One of the many reasons why I love my job so much is that I am so consistently faced with problems that are difficult to sort out. Well, not that I like the sensation of being stumped, but I sure do like the sensation of figuring out what was happening. (Obviously even more so if the solution is non-trivial.) And one of my goals is to share this knowledge here, so you don't have to spend as much time being stumped as I did.

Working with a customer application, they had found a number of LUA bugs, and with UAC enabled on Windows Vista they were going to present a serious problem. Unfortunately, they depend on the makers of third party components who also had LUA bugs, and the schedule for updated UAC-compliant components did not align with their own. So, in the interim, they just had to manifest their application as requireAdministrator, which will cause it to prompt when you want to run it. Yes, of course they weren't excited about doing that (who is?), but with Windows Vista's consumer release just around the corner there is a serious time constraint.

So, we just cooked up our UAC XML manifest and applied it to the binary. The shell immediately responded, as it should have - it began showing a shield icon on top of the application icon. Yet, mysteriously, when we double clicked on the application to launch it, we didn't see the secure desktop asking us to approve the authorization / provide credentials. We were just launching the application non-elevated. Huh? I scratched my head. A lot. Then I scratched it some more. Obviously I had the manifest syntax correct, or else it wouldn't have shown the shield icon in the shell. So what was going on here? More head scratching.

As it turns out, when I started poking around the binary itself, I found a little flag set: the ALLOWISOLATION:NO flag. This is a flag that really should be avoided in just about every circumstance. It tells the loader specifically not to process the manifest for side-by-side (or UAC, which is new in Vista). So, the loader wasn't ever reading the manifest because the binary itself was telling it not to. We just used editbin.exe /ALLOWISOLATION to reset this flag to its normal state, and things were back to normal. Everything was fine.

Which then brought us to the next question - why was the shell reading the manifest, but not the loader? I went back and forth on this one for a bit, but in the end I believe it is doing the right thing. The shield icon is saying that this executable will require elevation immediately. And, in fact, it does. Just because we directed the loader to ignore the manifest does not negate this simple fact.

So, if you run across a scenario where Explorer is showing the shield icon, you have UAC enabled, but you don't see a consent dialog, take a look at the ALLOWISOLATION:NO flag - this may be your culprit!
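As an added example (not code from the original post), here is a small Python check that reads the DllCharacteristics field of a PE image's optional header and reports whether the IMAGE_DLLCHARACTERISTICS_NO_ISOLATION bit (the one the linker's /ALLOWISOLATION:NO option sets) is present, so you can tell before launching whether the loader will honour the embedded manifest. The build_stub helper constructs a header-only PE purely for the demonstration; point the script at a real .exe to check it.

```python
import struct

# Bit in IMAGE_OPTIONAL_HEADER.DllCharacteristics set by link.exe /ALLOWISOLATION:NO
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION = 0x0200
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (size_of_opt,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    if size_of_opt < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    opt_hdr = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF file header
    (chars,) = struct.unpack_from("<H", image, opt_hdr + DLLCHARACTERISTICS_OFFSET)
    return chars


def isolation_disabled(image: bytes) -> bool:
    """True when the loader will skip the embedded manifest (side-by-side and UAC)."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NO_ISOLATION)


def build_stub(dll_chars: int) -> bytes:
    """Constructed header-only PE32 image (no sections), just enough to parse."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)  # i386, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 68, 2)     # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        state = "NO_ISOLATION set: manifest ignored" if isolation_disabled(data) else "isolation allowed"
        print(f"{path}: {state}")
```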