New Norton Vista tool trades UAC for online feedback
By Scott M. Fulton, III | Published October 10, 2008, 4:21 PM
The latest freeware tool from Norton Labs offers to do Vista users a favor by turning off many of those annoying User Access Control prompts. If you're wondering what Symantec wants in return...so were we.
Though User Access Control may have struck a measurable blow against malicious programs' ability to gain elevated rights in Windows Vista, it has actually become one of users' least liked features because of how annoying it can become. For everything that could possibly have a negative impact on the system if it's done unintentionally, UAC can suspend Vista's normal operation momentarily, while it asks the user to Continue the operation that's about to be performed, even if it's the user himself who requested it.
Running with limited or diminished privileges is something the typical, non-malicious Windows user has had difficulty growing accustomed to. Now, a new freeware tool from the experimental security arm of Symantec called Norton Labs can give this prompt a feature similar to what you might see on a software firewall like ZoneAlarm: a way to say, for individual applications that often require administrator privileges, "Yes, I permit it, but don't ask me this again."
In short, the Norton tool does not turn off or replace UAC (you can actually turn it off yourself from the System Registry if you're so inclined). Rather, it leaves the system turned on but refrains from asking you for permission to elevate privilege for programs that appear on the tool's ongoing whitelist. It replaces the usual UAC panel with one that is certainly "Vista-ish," but which looks different from the one Microsoft supplies. It lets you know it's from Norton Labs. And it gives you the prominent option, "Don't ask me again," beside a check box, which you can check before you click on Allow.

In BetaNews tests, we had some difficulty installing this on our 32-bit Vista virtual machine (the tool does not work on 64-bit Vista, which uses a very different secure kernel). We soon discovered the reason: In Local Security Policy, there's an option to turn up the heat whenever the UAC panel comes on, so that it asks the user to supply the administrator password rather than just click on Continue. We had that option turned on; and you may be thinking toward our general direction, "You're crazy!" Yes, but we've been experimenting with some different security options in Vista, and in my own personal opinion, I'm no more bothered with entering a password than I am with clicking on a button.
Once we tweaked the Registry so that policy was set to the default for Vista (just showing the Continue and Cancel buttons), we got the Norton UAC tool to work. During the installation process, the first thing we saw was a rather austere dialog box, which offered the sole option, "Yes, Enable Submission on UAC prompts," without any explanation.
Submission? Yes, the answer to the question, "What does Symantec get out of this?" is that everything you enter onto your whitelist gets shared over the Internet with a Norton Labs database. We assume this information isn't transmitted in the clear, though we don't know that for sure.
There's no warning ahead of time, so this opportunity to opt out may be meaningless for most users. But if you have the foresight to have checked Norton Labs' Web site beforehand, you'll come across an FAQ page which reads as follows: "Each time you see a prompt, the Norton Labs UAC Replacement sends meta information about what caused the prompt, and why, to our server. This data will be used, in aggregate, to help Norton Labs build a white list that can be shipped with the UAC replacement and LiveUpdated [sic] as needed."
So the whole premise of Norton Labs' UAC tool essentially boils down to the following: Are you willing to introduce two security risks into your system in order to avoid being annoyed by something that's, on the larger scale of things, less annoying than the current financial crisis or the remake of Knight Rider? Because if you think about it, the whole point of UAC is that it forces a system stop whenever something that can potentially change the system's status is about to occur. It's designed to be a roadblock, especially for the programs that administrators use frequently (REGEDIT comes to mind); why remove the roadblock for those frequently used tools and leave it in place for the less used or unused ones?
Then comes security policy quandary #2: Do you really want to tell Symantec -- or anyone else on the other side of the Internet from you, for that matter -- what programs you run every day? To me, information security is about removing the likelihood of accidental or unwarranted disclosure. How can anyone be certain that a malicious user, perhaps in tribute to Kirk Douglas' immortal role, doesn't rise to the occasion in a spoofing attempt to say, "I am Symantec!"
In other words, with which are you more comfortable: being possibly insecure or being definitely annoyed?
[disclosure: I am a developer at Symantec and was involved in the Norton UAC Tool. I am posting here because I wanted to clarify a few things regarding the Norton UAC Tool and respond to a few of the concerns posted in comments.]
The Norton UAC tool allows an application to run with silently-elevated privileges only in a specific context that was previously approved by the user with the "don't ask again" check box selected.
This means that there is a difference between regedit.exe launched from the start->run box, regedit.exe originating from a shortcut double click, and regedit.exe launched from a double click on a .reg file (and the context actually changes with each .reg file), and regedit.exe being launched by an application (malicious or not).
Given the contextual awareness of Norton UAC tool's automatic answering, the Norton UAC tool provides a usability improvement over Vista's default UAC prompts, while maintaining obvious security improvements in the Vista kernel (such as isolation, file/registry virtualization, and user interface privilege isolation) that are all disabled when UAC is disabled.
We decided to write this tool after we noticed two alarming trends with UAC. The first is that users fully disable UAC - which is a horrible workaround to a minor usability issue (since it disables isolation and virtualization - which in turn removes IE's protected mode). The second is that users get so used to responding to UAC prompts with "allow" that the prompts are often not even read by the user (Chicken Little "the sky is falling" syndrome).
As a result, we are collecting information on the subject matter of prompts in addition to the response times to determine if reducing the overall number of prompts (by allowing users to remember their answers) causes users to spend more time reading the prompts... Microsoft records very similar timing and response information for all of Vista and Office when you agree to take part in the Customer Experience Improvement Program.
As for the impact to your system, the Norton UAC tool produces no running processes and is only active during a UAC prompt. We worked very hard to ensure the Norton UAC tool is as fast or faster than the built-in Vista UAC prompts.
Score: 0
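The context-bound "don't ask again" behaviour described in the comment above can be modelled as an allow-list keyed on the whole launch context rather than on the program name. This is an added example, not Symantec's code; the fields in the key (path, content hash, launcher, arguments), the class names and all sample values are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ElevationRequest:
    """One elevation request; every field is a constructed stand-in."""
    exe_path: str          # program asking to elevate
    exe_bytes: bytes       # file content (would be read from disk)
    launcher: str          # what started it: Run box, shortcut, parent program
    arguments: tuple = ()  # command-line arguments, e.g. a .reg file


def context_key(req: ElevationRequest) -> str:
    """Hash the whole launch context into one allow-list key."""
    fields = [
        req.exe_path.lower().encode(),
        hashlib.sha256(req.exe_bytes).digest(),  # binds the entry to file content
        req.launcher.lower().encode(),
        *(arg.encode() for arg in req.arguments),
    ]
    h = hashlib.sha256()
    for field in fields:
        # Length-prefix each field so adjacent fields cannot be re-split
        # into a different context that hashes to the same key.
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


class ContextAllowList:
    def __init__(self):
        self._approved = set()

    def remember(self, req: ElevationRequest) -> None:
        """User clicked Allow with "Don't ask me again" checked."""
        self._approved.add(context_key(req))

    def decide(self, req: ElevationRequest) -> str:
        return "auto-allow" if context_key(req) in self._approved else "prompt"


REGEDIT = r"C:\Windows\regedit.exe"
GOOD = b"constructed regedit image"  # placeholder bytes, not a real binary


def demo() -> dict:
    acl = ContextAllowList()
    acl.remember(ElevationRequest(REGEDIT, GOOD, "run-dialog"))
    cases = {
        "same context": ElevationRequest(REGEDIT, GOOD, "run-dialog"),
        "opened via .reg file": ElevationRequest(
            REGEDIT, GOOD, "shell-open", (r"C:\Users\demo\a.reg",)),
        "started by another program": ElevationRequest(
            REGEDIT, GOOD, r"C:\Temp\other.exe"),
        "file content replaced": ElevationRequest(
            REGEDIT, b"different bytes", "run-dialog"),
    }
    return {name: acl.decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} -> {verdict}")
```

Only the exact context the user approved is answered silently; a different launcher, a different argument, or changed file content falls back to the prompt.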
|I would like to know why we cannot simply uninstall Norton (and most likely Symantec) software but instead have to run a script and then rip things out of the registry.
Score: 0
|Is this usable if you are not working as an Admin?
Score: 0
|UAC was soo annoying that I just had to turn it off. First it warns you that it needs permission, then it asks you for permission - how dumb is that!!!
But this has the words Norton attached to it, therefore by default I wouldn't touch it - been stung too many times in the past with "norton" products. THEY may feel it's a solid brand name, I think it's a liability to let any Symantec/Norton product even near my pc.
Score: 0
|I turned it off without Norton. What is the big deal?
Score: 0
|BetaNews: Please clearly disclaim when an article is written by a guest during "Bring Your Kid To Work Day."
Yes, I am shooting the messenger.
The user comments are more thoughtful and contain more technical information than the article itself. I don't want to repeat the observations already made, so I'll ask Scott to: 1. Read the FAQ; and 2. Read the download screens. Those two items would prevent Scott from asking himself so many questions.
My only regular UAC prompt is to run Asus' PCProbe II. The prompts I receive building a system are expected and not intrusive. With that said, this software seems to be a step in the right direction.
I'm a big fan of white lists. If this is done securely, it prevents me from responding to an expected UAC prompt. I am more concerned with end users clicking "Allow" as habit or turning off UAC entirely.
It will be interesting to see how similar this add on is to the UAC in Windows 7.
Score: 0
|> why remove the roadblock for those frequently used tools and leave it in place for the less used or unused ones?
Because the idea behind UAC is not to warn about dangerous admin tools, but to block unsolicited changes (like virus or spyware).
Score: 0
|I got a better idea, ditch both Norton and Winblows and get a Mac. Bye, bye security problems. :)
Score: 0
|Hah, yeah cause being asked for your password every time a program needs administrator access is so much less annoying? You must have not thought that one out too well.
Score: 0
|According to Apple, Mac OS X has all kinds of security problems. I'm not sure what makes you think that Mac OS X is so secure.
Score: 0
|That's what I don't get about boneheads like that who think UAC is more annoying than methods employed by other OSes that ask for your admin/root password every single time for the most mundane and trivial tasks. They are not adaptive, and do not "learn" the more you use them.
UAC was the best trade-off between security and convenience.
Allow? Sure... *click*
Allow? Nope... *click*
Anyone who would disable UAC unconditionally is, quite frankly, an idiot.
Perhaps they need to spend time with the "new" Mojave UAC. It's much better than Vista's implementation. ;)
Score: 0
|anyone who needs UAC holding their hand every time they try to move a file from one folder to another folder is an idiot. besides it's not like there's any granular tuning of UAC, it's either on or off; and you can thank apple and all the idiots who actually need uac for the dumbed down approach to uac.
Score: 0
|what a f**
Score: 0
|This tool most certainly *does* work on the 64-bit version of Windows Vista, should you wish to run it. There is a download link on the Norton Labs website.
Score: 0
|Unless it's been changed, disabling UAC also turns off the folder redirection and virtual folders... thereby 'fixing' most of the programs that wouldn't run in Vista. Still find that the best realistic combination of security and program-success is UAC off, running as a limited user, and manually elevating (Run as) when needed...
Score: 0
|Those virtual folders are what allows misbehaving programs to install in the first place.
Score: 0
|symantec... never again will i use your products unless i am forced
Score: 0
|Heh Symantec, never seen a good company become such a worthless pest in history.
Score: 0
|I would add Apple to that list, but they've never been a good company to begin with.
Score: 0
|Dumbest thing I've seen in a long time. White-listing totally defeats the purpose.
How long do you think it will take those clever virus folk to write a virus that takes advantage of commonly white-listed programs? (hint: they've probably already started.)
Score: 0
|How long before they can write a virus that will get around UAC altogether even with it fully turned on? They could even have one which will wait, quietly, until you click continue yourself to let a legitimate program pass and just piggyback on that. Nothing is foolproof.
Score: 0
|Depends if the whitelist is kept as a randomly generated hash or other such security measure. Depends if it analyses the physical size of the program being accessed and checks it against the original listing.
I can't imagine the whitelist is in plain text.
Score: 0
|*Edit* Hmm. That's odd. On initial posting the comment refused to show up. Ah well...
Score: 0
|You're correct in 'Nothing is foolproof', but it's been a year and a half already. I'd expect to have seen the virus by now.
Score: 0
|No! The dumbest thing I've seen these past few days is the Tool Man trying to express some vague sense of humility.
That folks is a contradiction of terms.
Lord Farquard and his inbred puppies, expressing goodwill to fellow man is about as effective as .22 Saturday Night Special, when compared to a few nukes and depleted uranium shells (yes, another contradiction in terms).
God I'm good, FIGJAM hey Toolie?
Score: 0
|And your opinion on the subject matter was?
Score: 0
|Haha yah, that was retarded, just like you.
Score: 0
|Exactly. There have been more attempts to hack Windows Vista than any other operating system ever created.
Score: 0
|They could even have one which will wait, quietly, until you click continue yourself to let a legitimate program pass and just piggyback on that.
How'd the one that "waits" get installed then, genius?
Score: 0
|No, My bad.
Your posts are by far the dumbest thing I've ever seen. What a pointless waste of bits.
Go back to bed, Zaine.
Score: 0
|to turn it off completely, just one click, contrary to what the story says you have to play with registry, u don't.
but i like how this product adds "do not ask again" for certain issues... pretty cool, why didn't windows do this 2 begin with!??
Score: 0
|Because it's insecure. A virus would simply need to masquerade as a popularly white-listed application to gain access to admin privileges and avoid the UAC prompts.
Score: 0
|Thus making UAC worthless in the long run. People just don't want to be bothered with it...
Score: 0
|It takes a hash of the exe and the dll's to prevent masquerading. Some common hashing algorithms are insecure, but they should well know this and be using something else.
Score: 0
|How does this make UAC worthless?
You'd have to have ignored a prompt to get the infection to begin with...
*laughing*
You simply cannot *think* when it comes to anything MSFT, can you?
Score: 0
|Praise the lord!!!! Free at last!! [smiles]
Score: 0
|If you ever actually used Vista since SP1, you might have actually noticed a difference in the amount and frequency of the UAC pop-ups.
Well, that...and they all but disappear after the initial system configuration.
Aside from that, devs have also begun coding their apps far more intelligently. No longer requiring admin rights, no longer using installers that install to protected folders, etc...
Check out the Win7 blog. They have some interesting feedback and stats regarding UAC from the release to now.
(well, to anyone interested...I know sjc001 couldn't care less about things like...Facts.)
Score: 0
|Irrelevant, like everything you say. It's totally worthless if people are just going to automatically click continue on it without ever reading it. It really doesn't matter if it actually works because of this.
Norton wouldn't have come out with this if there really wasn't a desire for it.
Score: 0
|While you are correct about this at least it's an attempt - what the user does afterwards is their own fault.
Score: 0
|*laughing my a** off*
It's totally worthless if people are just going to automatically click continue on it without ever reading it.
By and large, this has been fixed. The majority of UAC prompts occur during the first use/initial configuration and then drop off to almost nothing. Perhaps your comments regarding UAC wouldn't be so irrelevant if you'd actually used it?
Norton wouldn't have come out with this if there really wasn't a desire for it.
This is the killer, and what really made me roll.
General public desire!=the right thing to do.
The general public are a bunch of morons who don't know security from a doughnut. You're going to go to them for security advice??
Score: 0
|That's a tough choice. I hate UAC with a passion (and was part of a group that tried unsuccessfully to talk Microsoft into making it less annoying during a meeting in Redmond), but I don't disable it across the board, because it does serve some purpose. Then again, I'm not sure I want to install something from Symantec that embeds deep within Vista to tell it what to notify on and what to allow.
Microsoft really needs to include something like this in SP2. In contrast, Apple's approach to the problem is much less intrusive and not constantly annoying.
Score: 0
|There probably will never be a SP2 for Vista. They'll ditch this albatross as soon as they can and put out Windows 7. Maybe they'll "fix" this problem then?
Score: 0
|Microsoft really needs to include something like this in SP2
Good luck. How long do you think it will be before the viruses start compromising the most popular white-listed applications?
Apple's approach to the problem is much less intrusive and not constantly annoying.
...they also have devs that don't try and install their apps to protected folders or require super-user privileges to run.
This is the main problem with UAC...not UAC, but the application "developers" who've grown too used to being able to use admin privileges to accomplish the most mundane of tasks. It's changing (WoTLK, for example, generates *no* UAC prompts; During installation, *or* to run), but it's changing slowly.
Score: 0
|What problem?
Score: 0
|Remember, in the game Doom 3 UAC was the corporation that had opened the gates of hell.... [rollseyes]
Score: 0
|Agreed, Windows is a much different beast than Mac OS X. And you're right, we probably won't see any major modification to UAC.
However, many Vista functions require UAC confirmation still, and as a result, every-day functions turn into annoyances, even if an application is following the rules. If I'm installing a piece of user-level shareware, Vista shouldn't prompt me and disable the screen like it does, both when first launching the installer and during the installer process. There needs to be a balance between security and usability.
Score: 0
|All Microsoft needs to do is make UAC more like Sudo. Kind of like what the Ubuntu Linux developers have done.
Score: 0
|Since Microsoft has started the practice of charging people to do an integrated install of Vista with a service pack they probably will release Service Pack 2 just to make more money.
Score: 0
|UAC was also in the earlier Doom titles, ever since the game's creation.
I find it mildly amusing, but then I also used to chuckle about a company named USRobotics manufacturing modems.
(Recall U.S.Robotics - Isaac Asimov)
Score: 0
|"This is the main problem with UAC...not UAC, but the application "developers" who've grown too used to being able to use admin privileges to accomplish the most mundane of tasks."
Agreed 100%!
Score: 0
|Now that you mention it
* "the beast" (for the register.co.uk addicts :) )
* UAC
Now we know and you are the one who discovered it :)
Score: 0
|that last sentence is the smartest thing that's ever been said on betanews.
Score: 0
|Vista shouldn't prompt me and disable the screen like it does, both when first launching the installer and during the installer process.
Then the dev is doing something *wrong*. Messing with reg keys or installing to protected folders. This is *not* Vista's fault.
There is no "balance" between security and usability. There is secure...and *not* secure.
Score: 0
|...and then all the malware needs to do is wait until admin privs are requested by the user...
Score: 0