WinBatch Tech Support Home

!! Understanding UAC !!

 Keywords: UAC Manifest User Account Control Windows Vista 7 8 8.1 RequestedExecutionLevel AsInvoker RequireAdministrator RequireAdmin HighestAvailable HighestAvail

At first glance, UAC (User Account Control) and manifests can be a confusing topic. UAC was introduced in Windows Vista. It limits the privileges that applications run with by default, which allows meaningful corporate security policies to be enforced.

What does this mean to you, as a WinBatch script developer?

Most scripts do not require administrator privileges and run fine as a standard user when compiled with the UAC manifest setting RequestedExecutionLevel:AsInvoker. However, some functions or operations do require administrator privileges. Move those pieces into a separate script that is compiled with the UAC manifest setting RequestedExecutionLevel:RequireAdministrator.

IMPORTANT: Always test your script running as a standard user. Scripts commonly fail in production because the developers haven't tested as a standard user.

Placement of compiled WinBatch scripts and any data files:

Installation scripts:

It is very common to launch an application at the end of an installation script. Unfortunately, the application is often started under the wrong user context: the user provided elevated credentials to perform the installation, so the application is created with the elevated user token. One recommendation is to create a bootstrapper EXE manifested AsInvoker. Read this section of the article for details: http://msdn.microsoft.com/en-us/magazine/cc163486.aspx#S15

Communicating between Processes in Different Security Contexts:

Windows Integrity Mechanism (WIM) defines different security (integrity) levels: Low, Medium, High, and System. Windows attempts to prevent lower-privileged processes from communicating with a higher-privileged process. To enforce this, most Windows messages are no longer sent from lower-privileged processes to higher-privileged processes, and the decision is based on the integrity level.

The token used to create the desktop runs at the medium integrity level, so by default everything runs with an integrity level of medium. When a user is prompted for elevation and consents, the resulting process is created with the fully privileged token and has an integrity level of high.

Because of UAC there may be processes in the same desktop session that have full administrator privileges and others that are running with a standard user token. UAC uses WIM to block Windows messages from being sent between processes of different privilege levels.

For example, suppose you are running on a system with UAC on, logged in as Administrator, running a script manifested AsInvoker, and trying to send keystrokes to a process that is running elevated. Your SendKey/SendKeysTo calls will be ignored. To get the script to work, you will need to manifest your EXE properly, using either HighestAvailable (if logged in as an admin) or RequireAdministrator (if logged in as a standard user). Reference: http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/nftechsupt.web+WinBatch/UAC+SendKey~and~UAC.txt
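
The integrity-level comparison behind that scenario, as an added example (Python, not WinBatch code and not part of the original article). It reads the Mandatory Label entry from `whoami /groups /fo csv /nh` output; the two samples are constructed, and the function names are hypothetical.

```python
import csv
import io

# Well-known Mandatory Label RIDs (the last part of SID S-1-16-<rid>).
INTEGRITY_LEVELS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Constructed sample: admin account, script manifested AsInvoker (not elevated).
SAMPLE_ASINVOKER = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'''

# Constructed sample: the same account after consenting to the elevation prompt.
SAMPLE_ELEVATED = r'''"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""
'''


def integrity_rid(whoami_csv):
    """Return the integrity RID from `whoami /groups /fo csv /nh` output."""
    for row in csv.reader(io.StringIO(whoami_csv)):
        # Columns: group name, type, SID, attributes.
        if len(row) >= 3 and row[2].startswith("S-1-16-"):
            return int(row[2].rsplit("-", 1)[1])
    raise ValueError("no Mandatory Label (S-1-16-*) entry found")


def level_name(rid):
    """Name the highest well-known level at or below rid (8448 -> Medium)."""
    name = "Untrusted"
    for known in sorted(INTEGRITY_LEVELS):
        if rid >= known:
            name = INTEGRITY_LEVELS[known]
    return name


def input_blocked(sender_csv, target_csv):
    """True when the sender's integrity level is below the target's."""
    return integrity_rid(sender_csv) < integrity_rid(target_csv)


if __name__ == "__main__":
    for label, text in (("script", SAMPLE_ASINVOKER), ("target", SAMPLE_ELEVATED)):
        print(label, level_name(integrity_rid(text)))
    print("keystrokes ignored:", input_blocked(SAMPLE_ASINVOKER, SAMPLE_ELEVATED))
```

To compare real processes, capture the `whoami` output once from the context the script runs in and once from an elevated prompt, then pass both strings to `input_blocked`.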

List of resources:


Article ID:   W18308
Filename:   !! Understanding UAC !!.txt
File Created: 2014:07:18:09:51:40
Last Updated: 2014:07:18:09:51:40