights firefox
>
> and the profile folder created, will be in C:\Users\Administrator .
>
> As Elevated John, you belong to "Administrators Group", whereas
> in the case of the Real Administrator account, the *owner* part
> of the cred, is Administrator.
>
> 500:500
> ^ ^
> | |
> owner group
> \ \
> \ Elevated John is using the 500 from here
> \
> Real Administrator uses the 500 account number from here
>
> Files can be stamped such that multiple "owners" can access them,
> but files can also be stamped with particular "groups" for sharing
> with your cubicle mates at work.
>
> Note that, a few programs have been written, as net nanny programs,
> and they check whether they are being launched as "real administrator",
> they deny the attempt, put a nastygram on the screen and quit.
>
> So while you might think you are a God, a Developer will slap you down :-)
>
> The DropMyRights paradigm means you can't use a lot of GUI features
> easily, without ending up elevated. Your brain casing is going to get
> warm, from all the "thinking about defensive driving", if you run
> inverted all the time. If you double-click the Firefox icon
> on the desktop, no DropMyRights gets included. Firefox then runs as Admin.
> Any "browser exploit" ??? Machine, destroyed.
>
> *******
>
> The UAC prompt is there to "warn you of an attempt to elevate".
> If the thing you are using, should not be elevating, you say
> to yourself "Hay, wait a minute...". I've had Seamonkey web browser
> make such an attempt, and it's actually the Upgrade.exe code which
> is doing that, and not the main browser itself. The browser by itself,
> does not ask for Administrator, nor should a UAC prompt appear. If I
> see a UAC... it's time to investigate.
>
> None of this security theater matters a bit, but the
> model is what it is. For Black Hats, this model is
> "no problem at all to defeat". You can tell from the
> way Black Hats laugh in a discussion thread, which
> parts of the security model are useless. You can tell
> from their responses, why all the Restore Points must be
> deleted, if they visit. Even the most pitiful malware,
> infects Restore Points, which is why you can't use them.
>
> Paul

No.

--
John C.

John C. wrote:
> User account control is DRIVING ME NUTS!!!! I tried turning it to the
> second from the bottom setting, but that only stops the system from
> pestering me when *I* make changes to the system settings. I don't want
> to have to resort to turning UAC completely off like I did in W7, but
> the continual disruptions to my workflow is really starting to frustrate
> the heck out of me.
>
> Is there any way to get it to stop asking me if I want to allow a
> program to make changes?
>
> IMO, this is something that Microsoft designed very, very poorly.
>

My thanks to Oliver and Newyana2 for their helpful replies. However, I
guess at this point there really is no solution other than to turn UAC
completely off. Maybe at some point in the future, M$ will make UAC less
intrusive.

--
John C.

On 3/28/2024 7:52 AM, John C. wrote:
> John C. wrote:
>> User account control is DRIVING ME NUTS!!!! I tried turning it to the
>> second from the bottom setting, but that only stops the system from
>> pestering me when *I* make changes to the system settings. I don't want
>> to have to resort to turning UAC completely off like I did in W7, but
>> the continual disruptions to my workflow is really starting to frustrate
>> the heck out of me.
>>
>> Is there any way to get it to stop asking me if I want to allow a
>> program to make changes?
>>
>> IMO, this is something that Microsoft designed very, very poorly.
>>
>
> My thanks to Oliver and Newyana2 for their helpful replies. However, I
> guess at this point there really is no solution other than to turn UAC
> completely off. Maybe at some point in the future, M$ will make UAC less
> intrusive.
>

The summary should be "you can run the OS with security design intent" or "not".

If you turn off UAC, you're not secure. If you run
inverted, there's a risk you will not be secure (have to be
careful what you click). Using DropMyRights is still secure,
as long as you're careful to always use it. For example, you
could design shortcuts to put on your desktop for it.
(A shortcut to Firefox with a dropmyrights in front of it).

Windows 98 was that insecure. WinXP running on a FAT32 C: drive,
was that kind of insecure. You've run OSes where things were
that insecure in the past, and you've probably seen visual symptoms
over the years, hinting that "something happened".

There are not quite as many of those "something happened" experiences
on Windows 10. Although I did have something on Windows 11 that
looked pretty suspicious. But over time, the symptoms correlate
with some part of the desktop (but not the whole machine),
running out of RAM. The visual symptoms were from a RAM issue
(the icons on the Task Bar start dancing around, and they
dance so quick, you can't click them). If this happens to you,
use alt-F4 and select shutdown from the menu it presents.

