Winsock and Vista User Account Control

  • Article

As you might have heard, Vista introduces User Account Control (UAC) which is a security feature that enables users to perform some tasks as non-Administrators. This has an effect on LSP writers as the Winsock functions to install and remove LSP entries can only be called as an Administrator. On Vista there is a difference between the built in local Administrator account and users that are a member of the Administrators group. That is, users that are a member of the Administrators group are actually running with reduced privileges compared to the built in Administrator account.

The effect of this change is that the LSP install functions will return an access denied error unless the user is the built-in Administrator or unless the installing application is modified to prompt the user whether the installation should be allowed. The sample LSP has been updated to illustrate this change. The updated sample can be obtained from the Microsoft Connect website:

https://connect.microsoft.com

Once at the site, select 'available programs' from the navigation bar on the left side of the screen. You then need to join the 'WNDP' (Windows Network Developer Platform) group. From there the sample is available in the 'downloads' section.

In order for the install application to prompt a limited user whether to continue with the installation, an application manifest needs to be created. This is an XML file named the same as the installing executable with '.manifest' appended to the end (e.g. instlsp.exe.manifest). The manifest is pretty simple – it simply describes the application and indicates that the application requires administrative privileges to install correctly:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assembly xmlns="urn:schemas-microsoft-com:asm.v1"

manifestVersion="1.0">

<assemblyIdentity version="1.0.0.0"

name="instlsp.exe"

type="win32"/>

<description>instlsp - Sample LSP installer</description>

<!-- Identify the application security requirements. -->

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

<security>

<requestedPrivileges>

<requestedExecutionLevel

level="requireAdministrator"

uiAccess="false"/>

</requestedPrivileges>

</security>

</trustInfo>

</assembly>

Once the manifest is created, it simply needs to be referenced in the application’s resource file with the following directive:

#define MANIFEST_RESOURCE_ID 1

MANIFEST_RESOURCE_ID RT_MANIFEST "instlsp.exe.manifest"

You can take a look at the updated sample for the full details, but it is pretty straight forward.

There are a number of UAC related resources to find more information:

  • Getting Started with UAC

https://www.microsoft.com/technet/windowsvista/evaluate/feat/uaprot.mspx

  • UAC Developer Guidelines

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

  • UAC Blog

https://blogs.msdn.com/uac

  • UAC Question on Update

https://forums.microsoft.com/msdn/showpost.aspx?postid=111453&siteid=1

-- Anthony Jones (AJones)