The UAC Compatibility Evaluator and Elevation on Windows Vista


The release candidate of the Application Compatibility Toolkit is here, and it’s good stuff. I’ve had to resort to sniffing around with a debugger to find many issues with this one, and it’s still improving for the final release!

I am particularly impressed by what the team has put together for compatibility evaluators. For those of you who are unfamiliar with the tool, you can deploy a data collection package (DCP) that does more than just collect inventory – it actively shims system functions looking for known issues that could trigger compatibility issues after a migration to Windows Vista.

One of these is the UAC Compatibility Evaluator. It looks for a more limited subset of compatibility issues than Standard User Analyzer or LUA Buglight, because it is designed to keep the machine performing well even in a wide deployment to real users. However, one thing to keep in mind is that the UAC CE does not detect issues for applications that are not run elevated – it only detects these issues when the process is elevated and able to succeed. (I expect this may change for v.next.)

Now, for the vast majority of you, this probably isn’t a big deal. Most organizations will perform their compatibility testing BEFORE they upgrade to a new operating system, for fairly obvious reasons! However, one great use of the evaluators that I have been recommending is to install it in your test lab while you are going through testing. So, while users or testers are running through their tests, you not only gather their feedback on the behavior, but you have additional technical data that perhaps may showcase issues that aren’t a big deal in the lab, but may be a big deal when deployed to a lot more people. If you choose to take this approach, and you want to gather UAC data, then you will want to either consider one of the more diagnostic tools or else run the application elevated (but don’t forget test runs with it non-elevated!).

Comments (14)

  1. myITforum Daily Newsletter Daily Newsletter November 10, 2006 The myITforum.com newsletter is delivered

  2. ABC says:

    Hi,

    So UAC compatibility evaluator will capture only the basic issues related to the standard user access, right? ( Not like SUA Tool, which shows all the issues)

    But I am not understanding upto what level this evaluator will capture the issues?

  3. cjacks says:

    UACCE is very high level – it’s just writing to Program Files / Windows / HKLM basically. Most of what it catches will already be mitigated with file/registry virt, but we use that for a surrogate for "they probably did something else wrong too".

  4. ABC says:

    k…..But SUA Tool will give us the information saying so and so files or folders are working with the help of Virtualization( by seeing the SUA logs we can identify this.)

    But when we are selecting UAC evaluators as a part of DCP, it is not giving us any information like, these files/registries of this application are working with Virtualization.

    I have not seen any issues in the ACM reports( even as a part of evaluator) like what I am able to see in the SUA tool logs.

    -ABC

  5. cjacks says:

    Double click into it and we’ll progressively give you more details. But SUA gives you far, far more details, and that’s by design. Personally, I don’t use UACCE much.

  6. Venkat says:

    Hi,

    Basically I am working on a project of migrating  applications from XP to Vista.Iam getting an error:"XP to Vista migration failed , access is denied" and application automaticallly shutsdown.

    If i give full control to the application folder manually I am able to resolve the issue.

    But I want to use shim.

    i found 1)RunasAdmin

           2)RunasIvoker

           3)RunasHighest

           4)ForceadminAccess can solve the issue.

    Can you give the differences between these shims and give your valuable suggestions for resolving this issue.

  7. cjacks says:

    If it’s just files, you can redirect using CorrectFilePaths. Just point the files somewhere to a user accessible location. I’d look at what you can find in the Standard User Analyzer tool, which will track the specific files it’s trying to write to.

  8. venkat says:

    Hi Chris thanks for ur reply.

    I have ACT tool with me , but I dont know hw to run SUA in that. while I was just running the application this issue encoutered.And I also dont know the files which you r taking about to redirect.

    Plz  help me regarding this.

  9. cjacks says:

    Hi Venkat,

    I don’t know which files to redirect either – that’s why I was pointing you to a tool! 🙂 SUA is under Microsoft Application Compatibility Toolkit

    Developer and Tester Tools Stanard User Analyzer. You can read the help documentation for the guide on how to use it, but it’s pretty straightforward. The thing to look for: the Mitigation menu – which fixes things up for you once you’ve found the problems.

