Announcing Microsoft Standard User Analyzer Beta 1

User Account Control Team — Thu, 25 May 2006 22:21:00 GMT

The UAC team has just released the first beta version of the Microsoft Standard User Analyzer (SUA) tool. SUA is a tool that independent software vendors (ISVs) and IT developers can use to diagnose and identify possible application compatibility issues when migrating applications from running as administrator on down level Windows operating systems to Windows Vista which even with administrators run most programs with standard user privileges by default.

SUA is a runtime diagnose tool and has two modes, predictive mode and diagnose mode. In predictive mode, the application being tested is launched elevated with administrative privileges. SUA works by monitoring a set of selected APIs that are used to access resources, like files and registry keys, on the operating system. During application runtime, SUA interprets how each API is called, monitors the result, and logs the result on whether such a call will succeed or fail when the application is running as standard user instead of as administrator. This allows the application to be fully exercised to provide a high level summary of all the potential standard user issues in the application. In diagnose mode, the application being tested is launch with a standard user token. The application may fail at the first error it encounters. This mode is useful if you want to test the application in a standard user environment after you have fixed all the issues identified by SUA in the predictive mode.

Figure 1 Screenshot of Standard User Analyzer Beta 1

As we progress in our understanding of standard user application compatibility issues, we will be integrating our knowledge into the next beta version of the tool. We hope you will find this tool useful in helping you change your application to be standard user ready on Windows Vista.

Please visit the Standard User Analyzer site to obtain additional information and to download the tool.

Thanks,

Wei Wang

Lead SDE/T

Windows Security

Identification of Administrative Applications

User Account Control Team — Sat, 14 Jan 2006 04:35:00 GMT

Welcome to another installment of the Windows Vista UAC Blog!

Let’s dig a little deeper into the area of how Windows Vista knows which applications need to run with administrator privileges. We’ll use the term “Elevation” to describe the process by which an application is launched with admin privileges. Elevation falls into two categories:

The O/S makes a decision that the application looks like an installer or updater and will automatically invoke elevation to run the program with administrative permissions/privileges when a user runs it. This decision is based on a heuristic. Here are some of the heuristic detection points, although this list is not exhaustive:
- File name detection – looks for the words “setup”, “update”, “install” in the filename
- SxS Manifest word detection – looks for well-known values in the assembly name attribute program’s SxS Manifest
- String table detection – looks for well known values in the string table within the resource section of an executable
An application is marked via an overt action to run with administrative permissions/privileges. This process of admin marking can occur in four ways.
- Including an app manifest within the resource section of their executable program that specifies that the application needs to run with administrative permissions/privileges. This is the method that a developer of Windows Vista compliant code would use when developing or updating their application. The benefit is that the marking is performed by the developer and included in the code when it is compiled. This marking travels around with the code and is therefore independent of the target Windows Vista system. We have an MSDN article that has a section on how to do this. Take a look at: http://msdn.microsoft.com/windowsvista/default.aspx?pull=/library/en-us/dnlong/html/AccProtVista.asp
- An application compatibility shim is installed on a Windows Vista machine that marks an executable so it will be elevated when run. This would be the way that an IT professional would mark a legacy application in their environment without having to make changes to the code. The application compatibility toolkit, available for download from Microsoft, includes a tool called compatAdmin.exe that is used to build the shims. We have an article available that describes how this is done (along with the process of deploying this shim within a group policy-managed environment). Take a look at: http://www.microsoft.com/technet/windowsvista/deploy/appcompat/acshims.mspx
- A checkbox is available on the compatibility tab under program properties that says “Run the program as an administrator”. This is how a user of Windows Vista would mark an application for elevation on a one-off basis.
- A user can force elevation of an unmarked application by right clicking on an application and selecting “Run Elevated…” from the menu. This is how a user of Windows Vista would run an application elevated without persisting the setting. With this, a user can run an application elevated only when they specifically want to.

Cheers!

- Peter

UACBlog : Devs

Announcing Microsoft Standard User Analyzer Beta 1

Identification of Administrative Applications