Identification of Administrative Applications

re: Identification of Administrative Applications

Brian — Sat, 14 Jan 2006 05:19:13 GMT

Uh, isn't this a huge gaping security hole? If I was a malware author wouldn't it be easily within my capabilities to duplicate a number of those heuristics (such as including a bunch of installshield string resources and naming the executable setup.exe) and thus trick the system into running my badness with elevated privileges? How in the world is this not ripe for abuse?

On Raymond Chen's blog he's talked in detail in the past about how when they were designing some of the shell APIs for windows 95 they made it easy for a program to place itself preferentially on the start menu. And then authors abused the heck out of that, placing themselves at the top of the menu instead of the standard place, which forced MS to add code in XP so that programs couldn't manipulate the start menu any more. And similarly for "bring to front", which necessitated the "don't let programs steal focus" flashing taskbar added in 2k. Won't this just be another thing that lazy/malicious software will use to get around a well-meaning restriction?

How does running with dropped privileges by default achieve anything if all a program has to do to get the "SUID bit" is to call itself setup.exe?

re: Identification of Administrative Applications

Mr. FACT — Sat, 14 Jan 2006 05:33:59 GMT

This is very helpful

re: Identification of Administrative Applications

mgm — Sat, 14 Jan 2006 16:56:47 GMT

If I have documents located in a folder with rights only given to the Administrators group, is there any way from within an unprivileged application, such as Word, for a user in the Administrators group to open and edit documents in that folder? Will the File Open dialog prompt if you try and open a file in that folder?

re: Identification of Administrative Applications

Andy C — Tue, 17 Jan 2006 12:38:34 GMT

Brian: Not it's not a security hole, because it doesn't work like SUID. By default all executables will run with limited privileges, the above conditions just identify the situations in which Vista will prompt you to allow elevated execution - you still get the chance to say no.

re: Identification of Administrative Applications

hn — Tue, 17 Jan 2006 21:54:28 GMT

Is there a way to prompt the permission dialog programmatical way? So my application still running fine with regular permission. Once my API which requires Administrator privilliege is called, I will call windows API to ask for the permission?

re: Identification of Administrative Applications

User Account Control Team — Fri, 20 Jan 2006 03:32:12 GMT

I'll respond to a couple of the comments.

mqm's question: If the ACLs are set on a file to only allow access by Administrators, then when running with your non-admin token, you would not have access to these files. One solution is to ACL the files so they are owned by the user not by the Administrators group.

hn's question: There is no way to obtain admin privs for a process once it is created. If your app needs to perform an admin operation, you'll need to launch the program elevated up front.

re: Identification of Administrative Applications

UAC — Tue, 24 Jan 2006 09:17:46 GMT

Where do I find documentation for CoCreateInstanceAdmin()?

re: Identification of Administrative Applications

User Account Control Team — Tue, 24 Jan 2006 19:39:10 GMT

You can find info about CoCreateInstanceAdmin() here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

Thanks,
Jenn

re: Identification of Administrative Applications

UAC — Tue, 24 Jan 2006 21:15:03 GMT

Funny... That doesn't tell me if it initializes the COM objects in Proc or out of Proc and the paramters for the function. I can't find anything on in the 5270 CTP release of the platform SDK.

Vista LUA (or now UAC)

Dinis Cruz @ Owasp .Net Project — Mon, 30 Jan 2006 15:10:20 GMT

Note: LUA (Least User Access) has been
renamed UAC (User Access Control) which is a much better name...

re: Identification of Administrative Applications

Anonymous — Sat, 11 Feb 2006 03:04:07 GMT

This is a great idea in general, but it doesn't seem perfect to me. You give full admin rights to anything that requests them, and all installers are going to do.

Some commercial apps habe been bundled with spyware and the like, some others have a broken installer that does damage or leaves trash.

So, letting an regular app installer run with full admin rights is dangerous. A better course of action would be:

* Let it create a NEW dir in Program Files and write ONLY inside it. If it tries to wite DLLs to Windows or System32, "virtualize" them.

* Let it CREATE new shoucuts, registry settings, and whatever is needed to create an uninstaller.

