[Link:] Disabling UAC with keeping Metro apps...

Discussion in 'Windows 8' started by moderate, Aug 4, 2014.

  1. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90
    #1 moderate, Aug 4, 2014
    Last edited by a moderator: Apr 20, 2017
  2. Shenj

    Shenj MDL Expert

    Aug 12, 2010
    1,557
    652
    60
    That's literally a how-to to f**k over the security system in place just to avoid starting certain things as administrator, like a real noob.

    Don't do this on your primary install.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90
    #3 moderate, Aug 4, 2014
    Last edited: Aug 4, 2014
    (OP)
    Disabling UAC by "EnableLUA" does SAME thing in the meaning of security (ie. it is same "insecure" as this, as in "EnableLUA" all processes have High integrity (full access), also Protected Mode and x64 tabs (sandbox) in IE are killed)...
    So it is information for people, which already use "EnableLUA", it will not make security on their PC any less... :)

    However, it should be noted, that the procedure CAN'T be reverted by simple way, since it is done, so I recommend testing in VM 1st...
     
  4. Shenj

    Shenj MDL Expert

    Aug 12, 2010
    1,557
    652
    60
    You aren't supposed to use EnableLUA 0 to begin with, you wouldn't run Linux permanently as root either, well maybe you would but you aren't supposed to, that's very bad practice.

    If you have to inform people about any of this, chances are they are not experienced enough to run Windows with no security ;)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90
    #5 moderate, Aug 5, 2014
    Last edited by a moderator: Apr 20, 2017
    (OP)
    I agree, but it is just some information ONLY for people, who wants to kill UAC, use EnableLUA=0, but also want to run Metro apps...
    ...of course it is tampering with security settings.
    But if anybody uses Windows XP for example, they also have no UAC protection at all...

    It is basically MS fault, because Chrome for example uses Low and Untrusted integrity processes for tabs in W8-x EVEN when EnabledLUA=0 is set.
    But MS rather kills Protected Mode in IE then and sandbox for Metro (then) without any reason...
    It it because killed sandbox for Metro, which causes Metro apps can't run. However sandbox for Metro and IE (in IE it is called Enhaced Protected Mode) and x64 tabs in IE are killed for no good reason with EnableLUA=0, because all integrity levels: Untrusted, AppContainer, Low, Medium, High, System, TrustedInstaller stay even with LUA killed.

    SafeChrome.jpg
    Picture: UAC disabled by EnableLUA=0 so all processes integrity are High (with full access), but Chrome is still quite safe as Untrusted Mandatory Level (Nedůvěryhodná povinná úroveň in my lang) :)) for tabs processes (two tabs are opened) and one Low process for PDF, Flash and GPU calc.

    For example this will run FireFox as Low integrity (without nearly any rights) process even when you have set EnableLUA=0:

    Code:
    icacls "C:\Program Files\Mozilla Firefox\Firefox.exe" /setintegritylevel low
    icacls "C:\Program Files\Mozilla Firefox" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\*username*\AppData\Local\Temp" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\*username*\AppData\Local\Mozilla" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\*username*\AppData\Roaming\Mozilla" /setintegritylevel(oi)(ci) low /t
    icacls "C:\Users\*username*\Downloads" /setintegritylevel(oi)(ci) low /t
     
  6. Snuffy

    Snuffy MDL Expert

    Jan 7, 2008
    1,199
    595
    60
    #6 Snuffy, Aug 5, 2014
    Last edited by a moderator: Apr 20, 2017
    my self i like this one
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=dword:00000000
    
    "ConsentPromptBehaviorUser"=dword:000000002
     
     
  7. sunilk

    sunilk MDL Member

    May 15, 2014
    111
    16
    10
    UAC is the worst possible feauture in windows os.
     
  8. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90
    Yes, I remember, when I met it 1st time in Vista, I got ultra-pissed, when I tried to rename desktop all-users-shortcut (so in C:\Users\Public\Desktop ) and got prompt... :)))
    My reaction was: WTF? I can't even rename f*****g shortcut? This perfectly fits to "PC for idiots" trend...

    And this trend continues until now (just compare prompt, when you plug new device in W7 and W8-x-x)... :/
    W7.jpg
    W7 prompt, when plugging my UMTS stick (USB complex device with 6 sub-devices). But wait, the idiotic BFU doesn't understand this, so we have this now in W8:
    W8.jpg
     
  9. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,854
    1,034
    60
  10. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90
    #10 moderate, Aug 6, 2014
    Last edited: Aug 6, 2014
    (OP)
    <Auto-Cenzored> :))
     
  11. Smorgan

    Smorgan Glitcher

    Mar 25, 2010
    1,854
    1,034
    60
    #11 Smorgan, Aug 6, 2014
    Last edited: Aug 6, 2014
    It will take hours to take ownership of all files on the computer under the C drive.

    In other words if I read this properly that is a waste of time. I will keep this civil and not begin the name calling.

    All you need to do is auto elevate as admin and you can get rid of the headache called permissions.

    Takeownership.reg is a wonderful idea though which can be used on system files.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90
    OK, OK, OK, I accept your arguments :)
    Please Admins delete this rubbish thread (and Smorgan account :))))
     
  13. testplayer

    testplayer MDL Novice

    Jun 25, 2011
    42
    4
    0
    I just use the built-in administrator account and enable the FilterAdministratorToken. No UAC + can use Metro. However, the explorer shell is still in low integrity. For people using XP, skipping Vista & 7, jumping to 8 & 8.1 directly like me, it is simply like a jail. I was trying to use Server 2012 R2 as a workstation, however, lacking of bluetooth is really a pain in the ass.
     
  14. moderate

    moderate MDL Guru

    Aug 31, 2009
    2,652
    2,180
    90