LUA Buglight 2.3 PREVIEW -- Feedback requested


LUA Buglight is a utility for identifying admin-permissions issues ("LUA bugs") in desktop applications. That is, it identifies the specific reasons that a particular application works only when run with administrative rights.  The version attached to this blog post is a PREVIEW of v2.3, which adds support for Windows 8.1, Windows 2012 R2, and Windows 10.  I plan to release the final, digitally-signed version by the end of the month.  In the meantime, I'm posting this version so that you can try it out and report any issues that you see.  It should work on all x86 and x64 editions of Windows XP and newer and Windows Server 2003 and newer.  Please let me know if you see otherwise.  (The one known issue is that it is not yet digitally signed except for the kernel drivers.  In particular, the UAC elevation prompt will report "unknown publisher" and display an orange banner.  That will be addressed before final release.)

It has been well-established for many years that for security and reliability reasons, users should log on with standard user rights and that their applications should not require administrative rights.  Windows Vista began the movement toward making that the default for Windows.  Although Windows Vista and Windows 7 include technologies to help applications that had required administrative rights on earlier versions of Windows to run correctly with standard user rights, many users and organizations "solved" their application compatibility issues by disabling User Account Control (UAC) and continuing to run with full administrative rights.  Windows 8.x and Windows 10 increasingly depend on features that are absent when UAC is disabled, so the "never notify" Control Panel slider option that used to disable UAC now sets the "silent elevation" option and keeps UAC enabled.  That means that unless apps specifically request elevation, they'll run with standard user rights, and continuing to run everything with full administrative rights will become more difficult and inconvenient.  LUA Buglight can help you identify the causes for many of the compatibility issues and point to solutions.

Let me know whether and how well this works for you.  Thanks.

[1-July-2015: attachment removed; v2.3 is now available here.]

Comments (3)

  1. Virsee says:

    When i ran the utility it is giving me ""error: LUA buglight must be run unelevated by a member of the administrators group in admin-approval mode.""

    [Aaron Margosis] That's correct. It works by intercepting API calls and when it observes one fail with "access denied" or "privilege not held", it retries the operation using your UAC-elevated credentials (which must be the same user) before returning control to the app. If that operation succeeds, the details of the operation are logged.

  2. Steve Sullivan says:

    I am trying to run this program on a machine on our network and I'm getting an error 'LUA Buglight must be run unelevated by a member of the Administrators group in admin-approval mode''

    I am using my network account which has local Admin rights on this machine. I have tried it with UAC turned on and off, and even as a different account. Same message.

    Help?

    [Aaron Margosis] What that means is that your account needs to be a member of the Administrators group, that UAC needs to be enabled (might require a reboot), and that you need to start LUA Buglight without admin rights.
  3. RLee says:

    I receive the following message when trying to test the app with msra.exe: "Target process requires elevation. LUA Buglight cannot profile this app." Is this because the app is not requesting permissions to the local file structure and/or registry, but rather the domain rights to actually run the application?

    [Aaron Margosis] It looks like msra.exe demands elevation because it's marked uiAccess="true" and has an autoelevation tag in its manifest. LUA Buglight cannot directly test a program that demands elevation on start, but it can test such a program if it's started by process that LUA Buglight is already monitoring. For example, you can test the msra.exe in SysWOW64 - that version isn't marked uiAccess or autoelevate, and it launches the 64-bit msra.exe. Another alternative is to test cmd.exe in LBL, and start msra.exe from that command prompt.

    Hope this helps.

Skip to main content