Auditing Elevation on Windows Vista

A little while ago, I was investigating the customer experience data on elevations which we use to identify which applications are triggering the greatest number of elevation prompts on Windows Vista (and hopefully do something about it).

Working with a customer who is currently planning to deploy protected admin desktops, but who are interested in understanding what and how often people end up elevating, we wanted to go after the same information. In this case, we had slightly different interests than the UAC team does. While knowing the biggest culprit is interesting, we're also interested in the "long tail". We'd like to be able to do forensics ("ah, I see that you elevated 'Happyrootkit 1.0' a couple weeks ago, and now things are a bit slower...") to diagnose issues.

So, I was poking around doing research and determined how to do this, and I was going to go through and document here what I had done. Then, I found that the "Ask the Directory Services Team" blog already has here:

Nice. Less typing for me today!

So, what did I elevate yesterday?

Application Elevations
C:WindowsSystem32gpscript.exe 8
C:Program FilesMicrosoft Application Compatibility Toolkit 5Internet Explorer Compatibility Test Tooltesttool.exe 2
C:WindowsSystem32mmc.exe 2
C:WindowsSystem32WerFault.exe 2
C:845f22e7821553cb4spinstall.exe 1
C:96c454dd8c4de0e482770aca624b3aspinstall.exe 1
C:c7f3efbf0404b3b3b763b20aaebddfb8mpsigstub.exe 1
C:Users<username>DocumentsProgram FilesSysinternalsSuiteProcmon.exe 1
C:WindowsSoftwareDistributionDownloadInstallmpas-d.exe 1
C:WindowsSystem32dllhost.exe 1
C:WindowsSystem32rstrui.exe 1
C:WindowsSystem32runonce.exe 1
C:WindowsSystem32SystemPropertiesProtection.exe 1
C:WindowsSystem32wuauclt.exe 1

Not too bad, given that most of the apps launched with an elevated token inherited that token from the parent process. However, it looks like my enterprise group policy clicked this back off for me yesterday, so I only got 12 hours of data rather than a long-term view. Could be for some interesting findings!

Skip to main content