Announcing Microsoft Standard User Analyzer Beta 1

The UAC team has just released the first beta version of the Microsoft Standard User Analyzer (SUA) tool. SUA is a tool that independent software vendors (ISVs) and IT developers can use to diagnose and identify possible application compatibility issues when migrating applications that run as administrator on down-level Windows operating systems to Windows Vista, where even administrators run most programs with standard user privileges by default.

SUA is a runtime diagnostic tool with two modes: predictive mode and diagnose mode. In predictive mode, the application being tested is launched elevated, with administrative privileges. SUA works by monitoring a set of selected APIs that are used to access resources, such as files and registry keys, on the operating system. While the application runs, SUA interprets how each API is called, monitors the result, and logs whether the call would succeed or fail if the application were running as a standard user instead of as administrator. This allows the application to be fully exercised and provides a high-level summary of all the potential standard user issues in the application. In diagnose mode, the application being tested is launched with a standard user token. The application may fail at the first error it encounters. This mode is useful if you want to test the application in a standard user environment after you have fixed all the issues identified by SUA in predictive mode.

Figure 1 Screenshot of Standard User Analyzer Beta 1

As we progress in our understanding of standard user application compatibility issues, we will be integrating our knowledge into the next beta version of the tool.  We hope you will find this tool useful in helping you change your application to be standard user ready on Windows Vista.

Please visit the Standard User Analyzer site to obtain additional information and to download the tool.



Wei Wang

Lead SDE/T

Windows Security

Comments (17)

  1. Bryan says:

    I was hoping this could be used by a sysadmin to help see what an app needs in order to run, but I am totally lost here!

    I’ve tried launching several apps via the tool – none seem to load. The first time around, it notified me that I needed appverif.exe – fine, went and got that.

    Now I see various messages in the debug window, like:

    Launching: C:\Program Files\Moffsoft FreeCalc\MoffFreeCalc.exe

    Returned  : 216

    Executing: appverif.exe -disable luapriv -for "MoffFreeCalc.exe"

    Returned : 0

    Executing: appverif.exe -export log -for "MoffFreeCalc.exe" -with to="C:\DOCUME~1\BRYAN~1.PUR\LOCALS~1\Temp\MoffFreeCalc.exe.xml" Symbols="C:\WINDOWS"

    Returned : 1

    … but nothing else happens. There’s no Help. I’ve tried playing with various options. So far, this seems kind of useless! Maybe some additional documentation pointers would be valuable here …

  2. Bryan says:

    It seems my real problem is this:

    StampLogFile failed

    Refresh log #1

    Executing: appverif.exe -stamp log -for "anyapp.exe" -with Stamp=STAMP1

    Returned : 1

    I seem to be getting this error no matter what I do. And I seem to get LOTS of them when I run apps that I know are generating LUA errors. I am running the program itself while logged in as a member of Administrators. I get the problem when I ‘Launch elevated’ whether I launch as a member of Administrators, or the Administrator account itself.

    How to resolve?

  3. Koti says:

    Please give me the instructions on how to use MS standard user analyzer.

  4. UAC says:

    Hi Koti, when you run the MSI that installs the Standard User Analyzer, it installs a SUAnalyzer.rtf file in the Program Files\Standard User Analyzer directory.  Just open that file in an editor that can handle the RTF format (such as WinWord).  Let us know if the instructions in that document are helpful.


  5. Mahesh says:

    I think this is going to be a very useful (stand-alone) tool. I do have a question though-

    At the core, what is the difference between this tool and the UAC Evaluator that is included in AppCompat Toolkit?



  6. Denverite says:

    What a great tool.  I’ve downloaded it and plan on using/testing it this afternoon.  

    I do have one question regarding the SUA.  When running it in ‘diagnose’ mode, is virtualization turned off automatically or do you recommend turning it off via the Security Policy manager?

    Please advise.  Thanks.

  7. UACBlog says:


    First, let me introduce myself, my name is Steve Hiskey, and I am the Lead Program Manager for…

  8. Denverite says:

    So, I used SUA to analyze and diagnose an application.  I wish to save the log file to disk.  However, the ‘Export Log File’ option under the File menu item is disabled!  How is a log file exported or what am I missing?  Please advise.

  9. efratian says:

    I am not sure if this is really the right thread for this question, but give me a chance. We have an application running on XP, etc., that we are trying to adapt to Vista. I need to have process A, which is running with elevated privileges (after undergoing an elevation prompt at creation), to run process B without elevated privileges. It is a security risk to run it with elevated privileges. How do I do that? CreateProcess does not seem to allow for any flags to control the privilege level to be granted to the child process.

  10. Dan Mitchell says:

    For what it’s worth, there’s a bug in this tool as it stands — running it on our app, the resulting XML file contains non-standard ASCII characters (in particular, e acute), so it can’t read its own log files back in again, so there’s no way to get useful results out.

    I wrote a tiny app that strips out all bytes >128 from files to fix this, so now I can get useful info, but you folks at MS might want to see what could be going on here.

  11. Yu says:

    Dan, the issue with non-standard characters in the XML log file is due to a bug in the underlying Application Verifier used by Standard User Analyzer. It will be fixed in the next release of Application Verifier. Meanwhile, as a workaround, you can manually open the log file using notepad.exe (you can get the log file location from the "Debug Info" box in the “App Info” tab – it’s usually C:\Users\username\AppData\Local\Temp\app.exe.xml), save it using "UTF-8" format and reload it in Standard User Analyzer.
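
The two workarounds from comments 10 and 11 (dropping high bytes versus re-saving as UTF-8), compared in an added example that is not code from the commenters or from Microsoft. It assumes the log was written in the Windows-1252 ANSI code page; the sample log and its element names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a log fragment as an ANSI (cp1252) writer would emit it.
# Element and attribute names are made up for illustration; 0xE9 is "é".
SAMPLE_LOG = (
    b'<?xml version="1.0"?>\n'
    b'<log><entry path="C:\\Users\\Andr\xe9\\AppData\\Local\\Temp\\app.ini"/></log>\n'
)


def parses(raw: bytes) -> bool:
    """Return True if raw is well-formed XML for a conforming parser."""
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False


def strip_high_bytes(raw: bytes) -> bytes:
    """Drop every byte >= 0x80: the file parses, but characters are lost."""
    return bytes(b for b in raw if b < 0x80)


def reencode_to_utf8(raw: bytes, ansi_codepage: str = "cp1252") -> bytes:
    """Re-encode an ANSI log as UTF-8, leaving valid UTF-8 input untouched."""
    try:
        raw.decode("utf-8")  # already valid UTF-8: nothing to do
        return raw
    except UnicodeDecodeError:
        # Strict decoding: an unexpected code page fails loudly instead of
        # silently producing wrong characters in the paths being analyzed.
        return raw.decode(ansi_codepage, errors="strict").encode("utf-8")


def entry_path(raw: bytes) -> str:
    """Extract the path attribute of the first <entry> (constructed schema)."""
    return ET.fromstring(raw).find("entry").get("path")


if __name__ == "__main__":
    print("original parses:", parses(SAMPLE_LOG))
    print("stripped path:  ", entry_path(strip_high_bytes(SAMPLE_LOG)))
    print("re-encoded path:", entry_path(reencode_to_utf8(SAMPLE_LOG)))
```

Both variants make the file loadable, but only re-encoding keeps the logged resource paths identical to the ones the application actually touched.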

  12. Yu says:

    Denverite, the “Export Log File” option will only be enabled after the target application is closed and the log file is exported and loaded successfully. If for some reason the log file failed to export or load, this option is grayed out.  Take a look at the “Debug Info” box under the “App Info” tab, if you see any step that returns a non-0 exit code, that might be the cause. The log file is actually exported by SUA itself after you close the target application – it’s usually C:\Users\username\AppData\Local\Temp\app.exe.xml.

  13. Yu says:

    Denverite, the virtualization setting for the target application is the same as when you start the application without Standard User Analyzer. In other words, it’s usually on unless the target application is a system binary with a runlevel setting in its manifest. You can leave it on when using SUA.

    Virtualization is a stop-gap technology and it’s meant to help legacy applications run on Vista but in the long run, all new applications written for Vista should not rely on it. In fact, Vista Logo requires Vista-approved applications to run well with virtualization turned off.

  14. Yu says:

    Bryan, error 216 is ERROR_EXE_MACHINE_TYPE_MISMATCH.  Is your application a 64-bit application? Right now, Standard User Analyzer only works for 32-bit applications as we expect most legacy applications to be 32-bit applications.

    As for “StampLogFile” issue, did you have “Realtime Diagnosis” enabled? If so, try to disable it and see how it goes.

  15. новини says:

    Nice tool, when is it going open source?