UAC

 

For the most part, WinBatch scripts can perform wonderfully well without ever needing any special privileges or rights. However, some scripts are designed to modify system configurations, install hardware or software, bypass security, or perform other tasks that, if uncontrolled, may damage or otherwise compromise the computer they run on. UAC has a number of 'trip wires', or checks, to verify that any task doing such operations has the proper permissions or authority to perform it.

Special copies of WinBatch and WinBatch Studio are available with each combination of UAC manifest settings. All are signed. During the WinBatch installation, each of the WinBatch interpreter EXEs is installed and associated with a special file extension. Simply by using the appropriate file extension, you can run your script with your choice of UAC manifest.

WinBatch offers the following UAC functions: UacElevationLevel, UacManifestSettings, UacExePromptTest. See the Windows Interface Language help file for details.

 

 

 

UAC Facts

Manifests

Code Signing

 

 

 

 

UAC Explained

User Account Control (UAC) is a set of tools built into Windows Vista that helps to protect your system. UAC uses the “least privileges” rule, which states that all users and software run with the least privileges possible at all times. Any time a user or software needs administrative privileges, a consent prompt appears.

When a consent prompt appears, your screen is locked except for the consent prompt.

The purpose of the consent prompt is to notify you about an administrative task being attempted. You have to OK the task or cancel it for your screen to unlock. This feature is in place to make sure the user knows when administrative tasks are being done.

In the world of scripting, UAC can sometimes cause great headaches when a script is meant to automate something and the user keeps getting prompted.

 

What Triggers UAC Consent Prompts
  • Installing and uninstalling of: Software, Device drivers, ActiveX controls, Windows Updates

  • Changing settings for: Windows Firewall, UAC

  • Configuring Windows Update

  • Adding or removing user accounts

  • Changing user account type

  • Configuring Parental Controls

  • Running the Task Scheduler

  • Restoring or backing up of system files

  • Viewing or changing another user’s files and folders

  • Software needing to run with administrative privileges (like WinBatch scripts that do administrative types of operations)

  • Software, like WinBatch, that needs to perform system tasks (defragmenting your hard drive)

 
The Consent and Credential Prompts

With UAC enabled, Windows Vista either prompts for consent or for credentials for a valid administrator account before launching a program or task that requires a full administrator access token. This prompt ensures that no malicious application can silently install.

The Consent Prompt

The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token.

The Credential Prompt

The credential prompt is presented when a standard user attempts to perform a task that requires a user's administrative access token. This standard user default prompt behavior is configurable with the Security Policy Manager snap-in (secpol.msc) and with Group Policy. Administrators can also be required to provide their credentials by setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode value to Prompt for credentials.

 
User Modes

In Windows Vista, there are two types of user accounts: standard user accounts and administrator accounts. Standard users are equivalent to the standard user account in previous versions of Windows. Standard users have limited administrative privileges and user rights—they cannot install or uninstall applications that install into %systemroot%, change system settings, or perform other administrative tasks. However, standard users can perform these tasks if they are able to provide valid administrative credentials when prompted. With UAC enabled, members of the local Administrators group run with the same access token as standard users. Only when a member of the local Administrators group gives approval can a process use the administrator’s full access token. This process is the basis of the principle of Admin Approval Mode.

The following lists show some of the tasks a standard user can perform and the tasks that require elevation to an administrator account.

Standard Users

  • Establish a Local Area Network connection
  • Establish and configure a wireless connection
  • Modify Display Settings
  • Users cannot defragment the hard drive, but a service does this on their behalf
  • Play CD/DVD media (configurable with Group Policy)
  • Burn CD/DVD media (configurable with Group Policy)
  • Change the desktop background for the current user
  • Open the Date and Time Control Panel and change the time zone
  • Use Remote Desktop to connect to another computer
  • Change user's own account password
  • Configure battery power options
  • Configure Accessibility options
  • Restore user's backed-up files
  • Set up computer synchronization with a mobile device (smart phone, laptop, or PDA)
  • Connect and configure a Bluetooth device

Administrators

  • Install and uninstall applications
  • Install a driver for a device (e.g. a digital camera driver)
  • Install Windows updates
  • Configure Parental Controls
  • Install an ActiveX control
  • Open the Windows Firewall Control Panel
  • Change a user's account type
  • Modify UAC settings in the Security Policy Editor snap-in (secpol.msc)
  • Configure Remote Desktop access
  • Add or remove a user account
  • Copy or move files into the Program Files or Windows directory
  • Schedule Automated Tasks
  • Restore system backed-up files
  • Configure Automatic Updates
  • Browse to another user's directory

 

Application Launch Behavior

Whether an application can run and obtain a full administrator access token at runtime is dependent on the combination of the application’s requested execution level in the application compatibility database and the privileges and user rights available to the user account that launched the application. The following tables identify the possible run-time behavior based on such possible combinations.
 

An Administrator in Admin Approval Mode

Parent process access token: Standard user. Consent policy: No prompt.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches with a full administrative access token; no prompt
  • requireAdministrator: Application launches with a full administrative access token; no prompt

Parent process access token: Standard user. Consent policy: Prompt for consent.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches with a full administrative access token; prompt for consent
  • requireAdministrator: Application launches with a full administrative access token; prompt for consent

Parent process access token: Standard user. Consent policy: Prompt for credentials.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches with a full administrative access token; prompt for credentials
  • requireAdministrator: Application launches with a full administrative access token; prompt for credentials

Parent process access token: Administrator (UAC is disabled). Consent policy: NA.
  • None or asInvoker: Application launches with a full administrative access token; no prompt
  • highestAvailable: Application launches with a full administrative access token; no prompt
  • requireAdministrator: Application launches with a full administrative access token; no prompt

 

A Standard User Account

Parent process access token: Standard user. Consent policy: No prompt.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches as a standard user
  • requireAdministrator: Application fails to launch

Parent process access token: Standard user. Consent policy: Prompt for credentials.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches as a standard user
  • requireAdministrator: Prompt for administrator credentials before running application

Parent process access token: Standard user (UAC is disabled). Consent policy: NA.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches as a standard user
  • requireAdministrator: Application fails to launch

 

A Standard User with Additional Privileges (e.g. Backup Operator)

Parent process access token: Standard user. Consent policy: No prompt.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches as a standard user
  • requireAdministrator: Application fails to launch

Parent process access token: Standard user. Consent policy: Prompt for credentials.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches as a standard user
  • requireAdministrator: Prompt for administrator credentials before running application

Parent process access token: Standard user (UAC is disabled). Consent policy: NA.
  • None or asInvoker: Application launches as a standard user
  • highestAvailable: Application launches as a standard user
  • requireAdministrator: Application fails to launch

 
 
Application Compatibility Toolkit

The Application Compatibility Toolkit (ACT) is a Microsoft toolkit that enables WinBatch developers to determine whether their compiled EXEs are compatible with a new version of the Microsoft® Windows® operating system. ACT also enables such individuals to determine how an update to the new version will impact their applications.

 
Administering UAC with the local Security Policy Editor and Group Policy

Prior to Windows Vista, standard users often had the option of installing applications. The key difference then was that, although administrators could create Group Policy settings to limit application installations, they did not have access to limit application installations for standard users as a default setting. In a UAC environment, they do, and administrators can still use Group Policy to define an approved list of devices and deployment.

There are eight Group Policy object (GPO) settings that can be configured for UAC. The following table lists each setting, its description, and its default value.

User Account Control: Admin Approval Mode for the Built-in Administrator account

There are two possible settings:

• Enabled - The built-in Administrator will be run as an administrator in Admin Approval Mode.

• Disabled - The administrator runs with a full administrator access token.

Default value:

• Disabled for new installations and for upgrades where the built-in Administrator is NOT the only local active administrator on the computer. The built-in Administrator account is disabled by default for installations and upgrades on domain-joined computers.

• Enabled for upgrades when Windows Vista determines that the built-in Administrator account is the only active local administrator on the computer. If Windows Vista determines this, the built-in Administrator account is also kept enabled following the upgrade. The built-in Administrator account is disabled by default for installations and upgrades on domain-joined computers.

 

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

There are three possible values:

• No prompt – The elevation occurs automatically and silently. This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments and is NOT recommended.

• Prompt for consent – An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either Continue or Cancel. If the administrator clicks Continue, the operation will continue with their highest available privilege.

• Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

Default value: Prompt for consent

User Account Control: Behavior of the elevation prompt for standard users

There are two possible values:

• No prompt – No elevation prompt is presented and the user cannot perform administrative tasks without using Run as administrator or by logging on with an administrator account. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.

• Prompt for credentials – An operation that requires a full administrator access token will prompt the user to enter an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

Default value: Enabled

User Account Control: Only elevate executables that are signed and validated

There are two possible values:

• Enabled - Only signed executable files will run. This policy will enforce PKI signature checks on any interactive application that requests elevation. Enterprise administrators can control the administrative application allowed list through the population of certificates in the local computer's Trusted Publisher Store.

• Disabled - Both signed and unsigned code will be run.

Default value: Disabled

User Account Control: Only elevate uiAccess applications that are installed in secure locations

There are two possible values:

• Enabled - The system will only give uiAccess privileges and user rights to executables that are launched from under %ProgramFiles% or %windir%. The ACLs on these directories ensure that the executable is not user-modifiable (which would otherwise allow elevation of privilege). uiAccess executables launched from other locations will launch without additional privileges (i.e. they will run "asInvoker").

• Disabled - The location checks are not done, so all uiAccess applications will be launched with the user's full access token upon user approval.

Default value: Enabled

User Account Control: Run all administrators in Admin Approval Mode

There are two possible values:

• Enabled - Both administrators and standard users will be prompted when attempting to perform administrative operations. The prompt style is dependent on policy.

• Disabled - UAC is essentially "turned off" and the AIS service is disabled from automatically starting. The Windows Security Center will also notify the logged on user that the overall security of the operating system has been reduced and will give the user the ability to self-enable UAC.

Note: Changing this setting will require a system reboot.

Default value: Enabled

User Account Control: Switch to the secure desktop when prompting for elevation

There are two possible values:

• Enabled - Displays the UAC elevation prompt on the secure desktop. The secure desktop can only receive messages from Windows processes, which eliminates messages from malicious software.

• Disabled - The UAC elevation prompt is displayed on the interactive (user) desktop.

Default value: Enabled

User Account Control: Virtualize file and registry write failures to per-user locations

There are two possible values:

• Enabled - This policy enables the redirection of pre-Windows Vista application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%; %Windir%; %Windir%\system32; or HKLM\Software\.... This setting should be kept enabled in environments that utilize non-UAC compliant software. Applications that lack an application compatibility database entry or a requested execution level marking in the application manifest are not UAC compliant.

• Disabled - Virtualization facilitates the running of pre-Windows Vista (legacy) applications that historically failed to run as a standard user. An administrator running only Windows Vista compliant applications may choose to disable this feature as it is unnecessary. Non-UAC compliant applications that attempt to write %ProgramFiles%; %Windir%; %Windir%\system32; or HKLM\Software\.... will silently fail if this setting is disabled.

Default value: Enabled

 

Configure the UAC Group Policy settings.

You must be logged in as a member of the local Administrators group to perform the procedure. You can also perform the procedure as a standard user if you are able to provide valid credentials for an administrator account at the User Account Control credential prompt.

 To configure the UAC Group Policy settings:

1.  Click Start, click Run, type secpol.msc, and then click OK.

2.  In Security Settings, expand Local Policies, and then select Security Options.

3.  In the details pane (the right pane), right-click the relevant UAC setting and select Properties.

4.  Use the drop-down list-box to choose the appropriate value for the setting.

Note: Modifying the User Account Control: Run all administrators in Admin Approval Mode setting will require a computer restart before the setting becomes effective. All other UAC Group Policy settings are dynamic and do not require a reboot.

 

Disabling UAC

Disabling the User Account Control: Run all administrators in Admin Approval Mode setting turns UAC “off.” Files and folders are no longer virtualized to per-user locations for non-UAC compliant applications, and all local administrators are automatically logged in with a full administrative access token. Disabling this setting essentially causes Windows Vista to revert to the Windows XP user model. While some non-UAC compliant applications may recommend turning UAC off, it is not necessary to do so, since Windows Vista includes folder and registry virtualization for pre-Windows Vista or non-UAC compliant applications by default. Turning UAC off opens your computer to system-wide malware installs. If this setting is changed, a system restart will be required in order for this change to go into effect.
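
One way to check a machine for the weakened settings described above (UAC turned off, the "No prompt" behavior for administrators, the secure desktop or the uiAccess location check disabled). This is an added example, not WinBatch or Microsoft code; the registry path and value names are the ones Windows uses to store these policies and do not appear on this page, and the sample data is constructed.

```powershell
# Added example: audit the registry values behind four UAC security options.
# Value names are Windows' own (not from the page); sample data is constructed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# secpol.msc policy name -> backing DWORD, the data that weakens it, and why.
$checks = @(
    [pscustomobject]@{ Policy = 'Run all administrators in Admin Approval Mode'
        Value = 'EnableLUA'; Weak = 0
        Risk = 'UAC is off; administrators log on with a full access token' }
    [pscustomobject]@{ Policy = 'Behavior of the elevation prompt for administrators'
        Value = 'ConsentPromptBehaviorAdmin'; Weak = 0
        Risk = 'No prompt: elevation is automatic and silent' }
    [pscustomobject]@{ Policy = 'Switch to the secure desktop when prompting'
        Value = 'PromptOnSecureDesktop'; Weak = 0
        Risk = 'Prompt is shown on the interactive (user) desktop' }
    [pscustomobject]@{ Policy = 'Only elevate uiAccess applications in secure locations'
        Value = 'EnableSecureUIAPaths'; Weak = 0
        Risk = 'Location checks for uiAccess executables are not done' }
)

# Classify each setting: NotSet (Windows default applies), Weak, or OK.
function Test-UacPolicy {
    param([hashtable]$Current)      # value name -> DWORD data
    foreach ($c in $checks) {
        $data = $Current[$c.Value]
        $state = if ($null -eq $data) { 'NotSet' } elseif ($data -eq $c.Weak) { 'Weak' } else { 'OK' }
        [pscustomobject]@{
            Policy = $c.Policy; Value = $c.Value; Data = $data; State = $state
            Risk   = if ($state -eq 'Weak') { $c.Risk } else { '' }
        }
    }
}

# Read the live values from the local registry into a hashtable.
function Get-UacPolicyData {
    $current = @{}
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($c in $checks) {
        $p = if ($props) { $props.PSObject.Properties[$c.Value] }
        if ($p) { $current[$c.Value] = [int]$p.Value }
    }
    $current
}

# Constructed sample: UAC enabled, but administrators elevate silently.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 1 }
Test-UacPolicy -Current $sample | Format-Table Policy, Data, State, Risk -AutoSize

# Live check on the local machine: list anything that is not OK.
Test-UacPolicy -Current (Get-UacPolicyData) | Where-Object State -ne 'OK'
```

A change to EnableLUA only takes effect after the restart noted above, so a value read from the registry can differ from the running state until the machine reboots.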

 
More Information on UAC

This is only a basic explanation of UAC. For more info on UAC:

UAC Facts

Manifests

Code Signing

 

Understanding and Configuring User Account Control in Windows Vista