Identification of Administrative Applications
Welcome to another installment of the Windows Vista UAC Blog!
Let’s dig a little deeper into the area of how Windows Vista knows which applications need to run with administrator privileges. We’ll use the term “Elevation” to describe the process by which an application is launched with admin privileges. Elevation falls into two categories:
- The O/S makes a decision that the application looks like an installer or updater and will automatically invoke elevation to run the program with administrative permissions/privileges when a user runs it. This decision is based on a heuristic. Here are some of the heuristic detection points, although this list is not exhaustive:
- File name detection – looks for the words “setup”, “update”, “install” in the filename
- SxS Manifest word detection – looks for well-known values in the assembly name attribute program’s SxS Manifest
- String table detection – looks for well known values in the string table within the resource section of an executable
- An application is marked via an overt action to run with administrative permissions/privileges. This process of admin marking can occur in four ways.
Including an app manifest within the resource section of their executable program that specifies that the application needs to run with administrative permissions/privileges. This is the method that a developer of Windows Vista compliant code would use when developing or updating their application. The benefit is that the marking is performed by the developer and included in the code when it is compiled. This marking travels around with the code and is therefore independent of the target Windows Vista system. We have an MSDN article that has a section on how to do this. Take a look at: https://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp
An application compatibility shim is installed on a Windows Vista machine that marks an executable so it will be elevated when run. This would be the way that an IT professional would mark a legacy application in their environment without having to make changes to the code. The application compatibility toolkit, available for download from Microsoft, includes a tool called compatAdmin.exe that is used to build the shims. We have an article available that describes how this is done (along with the process of deploying this shim within a group policy-managed environment). Take a look at: https://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx
A checkbox is available on the compatibility tab under program properties that says “Run the program as an administrator”. This is how a user of Windows Vista would mark an application for elevation on a one-off basis.
A user can force elevation of an unmarked application by right clicking on an application and selecting “Run Elevated…” from the menu. This is how a user of Windows Vista would run an application elevated without persisting the setting. With this, a user can run an application elevated only when they specifically want to.
Cheers!
- Peter
Comments
Anonymous
January 13, 2006
The comment has been removedAnonymous
January 13, 2006
This is very helpfulAnonymous
January 14, 2006
If I have documents located in a folder with rights only given to the Administrators group, is there any way from within an unprivileged application, such as Word, for a user in the Administrators group to open and edit documents in that folder? Will the File Open dialog prompt if you try and open a file in that folder?Anonymous
January 16, 2006
The comment has been removedAnonymous
January 17, 2006
Is there a way to prompt the permission dialog programmatical way? So my application still running fine with regular permission. Once my API which requires Administrator privilliege is called, I will call windows API to ask for the permission?Anonymous
January 19, 2006
I'll respond to a couple of the comments.
mqm's question: If the ACLs are set on a file to only allow access by Administrators, then when running with your non-admin token, you would not have access to these files. One solution is to ACL the files so they are owned by the user not by the Administrators group.
hn's question: There is no way to obtain admin privs for a process once it is created. If your app needs to perform an admin operation, you'll need to launch the program elevated up front.Anonymous
January 23, 2006
Where do I find documentation for CoCreateInstanceAdmin()?Anonymous
January 24, 2006
You can find info about CoCreateInstanceAdmin() here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
Thanks,
JennAnonymous
January 24, 2006
Funny... That doesn't tell me if it initializes the COM objects in Proc or out of Proc and the paramters for the function. I can't find anything on in the 5270 CTP release of the platform SDK.Anonymous
January 29, 2006
Note: LUA (Least User Access) has been
renamed UAC (User Access Control) which is a much better name...Anonymous
February 10, 2006
This is a great idea in general, but it doesn't seem perfect to me. You give full admin rights to anything that requests them, and all installers are going to do.
Some commercial apps habe been bundled with spyware and the like, some others have a broken installer that does damage or leaves trash.
So, letting an regular app installer run with full admin rights is dangerous. A better course of action would be:
* Let it create a NEW dir in Program Files and write ONLY inside it. If it tries to wite DLLs to Windows or System32, "virtualize" them.
