UAC exclusion list?
I am a user of XFire, which is an instant messenger aimed at gamers. It is designed to track what games are running in addition to certain programs like TeamSpeak as well as allow messaging from within a full screen application, but to do this it requires administrative access to hook into those programs. Because it is designed to hook into programs the UAC automatically blocks it from startup and puts up a prompt. I understand the need for security that makes the prompts necessary, but is there a way to exclude certain programs such as XFire from being blocked in a similar way to how you can permanently whitelist programs with the firewall?
January 16th, 2009 12:12pm

I have to say the new UAC is an improvement; however, it is still lacking the ability to configure your own ACL as to what programs will be permanently set to be let through. I run certain games and apps that require administration in order to execute, including XFire amongst others. Personally I would be better to have the option, firewalls have had them for years now. Why can't the UAC?
January 16th, 2009 11:44pm

From what I understand there is still the stance that the goal is still to put pressure on ISVs to fix their applications. But I'll ask why a customized UAC for a single app wasn't considered or if so, why not put in Win7. Sometimes when you hear the reason why for a choice you go "oh, okay, I get it".
January 17th, 2009 4:50am

Have you tried to use the Compatibility Tab? In there you can select to run the program as Admin when you execute it. Which would save you from getting that prompt. You would just have to delay the startup of XFire. ~Alex T.~Windows Desktop Experience MVP~
January 17th, 2009 7:11am

Create a scheduled task to start it on startup. You can configure the task to run elevated.
January 17th, 2009 7:37am

The whole point I am trying to get across is I shouldn't have to perform workarounds like compatibility and scheduled tasks. I should simply have the option to say don't ask me if I wish to run this application under administrator each time. It should be a built-in function. If I click remember this setting or do not show this warning again I should never see it again. This way I can have full UAC whilst having customizable options for programs I know are safe. For example, like with many firewall applications, a warning will pop up saying this application is trying to connect to the internet. Once I select allow this application to connect to the internet and always it will never ask me again for security reasons. This would create a better interface for any user from a novice to an expert to use. Which I am sure is what Microsoft would want. A user friendly GUI.
January 17th, 2009 11:16am

I can understand your point. But you have to look at this from the other side as well. If it was as simple as just giving the option to allow this task to be elevated then security risks could possibly use this as an exploit to allow for viruses and other such things to give themselves the elevated rights by default, which would defeat the purpose of UAC altogether. Since they would be able to add themselves and people will unknowingly just click Okay to the prompt to allow it access without reading what the warning is and have their system compromised. I think that is the major reason why it continually asks for the rights, since if it didn't it could be easily used as a way around UAC for virus writers to be able to find a way around the security of UAC. Take your firewall example. If a person allows something through without reading what is asking for access then that program has full access. So they can easily and unknowingly give access to a program that can compromise the security of their system access to the net without even realizing what they have done. While this is a pain for people who read and know about such things, many people just click the Okay or allow button without reading the prompts and give access. It is not uncommon for even the best of us to just click okay without reading everything on screen at the time because we are in a hurry or just can't be bothered to read the prompts. I can fully agree with your statement. But overall I think it would be a bad idea after seeing how easy it is for people to just click okay without knowing what they are agreeing to when they click. Be it for a program like XFire or for a keylogger, people have the bad habit of just clicking okay and then looking back on it later thinking to themselves "What was that prompt for again?" Best option: submit some feedback. See if there can be an option added for this which will kind of act like the old UAC and give a couple of prompts to make sure this is what users want and not just one of those annoying click okay to get it over with type deals. ~Alex T.~Windows Desktop Experience MVP~
January 17th, 2009 10:31pm

Alex T said: Have you tried to use the Compatibility Tab? In there you can select to run the program as Admin when you execute it. Which would save you from getting that prompt. You would just have to delay the startup of XFire. ~Alex T.~Windows Desktop Experience MVP~ Oleg Krogius said: Create a scheduled task to start it on startup. You can configure the task to run elevated. Running it as an administrator is what generates the UAC popups. The UAC does that for any program set to be run as an administrator. Anyways the exclusion doesn't have to be automatic. As long as there's an exclusion list that I can add programs to, that's fine with me, even if I have to enter it manually.
January 18th, 2009 2:54am

Agreed, very simple: "DO NOT ASK ME AGAIN FOR THIS PROGRAM". Boom, done. Every firewall/etc does it, can't be that hard.
January 18th, 2009 6:16am

That's the firewall, not the OS. Malware can be built to pretend to be your favorite app and then ride the coattails of that app's approval. The goal is to ensure that the desktop does not have obvious vulnerable holes to tunnel into the system. The solution you are proposing would do just that. Malware authors would realize that everyone allowed Sucky app A to have full administrator rights to the system and tag along accordingly.
January 18th, 2009 7:22am

Well it's useless the way it is because everyone will just turn it off. Do you seriously suggest that I should dismiss SEVERAL popups when I first boot my PC, and then EVERY time I run most programs? Well, I won't, so I'll turn it right off and leave security to 3rd party programs - in other words business as usual for MS Windows eh?
January 19th, 2009 10:39am

I agree - I have asked most of the I.T staff I work with that use Vista and we've all turned UAC off. I think MS realise there is an issue to be dealt with here which is why we now have the slider control with a few more options, however it's really only meeting the users half-way. There has to be a better option or it is going to be turned off - plain and simple.
January 19th, 2009 11:26am

I'm seriously saying that when you run Windows Vista and Windows 7 you don't get these prompts. The only time I see this is when I a. install software and b. run crappy apps. I am an IT staff person and I don't have it turned off. I turn it off when I install software, I turn it back on. I don't see it on a daily basis. During the beta, leave it for the default settings, see how many times you get it, note the actions/software you get it from. Especially when it comes to that software you should ask yourself why that software vendor doesn't care about security? I get a UAC on my MacMini. Sudo on Linux. Those IT guys are getting prompts for administrative approval on other operating systems as well.
January 20th, 2009 8:40am

Susan Bradley said: That's the firewall, not the OS. Malware can be built to pretend to be your favorite app and then ride the coattails of that app's approval. The goal is to ensure that the desktop does not have obvious vulnerable holes to tunnel into the system. The solution you are proposing would do just that. Malware authors would realize that everyone allowed Sucky app A to have full administrator rights to the system and tag along accordingly. If a malware program gets onto my computer and runs itself when I click the icon of ANOTHER program, then I have more serious issues than a simple trojan. In addition, they don't prevent you from automatically whitelisting programs on your firewall, and there are spyware programs and key loggers that can be made to show up as a legitimate program. That's a security breach as well. No matter what you do there is no protecting the stupid from themselves, so trying to is a pointless gesture. Also as I said before, it doesn't have to be automatic. Even if I have to manually whitelist it, I would like the option. Also if I do it manually, then the only way malware will get whitelisted is if it replaces the exact .exe I unblock. The popups are not the problem, it's that I can't turn one off without turning them all off. Also there are some programs that do require administrative access. The program I mentioned is one of those. It can qualify as a monitoring program, because it watches the active processes so it can track what games are running and record that; in addition it has to have access to the game so you can use the messenger features without alt+tabbing. It needs this kind of access to do what it is designed to do, and it is good that the UAC stops it, the first time, but I would like to be able to tell the UAC, "this program is OK, let it pass." regedit is another program that requires UAC approval, and if an MS program contains a virus then I should just throw my computer in the trash right now.
January 20th, 2009 8:15pm

I suppose a workable solution could be that the first time an app tried to gain admin privileges, you get the UAC, and an option to always allow that program. UAC then takes a hash of the .exe file trying to run and stores it. Next time that program runs and tries to gain admin rights, UAC checks the whitelist hash against a new hash of the exe file. If they match it won't throw up the UAC prompt and just allow it. If the hash has changed, then it throws up a UAC prompt that you can't click OK on until you tick a box to say you're sure the program is still OK.
January 21st, 2009 2:23am
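
The hash-checked allow list proposed in the post above, sketched as an added example; it is not part of the original thread and not how UAC works. The class, function and file names are hypothetical, the sample files are constructed, and the store is assumed to be writable only by an already elevated account.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

ALLOW, PROMPT, PROMPT_CHANGED = "allow", "prompt", "prompt-changed"


def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large executables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class ElevationAllowList:
    """Hypothetical allow list: canonical executable path -> approved SHA-256.

    Assumption: the store file is writable only by an already elevated
    account. If an unelevated process could edit it, it could approve itself.
    """

    def __init__(self, store_path):
        self.store_path = Path(store_path)
        self.entries = {}
        if self.store_path.exists():
            self.entries = json.loads(self.store_path.read_text())

    @staticmethod
    def _key(exe_path):
        # Resolve symlinks and relative parts so an entry names one real file.
        return os.path.normcase(os.path.realpath(exe_path))

    def approve(self, exe_path):
        """The user chose 'always allow': record the hash of the file as it is now."""
        self.entries[self._key(exe_path)] = sha256_file(exe_path)
        self.store_path.write_text(json.dumps(self.entries, indent=2))

    def decide(self, exe_path):
        expected = self.entries.get(self._key(exe_path))
        if expected is None:
            return PROMPT            # never approved: normal prompt
        if sha256_file(exe_path) == expected:
            return ALLOW             # same bytes as when approved
        return PROMPT_CHANGED        # approved path, different bytes


def demo():
    """Run the four cases on constructed files and return the decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "apps", "xfire.exe")
        lookalike = Path(tmp, "downloads", "xfire.exe")
        for path in (approved, lookalike):
            path.parent.mkdir()
            path.write_bytes(b"constructed sample bytes, not a real executable")
        store = Path(tmp, "allowlist.json")

        allow_list = ElevationAllowList(store)
        decisions = [allow_list.decide(approved)]        # first run
        allow_list.approve(approved)
        # Reload from disk, as a later session would.
        allow_list = ElevationAllowList(store)
        decisions.append(allow_list.decide(approved))    # unchanged file
        decisions.append(allow_list.decide(lookalike))   # same name, other path
        approved.write_bytes(b"constructed replacement bytes")
        decisions.append(allow_list.decide(approved))    # file replaced
        return decisions


if __name__ == "__main__":
    print(demo())
```

The hash covers only the executable file itself, and a real implementation would also have to start exactly the bytes it hashed, since the file could be swapped between the check and the launch.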

Hello, there are two reasons behind this: 1.) Windows is a living ecosystem and it is VERY important to make vendors keep up to date. When Vista was introduced, many applications raised UAC prompts even when it was not needed. In my opinion Microsoft made the right decision, even though many power (or "power") users automatically disabled UAC (many of these people are later on complaining about spyware). Next step (once UAC support is incorporated into applications) should be to allow an exclusion list, however it is very important that MS will do it right and I understand that a change like this (which has much bigger impact than an exclusion list for the firewall) has huge consequences. At this moment however you can work around it - simply create an elevated scheduled task. If you want on-demand, just create a manually-triggered scheduled task and change the shortcut of XFire to run it (HINT: Schtasks). 2.) From a security perspective the majority of users is what counts. The fact that a few power users (talking about all MS users) disable UAC still means that your grandma will keep default settings. Probably the biggest security feature of XP SP2 was that the firewall was enabled by default :)
January 21st, 2009 3:18am

Hello, You guys still don't get it. It is better to have a white list for authorized programs, than to have people turn UAC off. I know many people that have turned UAC off. Do you anger the people using Vista to try to pressure the software makers to fit Microsoft's way? Or do you work with the consumer, who so far has not overwhelmingly accepted Vista, for just these reasons? I use Diskeeper, a good program, and it kicks up a UAC warning every time I want to do a manual defrag. Does it kick up the warning as a crappy program? There are thousands of computers out there running this, and I for one would not call it a "crappy program" as Susan Bradley puts it. I would also like the white list.
May 19th, 2009 4:27am

I personally want the operating system to be secure and not to have included ways for malware to intrude. I am quite happy with the UAC now in Windows 7. To me turning off UAC because of a few popups just begs for problems. Just my opinion.
May 20th, 2009 1:41am

Hello Lead3, if the white list was offered you and all the others that would want the basic vanilla settings could use those. But for those of us that would like more settings could use them exactly like it's setup in the firewall. That way it would work out for both sides. Don't penalize the other side just because you don't agree. It can work for both.
May 21st, 2009 4:16am

Who is penalizing anything? I just gave my opinion.
May 21st, 2009 5:46am

Please don't take it personally. It was not meant as an attack on you. Microsoft could fix a lot of complaints by designing in a white list as described.
May 21st, 2009 6:19am

But you have to look at this from the other side as well. If it was as simple as just giving the option to allow this task to be elevated then security risks could possibly use this as an exploit to allow for viruses and other such things to give themselves the elevated rights by default, which would defeat the purpose of UAC altogether. Since they would be able to add themselves and people will unknowingly just click Okay to the prompt to allow it access without reading what the warning is and have their system compromised. ~Alex T.~Windows Desktop Experience MVP~ You have to look at this from an end user point then, this is OUR computers, if WE feel we want to permanently allow a program to not need to ask to run because WE trust it then WE should have that option on OUR OWN computers and still be able to benefit from the UAC. It seems to me M$ is pretty much saying either use the UAC the way WE want you to or allow programs you trust but have no benefits from our security. If we want to risk getting some sort of virus on OUR computers doing this it is OUR choice, not M$'s. Anyways, that said, just go into Task Scheduler as Admin, and create a new task to run with highest privileges, make the task a shortcut and throw that in the startup folder, should be all set.
May 24th, 2009 9:06pm

But you have to look at this from the other side as well. If it was as simple as just giving the option to allow this task to be elevated then security risks could possibly use this as an exploit to allow for viruses and other such things to give themselves the elevated rights by default, which would defeat the purpose of UAC altogether. Since they would be able to add themselves and people will unknowingly just click Okay to the prompt to allow it access without reading what the warning is and have their system compromised. ~Alex T.~Windows Desktop Experience MVP~ Looking at it from Alex's viewpoint, which offers greater security, having a UAC white list or disabling UAC? I have myself, friends, family, and co-workers who disable UAC to get rid of the intrusive and EXCESSIVE popups. Disabling UAC does not offer benefits to anyone. Therefore having the option to tailor it is much better. I have read many forums where the posters do the same thing, disable UAC. In my opinion, there are thousands out there that have disabled UAC, making it wasted lines of code. Who does this benefit? If people don't want/like it, they are going to disable it, turn it off, or uninstall it. If it is a severe dislike, they won't buy it. Hey! Looks like I hit a point! News reports show a lot of people didn't like Vista. So they did not buy it. Maybe Micro$oft should listen to what I/we want, and not try to tell us what we must have.
May 24th, 2009 10:33pm

But you have to look at this from the other side as well. If it was as simple as just giving the option to allow this task to be elevated then security risks could possibly use this as a exploit to allow for viruses and other such things to give them selves the elevated rights by default which would defeat the purpose of UAC altogether. Since they would be able to add themselves and people will unknowingly just click Okay to the prompt to allow it access without reading what the warning is and have their system compromised. ~Alex T.~Windows Desktop Experience MVP~ One more point. There have been so many security issues since Vista came out, and hacks out there, UAC did nothing to help stop them. Hence all the security updates to Vista, and the SP1 and SP2 additions!!!!!!!!!!
May 24th, 2009 10:38pm

Yeah, I refuse to use Vista myself, but I'm fond of 7. Anyways, to touch on another point Alex made, that's people's own dumb fault if they are going to click on things without reading them. That's how people end up with all sorts of adware and browser toolbars to begin with. Is it really M$'s job to "Stupify" the computer experience for people? Seriously, like George Carlin once said, remove all warning labels and let nature take its course. This reminds me of the guy who used his lawnmower as a weed whacker and chopped his hand off, sued, and won, simply because there was no warning label stating not to use said mower as a whacker. Should people REALLY be rewarded for their own stupidity? Like the UAC, should people who go to sketchy sites and download pirated stuff REALLY be rewarded with security for their stupidity and cheapness? /shrug, I guess it's just me.
May 25th, 2009 5:08am

I agree with you.
May 25th, 2009 9:59am

I am another user that would like to have a way to exclude some programs from the UAC. I have one colleague that is really irritated that every time he wants to play Mass Effect (one of the best games of the last year, not a "____ program", like someone said) it triggers a UAC prompt. BUT, wait a second... Mass Effect is a title published by MICROSOFT GAME STUDIOS and it still triggers the UAC. OK, so not even Microsoft software can play well with UAC. What to say about third party? Lots of programs I use every day trigger the UAC. Everest, Fraps, Garena. For sure I can make an elevated task and put them there. BUT, again, WAIT. If I can create a rule to run a program without asking for UAC, why can't malware do the same? And, putting it simply, if every time a user tries to run a program the UAC prompt is triggered, the user tends to just click OK without reading it. And UAC misses the whole point. I think it would be much more secure if a UAC prompt really MEANS something is going on. If every time the UAC asks something, it tends to be taken as a "common issue" and malware can exploit it too. Many people I know just disable UAC for good because it keeps asking the same thing over and over again. This behaviour is ridiculous. I have used a firewall for years, it's safe and I trust it. But if my firewall didn't have an option to remember what I trust, I would never use it. Now, what can I say? EVERY firewall that remembers the user actions and creates rules for them, let's say maybe 100% of the products in the market, are they all not secure because they have this terrible "hole"? Come on. This is not true. The fact is UAC IS BROKEN and MS doesn't want to or can't fix it.
May 25th, 2009 10:03pm

+1 for UAC Program Exclusion. I have CCleaner running on start-up, and now it won't run until I click OK, which is a real pain. Like most, I skipped Vista and am transitioning from XP to 7. I have to admit that UAC is vastly improved from Vista, but it's still missing this critical piece. Again, between an exclusion list entry and completely disabling UAC so that an application runs as it's intended, I think everyone can agree that the exclusion list is the safest route. How hard or easy it should be is of course debatable. Personally I'd be OK with going into the control panel/security and manually entering it, or going into the properties of something (a la DEP). Not having this is simply NOT a good design. Nuno
August 10th, 2009 11:44pm

Nuno, what you can do is via group policy by changing the behaviour of UAC, you can set for admin Elevate without prompt and also for users in security tab... hope this helps... Kind regards, RR
August 12th, 2009 12:39am

Thanks for the reply RR, Yes I saw those options when I was going through the PC's security policy, but allowing elevate without prompt would apply for all applications across the board. That's the same as disabling UAC, which is what we would prefer not to do. What we need is the ability to set this on a per application basis, so trusted apps can run without explicit permission, but the OS still warns us when an unknown app is trying to do some system level change. Regards, Nuno
August 12th, 2009 9:20pm

Oh I get it Nuno, wish we could have some sort of a control more in depth using AppLocker, but maybe some similar feature will be available later... btw have you tried to change in the security tab to the Prompt for elevation for Windows non-binaries, that could be a temporary solution, not sure if this makes sense but it might work. Kind regards, RR
August 12th, 2009 10:37pm

Sorry MS, after a couple of weeks of struggling with how a few key applications interact with UAC, I finally had to completely disable it! I would much rather have it enabled, but without an exclusion list, I simply can't keep it on. I'm an SE, and I run a lot of applications that do not mix well with UAC. I hope that you are listening to these threads, and that you consider adding a UAC exclusion list in a future update, until then it will have to remain disabled. :-( Regards, Nuno
August 19th, 2009 11:04pm

I have Rivatuner's hardware monitor set to auto start with Win, but the UAC pop-ups prevent that, plus they pop up when I start Speedfan to monitor my temps. Looking for a way to exclude those programs led me here, so now I'll have to turn UAC off and rely on MSE for protection... :/
April 20th, 2011 11:05am

That's the firewall, not the OS. Malware can be built to pretend to be your favorite app and then ride the coattails of that app's approval. The goal is to ensure that the desktop does not have obvious vulnerable holes to tunnel into the system. The solution you are proposing would do just that. Malware authors would realize that everyone allowed Sucky app A to have full administrator rights to the system and tag along accordingly. But UAC is simply a top level ACL Firewall! Very primitive one. It is not even a part of architecture, unlike it is made in Linux, just a tapping too. People, shortcuts and schedules are OK. But what do you suppose to do with Explorer context tools? Like "unlocker" or others? .... Is there any way to sign an executable so the system would see it as "trusted"? Or does UAC not even check certificates?
August 24th, 2011 7:24am

I get a UAC on my MacMini. Sudo on Linux. Those IT guys are getting prompts for administrative approval on other operating systems as well. There are SOME problems with this answer. Notably, there is a reason users don't bitch about sudo. Sudo has a special file associated with it, called the "sudoers" file. This file lets you greatly play around with the exact power of each user. You can have an admin's login be able to "sudo" basically ANY command (short of editing the sudoers file itself, which can be edited only by "root", which for non-unix users, think Administrator account on steroids). You could also have it so a user account "Joe" is in the sudoers file with an entry saying "commandname ::= mkdir fluffybunny". This means Joe can make directories in any damn place he wants, but he can only make directories named "fluffybunny". Similarly, I can add "commandname ::= apt-get upgrade flash". Now our pal Joe can upgrade flash whenever he damn well feels like it. And now I put in 'Joe nopasswd = "apt-get upgrade flash"'. Look at that! Now he doesn't even get prompted for it! It just goes! Weee how fun! And what's this? How long has this command existed in unix? What's that, Mr. Wikipedia? 30 years? Golly that's a long time! I'll be fair, and honest. I like Windows 7. I like UAC. It's a step in the right direction. As an IT admin, it makes installs way easier than it was on XP. I just walk over to a system, run the application, punch in my credentials, and walk away. No more having to log off the user and log on as myself, and sit there for the whole install. But let's not pretend this is supremely innovative, and let's not pretend it doesn't have problems. I don't want to see a whole bunch of "No! It's OK really! It's perfect the way it is!". Even Martin down there admits that "yes, it needs an exclusion list" and that it is the next logical step.
August 31st, 2011 1:35am

This topic is archived. No further replies will be accepted.
