April 11, 2008 11:38 AM PDT

Microsoft: Vista feature designed to 'annoy users'

Microsoft: Vista feature designed to 'annoy users'
Related Stories

RSA 2008: Blanketing security

April 11, 2008
Related Blogs

Get your hands on Vista SP1

March 18, 2008

Is Vista prettier in pink?

March 28, 2008

Nvidia to blame for many early Vista crashes

March 28, 2008
SAN FRANCISCO--A Microsoft manager has said that one of the security features in Vista was deliberately designed to "annoy users" to put pressure on third-party software makers to make their applications more secure.

David Cross, a product unit manager at Microsoft, was the group program manager in charge of designing User Account Control (UAC), which, when activated, requires people to run Vista in standard user mode rather than having administrator privileges, and offers a prompt if they try to install a program.

"The reason we put UAC into the (Vista) platform was to annoy users--I'm serious," said Cross, speaking at the RSA Conference here Thursday. "Most users had administrator privileges on previous Windows systems and most applications needed administrator privileges to install or run."

Cross claimed that annoying users had been part of a Microsoft strategy to force independent software vendors (ISVs) to make their code more secure, as insecure code would trigger a prompt, discouraging users from executing the code.

"We needed to change the ecosystem," said Cross. "UAC is changing the ISV ecosystem; applications are getting more secure. This was our target--to change the ecosystem. The fact is that there are fewer applications causing prompts. Eighty percent of the prompts were caused by 10 apps, some from ISVs and some from Microsoft. Sixty-six percent of sessions now have no prompts," said Cross.

Cross claimed it is a myth that users just turn UAC off, saying that Microsoft had collected opt-in information from users that showed that 88 percent were running UAC. Cross said it was also a myth that users blindly accept prompts without reading them.

"It's a myth that users click 'yes,' 'yes,' 'yes,' 'yes,'" said Cross. "Seven percent of all prompts are canceled. Users are not just saying 'yes.'"

Security company Kaspersky has severely criticized UAC, claiming in March last year that it would make Vista less secure than Windows XP.

At this year's RSA Conference, however, the security specialist seemed to have changed its tune. With Windows, "there is a large attack surface with a number of entry points," said Jeff Aliber, Kaspersky's U.S. senior director of product marketing. "Anyone trying to shrink that attack surface and promote secure apps development has to be a good thing."

Prior to the launch of Vista, Kaspersky issued a report in January 2007 that said UAC would be ineffectual. The company claimed that many applications perform harmless actions that, in a security context, can appear to be malicious. As UAC flashes up a warning every time such an action is performed, Kaspersky said that users would be forced to either blindly ignore the warning and allow the action to be performed or disable the feature to stop themselves from going "crazy."

Tom Espiner of ZDNet UK reported from San Francisco.

Click here for more stories on RSA 2008.

See more CNET content tagged:
ISV, RSA Security Inc., secure, ecosystem, prompt


Join the conversation!
Add your comment
It works!
The first thing I do is turn off UAC! I think people blame Microsoft for the inconvenience, not ISV's - all they know is that Vista is bugging them. Over time, I'm sure most people just start clicking Yes without thinking - have you ever watched users? The "seven percent" comment doesn't make sense to me - doesn't that mean 93% of people just click Yes?
Posted by robbtuck (132 comments )
Reply Link Flag
93% Meaning
I think the point was to show that not everyone clicks yes without reading the prompt. The statistic doesn't mean much more then that. Could be 7% just hit cancel without reading the prompt. Could also mean all users carefully read all prompts and 93% of the time they correctly click yes.
Posted by James7777777 (158 comments )
Link Flag
UAC is a necessary inconvenience
UAC is one of the two most important security changes Microsoft has made since it shipped NT back in 1993 (the other being the firewall). Providing a firm separation between user and administrator privileges makes it significantly more difficult for malicious code to do real damage. Turning UAC off is a BAD idea.

On the other hand, Microsoft didn't do a very good job of minimizing the impact. I should not see multiple UAC prompts during a single install, nor should I get them frequently when using the Control Panel apps. My Macs have the same security design and it's far less intrusive. I would also like to see it require a password, even if using an "administrator" account. If someone figures out a way to subvert the "allow" button you just lost your security, plus having to type the password avoids the "just click yes" syndrome.