UAC is no different than sudo on Linux. And
Microsoft recently announced they are adding
sudo to something on Windows itself. Good times.
Not all of the Linux community is happy with the
notion of running computers using sudo. Only some
are happy doing that.

Whether a design is an "allow" type, or a "deny" type,
it still affects user workflow. An alternative, is
to use an account which does NOT belong to the
Administrator Group, and then... no more UAC prompt.
But there will be notifications on the screen
about not being able to do what you want, because
your account lacks the permissions for the operation.
You still cannot "escape" from the security model.
There are still things to click and dismiss.

There is always some sort of price to pay.
No matter what you do.

The price on Win98 was "being tipped-over occasionally".

Paul

On 28/03/2024 11:52, John C. wrote:
> John C. wrote:
>> User account control is DRIVING ME NUTS!!!! I tried turning it to the
>> second from the bottom setting, but that only stops the system from
>> pestering me when *I* make changes to the system settings. I don't want
>> to have to resort to turning UAC completely off like I did in W7, but
>> the continual disruptions to my workflow is really starting to frustrate
>> the heck out of me.
>>
>> Is there any way to get it to stop asking me if I want to allow a
>> program to make changes?
>>
>> IMO, this is something that Microsoft designed very, very poorly.
>>
>
> My thanks to Oliver and Newyana2 for their helpful replies. However, I
> guess at this point there really is no solution other than to turn UAC
> completely off. Maybe at some point in the future, M$ will make UAC less
> intrusive.
>
This automates the Task Scheduler method:
https://www.majorgeeks.com/mg/getmirror/uac_pass,1.html

John C. wrote:
> John C. wrote:
>> User account control is DRIVING ME NUTS!!!! I tried turning it to the
>> second from the bottom setting, but that only stops the system from
>> pestering me when *I* make changes to the system settings. I don't want
>> to have to resort to turning UAC completely off like I did in W7, but
>> the continual disruptions to my workflow is really starting to frustrate
>> the heck out of me.
>>
>> Is there any way to get it to stop asking me if I want to allow a
>> program to make changes?
>>
>> IMO, this is something that Microsoft designed very, very poorly.
>>
>
> My thanks to Oliver and Newyana2 for their helpful replies. However, I
> guess at this point there really is no solution other than to turn UAC
> completely off. Maybe at some point in the future, M$ will make UAC less
> intrusive.
>

I always keep it off completely; on all my MS systems. I've been doing
that for years; and never met the slightest sign of a problem.
Mind you, I have excellent firewall and AV, and do full regular scans.

As to MS planning to make it less intrusive, I doubt that very much.
They've had it in place for about 15 years, and, as far as I know, never
altered a jot in it.
Most of the regulars in this group will tell you the same. It's for
babies! It's more for show than real use. "Hey, good old MS providing
all that safeguard and security!".

Ed

MikeS wrote:

> This automates the Task Scheduler method:
> https://www.majorgeeks.com/mg/getmirror/uac_pass,1.html

Nice find!
https://sites.google.com/site/freeavvarea/uac-pass/uac-pass
https://www.majorgeeks.com/files/details/uac_pass.html
https://www.portablefreeware.com/forums/viewtopic.php?t=22030
https://www.softpedia.com/get/System/System-Miscellaneous/UAC-Pass.shtml

Paul wrote on 3/27/24 9:34 PM:
> On 3/27/2024 8:20 PM, John C. wrote:
>> User account control is DRIVING ME NUTS!!!! I tried turning it to the
>> second from the bottom setting, but that only stops the system from
>> pestering me when *I* make changes to the system settings. I don't want
>> to have to resort to turning UAC completely off like I did in W7, but
>> the continual disruptions to my workflow is really starting to frustrate
>> the heck out of me.
>
> Click the UAC button and move on.
> Paul
>

+1

--
....w¡ñ§±¤ñ

On Thu, 28 Mar 2024 11:45:46 -0500, Ed Cryer <ed@somewhere.in.the.uk> wrote:

