Since I was talking about configuring UAC on Windows Vista and Windows 7 a bit yesterday, I thought it made sense to bring up another policy whose actual use may not be obvious based on the name.

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

We talked about the secure desktop – but what is this UIAccess all about? Well, you can get details here:

http://msdn.microsoft.com/en-us/library/ms742884.aspx

But rather than going deep, let’s look at the manifest for msra.exe (Microsoft Remote Assistance):

sigcheck -m c:\windows\System32\msra.exe

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

"c:\windows\system32\msra.exe":
        Verified:       Unsigned
        File date:      11:47 PM 12/12/2008
        Publisher:      Microsoft Corporation
        Description:    Windows Remote Assistance
        Product:        Microsoft« Windows« Operating System
        Version:        6.1.7000.0
        File version:   6.1.7000.0 (winmain_win7beta.081212-1400)
        Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-micr
osoft-com:asm.v3" manifestVersion="1.0">
    <assemblyIdentity
        version="5.1.0.0"
        processorArchitecture="amd64"
        name="Microsoft.Windows.RemoteAssistance"
        type="win32"
    />

    <description>Remote Assistance</description>

    <dependency>
        <dependentAssembly>
            <assemblyIdentity
                type="win32"
                name="Microsoft.Windows.Common-Controls"
                version="6.0.0.0"
                processorArchitecture="amd64"
                publicKeyToken="6595b64144ccf1df"
                language="*"
            />
        </dependentAssembly>
    </dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="asInvoker"
                uiAccess="true"
            />
        </requestedPrivileges>
    </security>
</trustInfo>
<asmv3:application>
   <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSe
ttings">
        <dpiAware>true</dpiAware>
        <autoElevate>true</autoElevate>
   </asmv3:windowsSettings>
</asmv3:application>
</assembly>

I think of this policy as the “give helpdesk the ability to elevate” policy.

(Obviously this only works if you don’t configure the policy to auto-deny elevation requests by standard users.)