* Let it CREATE new shoucuts, registry settings, and whatever is needed to create an uninstaller.
But that's it. No driver installs. No changes to the system folders. No changes on the program files of other installed applications. No changes on system-wide settings. No adding to startup/autorun. You get the idea.
There's an "advanced user" or something like that account in 2000/XP that is something similar, I think. Never looked into it.Anonymous
February 15, 2006
The comment has been removedAnonymous
April 04, 2006
The comment has been removedAnonymous
April 21, 2006
Can we use this with web applications?Anonymous
April 28, 2006
I agree with hn. There really needs to be an API that will prompt the user to move the application to an elevated privilege status. Consider an application that has no installer, but the application has menu items for "Register file types" and "Unregister file types." There could also be an API for restoring the application to its previous privilege status after completing a couple privileged operations.Anonymous
May 14, 2006
(experimenting with Build 5380 atm)
THere appears to be no way of running an application that says it needs admin mode in a non admin mode. e.g. something that is detected by heuristics - for example a file called setup.exe) but you don't want to run it with admin.
Are you guys planning to put this in?
WillAnonymous
June 03, 2006
"Run this program as administrator"
I am having troubles understanding this feature. In Beta2 , If I mark certain app with "Run this program as administrator" , it always asks me for Elevation!!! Is this the correct behavior ? . I thought the intention of this feature was to mark certain app to start administratively without prompting a user ???
ThanksAnonymous
June 03, 2006
"Run this program as administrator"
I am having troubles understanding this feature. In Beta2 , If I mark certain app with "Run this program as administrator" , it always asks me for Elevation!!! Is this the correct behavior ? . I thought the intention of this feature was to mark certain app to start administratively without prompting a user ???
ThanksAnonymous
June 04, 2006
To "security" - marking the program to run as administrator means that you will ALWAYS be prompted before it starts. You're saying, in effect, "this app needs elevated privileges - don't even bother running it if it can't run elevated." Nothing runs elevated without a protected interactive consent from an administrator. The behavior you're describing is akin to the SUID behavior in Unix, and that is not implemented in Windows. SUID has been a major source of EoP (elevation of privilege) security issues on Unix platforms, because it is incredibly hard to ensure that an app with the SUID bit set will perform ONLY the operations its designers (or the SUID-bit setter) intended, and that those operations don't have any undesired side-effects.Anonymous
July 05, 2006
Hi,
I have an ASP (not an ASP.NET) application accessing Sql Server 2005 database installed in Vista Beta 2 (Build : 5384). I am unable to access my application in server. UAP is blocking my application. I dont want to change system level UAP configuration using msconfig or secpol.msc.
Can any one suggest me some idea to change application level UAP configuration.
Thanks in Advance.
-John-Anonymous
July 11, 2006
Can I mark an application to "run as admin" by putting the manifest file into the same folder with the .exe file ( I mean, not use the mt.exe to embed the manifest into the .exe file)?
It seems work sometimes but not always. Is this a feature of Vista by design? Or just some heritage "bonus" from XP so we can't count on it...Anonymous
July 12, 2006
Does anybody know if there actually is an API hidden away somewhere to (temporarily) elevate an application's privileges so that it can, for example, write something to the HKLM registry tree? If not, there certainly should be.
LogonUser does not fit the bill as the caller has to provide account credentials (user ID and password), whereas UAC prompts the user for these (if appropriate).
I have noticed that the User Accounts Control Panel seems to behave as if such an API exists (try clicking on 'Manage Another Account').Anonymous
July 12, 2006
Does anybody know if there actually is an API hidden away somewhere to (temporarily) elevate an application's privileges so that it can, for example, write something to the HKLM registry tree? If not, there certainly should be.
LogonUser does not fit the bill as the caller has to provide account credentials (user ID and password), whereas UAC prompts the user for these (if appropriate).
