The problem is it's very hard to distinguish legit from non-legit without asking the user. Users do a lot of stuff and malware can mimic any of it. And if you do ask the user, the malware can make the user answer yes - usually by means as simple as "The OS will be displaying a confirmation dialog, please click YES for this program to work". Yes, it won't work with 100% of people, but it's a game of numbers - it will work for a significant number of them.