Crtiical error with new beta [UAC/Admin]

mia
mia
Community Member
edited April 2023 in 1Password 7 for Windows

Licensed user, legit copy.

PIC: https://i.imgur.com/G0FG2gG.png

Windows 10 Pro 64bit.
UAC is off. (yes, off, and it will stay that way).

When the new beta installer runs in the background, I get that message and upon startup with 1Password tries to install the new version. This has never happened before and the setup hasn't changed.

I believe it's because EnableLUA has been disabled on this computer. I certainly hope this is NOT expected, because I don't plan on restoring UAC anytime soon.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @mia!

    Thanks for reporting this. I've moved this thread to our Windows Beta forum.

    Can you clarify why you want UAC turned off?

    1Password is now requiring admin rights to be installed but it is not possible to do this without UAC, this is a critical security component of WIndows that shouldn't be turned off. We're using that same component to protect 1Password from now on.

    I don't think we have any plans to allow 1Password to keep running on systems without UAC but if we can understand why you're doing this, we may reconsider this.

  • mia
    mia
    Community Member
    edited July 2019

    I just saw the release notes and the beta thread where people are talking about this. Well, that's going to be a huge problem for me. I rely on 1Password hour of every day on a machine that has UAC turned off for various reason(s). It would take too long to type up here, but I run a LOT of software on this computer (about 500) and UAC needs to be disable to ensure compatibility for some of the key ones. Not all computers are connected to the net all the time.

    I'm not sure how I can get around this. 1PW is critical software on my computer, but so are a few of the others. :(

  • AGAlumB
    AGAlumB
    1Password Alumni

    VMs are great for running things that have antiquated requirements without negatively impacting the security of the entire system, so you may want to consider that. UAC was introduced over a decade ago, for good reason. Lacking a specific use case that affects a large potion of our customers, I just don't see us holding back security improvements that benefit everyone for the convenience of a few, or one. Sorry.

  • lumarel
    lumarel
    Community Member
    edited July 2019

    Did I miss something, as I understood it, it is just needed for the installation-/update-process.
    It should be totally possible to enable it for this short period of time.

    Off course I also don't recommend running any newer Windows platform in stone-age-mode. I know there are some programs which do require the UAC to be turned off, but these are really old. Sometimes it was even possible to set the executable for such a program to require admin rights, which already cleared the errors. As @MikeT and @brenty already said, a VM is always the most suitable environment for such ones.

  • @lumarel is correct, we only use UAC to set permissions on 1Password directory during the installation, so that only admin users can modify its files. 1Password doesn't need it again until the next update, which can't modify the files until it is granted admin permissions.

    The next update, 1Password 7.4, will register its updater with Windows in admin context (hopefully, one last UAC prompt) but after that, in theory, UAC will not be needed for updates as well. So, eventually, it will be a one-time event.

  • mia
    mia
    Community Member

    Brenty - isn't this the best time to make 1Password 7 available in compressed (ZIP, 7z, RAR, whatever) format downloadable on the site like 99% of other devs do? This would essentially alleviate the admin installer issue without having to compromise the security of your product at all.

    Mike Said:
    "The next update, 1Password 7.4, will register its updater with Windows in admin context (hopefully, one last UAC prompt) but after that, in theory, UAC will not be needed for updates as well. So, eventually, it will be a one-time event."

    So I could turn on UAC temporarily, run the installer, and then turn it back off and that would work permanently for each subsequent install without having to re-enable UAC each time?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Brenty - isn't this the best time to make 1Password 7 available in compressed (ZIP, 7z, RAR, whatever) format downloadable on the site like 99% of other devs do? This would essentially alleviate the admin installer issue without having to compromise the security of your product at all.

    @mia: I don't think we'll be doing that. "ZIP, 7z, RAR, whatever" are not signed (and decompression apps have had plenty of security issues of their own). Since we can sign our installer, users can confirm that it was signed by AgileBits in the first place and that it hasn't been tampered with before they run it. Among other thing, the installer needs admin privileges because it installs 1Password to a protected location, which is a security benefit (as other apps would need to request permission to modify it as well). So if we distributed our app as an archive, you could only get around the admin requirement by installing it to an unprotected location, which would definitely be a compromise as far as security, just for starters.

    The next update, 1Password 7.4, will register its updater with Windows in admin context (hopefully, one last UAC prompt) but after that, in theory, UAC will not be needed for updates as well. So, eventually, it will be a one-time event.

    So I could turn on UAC temporarily, run the installer, and then turn it back off and that would work permanently for each subsequent install without having to re-enable UAC each time?

    I believe that should work. As Mike mentioned above, our understanding based on research and internal testing is that elevation will be required to install/update to 7.4 initially, but it will register the updater so that it will not need to request elevation after that to update. The only caveat is that this has not been tested more widely yet. But once we have a beta available for 7.4 you should be able to confirm or deny this for sure. :)

  • Please keep in mind that all of this is still beta and subject to change, we may find an alternative for this type of setup.

This discussion has been closed.