"Administrative" necessary?

I am annoyed by repeated demands that I be in Administrative mode to
do simple things such as move a file.

I am the sole non-paranoid user, owner, and Administrator of a Win7pro
Dell.

How can I convince Win7 of that fact? Thanks.

|I am annoyed by repeated demands that I be in Administrative mode to
| do simple things such as move a file.
|
| I am the sole non-paranoid user, owner, and Administrator of a Win7pro
| Dell.
|
| How can I convince Win7 of that fact? Thanks.

You can boot in the actual Administrator account.
If you want to do that it first has to be made visible.
That was discussed last week.

As a less extreme measure, you can go into Control
Panel user settings and set User Account Control to
the lowest level. That should stop the majority of
nags.

You can also take a file-oriented approach. If you
take ownership of files and then grant yourself full
control of them then you can do with them as you
like. As long as you first take ownership, that approach
can be used for *any* file system item. It's a wacky
system that doesn't make much sense, but all you
really need to know is that taking ownership and giving
yourself "permissions" are two different things, and
that in many cases you'll need to do the former before
you can have success with the latter. That's just how
it works.

| However, moving files around,
| deleting your System folder, is just as hard as it was before.
| Most procedures still require multiple steps. I don't
| really know of any way to make things "totally convenient".
|

Assuming one is not worried about security
issues and doesn't actually want to delete
the system folder (but may want to go so far
as, say, removing restrictions on Program Files)
it's very much doable by systematically taking
ownership of most or all of C drive and removing
restrictions.

We've talked about this before. After encountering
the Win7 mess for the first time I wrote a tool to
keep me from tearing my hair out:

http://www.jsware.net/jsware/nt6fix.php5#restfix

In tests I didn't find anything I couldn't remove
restrictions from. I was able to free and move or
delete winsxs, for instance. (Not something I'd
recommend to the faint of heart, but it can be
done.

I think you, yourself, have posted details of another
way to do the same thing: A Registry tweak that will
allow restrictions to be removed via context menu.

As I noted above, one doesn't have to tolerate
restrictions. But Microsoft have made it both mysterious
and tedious to get around them. Security through
obscurity. The option they offer is two command line
tools, Takeown and CACLS. The menu tweak option
puts those tools in the context menu. My utility uses
the Windows API to do the same thing conveniently
and recursively. (Even the Windows API is an obscure
maze when it comes to file restrictions. The excessive,
artificial complexity is dizzying. [And a target of scorn
by Linux people.] But as with Takeown and CACLS,
removing restrictions *can* be done via API.)

People who have any experience with scripting could
also write their own scripts to automate/recurse Takeown
and CACLS.
However it's approached, while it may take some work,
it only has to be done once.

Mayayana wrote:
| However, moving files around,
| deleting your System folder, is just as hard as it was before.
| Most procedures still require multiple steps. I don't
| really know of any way to make things "totally convenient".
|

Assuming one is not worried about security
issues and doesn't actually want to delete
the system folder (but may want to go so far
as, say, removing restrictions on Program Files)
it's very much doable by systematically taking
ownership of most or all of C drive and removing
restrictions.

We've talked about this before. After encountering
the Win7 mess for the first time I wrote a tool to
keep me from tearing my hair out:

http://www.jsware.net/jsware/nt6fix.php5#restfix

In tests I didn't find anything I couldn't remove
restrictions from. I was able to free and move or
delete winsxs, for instance. (Not something I'd
recommend to the faint of heart, but it can be
done.

I think you, yourself, have posted details of another
way to do the same thing: A Registry tweak that will
allow restrictions to be removed via context menu.

As I noted above, one doesn't have to tolerate
restrictions. But Microsoft have made it both mysterious
and tedious to get around them. Security through
obscurity. The option they offer is two command line
tools, Takeown and CACLS. The menu tweak option
puts those tools in the context menu. My utility uses
the Windows API to do the same thing conveniently
and recursively. (Even the Windows API is an obscure
maze when it comes to file restrictions. The excessive,
artificial complexity is dizzying. [And a target of scorn
by Linux people.] But as with Takeown and CACLS,
removing restrictions *can* be done via API.)

People who have any experience with scripting could
also write their own scripts to automate/recurse Takeown
and CACLS.
However it's approached, while it may take some work,
it only has to be done once.