But that's it. No driver installs. No changes to the system folders. No changes on the program files of other installed applications. No changes on system-wide settings. No adding to startup/autorun. You get the idea.

There's an "advanced user" or something like that account in 2000/XP that is something similar, I think. Never looked into it.

re: Identification of Administrative Applications

kevin — Thu, 16 Feb 2006 05:59:17 GMT

If one of threads of a process calls Impersonate() or LogonAsUser() API to elevate itself to a privileged user and access some system resource and I don't provide explicit declaration in menifest file that this application need to run with elevation mode, then what will happen if a standard users or a admin user launch this application? Thanks

ShellExtensions and UAC

Hermann Schinagl — Wed, 05 Apr 2006 14:57:07 GMT

Hi

Can you give me a hint how to let my shellextension create symbolic links?

More in Detail: May ShellExtension calls CreateSymbolicLink, which needs at least a manifest containing 'requestedExecutionLevel level="highestAvailable"' or you get GetLastError=ERROR_PRIVILEGE_NOT_HELD
from CreateSymbolicLink. ok, added the manifest, copied the shellextension to the right place, restarted explorer.exe... and...
Nothing.

Taking a look at the privileges available for explorer.exe via procexp from sysinternals, I can see, that explorer still has its crappy least privileges assigned to it.

How do I proceed?

BTW: It is stupid to have 'requestedExecutionLevel level="highestAvailable"' in the manifest, when I only need SeCreateSymbolicLink. Why is there now finer granularity?

Ciao Hermann

re: Identification of Administrative Applications

Robert Barnett — Fri, 21 Apr 2006 17:39:53 GMT

Can we use this with web applications?

re: Identification of Administrative Applications

David — Fri, 28 Apr 2006 19:52:44 GMT

I agree with hn. There really needs to be an API that will prompt the user to move the application to an elevated privilege status. Consider an application that has no installer, but the application has menu items for "Register file types" and "Unregister file types." There could also be an API for restoring the application to its previous privilege status after completing a couple privileged operations.

re: Identification of Administrative Applications

Will — Sun, 14 May 2006 20:33:00 GMT

(experimenting with Build 5380 atm)

THere appears to be no way of running an application that says it needs admin mode in a non admin mode. e.g. something that is detected by heuristics - for example a file called setup.exe) but you don't want to run it with admin.

Are you guys planning to put this in?

Will

IS THERE AN ELEVATION WITHOUT ANY PROMPTS ?

security — Sun, 04 Jun 2006 13:29:21 GMT

"Run this program as administrator"

I am having troubles understanding this feature. In Beta2 , If I mark certain app with "Run this program as administrator" , it always asks me for Elevation!!! Is this the correct behavior ? . I thought the intention of this feature was to mark certain app to start administratively without prompting a user ???

Thanks

PLEASE HELP - "Run this program as administrator"

security — Sun, 04 Jun 2006 13:30:12 GMT

re: Identification of Administrative Applications

Aaron Margosis — Mon, 05 Jun 2006 05:05:50 GMT

To "security" - marking the program to run as administrator means that you will ALWAYS be prompted before it starts. You're saying, in effect, "this app needs elevated privileges - don't even bother running it if it can't run elevated." Nothing runs elevated without a protected interactive consent from an administrator. The behavior you're describing is akin to the SUID behavior in Unix, and that is not implemented in Windows. SUID has been a major source of EoP (elevation of privilege) security issues on Unix platforms, because it is *incredibly* hard to ensure that an app with the SUID bit set will perform ONLY the operations its designers (or the SUID-bit setter) intended, and that those operations don't have any undesired side-effects.

UAP is blocking my ASP application

John — Thu, 06 Jul 2006 14:53:42 GMT

Hi,

I have an ASP (not an ASP.NET) application accessing Sql Server 2005 database installed in Vista Beta 2 (Build : 5384). I am unable to access my application in server. UAP is blocking my application. I dont want to change system level UAP configuration using msconfig or secpol.msc.
Can any one suggest me some idea to change application level UAP configuration.

Thanks in Advance.

-John-

re: Identification of Administrative Applications

JianFei Liao — Wed, 12 Jul 2006 10:32:22 GMT

Can I mark an application to "run as admin" by putting the manifest file into the same folder with the .exe file ( I mean, not use the mt.exe to embed the manifest into the .exe file)?

