Manifests

 

One of the requirements that User Account Control (UAC) puts on developers is that you must mark your applications with a 'manifest' to declare whether the application would like to run elevated or not. This can complicate matters when trying to develop and debug scripts using WinBatch, WinBatch+Compiler and WinBatch Studio.

We have made available various WinBatch tools with all the possible manifest setting combinations.

 

 


 

 

 

Manifest settings

 

Requested Execution Level

Possible Requested Execution Level Values:

| Value | Description | Comment |
| --- | --- | --- |
| asInvoker | The application runs with the same access token as the parent process. | Recommended for standard user applications. |
| highestAvailable | The application runs with the highest privileges the current user can obtain. | Recommended for mixed-mode applications. |
| requireAdministrator | The application runs only for administrators and requires that the application be launched with the full access token of an administrator. | Recommended for administrator only applications. The application is already running elevated. |

 

 

uiAccess Flag

Possible uiAccess values

| Value | Description |
| --- | --- |
| false | The application does not need to drive input to the user interface of another window on the desktop. Applications that are not driving the 'user interface' should set this flag to false. Applications that are required to drive input to other windows on the desktop (WinBatch driving another application via the Control Manager Extender, for example) should set this value to true. |
| true | The application is allowed to bypass user interface control levels to drive input to higher privilege windows on the desktop. This setting should only be used if required. |

NOTES for uiAccess = true:

The Control Manager Extender functions generally require this setting.

If compiled, the EXE must execute from a protected folder (e.g. \Program Files\... or \Windows\System32\...).

This setting requires that the application is code signed.

 

Important

Applications with the uiAccess flag set to true must be code signed to start properly.

In addition, the application must reside in a protected location in the file system. 'Program Files' and 'Windows\System32' are currently the two allowable protected locations.

Note: You can disable the protected-location check through the Local Security Policy MMC snap-in. The policy is:

User Account Control: Only elevate UIAccess applications that are installed in secure locations

It is found under:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

 

Un-manifested Files

Including a manifest is a basic requirement for an application to run properly in Vista. Vista expects every executable (especially one that requires administrative rights) to have a manifest that explicitly declares its run level. An application without such a manifest may behave erroneously when accessing protected resources, and may run into virtualization issues.

 

WinBatch

By default the WinBatch.exe file provided with WinBatch has a manifest with the settings: 'Requested Execution Level: highestAvailable' and 'uiAccess Flag: True'. However, if you are trying to develop scripts with UAC on you might be prompted each time your script attempts an operation that requires a higher execution level. Therefore, we have made available various WinBatch EXEs with all the possible manifest setting combinations.

 

| Tool | Requested Execution Level | uiAccess |
| --- | --- | --- |
| WinBatch.exe | highestAvailable | true |
| WinBatch_AF.EXE | requireAdministrator | false |
| WinBatch_AT.EXE | requireAdministrator | true |
| WinBatch_HF.EXE | highestAvailable | false |
| WinBatch_HT.EXE | highestAvailable | true |
| WinBatch_IF.EXE | asInvoker | false |
| WinBatch_IT.EXE | asInvoker | true |
| WinBatch_NN.EXE | Un-manifested | Un-manifested |
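To check which of these settings an existing EXE actually declares, the following added example (not WinBatch's own code) scans the raw file bytes for the manifest's requestedExecutionLevel element, maps the result to the two-letter suffix used in the tool names, and flags the uiAccess conditions this page describes. It assumes the manifest is embedded as plain ASCII/UTF-8 XML; the function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the manifest is embedded in the EXE as plain ASCII/UTF-8 XML.
_ELEMENT = re.compile(rb"<(?:\w+:)?requestedExecutionLevel\b([^>]*)>", re.I)
_ATTR = re.compile(rb"""(\w+)\s*=\s*["']([^"']*)["']""")
_LEVEL_CODE = {"asinvoker": "I", "highestavailable": "H", "requireadministrator": "A"}

def manifest_settings(image: bytes):
    """Return (level, ui_access) read from raw EXE bytes, or None if un-manifested."""
    match = _ELEMENT.search(image)
    if match is None:
        return None
    attrs = {k.decode().lower(): v.decode().strip()
             for k, v in _ATTR.findall(match.group(1))}
    return attrs.get("level", ""), attrs.get("uiaccess", "false").lower() == "true"

def variant_suffix(settings) -> str:
    """Map settings to the two-letter suffix of the tool names (AF ... IT, NN)."""
    if settings is None:
        return "NN"
    level, ui_access = settings
    return _LEVEL_CODE.get(level.lower(), "?") + ("T" if ui_access else "F")

def in_protected_location(path: str) -> bool:
    """True if path lies under one of the two protected folders this page names."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[1:]]
    return parts[:1] == ["program files"] or parts[:2] == ["windows", "system32"]

def audit(path: str, image: bytes):
    """Return (suffix, findings) for one executable."""
    settings = manifest_settings(image)
    findings = []
    if settings is None:
        findings.append("un-manifested: run level undeclared, virtualization may apply")
    elif settings[1]:
        findings.append("uiAccess=true: must be code signed (signature not checked here)")
        if not in_protected_location(path):
            findings.append("uiAccess=true: must reside in a protected location")
    return variant_suffix(settings), findings

# Constructed sample: a fake EXE image carrying a highestAvailable/uiAccess=true manifest.
SAMPLE = b"MZ" + b"\x00" * 64 + b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
<requestedExecutionLevel level="highestAvailable" uiAccess="true"/>
</requestedPrivileges></security></trustInfo></assembly>"""

if __name__ == "__main__":
    print(audit(r"C:\Users\dev\Desktop\tool.exe", SAMPLE))
```

For a real file, pass the bytes read from disk, for example `audit(path, open(path, "rb").read())`.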

 

You can also give your WinBatch script a special file extension, and WinBatch will run the appropriately manifested version of WinBatch.

32-bit

| File Extension | Tool | Requested Execution Level | uiAccess |
| --- | --- | --- | --- |
| .WBT | WinBatch.exe | highestAvailable | true |
| .WBT_AF | WinBatch_AF.EXE | requireAdministrator | false |
| .WBT_AT | WinBatch_AT.EXE | requireAdministrator | true |
| .WBT_HF | WinBatch_HF.EXE | highestAvailable | false |
| .WBT_HT | WinBatch_HT.EXE | highestAvailable | true |
| .WBT_IF | WinBatch_IF.EXE | asInvoker | false |
| .WBT_IT | WinBatch_IT.EXE | asInvoker | true |
| .WBT_NN | WinBatch_NN.EXE | Un-manifested | Un-manifested |

64-bit

| File Extension | Tool | Requested Execution Level | uiAccess |
| --- | --- | --- | --- |
| .WBT64 | WinBatch.exe | highestAvailable | true |
| .WBT64_AF | WinBatch_AF.EXE | requireAdministrator | false |
| .WBT64_AT | WinBatch_AT.EXE | requireAdministrator | true |
| .WBT64_HF | WinBatch_HF.EXE | highestAvailable | false |
| .WBT64_HT | WinBatch_HT.EXE | highestAvailable | true |
| .WBT64_IF | WinBatch_IF.EXE | asInvoker | false |
| .WBT64_IT | WinBatch_IT.EXE | asInvoker | true |
| .WBT64_NN | WinBatch_NN.EXE | Un-manifested | Un-manifested |

 

WinBatch Studio

By default the WinBatch Studio.exe file provided with WinBatch has a manifest with the settings: 'Requested Execution Level: highestAvailable' and 'uiAccess Flag: True'. However, if you are trying to develop and debug scripts with UAC on you might be prompted each time your script attempts an operation that requires a higher execution level. Therefore, we have made available various WinBatch Studio EXEs with all the possible manifest setting combinations.

| Tool | Requested Execution Level | uiAccess |
| --- | --- | --- |
| WinBatch Studio.exe | highestAvailable | true |
| WBStudio_AF.EXE | requireAdministrator | false |
| WBStudio_AT.EXE | requireAdministrator | true |
| WBStudio_HF.EXE | highestAvailable | false |
| WBStudio_HT.EXE | highestAvailable | true |
| WBStudio_IF.EXE | asInvoker | false |
| WBStudio_IT.EXE | asInvoker | true |
| WBStudio_NN.EXE | NA | NA |

 

WinBatch+Compiler

The WinBatch+Compiler interface allows you to select the appropriate manifest for your compiled script.  The SETTINGS button in the WinBatch+Compiler can be used to specify the appropriate options.

 