    Chris

  10. Venkat says:

    Hi Chris,

    while iam running an application in vista iam getting runtime error 70 access denied and the application getting closed.

    Would u plz suggest the reason and remediation option or shims as soon as possible.

    Thanks

  11. cjacks says:

    Hi Venkat,

    Access Denied alone isn’t enough to diagnose. I don’t know what it was trying to access. I’d try using Standard User Analyzer any time you have Access Denied as a good starting point.

    Thanks,

    Chris

  12. venkat says:

    Hi chris,

    I launched an application through SUA.Though there are no functionality changes in vista and XP,these isssues have beeen logged in SUA.what may be the reason,could you plz suggest any shims for the same.

    File Issues:

    1)CreateFileW: File (DeviceHarddiskVolume1Program FilesNMFCOLNKPLCHPLCH.ldb) only grants requested ‘FILE_WRITE_DATA’

    to ‘NT AUTHORITYSYSTEM, BUILTINAdministrators’

    2)CreateFileW: File (DeviceHarddiskVolume1Program FilesNMFCOLNKPLCHPLCH.MDB) only grants requested ‘FILE_WRITE_DATA’

    to ‘NT AUTHORITYSYSTEM, BUILTINAdministrators’

    3)CreateFileW: Directory (DeviceHarddiskVolume1Program FilesNMFCOLNKPLCH) only grants requested ‘FILE_ADD_FILE’

    to ‘NT SERVICETrustedInstaller, NT AUTHORITYSYSTEM, BUILTINAdministrators’

    4)CreateFileA: File (DeviceHarddiskVolume1Windowsplchcrw.ini) only grants requested ‘FILE_WRITE_DATA’

    to ‘NT AUTHORITYSYSTEM, BUILTINAdministrators’

    5)CreateFileA: Directory (DeviceHarddiskVolume1Windows) only grants requested ‘FILE_ADD_FILE’

    to ‘NT SERVICETrustedInstaller, NT AUTHORITYSYSTEM, BUILTINAdministrators’ .

    Chirs thanks for ur wonderful support.and plz help regarding this asap.

  13. venkat says:

    Hi chris,

    I launched an application in vista through SUA.Though there are no functionality changes in vista and XP,these isssues have beeen logged in SUA.what may be the reason,could you plz suggest any shims for the same.

    File Issues:

    1)CreateFileW: File (DeviceHarddiskVolume1Program FilesNMFCOLNKPLCHPLCH.ldb) only grants requested ‘FILE_WRITE_DATA’

    to ‘NT AUTHORITYSYSTEM, BUILTINAdministrators’

    2)CreateFileW: File (DeviceHarddiskVolume1Program FilesNMFCOLNKPLCHPLCH.MDB) only grants requested ‘FILE_WRITE_DATA’

    to ‘NT AUTHORITYSYSTEM, BUILTINAdministrators’

    3)CreateFileW: Directory (DeviceHarddiskVolume1Program FilesNMFCOLNKPLCH) only grants requested ‘FILE_ADD_FILE’

    to ‘NT SERVICETrustedInstaller, NT AUTHORITYSYSTEM, BUILTINAdministrators’

    4)CreateFileA: File (DeviceHarddiskVolume1Windowsplchcrw.ini) only grants requested ‘FILE_WRITE_DATA’

    to ‘NT AUTHORITYSYSTEM, BUILTINAdministrators’

    5)CreateFileA: Directory (DeviceHarddiskVolume1Windows) only grants requested ‘FILE_ADD_FILE’

    to ‘NT SERVICETrustedInstaller, NT AUTHORITYSYSTEM, BUILTINAdministrators’ .

    Chirs thanks for ur wonderful support.and plz help regarding this asap.

  14. cjacks says:

    Hi Venkat,

    Windows Vista’s file and registry virtualization doesn’t work for executable files, and my guess is that the .mdb counts as executable code and that’s why virt isn’t just fixing it. Try CorrectFilePaths to drop that somewhere else. If you go to the mitigation menu in SUA and ask it to apply mitigations, it may have already made that fix up for you.

    Chris