I agree with the Windows guy who says the only way to get ISVs to improve their software is to make it relatively painful to leave it the way it is; we saw a lot of code improvements during the move to XP because it didn't allow some of the dirty programming that Win9x was fine with. It sucks waiting for ISVs to get around to shipping improved software, but it's a good thing in the long run.

Speaking of "just click yes" syndrome, I have definitely gone into that mode during certain Vista operations as a result of the dialog popping up too frequently. Still, I will notice if I get a UAC prompt in the middle of browsing a web page....

jim frost
Posted by jimafrost (31 comments )
Link Flag
I want the Uber option of...
[ ] I am an experienced power user and do not need, want, or tolerate hand holding by my OS

[ ] I am an experienced general user who wants minimal interruptions unless there's a real threat

[ ] I am an inexperienced user who needs to be protected from any and all threats

You know?
Posted by jeffreylebowskijr (13 comments )
Link Flag
Users are the pawns
Talk about unintended consequences! The only way Microsoft can get software vendors to stop writing apps that have to 'run as administrator' is to put pressure on users. The EU told ISVs they could effectively ignore anything coming from Redmond. Nellie made Joe User the pawn in Microsoft's effort to tighten its OS security. Gotta love that lady! Next time you see her, give her a big juicy kiss for me.
Posted by rmva (385 comments )
Reply Link Flag
Turning off UAC is like Turning off a good Firewall
Turning off UAC is like Turning off a good Firewall because its prompts are stopping you from watching Porn with a dangerous Codec.

Look UAC (for the most part) is a slight annoyance. Personally I rather having to approve code, I want to run, to run than to have what ever code wants to do what ever it wants to whenever it wants to because I'm running my XP laptop as a Domain Administrator.

Sure I hear that little ding the screen goes black and nothing happens until I alt-tab around to find the UAC Prompt. Sure the Prompt looks different depending on what kind of operation the Prog wants to do. But if I want stop "johnny's new Trojan Horse" from running regedit in the background by being told "Hey 1d10t!!! Johnny Beuatiful Pony is trying to turn you into a zombie." than a quick click on a randomly placed (so as not to be easliy clicked through or even, heaven forbid auto clicked by the Trojan) Prompt I ain't got no problem with it.

It goes without saying but this post is IMHOO
Posted by Tergon (74 comments )
Reply Link Flag
All the warnings I've seen mean nothing to me and I've never figured out how to copy what is said in order to look it up on the net and see what it means.

So, to me, the warnings are nothing but a nuisence. I expect the great majority of users are in the same boat.
Posted by Phillep_H (497 comments )
Link Flag
Spinning Wheel
So, it's OK to "annoy" your customers to get your way??

I'm all for added security, don't get me wrong, but putting the
onus on users to facilitate change?

Why not just use the 800 lb. gorilla tactic and tell the ISVs that
you won't run their software in Vista until they get their act
together, security-wise?

Again, it's nice to be the monopoly. How much more abuse are
Windows users supposed to take????
Posted by ppgreat (1128 comments )
Reply Link Flag
It's annoying, but your solutions is worse.
Microsoft could tell ISVs that they can't run on vista without approval. They could also charge an approval fee and require sales through a microsoft outlet where they take a percentage of the profit (think other vendors). Say goodbye to free software and probably a lot of third party software. Is having to click yes a few times when installing or using your application worse then not having the application at all???
Posted by James7777777 (158 comments )
Link Flag
Microsoft spying???
"Seven percent of all prompts are canceled. Users are not just saying 'yes.'"

