Helpdesk Elevation on Windows Vista and Windows 7


Since I was talking about configuring UAC on Windows Vista and Windows 7 a bit yesterday, I thought it made sense to bring up another policy whose actual use may not be obvious based on the name.

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

We talked about the secure desktop – but what is this UIAccess all about? Well, you can get details here:

http://msdn.microsoft.com/en-us/library/ms742884.aspx

But rather than going deep, let’s look at the manifest for msra.exe (Microsoft Remote Assistance):

sigcheck -m c:\windows\System32\msra.exe

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

"c:\windows\system32\msra.exe":
        Verified:       Unsigned
        File date:      11:47 PM 12/12/2008
        Publisher:      Microsoft Corporation
        Description:    Windows Remote Assistance
        Product:        Microsoft® Windows® Operating System
        Version:        6.1.7000.0
        File version:   6.1.7000.0 (winmain_win7beta.081212-1400)
        Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
    <assemblyIdentity
        version="5.1.0.0"
        processorArchitecture="amd64"
        name="Microsoft.Windows.RemoteAssistance"
        type="win32"
    />

    <description>Remote Assistance</description>

    <dependency>
        <dependentAssembly>
            <assemblyIdentity
                type="win32"
                name="Microsoft.Windows.Common-Controls"
                version="6.0.0.0"
                processorArchitecture="amd64"
                publicKeyToken="6595b64144ccf1df"
                language="*"
            />
        </dependentAssembly>
    </dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="asInvoker"
                uiAccess="true"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
<asmv3:application>
   <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
        <dpiAware>true</dpiAware>
        <autoElevate>true</autoElevate>
   </asmv3:windowsSettings>
</asmv3:application>
</assembly>

I think of this policy as the “give helpdesk the ability to elevate” policy.

(Obviously this only works if you don’t configure the policy to auto-deny elevation requests by standard users.)
