Understanding the AdditiveRunAsHighest Flag on Windows 7


This post corrects an error from a previous post.

Back when I was explaining the changes in the operating system layers for Windows 7, I incorrectly described the AdditiveRunAsHighest flag. Since RunAsHighest is already confusing enough, and AdditiveRunAsHighest is even more confusing (even I got it wrong), I want to make sure I actually get it right (and apologize for not having done so before).

AdditiveRunAsHighest requests that the application receive the RunAsHighest flag if and only if nobody else has requested a higher level of elevation.

That means we will overrule a manifest if that manifest is asInvoker, but we will not overrule a manifest if that manifest is requireAdministrator. It also means we will overrule a layer if that layer requests RunAsInvoker, but we will not overrule a layer if that layer requests RunAsAdministrator.

In short, it means that this flag will only be used to increase your level of elevation (to highestAvailable) and will never be used to decrease it (from requireAdministrator).

The reason why this flag exists? Setups. If we think you are a setup, then the setup detection logic applies the VistaSetup layer, which has (as you might imagine) RunAsAdministrator. We don’t want setups to fail for every standard user out there – they still need to prompt. So, this layer will not cause standard users to stop seeing prompts for setups (or manifested apps for that matter). If we had used the existing RunAsHighest flag, then it would have broken setup detection for standard users – and we love our standard users.
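To make the precedence rules above concrete, here is an added example (my own model, not code from the original post or from Microsoft's shim engine) that resolves a manifest's requestedExecutionLevel against the RunAsInvoker, RunAsHighest, RunAsAdministrator and AdditiveRunAsHighest flags. The level ordering, the "last overriding flag wins" rule and the prompt outcomes in `prompts()` are my assumptions; `prompts()` shows why the additive flag keeps a setup prompting for a standard user while plain RunAsHighest would not.

```python
# Added example, not code from the original post or from Microsoft: a small model of
# how a manifest's requestedExecutionLevel combines with RunAsInvoker, RunAsHighest,
# RunAsAdministrator and AdditiveRunAsHighest, as the post describes. The level
# ordering, "last overriding flag wins" and the prompt outcomes are my assumptions.
from enum import IntEnum


class Level(IntEnum):
    """Elevation levels ordered so that max() means 'the higher request'."""
    AS_INVOKER = 0
    HIGHEST_AVAILABLE = 1
    REQUIRE_ADMINISTRATOR = 2


MANIFEST = {
    "asInvoker": Level.AS_INVOKER,
    "highestAvailable": Level.HIGHEST_AVAILABLE,
    "requireAdministrator": Level.REQUIRE_ADMINISTRATOR,
}

# Non-additive layer flags overrule whatever the manifest asked for.
OVERRIDING = {
    "RunAsInvoker": Level.AS_INVOKER,
    "RunAsHighest": Level.HIGHEST_AVAILABLE,
    "RunAsAdministrator": Level.REQUIRE_ADMINISTRATOR,
}


def effective_level(manifest: str, flags: list[str]) -> Level:
    """Resolve the elevation level that will be requested for the process."""
    level = MANIFEST[manifest]
    for flag in flags:
        if flag in OVERRIDING:           # RunAs* flags replace the current request
            level = OVERRIDING[flag]
    if "AdditiveRunAsHighest" in flags:  # only ever raises, never lowers
        level = max(level, Level.HIGHEST_AVAILABLE)
    return level


def prompts(level: Level, user_is_admin: bool) -> bool:
    """Whether UAC prompts: highestAvailable prompts only when the user's highest
    token is actually an admin token; requireAdministrator always prompts."""
    if level == Level.REQUIRE_ADMINISTRATOR:
        return True  # consent prompt for admins, credential prompt for standard users
    if level == Level.HIGHEST_AVAILABLE:
        return user_is_admin
    return False
```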

Comments (2)

  1. Djs says:

    Chris,

    I am having trouble observing this shim NOT elevating when the EXE is manifested asInvoker.

    In order to eliminate other possibilities I located an EXE that is manifested asInvoker by the developer and is not in the system AppCompat database (Notepad++.exe).

    I tested with no shims configured. Then added only AdditiveRunAsHighest. UAC Elevation is triggered.

    I have run DbgView and see that the shimming engine is applying my AdditiveRunAsHighest and it is the only shim being applied.

    There are no layers being applied via the registry.

    I have vanilla OOB UAC settings and an administrator account in admin approval mode.

    Could you steer me in the right direction?

    Djs.

  2. cjacks says:

    @Djs – it will elevate when the app is manifested asInvoker. It will always elevate at least to highestAvailable, but won’t demote you from requireAdministrator down to highestAvailable.