How do they know this? Who gave them permission to spy on people like this?
Posted by wango2007 (119 comments )
Reply Link Flag
Opt-in "user experience" feedback
That is the sort of metrics sent by the opt-in "user experience" feedback that has been on their products for several years now. It's presented as an option during setup and easy to disable at any time.
Posted by dionysis_gt (1 comment )
Link Flag
opt-in does not matter, they spy anyway...
You can say no all you like but the security holes you always have to patch provide them the same capability, you know the ones they keep moving around.... Since when did you think M$ was not spying on you? (been occuring since WIndows 98 by my count, Win 3.11 was actually honest and secure network stacks, without back doors) They call it customer feedback, user innovation, etc, but I call it down right theft, and industrial espionage when its at work. Why is your history and cache, stored in so many places, and in so many ways, many almost impossible to delete without specific software? Why is the network always active and actually interferes with performance when you are not accessing anything over the network, working %100 locally?

M$ controls their own operating system don't they? Why did they make these applications require administartive priviledges? What happened to applications running in their *own* (owned) space, not requiring administrative priviledges? Why do I have to be an admin to plug in a USB device, if it can't actually compromise the system?

Millions of dimbass questions we would all like answered, the basic answer from M$ is: 'because we say so', now give us more money or well file lawsuit against you for pointing out our blatent disregard for the customer and security, which has cost our business billions of speculative dollars, and we will have no problem proving has occcured, once we load the latest patch on your system along with the evidence to convict you.

And of course comments like this one will only add fuel to the lawsuit.....I have been waiting for years for them to sue me but, alas maybe they know I can prove their misdeeds, and do not want to give me a legal soapbox to shout from....I still have copies of all their software, all the evidence I will ever need to defend my case....
Posted by chash360 (394 comments )
Link Flag
Bunch of tools and frocking dropouts...
Here's an idea, let's annoy the heck out of our customers so they, in turn, will complain to our ISVs. Meanwhile Vista has taken the Millennium route due to lost productivity and more MS haters than ever before.

Steve, you're my hero :)
Posted by colamix (75 comments )
Reply Link Flag
Stories like this make me glad I bought a Mac...
Early grumblings about UAC & across the board user dissatisfaction with Vista's incompatibility with various hardware & software was the reason I switched to Mac after years of being a PC user. I don't think I will ever spend any serious money on a PC ever again. If I do, I'll load Ubuntu on it. So a big thanks goes out to Microsoft -- I had been on the fence about switching over for several years, but without the threat of a Vista machine upgrade, I never would have taken the plunge. It's worth putting up with a bunch of snooty Mac fanboys just to not have to deal with this kind of garbage.
Posted by dillholio (10 comments )
Reply Link Flag
Snooty Mac Fanboys
How many times a week do "snooty Mac fanboys" bang on your
front door to tell you how great your new Mac is? Seriously, we
don't want arrogant, condescending slugs like you in the Mac
universe. Go back to XP and kiss Momma Microsoft's teat.
Posted by montex66 (370 comments )
Link Flag
Is this blog from ShippingSeven, the mysterious Windows 7 developer corroborates this???
<a class="jive-link-external" href="http://shippingseven.blogspot.com/2008/04/okso.html" target="_newWindow">http://shippingseven.blogspot.com/2008/04/okso.html</a>
Posted by Mugunth (10 comments )
Reply Link Flag
How is it a myth?
"It's a myth that users click 'yes,' 'yes,' 'yes,' 'yes,'" said Cross.
"Seven percent of all prompts are canceled. Users are not just
saying 'yes.'"

Doesn't that mean that 93% of the prompts are being accepted...
meaning saying 'yes'? How is it a myth then?
Posted by balkce (32 comments )
Reply Link Flag
I payed big bucks to be annoyed!
And annoyed I am! I sure got my annoyence dollars worth here. I am a Microsoft user and something of an IT guy here at my job. I use XP at work and Vista at home. The company has already decided to use Linux on their ITX computers that are embedded into machines for the bio research industry (Yup they used to use Microsoft), and are recoding all software from C++ to Java (Yup, we are having great success with Java for running machines). Why did I say this? Well this means a beginning of business lost from Microsoft for letting us down. It was not because Linux and Java are free, Its because Microsft is letting us down BIG time!
I liked Microsoft, I really did, but boy did you let me down in a god awful way with your "strong arm bulling ways". And now the truth come out that you RIPPED me off, and I am nolonger just annoyed I am very angry. If big business can find the backbone to take the lead towards Linux I will soon follow. I will with out fail DeMicrosoft all my computers.

