Identification of Administrative Applications

Welcome to another installment of the Windows Vista UAC Blog!

Let’s dig a little deeper into the area of how Windows Vista knows which applications need to run with administrator privileges. We’ll use the term “Elevation” to describe the process by which an application is launched with admin privileges. Elevation falls into two categories:

  1. The O/S makes a decision that the application looks like an installer or updater and will automatically invoke elevation to run the program with administrative permissions/privileges when a user runs it. This decision is based on a heuristic. Here are some of the heuristic detection points, although this list is not exhaustive:
    • File name detection – looks for the words “setup”, “update”, “install” in the filename
    • SxS Manifest word detection – looks for well-known values in the assembly name attribute of the program’s SxS manifest
    • String table detection – looks for well-known values in the string table within the resource section of an executable
  2. An application is marked via an overt action to run with administrative permissions/privileges. This process of admin marking can occur in four ways.
    • Including an app manifest within the resource section of their executable program that specifies that the application needs to run with administrative permissions/privileges. This is the method that a developer of Windows Vista compliant code would use when developing or updating their application. The benefit is that the marking is performed by the developer and included in the code when it is compiled. This marking travels around with the code and is therefore independent of the target Windows Vista system. We have an MSDN article that has a section on how to do this. Take a look at: https://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp

    • An application compatibility shim is installed on a Windows Vista machine that marks an executable so it will be elevated when run. This would be the way that an IT professional would mark a legacy application in their environment without having to make changes to the code. The application compatibility toolkit, available for download from Microsoft, includes a tool called compatAdmin.exe that is used to build the shims. We have an article available that describes how this is done (along with the process of deploying this shim within a group policy-managed environment). Take a look at: https://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx

    • A checkbox is available on the compatibility tab under program properties that says “Run the program as an administrator”. This is how a user of Windows Vista would mark an application for elevation on a one-off basis.

    • A user can force elevation of an unmarked application by right clicking on an application and selecting “Run Elevated…” from the menu. This is how a user of Windows Vista would run an application elevated without persisting the setting. With this, a user can run an application elevated only when they specifically want to.
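As an added example that is not part of the original post, here is a Python script approximating the two paths above: the file-name heuristic from the first list and the app-manifest marking from the second. It assumes an embedded manifest can be located by a byte search for its assembly element rather than by walking the PE resource directory, and the sample executable bytes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Words the file-name detection point looks for (from the post).
INSTALLER_WORDS = ("setup", "update", "install")

# Namespaces in which a manifest's trustInfo/requestedExecutionLevel element lives.
MANIFEST_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")

# Assumption: the embedded manifest is UTF-8 XML stored verbatim in the resource
# section, so a byte search for <assembly>...</assembly> finds it without a PE parser.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

def looks_like_installer(filename):
    """Simplified file-name heuristic: any of the installer words in the name."""
    name = filename.lower()
    return any(word in name for word in INSTALLER_WORDS)

def manifest_execution_level(data):
    """Return the requestedExecutionLevel from an embedded manifest, or None."""
    m = MANIFEST_RE.search(data)
    if not m:
        return None
    root = ET.fromstring(m.group(0))
    for ns in MANIFEST_NS:
        el = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if el is not None:
            return el.get("level")
    return None

def classify(filename, data):
    """Explicit manifest marking takes precedence; otherwise apply the name heuristic."""
    level = manifest_execution_level(data)
    if level is not None:
        return "marked:" + level
    if looks_like_installer(filename):
        return "heuristic:installer"
    return "none"

# Constructed sample "executable": header bytes around a manifest that requests
# administrator privileges, i.e. the marking a developer compiles into the program.
SAMPLE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>"""
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 32 + SAMPLE_MANIFEST + b"\x00" * 16

if __name__ == "__main__":
    print(classify("app.exe", SAMPLE_EXE))       # marked:requireAdministrator
    print(classify("setup.exe", b"MZ\x90\x00"))  # heuristic:installer
```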

Cheers!

- Peter