|
SwissArmyDruid posted:https://twitter.com/panos_panay/status/1172196805208993797 Looks kinda like bismuth, so it probably means that their next device is going to be heavy, brittle and won't conduct heat very well.
|
#
?
Sep 14, 2019 11:59
|
|
|
|
| # ? Jun 5, 2024 17:03 |
|
|
nielsm posted:The purpose of Program Files being locked down is exactly so you can't modify things in there with regular user permissions. With full write access to the installed software all the time, anything that runs can just modify anything else silently.What kind of things are you doing that involves editing config files (system level, not user level) all the time? As far as I've ever noticed there's nothing stopping regular users from modifying things in PF, all the lockdown only prevent apps from modifying other apps. Sometimes I gotta get in there and change how resolution scaling is being handled and it's never thrown a UAC prompt at me for it.
|
|
#
?
Sep 14, 2019 12:20
|
|
|
When you change compatibility settings for a program it's a per user setting stored in registry. Just because the exe file is in PF doesn't mean you're modifying the exe file itself. There is a button to set system-wide compatibility settings instead of per user, you get a UAC prompt clicking that since it stores the settings in HKLM instead of HKCU.
|
|
#
?
Sep 14, 2019 12:27
|
|
|
Mr Shiny Pants posted:Yes, but on Linux/Unix it actually works you know. Like sudo actually being pleasant to work with when compared to UAC. Yeah, UAC was annoying way back when Vista launched. Which was apparently actually by design because Microsoft thought that if they annoyed users with UAC notifications, it would push developers to making their software more secure.  But it's not 2007. If you have to deal with UAC so often on Windows 10 that it becomes frustrating, you're doing something and/or are using software that you probably shouldn't. It is kind of amazing how much weird stuff there still floating around about UAC. At work someone got some fabulous install instructions for Solidworks from a reseller. According to them he had to: - Disable UAC - Disable the antivirus - Install Solidworks - Leave UAC disabled "to ensure smoother user experience". Activating the antivirus wasn't mentioned anywhere. But the instructions did recommend McAffee at the end.
|
|
#
?
Sep 14, 2019 13:17
|
|
|
Buff Hardback posted:Bit late, but disabling the dimming on UAC (aka removing its secure desktop mode) is functionally equivalent to turning UAC off. If it's not running in secure desktop mode, anything else can interact with the UAC dialog meaning that something can just automatically accept it for you. For gently caress's sake. Is this true?
|
|
#
?
Sep 14, 2019 13:28
|
|
|
Raygereio posted:It is kind of amazing how much weird stuff there still floating around about UAC. At work someone got some fabulous install instructions for Solidworks from a reseller. According to them he had to: From the complaints my dad made about Solidworks, I'd totally believe it.
|
|
#
?
Sep 14, 2019 13:41
|
|
|
I admin Solidworks at my job and you don’t have to do any of that.
|
|
#
?
Sep 14, 2019 13:48
|
|
|
isndl posted:As far as I've ever noticed there's nothing stopping regular users from modifying things in PF, all the lockdown only prevent apps from modifying other apps. Sometimes I gotta get in there and change how resolution scaling is being handled and it's never thrown a UAC prompt at me for it. lol Jesus Christ
|
|
#
?
Sep 14, 2019 14:07
|
|
|
isndl posted:As far as I've ever noticed there's nothing stopping regular users from modifying things in PF, all the lockdown only prevent apps from modifying other apps. Sometimes I gotta get in there and change how resolution scaling is being handled and it's never thrown a UAC prompt at me for it. If that's in your Steam folder, it's because of Steam changing its folder to have nonstandard permissions that let anything do everything in there. Mainly because game devs suck at doing it right and Valve doesn't want to deal with people upset that their copy of Hentai Puzzle Slideshow 3 isn't working right.
|
|
#
?
Sep 14, 2019 14:21
|
|
|
nielsm posted:When you change compatibility settings for a program it's a per user setting stored in registry. Just because the exe file is in PF doesn't mean you're modifying the exe file itself. There is a button to set system-wide compatibility settings instead of per user, you get a UAC prompt clicking that since it stores the settings in HKLM instead of HKCU. News to me, but makes sense. I'm poking around my folders now that I'm not phone-posting and everything in PF is stuff I don't want to touch like drivers, while my Applications folder is primarily games and game-supporting apps, or stuff that came with self-extractors instead of installers. Guess my installation system isn't secure but it's nothing I'd be worried about if I lost with no backups either. Geemer posted:If that's in your Steam folder, it's because of Steam changing its folder to have nonstandard permissions that let anything do everything in there. Mainly because game devs suck at doing it right and Valve doesn't want to deal with people upset that their copy of Hentai Puzzle Slideshow 3 isn't working right. Yeah, Steam games are the biggest 'have to dig through the folders for something specific' reason, whether it's changing the scaling on the executable or hitting the ini files because some tweaks aren't exposed through the ingame UI. It shouldn't be so complicated just to get borderless windowed mode but it is what it is sometimes.
|
|
#
?
