Windows Vista Security Guide 1.2 Released

We have identified an issue with version 1.1 of the Windows Vista Security Guide, which caused some of the group policy objects to not be created correctly. If you have downloaded version 1.1, which was available for download from December 4, 2006 through December 14, 2006, please download version 1.2 from More information about this issue is available at

We apologize for any inconvenience.

Kelly Hengesteg
Senior Program Manager
Microsoft Security & Compliance Solutions

Comments (11)

  1. Microsoft identified an issue with v1.1 of the above-mentioned topic title. Issue : Some of the group

  2. Jorge Coelho says:

    Sorry for this being OT to this post, but due to the lack of documentation on MSDN about the subject and given that Vista is 4 days away from being released to consumers, here goes:

    Some of my applications, being UI enhancers, need to manipulate other windows in order to minimize, maximize, bring them to the foreground, etc… Nothing that would compromise security.

    In Vista, applications cannot send messages to others running with higher privileges, so when my application tries to, say, unminimize a UAC prompt, nothing happens. After searching high and low and fighting with the disturbingly minimal information presented about this on MSDN, I came across a post by Aaron Margosis where he states that:

    "If you do need uiAccess enabled, then the executable needs to be digitally signed, and must be installed under %windir% or %ProgramFiles%."

    "uiAccess=true—The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop."

    So, apparently, without digitally signing my application it will not work correctly in Vista. I also need a manifest embedded in the executable with the uiAccess flag set to true.

    My questions are the following:

    1 – Is the Admin privilege required if you set uiAccess to true? (I’m under the impression that it is not, and I would not want my applications to require elevation by the user just so they are able to minimize and restore other windows).

    2 – An application belonging to a competitor is able to manipulate other windows in Vista, while running with normal privileges. However, after examining it, I do not see the uiAccess flag specified on its manifest. Is ‘uiAccess=true’ really required to minimize, etc, other windows or is digitally signing an application enough?

    3 – Assuming uiAccess is set to true, my application is digitally signed, it’s installed in %Program Files% and is running with normal privileges: besides being able to manipulate other windows, will higher privilege applications now accept files dragged & dropped from my application?

    4 – Not really a question, but a complaint: since the application needs to be installed onto a trusted location on the hard drive in order to obtain the uiAccess privilege, this means my application will cease to function correctly if the user decides to install it anywhere else other than %Program Files% (for instance, in a folder at the root of the C: drive). This not only creates problems for me (how to ensure the external setup application I’m using forbids the user to install the app outside %Program Files%) as it prevents the user from organizing *his* hard drive and programs how *he* wants.

    5 – After compilation, data critical to license key validation is appended to the end of my application’s executable file. This data is read every time my application is run. Since a Digital Certificate also appends data to the end of an executable, how can I get the two to work together? i.e.; if I append the data AFTER signing the application, won’t it complain later about code tampering? If I append the data before, how would my application then know WHERE to look for it?

    6 – One of my ‘applets’ is a CPU monitor displaying CPU performance data (i.e.; it displays the top 3 or so tasks using the most CPU at any given time and the percentage of CPU used by each). Under Vista RC1 I noticed that PDH fails to return CPU usage data *unless* the application is running with admin privileges (see for a post by someone else complaining about the same issue). Has this been fixed in Vista RTM or is it now also a Vista ‘feature’? And, if the latter, how can I restore previous functionality without having to elevate my application?

    Sorry for the long post, and I would really appreciate a reply even if it is to answer just a *few* of my questions.

    Thanks and Best Regards,

    Jorge Coelho

    Winstep Xtreme – Xtreme Power! – Winstep Software Technologies


  3. rajkishore says:

    windowsvista please send it to

  4. Windows Integrity Levels says:

    I want to know more about Windows Integrity Levels. Please post more info about that.

    Why is Vista not using MAC and only implementing mandatory integrity control?

  5. ... says:

    I am telling my friends about this site. Interesting!

  6. dek says:

    What is this? It's just released but so many issues?

  7. dek says:

    What is this? It's just released but so many issues?

  8. Carmelo Lisciotto says:

    So many issues with Vista can be viewed as a potential opportunity for the IT consultancy firms 🙂

    Carmelo Lisciotto

  9. Dan Becker says:

    Hey, over on the UAC blog, you promised to give away free shwag if you didn’t post for a whole month.

    I think you owe us some shwag! 🙂

    But seriously, I’m sad to see no posting since January. There’s a ton of stuff to be talking about! At least consider doing a post with ‘hey, this blog is basically dormant, but here are a bunch of other ‘softie blogs covering Vista security.’

  10. LinkDir says:


    Very good site. You are doing a great job.


  11. markovich says:

    So many issues with Vista can be viewed as a potential opportunity for the IT consultancy firms 🙂