Manifests

One of the requirements that User Account Control (UAC) puts on developers is that you must mark your applications with a 'manifest' to declare if the application would like to run elevated or not. This can complicate matters when trying to develop and debug scripts using WinBatch, WinBatch+Compiler and WinBatch Studio.

We have made available various WinBatch tools with all the possible manifest setting combinations.

UAC

UAC Facts

Code Signing

Manifest settings

Requested Execution Level

Possible Requested Execution Level Values:

Value	Description	Comment
asInvoker	The application runs with the same access token as the parent process.	Recommended for standard user applications.
highestAvailable	The application runs with the highest privileges the current user can obtain.	Recommended for mixed-mode applications.
requireAdministrator	The application runs only for administrators and requires that the application be launched with the full access token of an administrator.	Recommended for administrator only applications. The application is already running elevated.

uiAccess Flag

Possible uiAccess values

Value

Description

false

The application does not need to drive input to the user interface of another window on the desktop. Applications that are not driving the 'user interface' should set this flag to false. Applications that are required to drive input to other windows on the desktop (WinBatch driving another application via the Control Manager Extender, for example) should set this value to true.

true

The application is allowed to bypass user interface control levels to drive input to higher privilege windows on the desktop. This setting should only be used if required.

NOTES:

The Control Manager Extender functions generally require this setting.

If compiled the EXE must execute from a protected folder (e.g. \Program Files\... or \Windows\System32\...)

This setting requires that the application is code signed.

Important

Applications with the uiAccess flag set to true must be code signed to start properly.

In addition, the application must reside in a protected location in the file system. 'Program Files' and 'Windows\System32' are currently the two allowable protected locations.

Note: You can disable this security feature through the local security policy mmc snap-in:

User Account Control: Only elevate UIAccess applications that are installed in secure locations

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Un-manifested Files

Including a manifest is a basic requirement for an application to run properly in Vista. Vista expects all executables (especially which requires administrative rights) to have a manifest explicitly showing its run level. So an application without such manifest may behave erroneously when accessing protected resources. Applications accessing protected resources without proper manifest may result in virtualization issues.

WinBatch

By default the WinBatch.exe file provided with WinBatch has a manifest with the settings: 'Requested Execution Level: highestAvailable' and 'uiAccess Flag: True'. However, if you are trying to develop scripts with UAC on you might be prompted each time your script attempts an operation that requires a higher execution level. Therefore, we have made available various WinBatch EXEs with all the possible manifest setting combinations.

Tool	Requested Execution Level	uiAccess
WinBatch.exe	highestAvailable	true
WinBatch_AF.EXE	requireAdministrator	false
WinBatch_AT.EXE	requireAdministrator	true
WinBatch_HF.EXE	highestAvailable	false
WinBatch_HT.EXE	highestAvailable	true
WinBatch_IF.EXE	asInvoker	false
WinBatch_IT.EXE	asInvoker	true
WinBatch_NN.EXE	Un-manifested	Un-manifested

You can also give your WinBatch script a special file extension, and WinBatch will run the appropriately manifested version of WinBatch.

32-bit

File Extension	Tool	Requested Execution Level	uiAccess
.WBT	WinBatch.exe	highestAvailable	true
.WBT_AF	WinBatch_AF.EXE	requireAdministrator	false
.WBT_AT	WinBatch_AT.EXE	requireAdministrator	true
.WBT_HF	WinBatch_HF.EXE	highestAvailable	false
.WBT_HT	WinBatch_HT.EXE	highestAvailable	true
.WBT_IF	WinBatch_IF.EXE	asInvoker	false
.WBT_IT	WinBatch_IT.EXE	asInvoker	true
.WBT_NN	WinBatch_NN.EXE	Un-manifested	Un-manifested

64-bit

File Extension	Tool	Requested Execution Level	uiAccess
.WBT64	WinBatch.exe	highestAvailable	true
.WBT64_AF	WinBatch_AF.EXE	requireAdministrator	false
.WBT64_AT	WinBatch_AT.EXE	requireAdministrator	true
.WBT64_HF	WinBatch_HF.EXE	highestAvailable	false
.WBT64_HT	WinBatch_HT.EXE	highestAvailable	true
.WBT64_IF	WinBatch_IF.EXE	asInvoker	false
.WBT64_IT	WinBatch_IT.EXE	asInvoker	true
.WBT64_NN	WinBatch_NN.EXE	Un-manifested	Un-manifested

WinBatch Studio

By default the WinBatch Studio.exe file provided with WinBatch has a manifest with the settings: 'Requested Execution Level: highestAvailable' and 'uiAccess Flag: True'. However, if you are trying to develop and debug scripts with UAC on you might be prompted each time your script attempts an operation that requires a higher execution level. Therefore, we have made available various WinBatch Studio EXEs with all the possible manifest setting combinations.

Tool	Requested Execution Level	uiAccess
WinBatch Studio.exe	highestAvailable	true
WBStudio_AF.EXE	requireAdministrator	false
WBStudio_AT.EXE	requireAdministrator	true
WBStudio_HF.EXE	highestAvailable	false
WBStudio_HT.EXE	highestAvailable	true
WBStudio_IF.EXE	asInvoker	false
WBStudio_IT.EXE	asInvoker	true
WBStudio_NN.EXE	NA	NA

WinBatch+Compiler

The WinBatch+Compiler interface allows you to select the appropriate manifest for your compiled script. The SETTINGS button in the WinBatch+Compiler can be used to specify the appropriate options.

UAC

UAC Facts

Application Manifests