I have noticed that the User Accounts Control Panel seems to behave as if such an API exists (try clicking on 'Manage Another Account').Anonymous
July 24, 2006
The comment has been removedAnonymous
July 24, 2006
The comment has been removedAnonymous
July 24, 2006
With regard to the UAC dialog asking me whether I want to run as admin or not, I should have said that I'd like three choices, not two. One to run as admin, another to run as non-admin and finally not to run at all. I'd like a checkbox that allows me to 'remember' whether a legacy application (that Vista has failed to successfully identity using heuristics needs admin privs) can run without admin privs, and not ask me next time.
In the current implementation I find that I'm having to run some apps as admin when they don't need to. Without UAC, and running as non-admin by default I had a choice, so UAC is less secure for those organisations already embracing runnig as non-admin on XP.Anonymous
July 24, 2006
@Daniel Sinclair: actually, tools like RegEdit and MMC.exe are marked to run as "highestAvailable", not as "requireAdministrator". If the current user is a member of the Administrators group, s/he will be prompted for elevation - the app will run elevated or not at all. But if the user is a Standard User and cannot elevate in-place without using a different account, the tool will simply run with Standard User privileges. The tool can still be run elevated by right-clicking it and choosing "Run as administrator". So a solution to your problem could be to run as Standard User, and use a separate admin account for running apps elevated.Anonymous
July 26, 2006
The comment has been removedAnonymous
July 26, 2006
@Andy Champ - you're right, I misread the previous messsage.Anonymous
August 03, 2006
Hi Guys,
I'm having problem on copying .sys file into the System32/drivers folder. Is there anyway that i could make this happen?
The error msg pop out is
"You need to provide administrator credentials to copy to this folder"
Can anyone how can i get the admin privileges?Anonymous
November 30, 2006
Application fails to start under Vista after implementing the manifest.It displays the error "A referral was returned from the server." The manifest rights is <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/> It works fine if the access rights for uiAcess is set to false <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> Kindly advice... -Shaj Do you really need uiAccess=true? That capability is generally intended only for accessibility utilities. If you do need uiAccess enabled, then the executable needs to be digitally signed, and must be installed under %windir% or %ProgramFiles%. HTH -- Aaron MargosisAnonymous
December 03, 2006
Thanks for your quick reply.. How to get our software digitally signed? Let us know whether any functionality will fail if the uiAccess is set to false? (Detailed Explanation will be helpful) We are installing our application in %ProgramFiles% path only. Basically our intention is, whenever our application is launched it should launch in administrator mode without any hassle for the users. Kindly help us resolve our issue.. What does your app do that requires it to run with administrator privileges? Does it perform system-administrative tasks, or is it just a regular application that happens to write to protected, system-wide locations in the registry and file system? If it's the latter, you and your users would be much better off changing the app so that it doesn't need admin privileges to begin with. If by "without any hassle for the users" you mean "without being prompted for elevation", you can't do it. Various developer-oriented UAC issues are written up here, including this bit about uiAccess ("false" is the right setting for the vast majority of apps): uiAccess false—The application does not need to drive input to the UI of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true. true—The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop. This setting should only be used for UI Accessibility applications. -- Aaron MargosisAnonymous
December 04, 2006
The comment has been removedAnonymous
December 07, 2006
Hello Aaron Margosis I have another problem. With repect to one application even if i had specified in the manifest file as "require amninistrator", it is not asking for require elevation. It just opens in standard user rights. But it works for all other appliacation, except one which is a larger application when compared to others. Kindly advice.Anonymous
December 12, 2006
Where do I find CoCreateInstanceAdmin. The most recent SDK (Oct (Nov?) 2006) does not have it. No information on it seems to exist except on one MSDN page that directs one to use it.Anonymous
January 16, 2007
My Manifest file not working I have included the following lines in "MyApplication.rc2" #define MANIFEST_RESOURCE_ID 1 MANIFEST_RESOURCE_ID RT_MANIFEST "MyApplication.exe.manifest" And the contents of manifest file is as follows <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyApplication" type="win32"/> <description> MyApplication requires the administravtive priveligaes</description> <!-- Identify the application security requirements. --> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> But when I try to launch the application it is still launching in StandardUser Mode, and the Admin Shield is missing. Please do help to fix the problem.