But if we promote such an approach, who is going
to help the people who start to see random side
effects ? (Like say they run Windows Update and an
update doesn't install successfully, and the "repair"
tools don't have a clue what is wrong.) If a user understands
the permission model better than I do, then perhaps working
this way has merit.

You can use the Task Scheduler, and schedule a .bat
file to run one minute from now, and using that technique,
the running .bat runs as the SYSTEM account, and that will
open a lot of doors to you as well. But perhaps when you
finish, things won't be quite the same as they were before.

For a person on a mission to smash stuff, I would recommend
an ICACLS /save run, to record the permissions of C: for later.
The output is a text file, which can be edited if necessary.
Then if the conclusion later was "if only I could
put all the stuff I changed back", that text file would
be a good starting material.

Paul

On Thu, 21 Jan 2016 19:24:37 -0500, B00ze wrote:

Good day.

On 2016-01-21 02:19, Paul wrote:

masonc wrote:
I am annoyed by repeated demands that I be in Administrative mode to
do simple things such as move a file.

Disable UAC would prevent being prompted for permission.
Read the caveats, before you do this!

What caveats? Security? Malware writers have long ago switched their
approach so that their crap runs in the USER context and does not
bring-up UAC at all, I know, 3 times a client of mine got CryptoWall and
not a beep on UAC. I also got infected with a fake A/V (using IE @ work)
and no UAC prompt. UAC is completely useless on Windows 7 (unfortunately
and beyond belief, you HAVE to turn it on with Win8+ because MS are
braindead and stuff doesn't work without it).

On both 7 and 8.x, one of the very first things I do on a new install is to
disable UAC completely. I also disable System Restore and enable file
extension visibility, but those aren't relevant.

Do you have an example of a situation where you needed UAC enabled in order
for something to work?

--

Char Jackson

On 2016-01-21 20:18, Char Jackson wrote:

On Thu, 21 Jan 2016 19:24:37 -0500, B00ze wrote:

Good day.

On 2016-01-21 02:19, Paul wrote:

masonc wrote:
I am annoyed by repeated demands that I be in Administrative mode to
do simple things such as move a file.

Disable UAC would prevent being prompted for permission.
Read the caveats, before you do this!

What caveats? Security? Malware writers have long ago switched their
approach so that their crap runs in the USER context and does not
bring-up UAC at all, I know, 3 times a client of mine got CryptoWall and
not a beep on UAC. I also got infected with a fake A/V (using IE @ work)
and no UAC prompt. UAC is completely useless on Windows 7 (unfortunately
and beyond belief, you HAVE to turn it on with Win8+ because MS are
braindead and stuff doesn't work without it).

On both 7 and 8.x, one of the very first things I do on a new install is to
disable UAC completely. I also disable System Restore and enable file
extension visibility, but those aren't relevant.

Do you have an example of a situation where you needed UAC enabled in order
for something to work?

Not in Windows 7. I have "Administrator" and "Me" users, and I want
badly to run "Me" as a standard user, but for now I decided to add "Me"
to the admin group because I constantly have to tweak the built-in
firewall and I can't do that as a normal user. If I finally try and
end-up using "Private Firewall" then I will probably make "Me" a simple
user. But UAC will remain disabled, it's only useful when your regular
user is in the Administrators group. See, that's the strange thing, UAC
is only useful if you are an admin, but for REAL security you should NOT
be an admin, you should be a regular user. UAC is Microsoft saying "Ok,
we give up, everyone should be an admin, we'll just patch it up with UAC."

In Windows 10 (and possibly for Win 8) you cannot run "Store Apps"
unless UAC is enabled, and since in Win10 the start menu itself is a
store app, you're kinda stuck, you have to enable UAC...

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Fdn/EFF/Red+Cross/Planetary-Society-+-
oO-( )-Oo Objects on screen are closer than they appear...

| See, that's the strange thing, UAC
| is only useful if you are an admin, but for REAL security you should NOT
| be an admin, you should be a regular user. UAC is Microsoft saying "Ok,
| we give up, everyone should be an admin, we'll just patch it up with UAC."
|

Why do you see it as a risk when it's giving you
the option? As Admin you have an option to elevate.
As a normal user you don't. You don't trust yourself
to have the option?

On Fri, 22 Jan 2016 20:41:17 -0500, B00ze wrote:

On 2016-01-21 20:18, Char Jackson wrote:

On Thu, 21 Jan 2016 19:24:37 -0500, B00ze wrote:

Good day.

