“Certified for Windows Vista” Software Logo Requirements

re: “Certified for Windows Vista” Software Logo Requirements

PatriotB — Thu, 29 Jun 2006 06:55:22 GMT

If I remember correctly, even the logo guidelines for Windows 2000 called for compatibility with least-privileged user accounts. Still didn't seem to help things any. :(

re: “Certified for Windows Vista” Software Logo Requirements

David Hopwood — Tue, 04 Jul 2006 18:41:56 GMT

I might as well ask this again:

Is it intended to be guaranteed that an app, running under UAC, that knows the Adminstrator password cannot use any admin privileges without a prompt? I didn't get an answer to this when I asked on a previous blog entry. Note that UAC and UIPI are not sufficient for this unless they also affect network protocols that use Windows account passwords for authentication.

UAP is blocking my ASP application

John — Thu, 06 Jul 2006 14:58:06 GMT

Hi,

I have an ASP (not an ASP.NET) application accessing Sql Server 2005 database installed in Vista Beta 2 (Build : 5384). I am unable to access my application in server. UAP is blocking my application. I dont want to change system level UAP configuration using msconfig or secpol.msc.
Can any one suggest me some idea to change application level UAP configuration, so that I can access by ASP application.

Thanks in Advance.

-John-

re: “Certified for Windows Vista” Software Logo Requirements

User Account Control Team — Fri, 07 Jul 2006 07:16:55 GMT

In response to David Hopwood's question, sorry for the delay.

We don’t guarantee that the Secure Desktop prevents malware from tricking the user into providing their password. And we don't guarantee that there is no risk if a program knows the username and password of an administrator account. Though, If a piece of malware was attempting to steal user credentials on a large scale it should be detected by an up-to-date anti-malware program, including Windows Defender, which will be included in Windows Vista to detect and remove spyware and other unwanted software.

It also worth noting that only a small percentage of customers could be tricked by this. By default, administrators will be given the consent prompt which does not request a password. And most standard users will not know the password to enter.

For customers that want to eliminate this potential risk, we have developed a high security mode that is compliant with the requirements of the Common Criteria standard. To enable this Group Policy, go to Computer Configuration, Administrative Templates, Windows Components, Credential User Interface, and enable Require trusted path for credential entry. When this setting is enabled, instead of displaying the credentials dialog, Windows will first prompt the user to type Control+Alt+Delete, then Windows will switch to the secure desktop to accept the users credentials.

There is always a balance between security and usability. In this case, we believe the risk is not great enough that it justifies making the user experience more complicated for all users, as this policy change does. But we have developed the functionality for those that require it.

- Alex

re: “Certified for Windows Vista” Software Logo Requirements

User Account Control Team — Fri, 07 Jul 2006 07:21:06 GMT

John, can you tell us more about what your application is trying to do, what specific action is causing the error, and what is the error message? Is this application just .asp pages in the inetpub directory? Or are there .dlls / components used?

- Alex

re: “UAP is blocking my ASP application"

John — Mon, 10 Jul 2006 09:03:35 GMT

Hi Alex,

Thanks for your response.

My ASP application is accessing data from Sql Server 2005 database (It is just .asp pages in the inetpub directory). When I log in as Administrator, my application is working fine.
I added my domain account (domain\john) in the Administrators group and I logged in as domain\john. When I access my application in the server, it is giving me the following error. (But, I can able to access my application in the client.)

Microsoft SQL Native Client error '80004005'
SQL Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].

When I disable UAP, it is working fine in server and client irrespective of the logged in account (either administrator or domain\john)

-John-

re: “Certified for Windows Vista” Software Logo Requirements

David Hopwood — Wed, 12 Jul 2006 17:55:12 GMT

Thanks for the information about the "Require trusted path for credential entry" option.

I have to say that I disagree with the decision not to make this option the default (when credentials are required). If elevations requiring Administrator permissions are so frequent that the need to press Ctrl-Alt-Del would be a significant usability problem, then the real problem is the frequency of elevations.

re: “Certified for Windows Vista” Software Logo Requirements

Alex — Tue, 18 Jul 2006 08:50:53 GMT

John, sorry for the slow reply. Probably the database requires the users to be in the administrators group. The way UAC works it strips out the users administrator credential from their access token. If you explicitly give your domain account access to the database (instead of adding the administrators group) it should work.
Is that doing able in your environment? Give it a try and least for your account and see if it works. If it does not work then please post the line of code that causes the failure.
- Alex

re: “Certified for Windows Vista” Software Logo Requirements

Rick — Fri, 21 Jul 2006 19:49:03 GMT

Executable files with .EXE, .DLL, .SYS, .DRV, .OCX, .CPL, or .SCR extensions must be signed with an Authenticode certificate.

Regarding the above statement, if my software uses third party activex and standard VB components, do I need to sign every of the activex dll ocx?

-Rick

re: “Certified for Windows Vista” Software Logo Requirements

Yves — Wed, 24 Jan 2007 20:33:49 GMT

Can I have an answer:

If my application is "Certified for Windows Vista, Windows Defender won't block it in Auto Start (For example : 'run' in registry) ?

Regards,

Yves

re: “Certified for Windows Vista” Software Logo Requirements

Sumeet — Wed, 07 Feb 2007 17:53:26 GMT

My application is a mobility application. We have our own credential provider, in which we launch our application. It appears the createProcess() doesn't like to launch manifested exes with <requestedExecutionLevel> tag. Any pointer ?

Sumeet: I assume you're running normally and want to start a process that is manifested with requireAdministrator? In that case, try ShellExecute or ShellExecuteEx instead of CreateProcess.

HTH

-- Aaron