> John C. wrote:
>>
>> My thanks to Oliver and Newyana2 for their helpful replies. However, I
>> guess at this point there really is no solution other than to turn UAC
>> completely off. Maybe at some point in the future, M$ will make UAC less
>> intrusive.
>>
>
> I always keep it off completely; on all my MS systems. I've been doing
> that for years; and never met the slightest sign of a problem.
> Mind you, I have excellent firewall and AV, and do full regular scans.
>
>
> As to MS planning to make it less intrusive, I doubt that very much.
> They've had it in place for about 15 years, and, as far as I know, never
> altered a jot in it.
> Most of the regulars in this group will tell you the same. It's for
> babies! It's more for show than real use. "Hey, good old MS providing
> all that safeguard and security!".
>
> Ed
>

+1

"Ed Cryer" <ed@somewhere.in.the.uk> wrote

|
| I always keep it off completely; on all my MS systems. I've been doing
| that for years; and never met the slightest sign of a problem.

Me, too. I went from Win98 with a firewall and limited
browser script to XP with the same. I'm still running XP
on FAT32 in order to avoid problems.

Recently I've been setting up a new Win10 machine,
figuring out all the tweaks and adjustments to stop it getting
in my way. I'm finding it reasonably usable, once I ran Win10 Privacy,
Classic Shell and WinAero Tweaker.... and researched several
tweaks to stop being harassed by inane notices.

Though I have still found
a need on multiple occasions to remove file restrictions in
order to accomplish something. One case was simply to access
images in order to change the log-in image. That has nothing at
all to do with security. It has to do with making sure that
employees in a corporate setting can't change anything that
affects others. The trouble is that most of us are not corporate
lackeys. We're SOHo users who own our own computers.

| As to MS planning to make it less intrusive, I doubt that very much.

MS approach is far less problematic than Linux. I was installing
a firewall recently on Suse and had trouble for days. It finally turned
out that I had to install as root but then not open the program
until I logged in as lackey, because once I opened the program it
would create files only accessible to the current user! The Linux fans
seem to just assume that people know about such nonsense.
I've minimized the hassle by using "ok" for all passwords, but it's
still a ridiculous amount of demanding passwords and using console
commands.

The MS approach is more flexible. They lock it down but set
it up so that people willing to hunt down the tweaks can control
it for themselves. MS have always accommodated what they used
to call power users. So there are corporate admins, power users
and regular users. The corporate admins don't necessarily know
the system well, but they know how to do their job and run updates.
A good example is that I don't have to have a password on Win10.
(Though it took some searching to find how to stop the system
from periodically demanding that I change my no password to
no password. :)

On Linux there are only two kinds of people: Surly computer
scientists and idiots who have no business trying to understand
how Linux works because then they'll only screw it up give Linux
an even worse reputation than it already has.

So, count your blessings. It could be worse. I expect it will
eventually be worse. Adding security restrictions is not only
in the interest of safety and stability. It's also a very good way
to convert Windows to a services kiosk device. Look at how it's
already changed: You have no access to system files but Microsoft
can change them remotely.

On 3/28/2024 2:54 PM, Newyana2 wrote:
> "Ed Cryer" <ed@somewhere.in.the.uk> wrote
>
> |
> | I always keep it off completely; on all my MS systems. I've been doing
> | that for years; and never met the slightest sign of a problem.
>
> Me, too. I went from Win98 with a firewall and limited
> browser script to XP with the same. I'm still running XP
> on FAT32 in order to avoid problems.
>
> Recently I've been setting up a new Win10 machine,
> figuring out all the tweaks and adjustments to stop it getting
> in my way. I'm finding it reasonably usable, once I ran Win10 Privacy,
> Classic Shell and WinAero Tweaker.... and researched several
> tweaks to stop being harassed by inane notices.
>
> Though I have still found
> a need on multiple occasions to remove file restrictions in
> order to accomplish something. One case was simply to access
> images in order to change the log-in image. That has nothing at
> all to do with security. It has to do with making sure that
> employees in a corporate setting can't change anything that
> affects others. The trouble is that most of us are not corporate
> lackeys. We're SOHo users who own our own computers.
>
> | As to MS planning to make it less intrusive, I doubt that very much.
>
> MS approach is far less problematic than Linux. I was installing
> a firewall recently on Suse and had trouble for days. It finally turned
> out that I had to install as root but then not open the program
> until I logged in as lackey, because once I opened the program it
> would create files only accessible to the current user! The Linux fans
> seem to just assume that people know about such nonsense.
> I've minimized the hassle by using "ok" for all passwords, but it's
> still a ridiculous amount of demanding passwords and using console
> commands.
>
> The MS approach is more flexible. They lock it down but set
> it up so that people willing to hunt down the tweaks can control
> it for themselves. MS have always accommodated what they used
> to call power users. So there are corporate admins, power users
> and regular users. The corporate admins don't necessarily know
> the system well, but they know how to do their job and run updates.
> A good example is that I don't have to have a password on Win10.
> (Though it took some searching to find how to stop the system
> from periodically demanding that I change my no password to
> no password. :)
>
> On Linux there are only two kinds of people: Surly computer
> scientists and idiots who have no business trying to understand
> how Linux works because then they'll only screw it up give Linux
> an even worse reputation than it already has.
>
> So, count your blessings. It could be worse. I expect it will
> eventually be worse. Adding security restrictions is not only
> in the interest of safety and stability. It's also a very good way
> to convert Windows to a services kiosk device. Look at how it's
> already changed: You have no access to system files but Microsoft
> can change them remotely.