On 2016-01-21 02:19, Paul wrote:

masonc wrote:
I am annoyed by repeated demands that I be in Administrative mode to
do simple things such as move a file.

Disable UAC would prevent being prompted for permission.
Read the caveats, before you do this!

What caveats? Security? Malware writers have long ago switched their
approach so that their crap runs in the USER context and does not
bring-up UAC at all, I know, 3 times a client of mine got CryptoWall and
not a beep on UAC. I also got infected with a fake A/V (using IE @ work)
and no UAC prompt. UAC is completely useless on Windows 7 (unfortunately
and beyond belief, you HAVE to turn it on with Win8+ because MS are
braindead and stuff doesn't work without it).

On both 7 and 8.x, one of the very first things I do on a new install is to
disable UAC completely. I also disable System Restore and enable file
extension visibility, but those aren't relevant.

Do you have an example of a situation where you needed UAC enabled in order
for something to work?

Not in Windows 7. I have "Administrator" and "Me" users, and I want
badly to run "Me" as a standard user, but for now I decided to add "Me"
to the admin group because I constantly have to tweak the built-in
firewall and I can't do that as a normal user. If I finally try and
end-up using "Private Firewall" then I will probably make "Me" a simple
user. But UAC will remain disabled, it's only useful when your regular
user is in the Administrators group. See, that's the strange thing, UAC
is only useful if you are an admin, but for REAL security you should NOT
be an admin, you should be a regular user. UAC is Microsoft saying "Ok,
we give up, everyone should be an admin, we'll just patch it up with UAC."

In Windows 10 (and possibly for Win 8) you cannot run "Store Apps"
unless UAC is enabled, and since in Win10 the start menu itself is a
store app, you're kinda stuck, you have to enable UAC...

When the very first Win10 build came out, I loaded it in a VM and almost
immediately disabled UAC. The start menu didn't seem to be affected, or at
least I didn't notice any difference. I doubt that I could fire that VM up
again now, since it's probably expired.

--

Char Jackson

On 2016-01-23 12:09, Char Jackson wrote:

In Windows 10 (and possibly for Win 8) you cannot run "Store Apps"
unless UAC is enabled, and since in Win10 the start menu itself is a
store app, you're kinda stuck, you have to enable UAC...

When the very first Win10 build came out, I loaded it in a VM and almost
immediately disabled UAC. The start menu didn't seem to be affected, or at
least I didn't notice any difference. I doubt that I could fire that VM up
again now, since it's probably expired.

Ah, I was led to believe the start menu would not work with UAC
disabled, or when using the built-in Administrator account. I could be
wrong, I haven't tried 10 yet, just 8.1. I'll stop spreading lies, lol :-)

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Fdn/EFF/Red+Cross/Planetary-Society-+-
oO-( )-Oo You klingon sons, you've killed my *******... No, wait...

On 2016-01-22 22:02, Mayayana wrote:

| See, that's the strange thing, UAC
| is only useful if you are an admin, but for REAL security you should NOT
| be an admin, you should be a regular user. UAC is Microsoft saying "Ok,
| we give up, everyone should be an admin, we'll just patch it up with UAC."
|

Why do you see it as a risk when it's giving you
the option? As Admin you have an option to elevate.
As a normal user you don't. You don't trust yourself
to have the option?

If UAC told me exactly what triggered it, then I would use it, but right
now all it says is "do you trust this app?" and that's not enough for me
(trust the app to do WHAT exactly?). I prefer running as a standard
user, let the app get a permission error and handle it correctly, or
fail. When I need to elevate, I RunAs :-) I don't know, I feel safer as
a regular user. Hmmmm, now you're making me re-think, tsk tsk tsk -
Maybe I could place "Me" in the admin group and enable UAC, possibly
then "Windows Firewall Notifier" can make changes to the firewall that
way, provided it triggers a UAC prompt. But UAC comes with so many
caveats, like not being able to create files in ROOT of C etc, which I
don't have to deal with when it's off. Hmmm, I still feel UAC is like M$
giving-up (we should all be running a Micro Kernel by now, with every
single process running in user space, but I digress, Linux doesn't have
that either, only GNU)...

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member-+-David-Suzuki-Fdn/EFF/Red+Cross/Planetary-Society-+-
oO-( )-Oo Okay, I pulled the pin, now what? Hey, where U going?