!! Understanding UAC !!
Keywords: UAC Manifest User Account Control Windows Vista 7 8 8.1 RequestedExecutonLevel AsInvoker RequireAdministrator RequireAdmin HighestAvailable HighestAvail
At first glance UAC and Manifests can be a confusing topic. UAC was introduced starting with Windows Vista. UAC limits the privileges that applications run with by default, allowing meaningful corporate security policies to be enforced.
What does this mean to you, as a WinBatch script developer?
Most scripts do not require administrator privileges and should run fine as a standard user when compiled with the UAC manifest setting RequestedExecutionLevel: AsInvoker. Some functions or operations, however,
do require administrator privileges; move those pieces into a separate script that is compiled with the UAC manifest setting RequestedExecutionLevel: RequireAdministrator.
IMPORTANT: Always test your script running as a standard user. Scripts commonly fail in production because the developers haven't tested as a standard user.
Placement of compiled WinBatch scripts and any data files:
- User-specific scripts should be placed under %userprofile%, and any registry data for your script should be stored in the user's hive, HKEY_CURRENT_USER (HKCU).
- System-wide scripts should be placed under the %allusersprofile% directory. Create a directory specific to your script and allow users to write to it.
- Otherwise, you may choose to place your compiled script in the %ProgramFiles% directory, BUT keep in mind that writing there requires Administrator privileges.
Installation scripts:
It is very common to launch an application at the end of an installation script. Unfortunately, the application is often started under the wrong user context: because the user provided elevated credentials to perform the installation, the
application is created with the elevated user token. One recommendation is to create a bootstrapper EXE manifested AsInvoker. Read this section of the article for details: http://msdn.microsoft.com/en-us/magazine/cc163486.aspx#S15
Communicating between Processes in Different Security Contexts:
Windows Integrity Mechanism (WIM) defines different security (integrity) levels: Low, Medium, High, and System. Windows prevents lower-integrity processes from communicating with higher-integrity processes.
To enforce this, most Windows messages sent from a lower-privileged process to a higher-privileged process are blocked, with the decision based on the integrity levels of the two processes.
The token used to create the desktop runs at the medium integrity level, so by default everything runs with an integrity level of medium. When a user is prompted for elevation and gives consent, the resulting process is
created with the fully privileged token and has an integrity level of high.
Because of UAC there may be processes in the same desktop session that have full administrator privileges and others that are running with a standard user token.
UAC uses WIM to block Windows messages from being sent between processes of different privilege levels.
For example, suppose you are running on a system with UAC on, logged in as an Administrator, running a script manifested AsInvoker, and trying to send keystrokes to a process that is running elevated: your SendKeys/SendKeysTo calls will be ignored. To get the script
to work you will need to properly manifest your EXE using either HighestAvailable (if logged in as an admin) or RequireAdministrator (if logged in as a standard user).
Reference: http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/nftechsupt.web+WinBatch/UAC+SendKey~and~UAC.txt
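The manifest setting chosen at compile time ends up as the requestedExecutionLevel element of a standard Windows application manifest embedded in the EXE. The following is an added example (not from the original article or from the WinBatch compiler's own output) showing the AsInvoker manifest for the standard-user script, with comments covering the two elevated levels discussed above; the element names and namespaces are the standard Windows manifest schema.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example of a UAC application manifest (not the article's own file). -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          level="asInvoker"            : run with the caller's token, no UAC prompt.
                                         Use for the main script (standard-user work only).
          level="requireAdministrator" : always request elevation. A standard user gets a
                                         credential prompt and the EXE does not start without
                                         admin credentials. Use for the separated admin-only script.
          level="highestAvailable"     : consent prompt for an admin user (runs high integrity);
                                         a standard user runs unelevated with no prompt.
          uiAccess="false" is the normal setting; "true" is only for signed accessibility tools.
        -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

To confirm which level a compiled EXE actually carries, the Windows SDK's mt.exe can extract the embedded manifest: mt.exe -inputresource:MyScript.exe;#1 -out:MyScript.manifest (resource ID 1 is the conventional location for the manifest and is an assumption here; adjust it if the compiler stores it elsewhere).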
List of resources:
Article ID: W18308
Filename: !! Understanding UAC !!.txt
File Created: 2014:07:18:09:51:40
Last Updated: 2014:07:18:09:51:40