You don't have to break anything to get your way.

For example, to look around (everywhere), do a Macrium backup,
mount the C: from the .mrimg as K: and there is a tick box
to "remove restrictions". Now, you can inspect K: as you wish.

That's for reads.

For writes, I can do some of those from Linux (where permissions
have not been implemented for NTFS). Files with New Compression,
cannot be touched. Compression can be turned off, system wide,
reducing the number of affected files. But you can't get rid of
all of them.

To change the background image to a flat color (on an unactivated
Win10), you can highlight an image file and the context menu
has an option to "make this image the background", and then
you can have a flat color for a background. I use that in
VMs, to make it easier to take pictures of menus and stuff.

This is one reason I'm not visiting the Security tab on
a file all that often.

With the icacls utility, you can snapshot the permissions
on a file tree, and... put them back later after you've
been fooling around. Classy IT people do it that way. After
they've hacked the OS.

Paul

"Paul" <nospam@needed.invalid> wrote

| You don't have to break anything to get your way.
|

Different points of view. I also don't have a blade guard on my
table saw. It's not because I'm ornery or macho or contrarian or
reckless. I work that way because I can't accurately see the
cut otherwise.

It's the same with computers. The security options are fine and
they're especially sensible for people who don't know what they're
doing. Anyone who wants to use them should do so. But I'm
not interested in people who want to tell me that I'm doing it wrong,
like children peer pressuring each other about what they're "supposed
to" do. There's no "supposed to".

It's my computer and I understand the risks. I'm also much more
careful in general than the average person, restricting script online
and avoiding having data like credit card numbers on my computer.
I've never had a virus or malware. I've never accidentally deleted
System32. I also haven't used AV since about 2000. I
use firewalls and I disable all remote functionality. I don't allow
any local network functionality. Those are all precautions that most
people wouldn't even consider taking.

For those people, getting
Microsoft's dripfeed updates and running with lackey file restrictions
is pretty much the only protection they have. Most people like that
are not really using their system, anyway. They go to gmail for their
email and use a browser to download their airline tickets or buy
things on Amazon. That's pretty much it. So it makes sense to have
the system locked down.

Newyana2 wrote:
> "Paul" <nospam@needed.invalid> wrote
>
> | You don't have to break anything to get your way.
> |
>
> Different points of view. I also don't have a blade guard on my
> table saw. It's not because I'm ornery or macho or contrarian or
> reckless. I work that way because I can't accurately see the
> cut otherwise.
>
> It's the same with computers. The security options are fine and
> they're especially sensible for people who don't know what they're
> doing. Anyone who wants to use them should do so. But I'm
> not interested in people who want to tell me that I'm doing it wrong,
> like children peer pressuring each other about what they're "supposed
> to" do. There's no "supposed to".
>
> It's my computer and I understand the risks. I'm also much more
> careful in general than the average person, restricting script online
> and avoiding having data like credit card numbers on my computer.
> I've never had a virus or malware. I've never accidentally deleted
> System32. I also haven't used AV since about 2000. I
> use firewalls and I disable all remote functionality. I don't allow
> any local network functionality. Those are all precautions that most
> people wouldn't even consider taking.
>
> For those people, getting
> Microsoft's dripfeed updates and running with lackey file restrictions
> is pretty much the only protection they have. Most people like that
> are not really using their system, anyway. They go to gmail for their
> email and use a browser to download their airline tickets or buy
> things on Amazon. That's pretty much it. So it makes sense to have
> the system locked down.
>
>
>

I take your overall message, but I have to disagree about the saw blade
guard. That's stepping into a different category of safety.
There are all kinds of sudden noises that can cause a body jerk; door
slams, car backfires, somebody suddenly shouts for you. And I don't
think you'd get much sympathy at A&E if you turned up there with one
hand in a bag.