It seems work sometimes but not always. Is this a feature of Vista by design? Or just some heritage "bonus" from XP so we can't count on it...

re: Identification of Administrative Applications

Paul Sanders — Wed, 12 Jul 2006 21:47:57 GMT

Does anybody know if there actually is an API hidden away somewhere to (temporarily) elevate an application's privileges so that it can, for example, write something to the HKLM registry tree? If not, there certainly should be.

LogonUser does not fit the bill as the caller has to provide account credentials (user ID and password), whereas UAC prompts the user for these (if appropriate).

I have noticed that the User Accounts Control Panel seems to behave as if such an API exists (try clicking on 'Manage Another Account').

re: Identification of Administrative Applications

Paul Sanders — Wed, 12 Jul 2006 21:54:15 GMT

re: Identification of Administrative Applications

Daniel Sinclair — Mon, 24 Jul 2006 15:03:25 GMT

When launching certain (legacy) apps Vista uses hueristics to establish whether it needs to run as admin or not if its not specifically tagged. Applications like Sql Managment Studio, the Windows MMC.exe and Orca all look like they're using the kinds of APIs that need admin privs but in fact non of them do (although it depends on the command line or snap in loaded with MMC).

When Vista asks me whether I'd like to elevate this application, I'd like to have a checkbox that remembered if my selection was, "No this app doesn't need to run as admin, despite what it might look like, so don't ask me again".

re: Identification of Administrative Applications

Aaron Margosis — Mon, 24 Jul 2006 15:15:22 GMT

@Daniel Sinclair: That checkbox won't happen in Vista. It would be too open for abuse, just like SUID in *nix platforms.

re: Identification of Administrative Applications

Daniel Sinclair — Mon, 24 Jul 2006 17:18:25 GMT

With regard to the UAC dialog asking me whether I want to run as admin or not, I should have said that I'd like three choices, not two. One to run as admin, another to run as non-admin and finally not to run at all. I'd like a checkbox that allows me to 'remember' whether a legacy application (that Vista has failed to successfully identity using heuristics needs admin privs) can run without admin privs, and not ask me next time.

In the current implementation I find that I'm having to run some apps as admin when they don't need to. Without UAC, and running as non-admin by default I had a choice, so UAC is less secure for those organisations already embracing runnig as non-admin on XP.

re: Identification of Administrative Applications

Aaron Margosis — Mon, 24 Jul 2006 21:00:32 GMT

@Daniel Sinclair: actually, tools like RegEdit and MMC.exe are marked to run as "highestAvailable", not as "requireAdministrator". If the current user is a member of the Administrators group, s/he will be prompted for elevation - the app will run elevated or not at all. But if the user is a Standard User and cannot elevate in-place without using a different account, the tool will simply run with Standard User privileges. The tool can still be run elevated by right-clicking it and choosing "Run as administrator". So a solution to your problem could be to run as Standard User, and use a separate admin account for running apps elevated.

re: Identification of Administrative Applications

Andy Champ — Wed, 26 Jul 2006 18:16:51 GMT

Aaron,
you're missing the point. There are legacy apps that don't have a manifest, and which Vista looks at and decides need elevated rights.

Daniel has asked for a feature I've wanted too - I want to be able to say "YOU might think this app needs elevation, but you're wrong. Run it without". Having a checkbox saying "... and I never want it to be elevated" also seems a good idea.

You seem to be saying this is a security risk. Having a box that says "Run this guy elevated every time, and don't ask me" is a risk. How can a feature that says "do NOT elevate" be a security risk? It's no more a security risk than planting a manifest in the same folder!

Andy

re: Identification of Administrative Applications

Aaron Margosis — Thu, 27 Jul 2006 10:30:17 GMT

@Andy Champ - you're right, I misread the previous messsage.

re: Identification of Administrative Applications

HF Kok — Fri, 04 Aug 2006 06:25:45 GMT

Hi Guys,
I'm having problem on copying .sys file into the System32/drivers folder. Is there anyway that i could make this happen?

