Windows 10 Annoyances

I had to reinstall my Insider Preview VM from scratch this past week. I have it on an external drive, and that drive failed, and my last backup of the VDI file was older than the latest build ISO, so I decided to experience the new Windows smell again.

The first thing was Cortana during the install process. The speaker button in the bottom-right corner didn’t work, but I was installing into a VM, so I could mute the host OS (or, had I thought of it, not given the VM a virtual sound system).

Next, and this goes way back, though not as far back as Windows NT 4, the first account Windows creates has Administrator privileges. Not unreasonable, but there’s no warning that the account created has Administrator privileges. I’d love to see MSFT’s telemetry on how many Windows PCs are running logged in accounts with Administrator privileges. I figure it’s way too high. [In contrast, NT4 activates the old built-in Administrator account, prompts the user/owner to enter a password, then suggests the user/owner create another account for actual use. Why was that sensible approach deprecated?]

Then there’s the lock screen and login screen. There’s no way to set a specific image for the login screen. It’s only possible to set a specific image for the lock screen, then choose to use the same image for the login screen. However, if you use the registry tweak to disable the lock screen, you can’t change the lock screen image in Settings > Personalization. MSFT REALLY wants Windows 10 users to use the lock screen so users can see lock screen ads?

Minor: the latest build doesn’t seem to respect the setting to disable app suggestions in the Start menu. If you go into Settings, enable then disable it, suggestions won’t appear in the Start menu for the rest of the session, but log out and log in and suggestions reappear. Yes, I’ve submitted this as feedback.

Of all of these, first account with Administrator privilege without suggesting the user/owner create another account for typical use is not good at all. That approach may explain why Windows UAC has to be so much more intrusive than sudo under Linux.

Conversation 5 comments

  • rameshthanikodi

    06 August, 2017 - 10:27 pm

    <p><em>"There’s no way to set a specific image for the login screen. It’s only possible to set a specific image for the lock screen, then choose to use the same image for the login screen. However, if you use the registry tweak to disable the lock screen, you can’t change the lock screen image in Settings &gt; Personalization. MSFT REALLY wants Windows 10 users to use the lock screen so users can see lock screen ads?"</em></p><p>No. Not everything is a conspiracy. Windows 7 had a lock screen too, and it wasn't user-customizable in any way either.</p><p>Regarding the account with Administrator privileges, an account with Administrator privileges in Windows no longer means what it used to meant.&nbsp;AFAIK, most installations after Vista should have <a href="https://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/&quot; target="_blank">an additional hidden administrator account</a>, and that's the one with the "real" and "full" privileges. The first user account created by Windows is not the real full administrator, even though it may say so.</p><p>Sad to say, Windows security was a real issue back in the day, so the team that worked on Vista turned the security model up to 11, which is sort of why we're now stuck with something that is more intrusive than anything we find on Linux. Like they say, making Windows is like making billions of people like a type of pizza.</p>

    • hrlngrv

      Premium Member
      06 August, 2017 - 11:29 pm

      <p><a href="#165076"><em>In reply to FalseAgent:</em></a></p><p>With respect to the double-secret admin account, it's <strong>TrustedInstaller</strong>, and there are a lot of things only it can do . . . unless one runs takeown and icacls to give Administrator the same access and privileges.</p><p><br></p><p>The first account is enough Administrator that it can take ownership of any file or directory, can then change access control for any file or directory using icacls, and can thus use batch files running in hidden windows effectively to remove all security from a Windows system.</p><p><br></p><p>Windows would be a lot more secure if the first account were a plain vanilla standard account and Windows had an equivalent to Linux's sudo. Of course, that'd require MSFT tacitly to admit that Windows security has been suboptimal since Windows XP tried to make NT/2K user-friendlier.</p><p><br></p><p>When it comes to security, is there much need to give 1 billion people several billion different types of locks? As long as each lock took a different key, wouldn't one type of deadbolt suffice? However, I figure this was MSFT trying to give as many people as easy a time with Windows as possible. Give the first account partial or greater admin rights, then put lots &amp; lots of hurdles in the way of doing anything which could affect 2 or more users. If MSFT went back to urging/forcing users to have at least 2 accounts, one admin and another standard for regular use, Windows would be more secure than having a 3/4-admin account with lots of obstacles (so many that it encourages way too many users to reduce or disable UAC).</p>

      • rameshthanikodi

        07 August, 2017 - 2:45 pm

        <blockquote><a href="#165078"><em>In reply to hrlngrv:</em></a></blockquote><p>Well what you're describing is explicit user action causing a vulnerability and opening the door to kiddie batch script attacks. To use a metaphor, all the cards fall when you remove one.</p><p>When UAC was introduced in Vista, any attempt by an application or the user to make changes to Windows would trigger a prompt. This resulted in many instances where the UAC would get triggered, and it was a source of many complaints about Vista.</p><p>So in Windows 7, they actually cut back on what would trigger UAC, and by default, user changes to Windows will no longer trigger UAC.&nbsp;Only applications that try to make changes to Windows will trigger UAC. The setting to have user changes to Windows trigger UAC is still there, it's just not the default anymore.</p><p>So I guess you can say what we have now is a result of complains by Windows users. I do agree that attempted changes to the system by First Account Admin should trigger UAC, but I guess limiting applications and kiddie scripts is good enough for Microsoft.</p>

        • hrlngrv

          Premium Member
          07 August, 2017 - 3:26 pm

          <p><a href="#165161"><em>In reply to FalseAgent:</em></a></p><p>I've never seen UAC triggered by running batch files, .BAT or .CMD, and takeown and icacls run without triggering UAC within batch files. The current default first account is already vulnerable to script attacks without users changing a damn thing.</p><p><br></p><p>Does that require user interaction? Sure. Could such user interaction be as simple as opening an e-mail attachment?</p><p><br></p><p>I have no doubt the current situation of the first account having a few more privileges than members of the Power Users group in NT4 is the result of users complaining about the NT4/2K approach of needing both Administrator and standard user accounts. MSFT gave then a single account which still (Windows 10) triggers UAC a bit too often while leaving huge attack vectors wide open.</p>

  • slartybartmark

    07 August, 2017 - 3:04 pm

    <p>There is a tool called "LogonSC.exe" that was given to me by an MS employee (indirectly). It allows you to change the login screen on Win7. It allows you to pick from the Bing Daily Image in numerous countries or use your own pic, change periodically, etc.. If you run it on anything post Win7 you get "WARNING! This application is supported only on Windows 7 Client. It has been detected that you are running on some other OS. You're on your own…" It had a 'send feedback' link that points to an @microsoft.com email address I won't post here, but perhaps a Win10 version is floating around. I haven't found much luck finding any updated version. Maybe another good idea that got squashed. I'll send an email to the MS address and see if I get a response.</p>

Newsletter

Stay up to date with the latest tech news from Thurrott.com!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2023 BWW Media Group