Ed

"Ed Cryer" <ed@somewhere.in.the.uk> wrote

| I take your overall message, but I have to disagree about the saw blade
| guard. That's stepping into a different category of safety.
| There are all kinds of sudden noises that can cause a body jerk; door
| slams, car backfires, somebody suddenly shouts for you. And I don't
| think you'd get much sympathy at A&E if you turned up there with one
| hand in a bag.
|

Same situation. People have to know what they're
doing and be careful. Your hands should never be
close enough that a sudden surprise could make you
cut off your finger. Of course it *could* happen, but
that would likely be from spacing out. Similarly, you're
at high risk allowing script indiscriminately, allowing
HTML email, not running a firewall, etc. But how many
people take those precautions?

It's also an analogous situation in the sense that it's
up to me to decide. I've decided that I can't realistically
make precise cuts with my view of the blade obscured,
so I do what seems best to optimize both security and
efficiency. Someone else maybe has a table saw that
they use occasionally to cut tomato stakes. The blade
guard saves them from having to really pay attention
and really learn saw safety. (Though of course, such a
person might get speared through the stomach because
they didn't know enough not to stand behind the blade.
But then their surviving spouse can at least sue the saw
company for not including a "stand guard". So it's all good. :)

I don't have any problem with people using blade guards,
but there's a difference between
disagreement and the scolders who say, "You're wrong
and it's irresponsible to give other people the idea."
There's a lack of actually thinking about the issues.

People get addicted to the false security cocoon of
merely following rules. Path of least resistance. We
secretly imagine that God, or the local spirits, or
Zeus, or whatever, won't let anything bad happen to
us because we're behaving.

The log-in picture is a good example of the issues. I
didn't find a way to change it so I decided the easiest
way would be to just replace the source image. The status
quo view is that that's a dangerous thing to do. But is it?
Do people actually think before they say that?

I figured out where the picture was and what format it
was. (If I remember correctly it was something weird, like
a JPG named as a PNG.) Windows wouldn't let me into
those folders because it was all-users app data. So I
removed restrictions on that area.

No security risk. No functionality risk. No risk of any
kind, except that I could end up with a log-in screen
that I didn't like. Of course, I already had that. :) So
why are those folders restricted? Because Microsoft's
design assumes that I'm a corporate lackey writing MS
Word docs, that it's not my computer, and that I have no
right to affect other people who might use the same
computer, by changing their log-in screen.

That's a great design for corporate workstations. But
I'm not using a corporate workstation. Windows Home
and Pro shouldn't be designed that way, but it's become
the default template for OS layout, presumably since
mainframes. Servers and workstations. So MS do it. Linux
does it. And MS groupies, as well as Linux disciples,
feverishly assert that anything else is wrong. They're
unwilling to actually think about what they're doing.
Meanwhile, hundreds of millions of people are using their own
personal computer, which is far from being optimized for
the way they use it.

That's a funny thing about human society. When people
get together in groups, no matter what age, there are
always leaders and followers. We're essentially pack animals.
Leaders assert the status quo while followers support them.
There will be an alpha male and female. Betas serve as their
sidekicks. Swarms of acolytes are grateful to be valued...

Anyone can be either
a leader or a follower, but woe to the outlier who doesn't
follow along. The leaders and followers both take it as a
personal attack, because now they're faced with the
awkward and tedious fact that they could and should
think for themselves. Now they're faced with the fact that
they still experience the results of their actions, even if
they felt they were just following rules...

