How to manipulate files inside Inetpub/wwwroot all day without being bugged by UAC

A lot has been written about UAC. Some choose to disable it. I chose not to and I'm doing just fine. At least, I don't have to type in my password on every prompt like on some other OS that likes to mock us on TV ;)

Anyway, the one place where UAC has been really annoying to me as a web developer is that any file manipulation in Inetpub requires validation by default (and that's legitimate, it's not a directory that you want rogue processes to be able to easily modify). I tend to be in that directory a lot.

So I was talking about that with Nikhil yesterday and we were wondering if running the Windows Explorer as administrator would fix the problem. At first, it looks like it doesn't, but Nikhil then mentioned that Explorer was probably not actually running as admin because all Explorer windows run under a single process by default. So I went to the folder options (press alt while in Explorer, choose tools/folder options) and activated "launch folder windows in a separate process" in the "view" tab. An Explorer launched as an administrator from this moment on will enable you to do all file manipulations without UAC prompts.

Hope this helps.

UPDATE: Dean suggested in the comments giving rights to your user acount on the directory. That works too, but it means that you're permanently disabling UAC on that directory for *all* applications that run under your identity. That may be fine depending on the value you attach to Inetpub contents. For example, don't do that on a production, public-facing machine (but the above method should probably not be used either in this situation). The method I expose above also exposes the system to shell extensions that you may have installed on the machine, so check those and only use trusted ones I suppose, or don't do this if unsure.

4 Comments

  • Dean: that's a good point, but it doesn't do exactly the same thing.
    If you just give permissions, it means that any process that runs under your identity can do whatever it wants on the folder. If you just run the explorer as admin, then only that explorer process has the rights.
    In other words, giving permissions basically disables UAC on that folder (permanently), whereas running as admin disables UAC for this process (temporarily).

  • Yes, you're absolutely right, but giving rights on the folder presents the same risks as far as shell extensions are concerned.
    If you have shell extensions that you're unsure about, I guess it's just better to leave UAC on, not give additional permissions and not run as admin...
    Ultimately, I see people disabling UAC as a whole and while it would be best to leave it on and bear with the alerts, such tricks can help in that it's better to have it partially on (and know the risks) than have it completely off.
    As always, the best protection is skeptical computing.

  • Dean: you're absolutely right, so for a dev machine, the inetpub folder may be dependable and just giving access may be acceptable but on a production server, well, in this case just leave everything on I suppose.

  • @Victor: please don't take my advice as the official Microsoft recommendation but only as my opinion. If those developers must publish the development site to the production server, this seems quite normal. I'm not sure what to do if that is not acceptable. One thing you might want to do is turn on write audits on that directory. That won't prevent attacks from insiders but it would enable you to find who's responsible for it.

Comments have been disabled for this content.