Sep 14, 2019 15:23
|
|
|
PirateBob posted:For gently caress's sake. Is this true? It's actually worse than that. Everything other than "Always notify" collapses into "meh" https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
|
|
#
?
Sep 14, 2019 19:43
|
|
|
At the behest of this thread some time ago, I cranked that poo poo UP a notch to maximum. I have an upper-mid-tier gaming PC so the prompt is fast and easy to deal with.
|
|
#
?
Sep 14, 2019 21:01
|
|
|
Ofecks posted:At the behest of this thread some time ago, I cranked that poo poo UP a notch to maximum. I have an upper-mid-tier gaming PC so the prompt is fast and easy to deal with. After re-reading that post to find it, I also cranked mine up to max. Prompt only takes a second for me, and the increase in security is worth the trade-off for me.
|
|
#
?
Sep 14, 2019 21:19
|
|
|
What kind of threats would get through Windows Defender/Malwarebytes Premium and inject itself into explorer to present a false UAC etc? What are you guys most worried about? And how would those threats get in?
|
|
#
?
Sep 14, 2019 21:53
|
|
|
PirateBob posted:What kind of threats would get through Windows Defender/Malwarebytes Premium and inject itself into explorer to present a false UAC etc? What are you guys most worried about? And how would those threats get in? Actual ransomware does this and won't necessarily get caught by Windows Defender or other antivirus programs. You end up with ransomware by not keeping your software up to date, installing poo poo off the internet, or just being really unlucky and encountering a 0-day vulnerability in your browser or whatever.
|
|
#
?
Sep 14, 2019 22:40
|
|
|
mystes posted:It's not showing a fake UAC prompt if that's what you're thinking. It's using tricks (doing stuff through programs that are built into windows) so that no UAC prompts are shown unless you have it set to "Always Prompt." So if you have UAC set to "always prompt" and you never click yes on some stupid poo poo, you're basically invulnerable to ransomware?
|
|
#
?
Sep 14, 2019 23:25
|
|
|
So it sounds like defender doesn't loving work if it's that easy to get around it.
|
|
#
?
Sep 15, 2019 00:39
|
|
|
Javid posted:So it sounds like defender doesn't loving work if it's that easy to get around it.
|
|
#
?
Sep 15, 2019 00:43
|
|
|
PirateBob posted:So if you have UAC set to "always prompt" and you never click yes on some stupid poo poo, you're basically invulnerable to ransomware? Not quite, sometimes you get some EternalBlue poo poo and an attack goes from zero to owned with no stops or waiting. But that's what computer security is about, nothing is ever perfect but everything you do to add defense in depth is a help. If you follow every one of the best practices you're still not invulnerable. Your chances of getting hit are reduced. As long as it's your home computer, do what you like and make your own best choices about security vs convenience. I for example would have a hard time setting UAC to the highest level, but I'm not gonna turn it off entirely because that's too much risk. If you want to set your own risk tolerance way higher that's on you but a) you should actually inform yourself about how much the risk changes and b) have a backup plan. Javid posted:So it sounds like defender doesn't loving work if it's that easy to get around it. You know the measles vaccine isn't 100% effective either, right? Why bother with that poo poo? gently caress vaccines!
|
|
#
?
Sep 15, 2019 01:01
|
|
|
Javid posted:So it sounds like defender doesn't loving work if it's that easy to get around it.
|
|
#
?
Sep 15, 2019 01:19
|
|
|
PirateBob posted:So if you have UAC set to "always prompt" and you never click yes on some stupid poo poo, you're basically invulnerable to ransomware? This, plus have ad and script blockers on in your browser will get you closer than you would be otherwise.
|
|
#
?
Sep 15, 2019 01:54
|
|
|
By design, Ransomware packages don't need UAC authorization. All they care about is encrypting documents accessible directly from the current user context, which aren't in UAC involved situations.
|
|
#
?
Sep 15, 2019 02:24
|
|
|
fishmech posted:By design, Ransomware packages don't need UAC authorization. All they care about is encrypting documents accessible directly from the current user context, which aren't in UAC involved situations.
|
|
#
?
Sep 15, 2019 02:38
|
|
|
fishmech posted:By design, Ransomware packages don't need UAC authorization. All they care about is encrypting documents accessible directly from the current user context, which aren't in UAC involved situations. This is why you turn on controlled folder access. You’ll need to whitelist a couple apps, but it’s wild to see how many programs want access all over the place.
|
|
#
?
Sep 15, 2019 03:32
|
|
|
PirateBob posted:What kind of threats would get through Windows Defender/Malwarebytes Premium and inject itself into explorer to present a false UAC etc? What are you guys most worried about? And how would those threats get in? There is a baked in exception list of things that will elevate without prompting (including rundll32 for gods sake) that you can use to elevate from user to root without consent if the slider isn’t on max BangersInMyKnickers fucked around with this message at 15:07 on Sep 15, 2019 |
|
#
?