The error msg pop out is
"You need to provide administrator credentials to copy to this folder"

Can anyone how can i get the admin privileges?

re: Identification of Administrative Applications

Shajeer — Fri, 01 Dec 2006 13:06:41 GMT

Application fails to start under Vista after implementing the manifest.It displays the error "A referral was returned from the server."

The manifest rights is

<requestedExecutionLevel level="requireAdministrator"

uiAccess="true"/>

It works fine if the access rights for uiAcess is set to false

<requestedExecutionLevel level="requireAdministrator"

uiAccess="false"/>

Kindly advice...

-Shaj

Do you really need uiAccess=true? That capability is generally intended only for accessibility utilities. If you do need uiAccess enabled, then the executable needs to be digitally signed, and must be installed under %windir% or %ProgramFiles%.

HTH

-- Aaron Margosis

re: Identification of Administrative Applications

Shajeer — Mon, 04 Dec 2006 12:39:24 GMT

Thanks for your quick reply..

How to get our software digitally signed?

Let us know whether any functionality will fail if the uiAccess is set to false?

(Detailed Explanation will be helpful)

We are installing our application in %ProgramFiles% path only.

Basically our intention is, whenever our application is launched it should launch in administrator mode without any hassle for the users.

Kindly help us resolve our issue..

What does your app do that requires it to run with administrator privileges? Does it perform system-administrative tasks, or is it just a regular application that happens to write to protected, system-wide locations in the registry and file system? If it's the latter, you and your users would be much better off changing the app so that it doesn't need admin privileges to begin with.

If by "without any hassle for the users" you mean "without being prompted for elevation", you can't do it.

Various developer-oriented UAC issues are written up here, including this bit about uiAccess ("false" is the right setting for the vast majority of apps):

uiAccess

false—The application does not need to drive input to the UI of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true.
true—The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop. This setting should only be used for UI Accessibility applications.

-- Aaron Margosis

re: Identification of Administrative Applications

Shajeer — Tue, 05 Dec 2006 15:05:41 GMT

Question No 1:

--------------

We need the administrator rights because

1) We are getting the harkdisk number for registration purpose.

2) We are writing the values in registry under HKEY_CLASSES_ROOT and also in HKEY_CURRENT_USER,HKEY_LOCAL_MACHINE

for various purposes.

3) We use SendMessage and PostMessage APIs to send messages to other applications.

4) We use hooks for setting keyboard shorcuts.

5) We do send requests to our servers to check for updates and then downloads the updated components if any.

Let us know whether all the above can be accomplished with setting uiAccess = false.

Question No 2:

--------------

If we install our software in some other path say D:\TestApplication rather than installing in %programfiles% will it create any problem in performing any tasks.

Kindly advice.

re: Identification of Administrative Applications

Shajeer — Fri, 08 Dec 2006 08:54:10 GMT

Hello Aaron Margosis

I have another problem.

With repect to one application even if i had specified in the manifest file as "require amninistrator", it is not asking for require elevation. It just opens in standard user rights.

But it works for all other appliacation, except one which is a larger application when compared to others.

Kindly advice.

re: Identification of Administrative Applications

Henryk Birecki — Tue, 12 Dec 2006 22:23:33 GMT

Where do I find CoCreateInstanceAdmin. The most recent SDK (Oct (Nov?) 2006) does not have it. No information on it seems to exist except on one MSDN page that directs one to use it.

re: Identification of Administrative Applications

Shajeer — Wed, 17 Jan 2007 15:38:13 GMT

My Manifest file not working

I have included the following lines in "MyApplication.rc2"

#define MANIFEST_RESOURCE_ID 1

MANIFEST_RESOURCE_ID RT_MANIFEST "MyApplication.exe.manifest"

And the contents of manifest file is as follows

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assemblyIdentity version="1.0.0.0"

processorArchitecture="X86"

name="MyApplication"

type="win32"/>

<description> MyApplication requires the administravtive priveligaes</description>

<requestedExecutionLevel

level="requireAdministrator"

uiAccess="false"/>

</requestedPrivileges>

</security>

</trustInfo>

</assembly>

But when I try to launch the application it is still launching in StandardUser Mode, and the Admin Shield is missing.

Please do help to fix the problem.