
Actually, it's a switch you would have to switch when you wanted to update the OS or any file that had been marked as read-only.

All it does is convert something which is currently invisible (the bad guys escalate privileges and then can stomp all over anything) to something that requires you to stop and say "ok you can stomp on things."

Typically that would be unexpected if you weren't updating the OS but sure social engineering always works as is mentioned elsewhere.

The goal is just to add depth to the security to slow them down.



Sounds like exactly what UAC did in Vista. It prompted so much that people either turned it off, or just blindly hit OK. Subsequent versions toned down the alerts to what we have now in Win10. Making it a hardware switch doesn't change the fact that the average user will just quickly learn to flip the switch anytime something doesn't work quite right and we are right back where we started.

The average user is never going to be protected by something they can switch on and off at will. They will never understand the complexity around when it is OK to switch it off.


The constant UAC notification wasn't a Windows thing as much as apps. While Windows itself was more or less reasonable with the warnings, lots of apps assumed it's still XP (or just hadn't been updated) and they can do whatever, wherever.


How is two or three times a year like UAC?


It seems like there's a spectrum of outcomes here. As a user, I don't particularly care about system files, I care about the state of the system. In fact, if all this does is protect system files, then a ransomware attack would just wipe out all my user files and revert the machine back to a fresh install, an identical outcome to if I just reformatted the drive and reinstalled Windows. Not helpful!

Really, this scheme needs to include the entire contents of the drive, "freezing" the restore points Windows makes automatically. Now the tradeoff is how often you annoy the user/how fresh the backups will be. Once a year is obviously too infrequent, once a second is too often. Once a week, or month. Maybe do it at the same time as Windows does a system update, as you suggest.

You don't need fancy hardware support for this, just a NAS backup box with a client that doesn't let you erase older snapshots.


If you want to declare program files and system settings unprotected along with the user files, you could just continue to use UAC and make it only trigger two or three times a year. It'll protect you about as well as the switch, which is very little.


Sorry, I didn't explain well. I wasn't really making a point about the frequency. The point I meant to make was that anything the user learns has to be switched to continue proper functioning won't protect them, because they will just switch it when the malware requests it too. Which is exactly what has happened with UAC.


The OS we can reinstall, we don't care about its files. We care about our Excel files with the accounting books in them that we cannot put in read-only mode because we keep them open and update them every day.


Something like a versioning system with the past versions immutable.


People might not want to use that since you can't redact mistakes that could get you into trouble. There are a wide variety of scenarios that are mostly innocent but would need to be addressed. And if you can destroy data, that leads to the original problem.


There's already no guarantee your data gets deleted on modern filesystems. And in corporate environments you can assume your data gets backed up transparently in the background all the time. Beyond making it more explicit I don't think anything would change in practice.


VM snapshots work this way, e.g. persist changes, discard changes and revert to previous snapshot.

This is more feasible with a file system where snapshots are efficient, like ZFS. With client-side virtualization (e.g. Qubes), snapshots can be done outside of Windows.
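The "past versions immutable" idea raised earlier in the thread and the snapshot-then-revert model described in this post, as an added example that is none of the commenters' code: a small append-only, content-addressed version store in Python. The file name and contents are constructed; the read-only bit on stored objects is best-effort, and as the thread notes a real deployment would keep the snapshots somewhere the client cannot delete them (a separate host, or ZFS snapshots).

```python
import hashlib
import json
import tempfile
from pathlib import Path

class ImmutableVersionStore:
    """Append-only version store: every save() adds a content-addressed
    version; the API offers no way to alter or delete earlier versions."""

    def __init__(self, root):
        self.objects = Path(root) / "objects"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.log = Path(root) / "versions.jsonl"

    def save(self, name, data):
        digest = hashlib.sha256(data).hexdigest()
        obj = self.objects / digest
        if not obj.exists():
            obj.write_bytes(data)
            obj.chmod(0o444)  # best effort: mark the stored object read-only
        with self.log.open("a") as f:
            f.write(json.dumps({"name": name, "sha256": digest}) + "\n")
        return digest

    def versions(self, name):
        if not self.log.exists():
            return []
        entries = [json.loads(line) for line in self.log.read_text().splitlines()]
        return [e["sha256"] for e in entries if e["name"] == name]

    def restore(self, name, index=-1):
        # Verify the object against its recorded hash before handing it back,
        # so silent on-disk tampering is detected rather than restored.
        digest = self.versions(name)[index]
        data = (self.objects / digest).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("stored object does not match its recorded hash")
        return data

def demo():
    # Constructed scenario: two good saves, then the working copy is
    # overwritten with junk; the earlier versions remain recoverable.
    with tempfile.TemporaryDirectory() as tmp:
        store = ImmutableVersionStore(tmp)
        store.save("books.xlsx", b"ledger v1")
        store.save("books.xlsx", b"ledger v2: Q3 closed")
        store.save("books.xlsx", b"\x00\xffJUNK")  # destructive overwrite
        return {
            "count": len(store.versions("books.xlsx")),
            "latest": store.restore("books.xlsx"),
            "last_good": store.restore("books.xlsx", -2),
        }
```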


Reminds me of this XKCD: https://xkcd.com/1200/

Point is, nobody cares about the OS files. They care about their documents and data, and their logins to various secure systems. Securing system files alone doesn't really help much.

Probably the best thing is basically to be a Chromebook - the OS is signed and locked-down, can't ever be changed except by signed updates from the mothership. Documents are meant to be stored entirely on the cloud. No support for running (unsigned?) apps locally, and even if they did, it wouldn't do much, because all of the data is on the cloud anyway.


Came to basically say the same... Also, a big fan of Chromebooks for most users... especially as many intranet/internal applications are now web based.


Well, of course, but one reason people want to make system files secure is that if those can be messed with, it makes it so much easier to do all the bad things in that XKCD, without detection even.