By the way, the "zipping and unzipping" of files in Vista taking such a long time, was that ment to annoy me also? As a matter of fact the GUIless (Well partial GUI)defragmentation not showing details, was that supposed to annoy me also? Oh wait a minute, just one more thing all those applications like OCR programs that worked excellant in XP, but not Vista, was that supposed to annoy me also? Oh for crying out load, Just one more thing, All that money I spent to get the 2.3 rated Vista computer to a 5.9 rating, was that supposed to annoy me also? Oh man, I am trying to finish this and just relized one more annoying thing, and that is, in the end, are you going to leave me hanging, like you hung all the Windows ME users (Me as one of them)by rushing out Windows 7 next year? You fooled me twice and shame on me for being a devoted fan of yours, and for being stupid enough to be still one. Boy do I really suck.
Posted by Ted Miller (305 comments )
Reply Link Flag
IT guy huh? Vista's file transfer rate is fine, invest in a little more RAM, "IT guy". Your kidding me right? Crying about Microsoft ripping you off, what ya gonna do sue them, knock on Bill Gates door and whine to him? Linux is crap, good luck with that one. And if you were truely an "IT guy" at your work, it wouldn't have takin you long to realize that Vista wasn't for you and that you probably needed to take it back and get a refund of your money. Which would mean you put XP back on your system and move on with life. LOL, wow!!! P.S. If you have the time to sit there and watch the little boxes defrag on your comp. for 3-4hours, something tells me you have plenty of time to learn how to use Vista.
Posted by chkm8 (9 comments )
Link Flag
UAC? How About Defender??? :P
Microsoft's got a point. The fact that it is so annoying and frightening-looking will keep people clicking away at the damnable thing. The fact that it serves no purpose whatever is proven by Microsoft's shameful admission that a pitifully tiny proportion of users - 7% - heed UAC.

Did you notice how Microsoft also so slyly uses UAC as an promotional device? Oh, these guys in Redmond are cute. Windows UAC gives you a MUCH harder time - it's like mystical - on those programs from companies Redmond perceives as competitors? Snaeky... . lol

So... I LOVE my Vista Ultimate - going on 15 months I've been using it now (14 of which have blissfully UAC-disabled).

And I've stopped needing to take my anti-anxiety medications (Redmond should throw in a free supply of five years of Xanax for Vista buyers).

"Kaspersky said that users would be forced to either blindly ignore the warning and allow the action to be performed or disable the feature to stop themselves from going 'crazy.'"

You said it, Kaspersky! High BP and anxiety patients experiencing heart attacks thanks to UAC should send their claims for medical expenses to The Bill &#38; Melinda Gates Foundation.

Now if only there was someway I could murder that damnable Windows Defender without breaking Microsoft's EULA. Hmmm... ideas will be appreciated.

P.S. On a more serious note about this Redmond clown's comments .. here's what REALLY DOES annoy me about UAC, actually. Vista has 25 versions, right? The crappy one at the very bottom is called Basic. Fair enough, they could make a case for claiming UAC to be appropriate for the poor SOB's who bought Vista Basic for $25 (at my local Best Buy today). But for users sophisticated enough to understand the value of stuff like the security programs BitLocker and entertainment programs like Aero's 3D GUI who shelled out for Premium, Business or Ultimate, the brainiacs up there in Redmond could've thrown in at least ONE administrator accout per system that was non-UAC'ed by default.

If that had done something courteous and thoughtful like that, I might even have joined SpyNet without charging Microsoft for my participation. To this day, I can't see what that damned Defender defends (except for Microsoft's profits).
Posted by i_made_this (302 comments )
Reply Link Flag
I haven't disabled UAC
And it doesn't bother me in the slightest. Personally, Microsoft has the right idea here. There is NO reason why in normal operation, any program needs to be elevated to Administrator Access.

Even SECURITY PROGRAMS can be modified so that they do not need administrator access to do their job.

Secondly, even the people who buy Windows Home Premium, Business and Ultimate are surprisingly stupid when it comes to security. I've seen that for myself, when I've read the MANY postings on Tom's Hardware about a person looking for help on Vista because they were stupid enough to run a program that shouldn't need admin access even after that UAC prompt came up.