Sep 15, 2019 15:05
|
|
|
Factor Mystic posted:This is why you turn on controlled folder access. You’ll need to whitelist a couple apps, but it’s wild to see how many programs want access all over the place. Even without that setting, UAC enforces folder and process integrity levels to help with this. Pop a browser RCE? It’s probably not going anywhere because the process is low integrity and can’t leave appdata\LocalLow BangersInMyKnickers fucked around with this message at 14:19 on Sep 16, 2019 |
|
#
?
Sep 15, 2019 15:10
|
|
|
I've had UAC on max for years after learning of that particular design vulnerability. I don't find it particularly annoying, so meh.  I do like how the Settings app can be super janky and pop up UAC prompts without much warning if you simply try to access some specific area of the app. Oh yeah and also I can't use Refresh in the app either because of UAC being set to strict, funnily enough.
|
|
#
?
Sep 15, 2019 16:32
|
|
|
Ruflux posted:Oh yeah and also I can't use Refresh in the app either because of UAC being set to strict, funnily enough. What, really? You mean the main settings section that's supposed to replace the old control panel which they bafflingly haven't entirely ditched yet, right?
|
|
#
?
Sep 15, 2019 18:24
|
|
|
isndl posted:all the lockdown only prevent apps from modifying other apps. Please.
|
|
#
?
Sep 15, 2019 23:25
|
|
|
So I enabled Controlled Folder Access after reading the tail of this thread. It doesn't do anything? Does it only trigger with unsigned executables or whatever?
|
|
#
?
Sep 16, 2019 00:18
|
|
|
Combat Pretzel posted:So I enabled Controlled Folder Access after reading the tail of this thread. It doesn't do anything? Does it only trigger with unsigned executables or whatever? Some applications are whitelisted by default, but it absolutely will trigger with all kinds of applications. Just keep using it for a while, you'll definitely notice. Also, of course, real-time protection needs to be enabled.
|
|
#
?
Sep 16, 2019 00:23
|
|
|
Raygereio posted:When I read this I can't help but wonder how much this is your own honest opinion, and how much of it is the same old tired 10+ year old out-of-date nonsense being repeated yet again when someone wants to bitch about Windows. I have it on, because why not. But stupid stuff like not prompting if you want to save anyway like when you accidentally forgot to open notepad.exe as an admin. Or removing your network drives because it runs in a different context, therefore the installer you started that needs admin access, fails anyway. I know *why* it works as it does, but it's just shoddy IMHO. Like you said, it's been 10 years.
|
|
#
?
Sep 16, 2019 05:17
|
|
|
Combat Pretzel posted:So I enabled Controlled Folder Access after reading the tail of this thread. It doesn't do anything? Does it only trigger with unsigned executables or whatever? It basically stops unapproved processes from scraping through your my documents and other library folders so they don't get cryptolockered by a user-mode process.
|
|
#
?
Sep 16, 2019 14:21
|
|
|
BangersInMyKnickers posted:It basically stops unapproved processes from scraping through your my documents and other library folders so they don't get cryptolockered by a user-mode process. Ok I just turned this on. If something that's not already whitelisted wants access it'll tell me and not just silently break, right?
|
|
#
?
Sep 16, 2019 18:50
|
|
|
Hipster_Doofus posted:Ok I just turned this on. If something that's not already whitelisted wants access it'll tell me and not just silently break, right? It's been a while since I've had something trip it but I recall it throwing up notifications when something hits it.
|
|
#
?
Sep 16, 2019 19:21
|
|
|
Hipster_Doofus posted:Ok I just turned this on. If something that's not already whitelisted wants access it'll tell me and not just silently break, right? Yep, it'll show a notification that access has been blocked.
|
|
#
?
Sep 16, 2019 19:34
|
|
|
If you're doing something fullscreen like bideo james though you might get silent failures at any point Also it looks like they've changed it to include protected memory access too? That used to be a separate setting and that caused me problems with virtualisation (I couldn't install/update Intel's HAXM thing, just got unhelpful failures until I disabled that)
|
|
#
?
Sep 16, 2019 20:22
|
|
|
Yeah I run with that on as well and once in a while I get "svchost.exe has been blocked from making changes to memory". Kinda scary 
|
|
#
?
Sep 16, 2019 21:27
|
|
|
baka kaba posted:If you're doing something fullscreen like bideo james though you might get silent failures at any point If protected memory is a Hyper-V thing, then no, HAXM will not work, because Hyper-V still doesn’t pass through virtualization extensions, even in Domain 0.
|
|
#
?
Sep 16, 2019 22:19
|
|
|
|
| # ? Jun 5, 2024 17:03 |
|
|
Tapedump posted:Please. Tell. Us. You. Realize. This. Is. Almost. Entirely. The. Whole. Point. When I wrote that post I was mistakenly assuming that executables were being given a subset of permissions specific to their own folders, though it turns out I was just dealing with folders using nonstandard permissions. Things were working so I didn't delve any deeper than that, and as time went on everything I cared about moved to AppData anyways.
|
|
#
?
Sep 16, 2019 22:22
|
|