Funny thing about those log-in images. I came across
what looks like a high altitude Peruvian pond image that's
striking and decided to use that. But then when I got it set
up and rebooted, I noticed that the picture had a red hiker's
backpack in the foreground, right at the bottom of the image.
I had to crop the image and reset it. I notice that for some
reason MS seem to like such tacky images. There's another one
of a beautiful beach, but with a yuppie jogging across it. Maybe
the idea is consumerism: "Picture yourself hiking in the Andes
or jogging in Maui. Windows 10 is just that good! What do you
want to experience today?"

Newyana2 <Newyana2@invalid.nospam> wrote:
[...]

> The log-in picture is a good example of the issues. I
> didn't find a way to change it so I decided the easiest
> way would be to just replace the source image. The status
> quo view is that that's a dangerous thing to do. But is it?
> Do people actually think before they say that?
>
> I figured out where the picture was and what format it
> was. (If I remember correctly it was something weird, like
> a JPG named as a PNG.) Windows wouldn't let me into
> those folders because it was all-users app data. So I
> removed restrictions on that area.
>
> No security risk. No functionality risk. No risk of any
> kind, except that I could end up with a log-in screen
> that I didn't like. Of course, I already had that. :) So
> why are those folders restricted? Because Microsoft's
> design assumes that I'm a corporate lackey writing MS
> Word docs, that it's not my computer, and that I have no
> right to affect other people who might use the same
> computer, by changing their log-in screen.

AFAIK, at least on Windows 11, you *can* personalise your log-in
screen. You can personalise the *lock* screen and then tell to show the
same picture on the 'log-in' screen (actually named "sign-in screen).

Settings -> Personalisation -> Lock screen -> ... -> Show the lock
screen background picture on the sign-in screen -> On

OTOH, if there *is* more than one user, I wonder who sets the sign-in
screen background and when. I.e. what happens at startup (no user has
logged in yet, so no personalisation) and what happens when user A logs
out versus user B logs out (which personalised background is used?).

Others are free to test. I don't care as I'm using Windows Spotlight.

Frank Slootweg wrote on 3/29/24 8:18 AM:
>
> AFAIK, at least on Windows 11, you *can* personalise your log-in
> screen. You can personalise the *lock* screen and then tell to show the
> same picture on the 'log-in' screen (actually named "sign-in screen).
>
> Settings -> Personalisation -> Lock screen -> ... -> Show the lock
> screen background picture on the sign-in screen -> On
>
> OTOH, if there *is* more than one user, I wonder who sets the sign-in
> screen background and when. I.e. what happens at startup (no user has
> logged in yet, so no personalisation) and what happens when user A logs
> out versus user B logs out (which personalised background is used?).
>

At restart or power on, the Lock Screen retains the last Lock Screen picture

If more than one user means more than one Windows logon the above applies
as well as the Lock screen pic configured for the sign-in screen 'background'
If more than one user means two people using the same Windows logon, the
previously configuration remains intact.

Background on the sign-in screen i snot the same as 'background' for the
desktop.

--
....w¡ñ§±¤ñ

Ed Cryer wrote:
> John C. wrote:
>> John C. wrote:
>>> User account control is DRIVING ME NUTS!!!! I tried turning it to the
>>> second from the bottom setting, but that only stops the system from
>>> pestering me when *I* make changes to the system settings. I don't want
>>> to have to resort to turning UAC completely off like I did in W7, but
>>> the continual disruptions to my workflow is really starting to frustrate
>>> the heck out of me.
>>>
>>> Is there any way to get it to stop asking me if I want to allow a
>>> program to make changes?
>>>
>>> IMO, this is something that Microsoft designed very, very poorly.
>>>
>>
>> My thanks to Oliver and Newyana2 for their helpful replies. However, I
>> guess at this point there really is no solution other than to turn UAC
>> completely off. Maybe at some point in the future, M$ will make UAC less
>> intrusive.
>>
>
> I always keep it off completely; on all my MS systems. I've been doing
> that for years; and never met the slightest sign of a problem.
> Mind you, I have excellent firewall and AV, and do full regular scans.
>
>
> As to MS planning to make it less intrusive, I doubt that very much.
> They've had it in place for about 15 years, and, as far as I know, never
> altered a jot in it.
> Most of the regulars in this group will tell you the same. It's for
> babies! It's more for show than real use. "Hey, good old MS providing
> all that safeguard and security!".

What if M$ was able to come up with a proprietary HASH code to assign to
programs a person runs on a regular basis, then before pestering enc
users every time they try to run a third party program, check to see if
that HASH is on a list of safe programs to run?

