User Account Control: How to Make a Good UAC Application

1 User Account Control: How to Make a Good UAC Application
Peter R. Woods, Senior Program Manager, Microsoft Corporation

2 Session Objectives
- Microsoft Windows User Account Control overview
- The new Shield paradigm
- Writing code in UAC environment
- Windows Vista Logo program
- Debugging
- Services
- Summary & future direction

3 Why User Account Control?
- Most user accounts have Administrator privileges.
- Code running without Administrator privileges is safer for the system.
- Enterprises realize significant TCO reductions when running with managed systems.
- Enterprises migrating to SW that runs as Standard User

4 User Account Control
- All users run as Standard User by default
  - Filtered token created during logon
  - Only specially marked apps get the unfiltered token
- Explicit consent required for elevation
  - Predictable elevation points
- High application compatibility
  - Data redirection
  - Enabling legacy apps to run as standard user
  - Installer Detection

5 UAC Architecture
Diagram: at Admin logon, Abby's token is split into an Admin Token (Administrative Rights) and a “Standard User” Filtered Token (Standard User Rights).

6 UAC Architecture
Diagram: after Admin logon, Abby's user processes run with the “Standard User” Filtered Token (Standard User Rights). Examples: Change Time Zone, Run Standard User Compliant Applications, Install Fonts, Install Printers, Run MSN Messenger.

7 UAC Architecture
Diagram: after Admin logon, Abby's admin processes are started through the Elevation dialog and run with the Admin Token (Administrative Rights). Examples: Change Time, Configure IIS, Install Application.

8 Process Isolation
- Administrative and Standard User applications share the same desktop
- Security challenges
  - Cross-process Window messages
  - DLL injection and create remote thread
- Process Isolation mechanisms
  - Integrity level for processes
  - “Lower” cannot interfere with “Higher”

9 Standard User Token
- Privileges typically in Standard User token
  - Bypass traverse checking (SeChangeNotify)
  - Shut down the system (SeShutdown)
  - Increase Working Set Size (SeIncreaseWorkingSet)
  - Remove computer from docking station (SeUndock)
  - Change Time Zone (SeChangeTimeZone) New in Vista
- All other privileges removed.
- Privileged RIDs set to DENY_ONLY
  - E.g. Administrators, Enterprise Admins, Policy Admins, Power User, etc.

10 Token Sample - Admin
Account = High Mandatory Level SID = S-1-16-12288
_User SID_
Account = Abby SID = S Domain = LH-X937PF8H3FFT
_Groups SIDs_
Account = None SID = S
  Attribute: SE_GROUP_MANDATORY
  Attribute: SE_GROUP_ENABLED_BY_DEFAULT
  Attribute: SE_GROUP_ENABLED
Account = Everyone SID = S-1-1-0 Domain =
Account = Administrators SID = S Domain = BUILTIN
  Attribute: SE_GROUP_OWNER
Account = INTERACTIVE SID = S-1-5-4 Domain = NT AUTHORITY
.
Account = High Mandatory Level SID = S Domain = Mandatory Label
_Restricted SIDs_
_Privileges_
Privilege: SeIncreaseQuotaPrivilege (Disabled)
Privilege: SeSecurityPrivilege (Disabled)
Privilege: SeTakeOwnershipPrivilege (Disabled)
Privilege: SeLoadDriverPrivilege (Disabled)
Privilege: SeSystemProfilePrivilege (Disabled)
Privilege: SeSystemtimePrivilege (Disabled)
Privilege: SeProfileSingleProcessPrivilege (Disabled)
Privilege: SeIncreaseBasePriorityPrivilege (Disabled)
Privilege: SeCreatePagefilePrivilege (Disabled)
Privilege: SeBackupPrivilege (Disabled)
Privilege: SeRestorePrivilege (Disabled)
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeDebugPrivilege (Disabled)
Privilege: SeSystemEnvironmentPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeRemoteShutdownPrivilege (Disabled)
Privilege: SeUndockPrivilege (Disabled)
Privilege: SeManageVolumePrivilege (Disabled)
Privilege: SeImpersonatePrivilege (Enabled)
Privilege: SeCreateGlobalPrivilege (Enabled)
Privilege: SeIncreaseWorkingSetPrivilege (Disabled)
Privilege: SeTimeZonePrivilege (Disabled)
Privilege: SeCreateSymbolicLinkPrivilege (Disabled)

11 Token Sample - Filtered
_User SID_
Account = Abby SID = S Domain = LH-X937PF8H3FFT
_Groups SIDs_
Account = None SID = S
  Attribute: SE_GROUP_MANDATORY
  Attribute: SE_GROUP_ENABLED_BY_DEFAULT
  Attribute: SE_GROUP_ENABLED
Account = Administrators SID = S Domain = BUILTIN
  Attribute: SE_GROUP_USE_FOR_DENY_ONLY
Account = Users SID = S
.
Account = INTERACTIVE SID = S-1-5-4 Domain = NT AUTHORITY
  Attribute: SE_GROUP_MANDATORY
  Attribute: SE_GROUP_ENABLED_BY_DEFAULT
  Attribute: SE_GROUP_ENABLED
Account = Medium Mandatory Level SID = S Domain = Mandatory Label
_Restricted SIDs_
_Privileges_
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeUndockPrivilege (Disabled)
Privilege: SeIncreaseWorkingSetPrivilege (Disabled)
Privilege: SeTimeZonePrivilege (Disabled)
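Added example, not part of the original presentation: a Python parser for token dumps in the line layout of slides 10 and 11 that reports what filtering changed between the full and the filtered token. The two sample dumps are constructed and shortened, and they use the well-known SIDs for Administrators and the mandatory labels because the transcript lost most SID values; the function names are assumptions of this example.

```python
import re

# Constructed, shortened dumps in the layout of slides 10 and 11.
FULL_TOKEN = """\
Account = Administrators SID = S-1-5-32-544 Domain = BUILTIN
Attribute: SE_GROUP_MANDATORY
Attribute: SE_GROUP_ENABLED
Attribute: SE_GROUP_OWNER
Account = High Mandatory Level SID = S-1-16-12288 Domain = Mandatory Label
Privilege: SeDebugPrivilege (Disabled)
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeShutdownPrivilege (Disabled)
Privilege: SeImpersonatePrivilege (Enabled)
"""
FILTERED_TOKEN = """\
Account = Administrators SID = S-1-5-32-544 Domain = BUILTIN
Attribute: SE_GROUP_USE_FOR_DENY_ONLY
Account = Medium Mandatory Level SID = S-1-16-8192 Domain = Mandatory Label
Privilege: SeChangeNotifyPrivilege (Enabled)
Privilege: SeShutdownPrivilege (Disabled)
"""

ADMINISTRATORS_SID = "S-1-5-32-544"
# Mandatory label SIDs are S-1-16-<RID>; slide 10 shows 12288 for High.
INTEGRITY_RIDS = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

ACCOUNT_RE = re.compile(r"^Account = (?P<name>.+?) SID = (?P<sid>\S+)")
ATTR_RE = re.compile(r"^Attribute: (?P<attr>\w+)")
PRIV_RE = re.compile(r"^Privilege: (?P<name>\w+) \((?P<state>Enabled|Disabled)\)")


def parse_token(dump):
    """Parse a dump into groups (by SID), privileges and integrity level."""
    token = {"groups": {}, "privileges": {}, "integrity": None}
    current = None  # group that following Attribute: lines belong to
    for raw in dump.splitlines():
        line = raw.strip()
        m = ACCOUNT_RE.match(line)
        if m:
            sid = m["sid"]
            if sid.startswith("S-1-16-"):
                rid = int(sid.rsplit("-", 1)[1])
                token["integrity"] = INTEGRITY_RIDS.get(rid, f"RID {rid}")
                current = None
            else:
                current = token["groups"].setdefault(
                    sid, {"name": m["name"], "attrs": set()})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"].add(m["attr"])
            continue
        m = PRIV_RE.match(line)
        if m:
            token["privileges"][m["name"]] = m["state"]
    return token


def is_filtered(token):
    """True when Administrators is present only as a deny-only group."""
    admins = token["groups"].get(ADMINISTRATORS_SID)
    return bool(admins and "SE_GROUP_USE_FOR_DENY_ONLY" in admins["attrs"])


def diff_tokens(full, filtered):
    """Summarise what the filtered token lost relative to the full token."""
    removed = sorted(set(full["privileges"]) - set(filtered["privileges"]))
    deny_only = sorted(
        group["name"]
        for sid, group in filtered["groups"].items()
        if "SE_GROUP_USE_FOR_DENY_ONLY" in group["attrs"]
        and "SE_GROUP_ENABLED" in full["groups"].get(sid, {"attrs": set()})["attrs"]
    )
    return {
        "integrity": (full["integrity"], filtered["integrity"]),
        "privileges_removed": removed,
        "groups_now_deny_only": deny_only,
    }


if __name__ == "__main__":
    print(diff_tokens(parse_token(FULL_TOKEN), parse_token(FILTERED_TOKEN)))
```

Run against real dumps, the parser needs complete SIDs, since groups are keyed by SID.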

12 User Experience (UX) The Security Shield Icon

13 The Security Shield
- Goal is to make your application simple & predictable
- Attached to controls which, if clicked, will require elevation as the next step
- Has only one state (i.e. no hover, disabled etc.)
- Does not remember elevated state
- Not an unlock operation

14 Security Shield UI Examples
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15 Consent UI
OS Application / Unsigned Application / Signed Application
©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

16 Credential UI

17 User Experience Guidelines
- Rules for shield and elevation
- MSDN and Windows Vista website
- New documents are being added. Check under ‘What’s new’ heading

18 Coding for UAC in a nutshell
- Design code to not require any Administrative privileges whenever possible.
- Per-machine settings during install
  - Place Per-Machine (Shared) data into %ALLUSERSPROFILE%
  - Place Per-Machine registry setting in HKLM
- Per-user settings at first run
  - Store per-user data in user profile
  - Place per-user data into %LOCALAPPDATA%
  - Place per-user registry settings in HKCU
  - Store user shared data in User\Public
- Take advantage of the Windows Vista Logo program!

19 Coding for UAC in a nutshell
Examples of what not to do:
- Avoid self updating code. Major Application Compatibility issue
- Do not perform admin configuration at first run.
- Do not rely on explicit Admin checks for Standard User applications

20 Applications that require Administrator privileges
- Administrative applications can be marked to identify them to the O/S
  - Mark application as requiring Administrator privileges using embedded manifest.
  - Installer detection
  - Application Compatibility shims
  - Compatibility Tab on Program Properties
  - Right-click Run as administrator

21 Applications that require Administrator privileges
Mixed use applications:
- Application is bifurcated into Non administrative and administrative sections…
  - Application launches as Standard user
  - Within UI, clearly identify Administrative tasks
  - Ensure Standard users can be fully productive
  - Identify tasks that need elevation with a “shield”
- Elevated tasks launch in separate process
  - Separately marked executable
  - Elevated COM object
    - Object should request confirmation
- Command line tools should run AsInvoker…

22 Separation of Admin Code
- Cannot elevate a running process
- Communication: Two Design Patterns
  - Service Broker Model
    - IPC
    - Globally mapped shared memory
  - Side by Side Processes
    - Named pipes
    - Global or locally mapped shared memory

23 RequestedExecutionLevels
- Level = asInvoker
  - Launch with the same token as the parent process
- Level = highestAvailable
  - Launch with the highest token this user possesses
- Level = requireAdministrator
  - Highest token of the User provided User is a member of Administrators group

24 Sample Manifest
MyAdminApp.exe.manifest
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version=" "
                        processorArchitecture="X86"
                        name="MyAdminApp"
                        type="win32"/>
      <!-- Identify the application security requirements. -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>

25 Admin Application Marking

26 Manifest marking in VS 2005 for c/c++

27 Manifest marking in VS 2005

28 Shield UI Examples … Add a Shield glyph to my UI
    #include <shellapi.h>

    HICON hiconShield;
    SHSTOCKICONINFO sii;
    sii.cbSize = sizeof(sii);

    // if you want the small icon
    // (icons returned with SHGSI_ICON must be freed with DestroyIcon)
    SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_SMALLICON, &sii);
    hiconShield = sii.hIcon;

    // if you want the large icon
    SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICON | SHGSI_LARGEICON, &sii);
    hiconShield = sii.hIcon;

    // if you want an icon at a custom size
    // (SHGSI_ICONLOCATION fills sii.szPath and sii.iIcon)
    SHGetStockIconInfo(SIID_SHIELD, SHGSI_ICONLOCATION, &sii);
    hiconShield = ExtractIconEx(sii. ...);

29 Security Shield UI Examples
The standard button control (PUSHBUTTON, DEFPUSHBUTTON) has been enhanced to allow you to add an icon along with the displayed text, without requiring the BS_ICON or BS_BITMAP styles to be set.
To show the shield icon, you can call the following macro (defined in commctrl.h):
    Button_SetElevationRequiredState(hwndButton, fRequired);
Where hwndButton is the HWND of the button and fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.
A Windows Message can also be used to enable the shield on a button:
    lresult = SendMessage(hwndButton, BCM_SETSHIELD, 0, fRequired);
fRequired determines whether to show (TRUE) or hide (FALSE) the LUA shield.

30 Coding samples
- Use ShellExecute() rather than CreateProcess() when launching other applications.
  - CreateProcess() will return error if elevation is required
  - ShellExecute() sends the request to the Application Information Service (AIS) for elevated launch.
    // lpParameters and lpDirectory are both NULL
    retHandle = ShellExecute(NULL, L"open", L"\\Program Files\\MyApp\\MyAdminApp.exe", NULL, NULL, SW_SHOWNORMAL);

31 Coding samples
Runas verb to ShellExecuteEx()
- Allows caller to request elevation of normally unelevated apps.
- Pass ‘runas’ as the lpVerb in the SHELLEXECUTEINFO structure
    (structure pointer)->lpVerb = L"runas";

32 Coding samples
Launching an elevated COM object
- Accomplished using elevation moniker
- Object class must be registered as being ‘elevatable’
    HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}\Elevation
    Enabled REG_DWORD 1
- Object class must have ‘friendly name’ assigned
    HKLM\Software\Classes\CLSID\{9df523b0-a6c0-4ea9-b5f1-f4565c3ac8b8}
    "LocalizedString" REG_EXPAND_SZ
- Object has string name defined in DLL string table
    STRINGTABLE LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
    {
        101, "Your Elevated Com Object"
    }
- Object elevation is requested at launch time

33 Coding samples
Elevation moniker in action. Example:
    #include <windows.h>
    #include <objbase.h>
    #include <strsafe.h>

    HRESULT CreateElevatedComObject(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv)
    {
        BIND_OPTS3 bo;
        WCHAR wszCLSID[50];
        WCHAR wszMonikerName[300];

        // Build the moniker string "Elevation:Administrator!new:{clsid}"
        StringFromGUID2(rclsid, wszCLSID, sizeof(wszCLSID)/sizeof(wszCLSID[0]));
        HRESULT hr = StringCchPrintf(wszMonikerName, sizeof(wszMonikerName)/sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID);
        if (FAILED(hr))
            return hr;

        memset(&bo, 0, sizeof(bo));
        bo.cbStruct = sizeof(bo);
        bo.hwnd = hwnd;                          // owner window for the elevation prompt
        bo.dwClassContext = CLSCTX_LOCAL_SERVER; // elevated object runs out of process
        return CoGetObject(wszMonikerName, &bo, riid, ppv);
    }

34 Windows Vista Logo Program & UAC
- Builds upon existing Windows XP Logo Program
- Enhancements around running as standard user
  - Use Install bootstrap model if launching software directly from installation process
  - App must contain requestedExecutionLevel in an embedded manifest to define run level
  - Authenticode sign installation package and all binaries

35 Debugging Administrative Apps
- Launch copy of Visual Studio 2005 elevated
  - Start->All Programs->Microsoft Visual Studio 2005->(right click on) Microsoft Visual Studio 2005
  - Select Run as Administrator
- Debug your program

36 Process Isolation & Assistive Technology
- Mechanism exists to mark Accessibility applications
- Accessibility apps (Assistive Technology) need to drive UI at higher levels.
- Accessibility apps have a manifest requestedExecutionLevel statement of:
    <requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
    </requestedPrivileges>
- Assistive Technology applications must be Authenticode signed and trusted or they will fail to launch.
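Added example, not part of the original presentation: a Python check that reads an application manifest like those on slides 24 and 36 and reports the requested execution level, the uiAccess flag and the consequences the slides attach to each. The sample manifests, function names and finding codes are constructed for this example; one sample carries the typographic quotes that slide transcripts introduce, to show that such a manifest fails to parse.

```python
import xml.etree.ElementTree as ET

VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed sample manifests; the application name is illustrative.
ADMIN_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="ExampleAdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
# Assistive Technology style manifest (slide 36).
AT_MANIFEST = ADMIN_MANIFEST.replace(
    'level="requireAdministrator"', 'level="asInvoker" uiAccess="true"')
# Manifest with no trustInfo section at all.
LEGACY_MANIFEST = ('<assembly xmlns="urn:schemas-microsoft-com:asm.v1" '
                   'manifestVersion="1.0"/>')
# Same manifest after copy/paste replaced straight quotes with curly ones.
CURLY_QUOTE_MANIFEST = ADMIN_MANIFEST.replace(
    '"requireAdministrator"', "\u201crequireAdministrator\u201d")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text):
    """Return requested level, uiAccess flag and (code, message) findings."""
    result = {"level": None, "ui_access": False, "findings": []}

    def add(code, message):
        result["findings"].append((code, message))

    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        add("MALFORMED", f"manifest is not well-formed XML ({exc})")
        return result

    # Match on the local name so asm.v2 and asm.v3 trustInfo both work.
    nodes = [el for el in root.iter()
             if _local(el.tag) == "requestedExecutionLevel"]
    if not nodes:
        add("NO_LEVEL", "no requestedExecutionLevel: handled as a legacy app "
            "(data redirection, installer detection); the Vista Logo program "
            "requires this element in an embedded manifest")
        return result

    node = nodes[0]
    level = node.get("level", "")
    result["level"] = level
    result["ui_access"] = node.get("uiAccess", "false").strip().lower() == "true"

    if level.lower() not in {v.lower() for v in VALID_LEVELS}:
        add("BAD_LEVEL", f"level {level!r} is not one of {VALID_LEVELS}")
    if level.lower() == "requireadministrator":
        add("WHOLE_APP_ELEVATES", "every launch asks for elevation; for mixed "
            "use apps move admin tasks to a separately marked executable")
    if result["ui_access"]:
        add("UIACCESS_NEEDS_SIGNATURE", "uiAccess=true: binary must be "
            "Authenticode signed and trusted or it will fail to launch")
    return result


def finding_codes(result):
    """Convenience accessor: just the finding codes, in order."""
    return [code for code, _ in result["findings"]]


if __name__ == "__main__":
    for name in ("ADMIN_MANIFEST", "AT_MANIFEST", "LEGACY_MANIFEST",
                 "CURLY_QUOTE_MANIFEST"):
        print(name, audit_manifest(globals()[name]))
```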

37 Debugging Assistive Technology (AT) Apps
- Defined as apps with manifest tag: uiAccess=true
- AT apps must be Authenticode signed (root in trusted root store)
- Launch your AT app from Windows Explorer
- Launch copy of Visual Studio 2005 Remote Debugger (msvsmon.exe) from within your app using ShellExecute().
- On the remote debugger, select Tools->Options
- Click No Authentication (native only) and Allow any user to debug

38 Debugging Assistive Technology (AT) Apps
- On Visual Studio 2005, select Debug->Attach to Process
- Under Transport, select Remote (Native only with no authentication)
- Under Qualifier, enter the local machine name
- Select the process to debug (your app) and click Attach

39 Debugging AT Apps

40 Marking managed code
- No obvious way to do this in VS UI for managed code
- Manifest can be added after .exe is built
- Use tool MT.exe, part of the Windows SDK (add in link)
- Steps:
  - Create manifest file
  - Use mt.exe to embed manifest
      mt.exe -manifest yourapp.manifest -outputresource:yourapp.exe;#1
- Works for all languages: C/C++, C#, J#, and VB

41 Guides for Services
- Don’t create interactive services
  - No UI from services on the user desktop
  - Use RPC, sockets, named-pipes, or COM to communicate
- Use reduced privileged account: Local Service or Network Service, if possible
- User prompted to shift to special session 0 viewer for interactive services

42 ‘Going the other way’ – from high to medium
- No direct method
- Use a bootstrap EXE and launch the elevated EXE/MSI from there.
- Create/register a COM server marked to run as Interactive User and use it from your
  - Less desirable since it leaves the COM server around for anybody else to use later on
- Register a WMI.Job (formerly scheduled task) that runs as the interactive user.

43 Data Redirection for Legacy Apps
- Some legacy apps write to admin locations
  - HKLM\Software
  - %SystemDrive%\Program Files
  - etc.
- Redirection removes need for elevation
  - Writes to HKLM go to HKU redirected store
    - HKU->(user SID)_classes->VirtualStore
  - Writes to system directories redirected to per-user store (%localappdata%\virtualstore)
  - Copy-on-write

44 Developer Impact Summary
- Windows XP Logo’d for Standard User?
  - It will just work on Windows Vista
- Fails on Windows XP as Standard User?
  - Use the SUA Analyzer tool to look for Admin dependencies
- Admin app on Windows XP?
  - Needs to be marked as requireAdministrator
- Web apps need special attention due to Protected Mode IE

45 Developer Impact Summary
Installation Best Practices
- Use MSI 3.1 for Install and Update
- Alternate to MSI3.1 – call Update.exe marked as admin to do the update
- Be careful with Self Updating Code
- ClickOnce is a great deployment technology for Standard User apps

46 Future UAC Direction
- Continue Isolation of Admin code on Standard User Desktop
- Integrate Application IDs into OS for Standard User code
- Integrate Software Restriction Policies into AppIDs
- Tighten down power of Setup applications
- Metadata in Manifests
- Rollout of Windows Vista Logo program to help ISVs write compliant code.
- Work with Developers to reduce dependence on Data Redirection

47 Resources General Security Information Getting Started with UAC: UA Developer Guidelines: UAC Blog: UAC Question on Update:

48 Tools Standard User Analyzer (SUA)
Intended to predict whether an application would work correctly as standard user.
Identifies API calls that would fail if attempted by a user.
Identifies all Access requiring elevated privileges.
Available for download at the Microsoft Download Center:

49 SUA Analyzer
Enter Target App Name.
Enter parameters.
Check Launch Elevated Checkbox.
Click Launch button. (On Vista, approve two elevation dialogs)
Exit notepad. (On Vista, approve elevation dialog)
Tool shows interaction that would fail as standard user. In this case, boot.ini is not accessible to standard users.
Send comments to:

50 FAQ
If I mark my app as “admin”, can I skip the elevation consent dialog? – No
Can you modify the privilege of a running application? – No
Will LUA elevate whenever a privileged API is used? – No, the entire process is either elevated or not
How long does the elevated process last? Can it time out? – Life of the process
Can I enable which users will use UAC? – Currently this is a per machine setting
Does UAC apply to all processes and services? – Interactive processes only
What areas of the Registry and File system get redirected? – HKLM\Software, %SystemRoot%, subdirectories of %ProgramFiles%
Won’t Redirection de-motivate developers to fix their code? – Yes, it is a short term mitigation, not in 64bit
What happens when installer detection fails? – The app runs as non-admin
Will UAC be going down-level? – No
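The redirected locations named in the FAQ can be used to triage an application's write targets (for example, ones collected during a Standard User Analyzer run) and find where it still depends on data redirection. The Python sketch below is an added example, not part of the original presentation; the drive paths standing in for %SystemRoot% and %ProgramFiles%, the sample targets and the function names are assumptions, and it covers only the three areas the slide lists.

```python
import re
from pathlib import PureWindowsPath

# Constructed stand-ins for the environment variables named in the FAQ;
# on a real machine, read the actual values from the environment instead.
ENV = {"%SystemRoot%": r"C:\Windows", "%ProgramFiles%": r"C:\Program Files"}
HKLM_NAMES = {"hklm", "hkey_local_machine"}

# Constructed sample of write targets (not output from any real tool).
SAMPLE_WRITES = [
    r"%ProgramFiles%\Contoso\settings.ini",
    r"C:\WINDOWS\win.ini",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Options",
    r"HKCU\Software\Contoso\Options",
    r"C:\Users\abby\AppData\Local\Contoso\settings.ini",
]


def _parts(path):
    """Expand the two variables, then return lower-cased path components."""
    for name, value in ENV.items():
        path = re.sub(re.escape(name), lambda _m, v=value: v, path, flags=re.I)
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def classify(target):
    """Return the redirected area from the FAQ that a write target hits, or None."""
    keys = target.lower().split("\\")
    if keys[0] in HKLM_NAMES:  # registry path under the machine hive
        return r"HKLM\Software" if len(keys) > 1 and keys[1] == "software" else None
    parts = _parts(target)
    system_root = _parts("%SystemRoot%")
    if parts[:len(system_root)] == system_root:
        return "%SystemRoot%"
    program_files = _parts("%ProgramFiles%")
    # Only paths strictly below %ProgramFiles% count (the slide says subdirectories).
    if len(parts) > len(program_files) and parts[:len(program_files)] == program_files:
        return "%ProgramFiles%"
    return None


def redirected(targets):
    """Map each target that lands in a redirected area to that area's name."""
    return {t: a for t in targets if (a := classify(t)) is not None}


if __name__ == "__main__":
    for target, area in redirected(SAMPLE_WRITES).items():
        print(f"{area:16} {target}")
```

Each flagged target is a write that succeeds as standard user only because of redirection, which the FAQ describes as a short term mitigation; moving those writes to per-user locations removes the dependency.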

51 Other UAC Goodies
Application Compatibility Toolkit (ACT5) Lab in the TLC all week
UAC Chalk Talk – TechEd Theater, Wednesday 2:00-3:15
SEC310 - Account Control: Running Windows Vista with Least Privilege, Wednesday 4:30-5:45, Room 210 ABC
DEV345 - Windows Vista: Targeting Key Native APIs from Managed Code, Friday 9: :15, Room 102 AB

52 Wrap up & Questions

53 Fill out a session evaluation on CommNet for a chance to Win an XBOX 360!


