Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Vista

Managing Client Protection : User Account Control (part 2) - UAC User Interface, How Windows Vista Determines Whether an Application Needs Administrative Privileges

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
4/28/2013 11:33:10 AM

3. UAC User Interface

Windows Vista uses a shield icon to indicate which features of an application require elevated rights. For example, standard users can run Task Manager (as shown in Figure 3), but they will need administrative credentials if they click the Resource Monitor button. The shield icon serves to warn users before they attempt to access a feature they might not have sufficient privileges for.

Figure 3. The shield icon on the Resource Monitor button indicates that this function requires elevation.


By default, the consent or credential prompt appears on the secure desktop. The secure desktop freezes and darkens the entire desktop except for the UAC prompt, making it very difficult for malware to trick you into providing consent.

How It Works: Secure Desktop

The secure desktop actually makes a bitmap copy of the current screen, and then alpha-blends it to darken it. To prove that it’s a bitmap copy, open Task Manager, click the Performance tab, and notice how the CPU Usage History chart updates. Then, attempt to open Computer Manager. When the UAC prompt appears, Task Manager stops updating. Task Manager continues to draw the graph in the background, even though it’s not visible—this will be apparent if you wait a few seconds and then close the UAC prompt.


UAC prompts are color-coded to indicate the level of risk associated with the application:

  • If the top portion of the dialog is red, policy will prevent the application from running and users do not have the option of allowing it to run.

  • If the top portion is yellow, as shown in Figure 4, the application is unsigned, or it’s signed but the certificate is not trusted.

    Figure 4. UAC prompts are color-coded.

  • If the top portion is green, it indicates that the application is a component of Windows Vista, such as the Microsoft Management Console (MMC), as shown earlier in Figure 2.

  • If the top portion is gray, the application is signed and trusted by the local computer.

When training users, point out the color coding. Tell them to pay particular attention to yellow prompts, which indicate an increased risk of the application being malicious.

4. How Windows Vista Determines Whether an Application Needs Administrative Privileges

Windows Vista examines several aspects of an executable to determine whether it should display a UAC prompt before running the application:

  • Application properties Users can select the Run As Administrator check box for executable files.

  • Application manifest A description of the application provided by the application developer which can require Windows Vista to run the program as an administrator.

  • Application heuristics Aspects of the application that might indicate it requires administrative privileges, such as being named “Setup.exe”.

The sections that follow describe each of these aspects and show you how to configure applications so that they always require elevated privileges (which is important if an application does not work properly without elevated privileges but UAC does not automatically prompt the user).

How to Control UAC Using Application Properties

If the application does not automatically run with administrative credentials, you can right-click the application and then click Run As Administrator. If you deploy an application to users, however, you should configure the application to automatically prompt the user if it does not. To mark an application to always run with administrative credentials, follow these steps:

1.
Log on using administrative credentials, but do not use the built-in Administrator account.

2.
Right-click the application, and then click Properties.

3.
Click the Compatibility tab. If you want other users on the same computer to run the application with administrative privileges, click Show Settings For All Users.

4.
Under Privilege Level, select the Run This Program As An Administrator check box, as shown in Figure 5. Click OK. If the check box is not available, it means that the application is blocked from always running elevated, the application does not require administrative credentials to run, the application is part of the current version of Windows Vista, or you are not logged into the computer as an administrator.

Figure 5. You can mark an application to always run with administrative credentials.


You only need to mark applications that require administrative credentials but do not cause UAC to automatically prompt the user. You cannot set privilege level for Windows components, such as the command prompt. Instead, you should always right-click them and click Run This Program As An Administrator.

How UAC Examines the Application Manifest

For applications to receive a Certified For Windows Vista logo, they must include an embedded requested execution level manifest that specifies the privileges required. The privilege level is one of the following:

  • asInvoker or RunAsInvoker The application runs using the standard user privileges, and will not initiate a UAC prompt.

  • highestAvailable or RunAsHighest The application requests privileges higher than standard users and generates a UAC prompt. However, if the user does not provide additional credentials, the application will run anyway, using standard privileges. This is useful for applications that can adjust to either higher or lower privilege levels, or for applications that might need more privileges than a standard user, but fewer than a full administrator. For example, backup applications typically need the user to be a member of the Backup Operators group, but do not require the user to be a member of the Administrators group.

  • requireAdministrator or RunAsAdmin The application requires administrative privileges, generating a UAC prompt. The application will not run with standard privileges.

Note

To add a manifest to existing applications, use the Application Compatibility Toolkit, which you can download at http://go.microsoft.com/fwlink/?LinkId=23302. To diagnose issues that would prevent a program from running properly as a standard user, use the Microsoft Standard User Analyzer tool, available at http://www.microsoft.com/downloads/details.aspx?FamilyId=DF59B474-C0B7-4422-8C70-B0D9D3D2F575


UAC Heuristics

If you run an application setup file, UAC will prompt you for administrative credentials. This makes sense, because most installation routines require elevated privileges. However, installers created before Windows Vista do not include a manifest, so Windows Vista has to heuristically detect which executables are setup files.

To do this, Windows Vista examines 32-bit executables without a requested execution level manifest that would be run with standard privileges. If the executable meets those requirements and has a file name or metadata that includes keywords such as install, setup, or update (or several other indicators that it might be an installer), UAC prompts for elevated privileges before running the file. If UAC does not prompt you for administrator credentials for an install, right-click the setup file and then click Run As Administrator. Without administrative privileges, most installations will fail.

Other -----------------
- Maintaining Desktop Health : Using Task Scheduler (part 5) - Scheduled Tasks Events, Troubleshooting Task Scheduler
- Maintaining Desktop Health : Using Task Scheduler (part 4) - Managing Tasks
- Maintaining Desktop Health : Using Task Scheduler (part 3) - Creating New Tasks
- Maintaining Desktop Health : Using Task Scheduler (part 2) - Task Scheduler Security, Task Scheduler User Interface
- Maintaining Desktop Health : Using Task Scheduler (part 1) - Task Scheduler Architecture
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 4) - Using the Problem Reports And Solutions Control Panel
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 3) - Architecture of Windows Error Reporting, Configuring Windows Error Reporting
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 2) - Conceptual Components
- Maintaining Desktop Health : Understanding Windows Error Reporting (part 1) - Error Reporting Cycle, Report Data Overview
- Maintaining Desktop Health : Using Performance Information And Tools
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server