--
John C.

John C. wrote:
>
> What if M$ was able to come up with a proprietary HASH code to assign to
> programs a person runs on a regular basis, then before pestering enc
> users every time they try to run a third party program, check to see if
> that HASH is on a list of safe programs to run?
>

How would you police those HASH codes? How would you distinguish genuine
from fake?
They'd attract scammers, and be fairly open and vulnerable.

Ed

John C. <r9jmg0@yahoo.com> wrote:
[...]

> What if M$ was able to come up with a proprietary HASH code to assign to
> programs a person runs on a regular basis, then before pestering enc
> users every time they try to run a third party program, check to see if
> that HASH is on a list of safe programs to run?

Don't know about Windows 10, but Windows 11 sort of have such (a)
feature(s): Smart App Control [1] and Reputation-based protection [2]
(multiple categories).

[1] 'What is Smart App Control?'
<https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003>

[2] There's no 'Learn more' link for this, but it shouldn't be too hard
to find more information if you're interested.

"John C." <r9jmg0@yahoo.com> wrote

| What if M$ was able to come up with a proprietary HASH code to assign to
| programs a person runs on a regular basis, then before pestering enc
| users every time they try to run a third party program, check to see if
| that HASH is on a list of safe programs to run?
|

In some ways that's what UWP/RT/Metro is intended to be.
They're safe because they're crippled by design, unable to
access much of the WinAPI. That's always been the idea
with Java, as well. And ActiveX/COM. Of course, it's not
easy to make something safe. And now Microsoft are using
UWP applets for system settings. Go figure.

On 3/30/2024 5:28 PM, Newyana2 wrote:
> "John C." <r9jmg0@yahoo.com> wrote
>
> | What if M$ was able to come up with a proprietary HASH code to assign to
> | programs a person runs on a regular basis, then before pestering enc
> | users every time they try to run a third party program, check to see if
> | that HASH is on a list of safe programs to run?
> |
>
> In some ways that's what UWP/RT/Metro is intended to be.
> They're safe because they're crippled by design, unable to
> access much of the WinAPI. That's always been the idea
> with Java, as well. And ActiveX/COM. Of course, it's not
> easy to make something safe. And now Microsoft are using
> UWP applets for system settings. Go figure.
>
>

There's some kind of manifest file.

If there are irregularities, the files will
be downloaded and replaced.

These are small steps, in the big picture.
The attack surface is still huge.

Regarding Johns suggestion of a hash, signing
an application has some similar properties, but
the signing keys have been stolen before. In
application, the signing computer is normally
air gapped, and that's not how the signing key
escaped (possibly lost at a partner facility).
As an example of ceremonies, Linux distro signing,
representatives actually fly by plane, to
carry out a signing. That's for the shim used
for secure boot. They're not allowed to email
the info to one another :-)

There is already a problem with Secure Boot on
Windows, which will take a year to fix. That's
one of the reasons the Linux shim was invalidated,
and representatives had to fly to (a non-Microsoft location)
to fix theirs.

Since nothing on computers here Secure Boots,
hey, I'm spared :-) Spared the ceremonies at least.
A purchaser of new equipment had better check
that both UEFI and CSM (legacy) is supported.
Intel promises to tighten the situation by
chucking the legacy. WinXP doesn't support UEFI.

Still no word on whether Pluton is a go or not.
Or whether a respin is required.

It's a good thing my toaster doesn't have a CPU in it.
I can still make toast. Even if the Cloud is unreachable.
Somewhere an advertiser weeps, that they don't
know my toasting preferences. Top secret stuff.

Paul

Ed Cryer wrote:
> John C. wrote:
>>
>> What if M$ was able to come up with a proprietary HASH code to assign to
>> programs a person runs on a regular basis, then before pestering enc
>> users every time they try to run a third party program, check to see if
>> that HASH is on a list of safe programs to run?
>>
>
> How would you police those HASH codes? How would you distinguish genuine
> from fake?
> They'd attract scammers, and be fairly open and vulnerable.

Well then, let's give up and keep having to put up with continual
interruptions from that god-damned UAC.

I tried turning it all the way off yesterday and it STILL pestered me to
death when I was simply trying to move shortcuts around on my Start Menu.

--
John C.