Identification of Administrative Applications


Welcome to another installment of the Windows Vista UAC Blog!


Let’s dig a little deeper into the area of how Windows Vista knows which applications need to run with administrator privileges. We’ll use the term “Elevation” to describe the process by which an application is launched with admin privileges. Elevation falls into two categories:



  1. The O/S makes a decision that the application looks like an installer or updater and will automatically invoke elevation to run the program with administrative permissions/privileges when a user runs it. This decision is based on a heuristic. Here are some of the heuristic detection points, although this list is not exhaustive:

    • File name detection – looks for the words “setup”, “update”, “install” in the filename
    • SxS Manifest word detection – looks for well-known values in the assembly name attribute of the program’s SxS manifest
    • String table detection – looks for well-known values in the string table within the resource section of an executable

  2. An application is marked via an overt action to run with administrative permissions/privileges. This process of admin marking can occur in four ways.

    • Including an app manifest within the resource section of their executable program that specifies that the application needs to run with administrative permissions/privileges. This is the method that a developer of Windows Vista compliant code would use when developing or updating their application. The benefit is that the marking is performed by the developer and included in the code when it is compiled. This marking travels around with the code and is therefore independent of the target Windows Vista system. We have an MSDN article that has a section on how to do this. Take a look at: http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp
    • An application compatibility shim is installed on a Windows Vista machine that marks an executable so it will be elevated when run. This would be the way that an IT professional would mark a legacy application in their environment without having to make changes to the code. The application compatibility toolkit, available for download from Microsoft, includes a tool called compatAdmin.exe that is used to build the shims. We have an article available that describes how this is done (along with the process of deploying this shim within a group policy-managed environment). Take a look at: http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx
    • A checkbox is available on the compatibility tab under program properties that says “Run the program as an administrator”. This is how a user of Windows Vista would mark an application for elevation on a one-off basis.


    • A user can force elevation of an unmarked application by right clicking on an application and selecting “Run Elevated…” from the menu. This is how a user of Windows Vista would run an application elevated without persisting the setting. With this, a user can run an application elevated only when they specifically want to.

Cheers!


– Peter


Comments (36)

  1. Brian says:

    Uh, isn’t this a huge gaping security hole? If I was a malware author wouldn’t it be easily within my capabilities to duplicate a number of those heuristics (such as including a bunch of installshield string resources and naming the executable setup.exe) and thus trick the system into running my badness with elevated privileges? How in the world is this not ripe for abuse?

    On Raymond Chen’s blog he’s talked in detail in the past about how when they were designing some of the shell APIs for windows 95 they made it easy for a program to place itself preferentially on the start menu. And then authors abused the heck out of that, placing themselves at the top of the menu instead of the standard place, which forced MS to add code in XP so that programs couldn’t manipulate the start menu any more. And similarly for "bring to front", which necessitated the "don’t let programs steal focus" flashing taskbar added in 2k. Won’t this just be another thing that lazy/malicious software will use to get around a well-meaning restriction?

    How does running with dropped privileges by default achieve anything if all a program has to do to get the "SUID bit" is to call itself setup.exe?

  2. Mr. FACT says:

    This is very helpful

  3. mgm says:

    If I have documents located in a folder with rights only given to the Administrators group, is there any way from within an unprivileged application, such as Word, for a user in the Administrators group to open and edit documents in that folder? Will the File Open dialog prompt if you try and open a file in that folder?

  4. Andy C says:

    Brian: No, it’s not a security hole, because it doesn’t work like SUID. By default all executables will run with limited privileges; the above conditions just identify the situations in which Vista will prompt you to allow elevated execution – you still get the chance to say no.

  5. hn says:

    Is there a way to prompt the permission dialog programmatically? So my application still runs fine with regular permission. Once my API which requires Administrator privilege is called, I will call a Windows API to ask for the permission?

  6. UAC says:

    I’ll respond to a couple of the comments.

    mgm’s question: If the ACLs are set on a file to only allow access by Administrators, then when running with your non-admin token, you would not have access to these files. One solution is to ACL the files so they are owned by the user, not by the Administrators group.

    hn’s question: There is no way to obtain admin privs for a process once it is created. If your app needs to perform an admin operation, you’ll need to launch the program elevated up front.

  7. UAC says:

    Where do I find documentation for CoCreateInstanceAdmin()?

  8. UAC says:

    Funny… That doesn’t tell me if it initializes the COM objects in-proc or out-of-proc, or the parameters for the function. I can’t find anything on it in the 5270 CTP release of the platform SDK.

  9. Note: LUA (Least User Access) has been renamed UAC (User Access Control), which is a much better name…

  10. Anonymous says:

    This is a great idea in general, but it doesn’t seem perfect to me. You give full admin rights to anything that requests them, and all installers are going to.

    Some commercial apps have been bundled with spyware and the like; some others have a broken installer that does damage or leaves trash.

    So, letting a regular app installer run with full admin rights is dangerous. A better course of action would be:

    * Let it create a NEW dir in Program Files and write ONLY inside it. If it tries to write DLLs to Windows or System32, "virtualize" them.

    * Let it CREATE new shortcuts, registry settings, and whatever is needed to create an uninstaller.

    But that’s it. No driver installs. No changes to the system folders. No changes on the program files of other installed applications. No changes on system-wide settings. No adding to startup/autorun. You get the idea.

    There’s an "advanced user" or something like that account in 2000/XP that is something similar, I think. Never looked into it.

  11. kevin says:

    If one of the threads of a process calls the Impersonate() or LogonAsUser() API to elevate itself to a privileged user and access some system resource, and I don’t provide an explicit declaration in the manifest file that this application needs to run in elevation mode, then what will happen if a standard user or an admin user launches this application? Thanks

  12. Hermann Schinagl says:

    Hi

    Can you give me a hint how to let my shellextension create symbolic links?

    More in detail: my ShellExtension calls CreateSymbolicLink, which needs at least a manifest containing ‘requestedExecutionLevel level="highestAvailable"’ or you get GetLastError=ERROR_PRIVILEGE_NOT_HELD from CreateSymbolicLink. OK, added the manifest, copied the shell extension to the right place, restarted explorer.exe… and…

    Nothing.

    Taking a look at the privileges available for explorer.exe via procexp from Sysinternals, I can see that explorer still has its crappy least privileges assigned to it.

    How do I proceed?

    BTW: It is stupid to have ‘requestedExecutionLevel level="highestAvailable"’ in the manifest when I only need SeCreateSymbolicLink. Why is there no finer granularity?

          Ciao Hermann

  13. Robert Barnett says:

    Can we use this with web applications?

  14. David says:

    I agree with hn. There really needs to be an API that will prompt the user to move the application to an elevated privilege status. Consider an application that has no installer, but the application has menu items for "Register file types" and "Unregister file types." There could also be an API for restoring the application to its previous privilege status after completing a couple of privileged operations.

  15. Will says:

    (experimenting with Build 5380 atm)

    There appears to be no way of running an application that says it needs admin mode in a non-admin mode, e.g. something that is detected by heuristics (for example a file called setup.exe) but you don’t want to run it with admin.

    Are you guys planning to put this in?

    Will

  16. security says:

    "Run this program as administrator"

    I am having trouble understanding this feature. In Beta2, if I mark a certain app with "Run this program as administrator", it always asks me for Elevation!!! Is this the correct behavior? I thought the intention of this feature was to mark a certain app to start administratively without prompting the user???

    Thanks

  18. To "security" – marking the program to run as administrator means that you will ALWAYS be prompted before it starts.  You’re saying, in effect, "this app needs elevated privileges – don’t even bother running it if it can’t run elevated."  Nothing runs elevated without a protected interactive consent from an administrator.  The behavior you’re describing is akin to the SUID behavior in Unix, and that is not implemented in Windows.  SUID has been a major source of EoP (elevation of privilege) security issues on Unix platforms, because it is *incredibly* hard to ensure that an app with the SUID bit set will perform ONLY the operations its designers (or the SUID-bit setter) intended, and that those operations don’t have any undesired side-effects.

  19. John says:

    Hi,

    I have an ASP (not an ASP.NET) application accessing a SQL Server 2005 database installed on Vista Beta 2 (Build: 5384). I am unable to access my application on the server. UAP is blocking my application. I don’t want to change the system-level UAP configuration using msconfig or secpol.msc.

    Can anyone suggest an idea for changing the application-level UAP configuration?

    Thanks in Advance.

    -John-

  20. JianFei Liao says:

    Can I mark an application to "run as admin" by putting the manifest file into the same folder as the .exe file (I mean, not using mt.exe to embed the manifest into the .exe file)?

    It seems to work sometimes but not always. Is this a feature of Vista by design? Or just some heritage "bonus" from XP, so we can’t count on it…

  21. Paul Sanders says:

    Does anybody know if there actually is an API hidden away somewhere to (temporarily) elevate an application’s privileges so that it can, for example, write something to the HKLM registry tree?  If not, there certainly should be.

    LogonUser does not fit the bill as the caller has to provide account credentials (user ID and password), whereas UAC prompts the user for these (if appropriate).

    I have noticed that the User Accounts Control Panel seems to behave as if such an API exists (try clicking on ‘Manage Another Account’).

  23. Daniel Sinclair says:

    When launching certain (legacy) apps, Vista uses heuristics to establish whether it needs to run as admin or not if it’s not specifically tagged. Applications like SQL Management Studio, the Windows MMC.exe and Orca all look like they’re using the kinds of APIs that need admin privs, but in fact none of them do (although it depends on the command line or snap-in loaded with MMC).

    When Vista asks me whether I’d like to elevate this application, I’d like to have a checkbox that remembered if my selection was, "No this app doesn’t need to run as admin, despite what it might look like, so don’t ask me again".

  24. @Daniel Sinclair:  That checkbox won’t happen in Vista.  It would be too open for abuse, just like SUID in *nix platforms.

  25. Daniel Sinclair says:

    With regard to the UAC dialog asking me whether I want to run as admin or not, I should have said that I’d like three choices, not two: one to run as admin, another to run as non-admin and finally not to run at all. I’d like a checkbox that allows me to ‘remember’ whether a legacy application (that Vista has failed to successfully identify, using heuristics, as needing admin privs) can run without admin privs, and not ask me next time.

    In the current implementation I find that I’m having to run some apps as admin when they don’t need to. Without UAC, and running as non-admin by default, I had a choice, so UAC is less secure for those organisations already embracing running as non-admin on XP.

  26. @Daniel Sinclair:  actually, tools like RegEdit and MMC.exe are marked to run as "highestAvailable", not as "requireAdministrator".  If the current user is a member of the Administrators group, s/he will be prompted for elevation – the app will run elevated or not at all.  But if the user is a Standard User and cannot elevate in-place without using a different account, the tool will simply run with Standard User privileges.  The tool can still be run elevated by right-clicking it and choosing "Run as administrator".  So a solution to your problem could be to run as Standard User, and use a separate admin account for running apps elevated.

  27. Andy Champ says:

    Aaron,

    you’re missing the point.  There are legacy apps that don’t have a manifest, and which Vista looks at and decides need elevated rights.

    Daniel has asked for a feature I’ve wanted too – I want to be able to say "YOU might think this app needs elevation, but you’re wrong.  Run it without".  Having a checkbox saying "… and I never want it to be elevated" also seems a good idea.

    You seem to be saying this is a security risk.  Having a box that says "Run this guy elevated every time, and don’t ask me" is a risk.  How can a feature that says "do NOT elevate" be a security risk?  It’s no more a security risk than planting a manifest in the same folder!

    Andy

  28. @Andy Champ – you’re right, I misread the previous message.

  29. HF Kok says:

    Hi Guys,

    I’m having a problem copying a .sys file into the System32/drivers folder. Is there any way that I could make this happen?

    The error message that pops out is

    "You need to provide administrator credentials to copy to this folder"

    Can anyone tell me how I can get the admin privileges?

  30. Shajeer says:

    Application fails to start under Vista after implementing the manifest. It displays the error “A referral was returned from the server.”

    The manifest rights are

    <requestedExecutionLevel level="requireAdministrator"
      uiAccess="true"/>

    It works fine if the access right for uiAccess is set to false

    <requestedExecutionLevel level="requireAdministrator"
      uiAccess="false"/>

    Kindly advise…

    -Shaj

    Do you really need uiAccess=true?  That capability is generally intended only for accessibility utilities.  If you do need uiAccess enabled, then the executable needs to be digitally signed, and must be installed under %windir% or %ProgramFiles%.

    HTH

    — Aaron Margosis

  31. Shajeer says:

    Thanks for your quick reply..

    How to get our software digitally signed?

    Let us know whether any functionality will fail if the uiAccess is set to false?

    (Detailed Explanation will be helpful)

    We are installing our application in the %ProgramFiles% path only.

    Basically our intention is, whenever our application is launched it should launch in administrator mode without any hassle for the users.

    Kindly help us resolve our issue..

    What does your app do that requires it to run with administrator privileges?  Does it perform system-administrative tasks, or is it just a regular application that happens to write to protected, system-wide locations in the registry and file system?  If it’s the latter, you and your users would be much better off changing the app so that it doesn’t need admin privileges to begin with.

    If by “without any hassle for the users” you mean “without being prompted for elevation”, you can’t do it.

    Various developer-oriented UAC issues are written up here, including this bit about uiAccess (“false” is the right setting for the vast majority of apps):

    uiAccess

    • false—The application does not need to drive input to the UI of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true.
    • true—The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop. This setting should only be used for UI Accessibility applications.

    — Aaron Margosis

  32. Shajeer says:

    Question No 1:

    ————–

    We need the administrator rights because

    1) We are getting the hard disk number for registration purposes.

    2) We are writing the values in registry under HKEY_CLASSES_ROOT and also in HKEY_CURRENT_USER,HKEY_LOCAL_MACHINE

    for various purposes.

    3) We use SendMessage and PostMessage APIs to send messages to other applications.

    4) We use hooks for setting keyboard shortcuts.

    5) We send requests to our servers to check for updates and then download the updated components, if any.

    Let us know whether all the above can be accomplished with setting uiAccess = false.

    Question No 2:

    ————–

    If we install our software in some other path, say D:TestApplication, rather than installing in %programfiles%, will it create any problem in performing any tasks?

    Kindly advise.

  33. Shajeer says:

    Hello Aaron Margosis

    I have another problem.

    With respect to one application, even if I have specified "require administrator" in the manifest file, it is not asking for elevation. It just opens with standard user rights.

    But it works for all other applications, except this one, which is a larger application compared to the others.

    Kindly advise.

  34. Henryk Birecki says:

    Where do I find CoCreateInstanceAdmin. The most recent SDK (Oct (Nov?) 2006) does not have it. No information on it seems to exist except on one MSDN page that directs one to use it.

  35. Shajeer says:

    My manifest file is not working

    I have included the following lines in "MyApplication.rc2"

    #define MANIFEST_RESOURCE_ID 1

    MANIFEST_RESOURCE_ID RT_MANIFEST "MyApplication.exe.manifest"

    And the contents of manifest file is as follows

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0"
        processorArchitecture="X86"
        name="MyApplication"
        type="win32"/>
      <description>MyApplication requires administrative privileges</description>
      <!-- Identify the application security requirements. -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel
              level="requireAdministrator"
              uiAccess="false"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>

    But when I try to launch the application it is still launching in Standard User mode, and the admin shield is missing.

    Please do help to fix the problem.
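As an added example (not code from the post, from Microsoft, or from any commenter), here is a small Python model of the elevation rules collected on this page: the post’s file-name heuristic and manifest marking, the highestAvailable behaviour Aaron Margosis describes in comment 26, and the uiAccess requirements from comment 30. All function names are made up here, PROTECTED_ROOTS is an assumed stand-in for %windir% and %ProgramFiles%, and the manifest it builds is a constructed sample shaped like the one posted in comment 35.

```python
"""Model of the Vista elevation rules described on this page (added example, not Microsoft's code)."""
import xml.etree.ElementTree as ET

# File-name heuristic from the post; the SxS-manifest and string-table checks are not modelled.
INSTALLER_WORDS = ("setup", "update", "install")
VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")
# Assumed install roots standing in for %windir% and %ProgramFiles% (lower-cased for comparison).
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files")


def make_manifest(level, ui_access="false", name="MyApplication"):
    """Build a manifest with the same shape as the one posted in comment 35 (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n'
        '  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="%s" type="win32"/>\n'
        '  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>\n'
        '    <requestedExecutionLevel level="%s" uiAccess="%s"/>\n'
        '  </requestedPrivileges></security></trustInfo>\n'
        '</assembly>\n' % (name, level, ui_access)
    )


def parse_requested_execution_level(manifest_xml):
    """Return (level, uiAccess) or None when the manifest has no requestedExecutionLevel.
    The element is matched by local name, so the asm.v2 and asm.v3 namespaces both work."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level")
            if level not in VALID_LEVELS:
                raise ValueError("unknown requestedExecutionLevel: %r" % level)
            return level, elem.get("uiAccess", "false").lower() == "true"
    return None


def looks_like_installer(exe_name):
    """The post's file-name heuristic: 'setup', 'update' or 'install' somewhere in the name."""
    return any(word in exe_name.lower() for word in INSTALLER_WORDS)


def elevation_decision(exe_name, manifest_xml=None, user_is_admin=True):
    """Predict the launch behaviour: the post's rules for the heuristic and for
    requireAdministrator, plus comment 26 for highestAvailable. A prompt always precedes
    an elevated run; nothing is elevated silently."""
    parsed = parse_requested_execution_level(manifest_xml) if manifest_xml else None
    if parsed is None:
        return "prompt (installer heuristic)" if looks_like_installer(exe_name) else "no prompt (asInvoker)"
    level, _ = parsed
    if level == "requireAdministrator":
        return "prompt (manifest)"  # runs elevated or not at all
    if level == "highestAvailable":
        return "prompt (manifest)" if user_is_admin else "no prompt (standard user)"
    return "no prompt (asInvoker)"


def uiaccess_findings(manifest_xml, install_dir, signed):
    """Comment 30's rule: uiAccess=true needs a signed binary installed under %windir% or %ProgramFiles%."""
    parsed = parse_requested_execution_level(manifest_xml)
    findings = []
    if parsed and parsed[1]:
        if not signed:
            findings.append("uiAccess=true but the executable is not digitally signed")
        if not install_dir.lower().startswith(PROTECTED_ROOTS):
            findings.append("uiAccess=true but not installed under %windir% or %ProgramFiles%")
    return findings
```

Running uiaccess_findings on a uiAccess="true" manifest for an unsigned binary in D:TestApplication reports both findings, which matches the two conditions Aaron gave for the "referral was returned from the server" case in comment 30.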