Oh, and as to the 'Windows Defender' thing.... it's hellishly EASY to turn off, just start the damn thing, go into the settings, and TURN IT OFF!
It isn't brain surgery here!

I would like UAC to remember which programs I have given permission to run in Administrator Mode, but I can understand why they didn't do that. Someone could easily forge the ID of a program that is on numerous systems, get past the UAC prompt and install or run something VERY bad.
Posted by Leria (585 comments )
Link Flag
Its no different than ZONEALARM
Well i use User Access control. I still enjoyed moving from XP to Vista Ultimate... spare the performance bugs with my C2DuoE6600, AbitIN9, 8800gtx, Fatal1ty sound-card equipped gaming rig. Do i still use XP? Yes i dual boot will i keep using Xp oh hell yes.

However this User Access control is far less annoying than Zonealarm's old UAC. Only annoying thing about it is when it takes to long to load... Or it takes to long to load after you accept the program.
Posted by Ajndrews (2 comments )
Reply Link Flag
Zone Alarm remembers and could be put on learning mode and had a method for you to set program access on your own so the popups didnt happen though so its actually a bit more annoying since it pops up each and every time...
Posted by linadragon (57 comments )
Link Flag
Good post pretty much agree with all that.
Posted by Ajndrews (2 comments )
Reply Link Flag
&gt;Cross claimed it is a myth that users just turn
&gt;UAC off, saying that Microsoft had collected
&gt;opt-in information from users that showed that 88
&gt;percent were running UAC.

All this proves is that 88 percent of those who do not know how to opt-out also don't know how to turn off UAC.
Posted by Jim Harmon (329 comments )
Reply Link Flag
I have been running win2k for 8 years now as admin of my machine, without a virus scanner in the background and have had no problems at all. Why? Because I know what I'm doing on a PC. There should be options for all advanced users like one comment
[ ] Make my PC dummy proof.
[ ] I need someone to hold my hand.
[ ] Power user, stay out of my way.

If ppl think UAC is annoying on windows, try using linux for anything, you have become root multiple times/day to get anything done.
Posted by mlinder69-21063211865664677784 (36 comments )
Reply Link Flag
Yea right!!!
Who the heck is David Cross, and who care's? Yes it's my understanding that there are some user's out there that cannot, or will not take the time to figure out a way around certain "annoyance's". But c'mon! Are you all striving so had to bash Vista, and this is all you can come up with? How pathedic... For some one to claim that this version of the Window's OS was put out there to annoy the user's is absurd. It took me all of two minute's with my laptop out of the box to find the UAC setting's and other useful setting to make it just as it were XP. That's right, David Cross is a moron...
Posted by chkm8 (9 comments )
Reply Link Flag
YEA RIGHT!!! You are so smart!!!
Sounds great &#38; I can do that too but because programs don't work because not all of the files are on the disks or are corrupted, I had to order new disks, back up copies of just what I added, reformat, etc. to even be able to do what you did. There are much more annoying features than this article covered. Not just annoying but bad errors.
Posted by ninalou (9 comments )
Link Flag
The guy works for Microsoft.. David Cross, a product unit manager at Microsoft,
Posted by linadragon (57 comments )
Link Flag
I somewhat agree..
Yes, I am quite surprised that some of simple applicationss that I were used to run in Windows XP, when I run under windows vista, it prompts for administrative priviledge. I blame the developer of the application that writes the code so ignorant to write into system folder or registry that actually it shouldn't be done that way. I am a developer too.
Posted by Gunady (191 comments )
Reply Link Flag
For once Microsoft succeeds
--at being annoying, something their products are expert at.
Posted by The_happy_switcher (2175 comments )
Reply Link Flag
right on
now THAT is a marketing strategy!
Posted by trd1282 (97 comments )
Link Flag
What's more annoying....
Apple fanboys constantly spouting off over things they know nothing about. Yes, keep pestering and annoying people, that'll make everybody run out and buy a Mac!
Posted by Igiveup2 (190 comments )
Link Flag
This Is A Test Only A Test
I bought a Vista machine and it was the worst machine I ever owned. I returned it because I can think but most people will submit and believe that the machine is great.

In reality the problems with Vista are a test to see what the public will put up with. All the bugs in the system are there to see if people will do anything about it. If Gates gets away with Vista then he will be one step closer to controlling the country. PCs are the way most people receive and transmit information. Vista is owned by Microsoft not the user and does what ever Gates wants. Control a person?s input and output of information and you control the person.

Bill Gates bought his way out of his antitrust case by giving money to those who shape public opinion. People on the internet are paid to say they love Vista. Soon people in the media will tell everyone that Vista is great and people will believe them rather then their own experience.

Soon people will believe what ever Gates wants them to believe.
Posted by agniredux (9 comments )
Reply Link Flag
I shut off Defender and the UAC after 2 days.
I couldn't even clean out my registry without the damn thing interfering. Frankly, I don't think I trust MS's definition of "malicious software." What's more, I've got my firewall (zonealarm) monitoring some windows processes and set to kill them if they try to run.
Posted by Wookiee-1138 (690 comments )
Reply Link Flag
Why is it
That Apple and Linux Distros can produce a reasonably secure OS without annoying the user.

MS can't even come close to the security of Linux, so what is the extra annoyance for?

Once again MS tries to copy the competition and totally screws it up.

Why is that?

Oh yeah, they are incompetent.
Posted by The_Decider (3097 comments )
Reply Link Flag
UAC Over the Top, Linux/Unix = Just Right
I had to turn UAC off to get any work done. They should've taken some implementation cues from Linux/Unix; I work with lower permissions, only rarely getting prompted for higher permissions, and get plenty of work done.
Posted by eonodownload (2 comments )
Reply Link Flag
Actually proves Microsoft is right
That is because Linux and Unix apps are designed from the get-go with multiuser in mind. Since, by default, typical users NEVER run with root privileges, applications can NEVER assume typical users can do administrator-level things.

So developers couldn't get used to being lazy and not verifying their applications run with reduced user privileges.

To be fair, Microsoft is crippled because they need to support backwards-compatibility to Windows 3.1 days --- when the OS really didn't have a "multiuser" concept.

If/when Microsoft decides to sever all ties to backward compatibility, they have a chance to fix these long standing issues.

From what I understand, that's sort of what Apple did with OS X.

So the issue is being caught between a rock and a hard place.
Posted by bluemist9999 (1020 comments )
Link Flag
Cross is full of crap!!!!
EVERYONE I know using Vista has turned off UAC! It is the most annoying and most ridiculous so called feature Microsoft has every come up with.

Everyone at Microsoft is denial (at least publicly) about how bad Vista really is and how poor the user experience is.

BTW... no one I know opts-in, and I would suspect the majority of educated users don't either. Bottom line his figures are absolutely meaningless.

I recently switched to a MacBook Pro (for my mobile computer) and the experience has been fantastic! I still have a Dell XPS420 with Vista and even with SP1 it still doesn't work right...POS
Posted by alqaqish (127 comments )
Reply Link Flag
Once Again!
4 Year old computer running Vista SP1. Running just fine! Using it for this post! I think what is full of crap is the over blown histeria about Vista. Ididn't even do a clean install. Down and dirty upgrade from XP. As far as I'm concerned Vista is a better user experience on my machine than XP was!
Posted by cross platform (121 comments )
Link Flag
In agreement
I am a little concerned about this opt-in situation for collecting the data. I myself know of no one that has opted in. I believe you are correct in calling into question the validity of the data. To hear that UAC is doing just as it was designed to do, annoy users, makes me all the more ready to move onto another platform. I have spent countless hours dealing with UAC and driver issues. To hear that this was designed to use up my valuable time, and annoy me, is an insult that will NOT be forgiven.
Posted by igl00lgi (95 comments )
Reply Link Flag
MS would not be able to do this if it were not a monoply.
If this company were not a monopoly they would not have dared to design such an annoyance. To hear that this was designed to use up my valuable time (money), and annoy me, is an insult that will NOT be forgiven. No more MS. I would rather waste my time with OSS and VMs.
Posted by igl00lgi (95 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.