UAC Facts

This is a list of things to watch out for when developing your WinBatch scripts:

Administrative types of operations

This is a list of functions known to require administrator privileges when UAC is on. Scripts that include these functions should have the manifest setting requireAdministrator.

IMPORTANT!: This is not a complete list of functions and will be updated as necessary:

WIL Functions

AppExist (relies on Performance Monitoring)
AppWaitClose (relies on Performance Monitoring)
ComputerNameSet
FileCopy (protected directories: Program Files or Windows directory)
FileCopyAttr (protected directories: Program Files or Windows directory)
FileDelete (protected directories: Program Files or Windows directory)
FileMove (protected directories: Program Files or Windows directory)
FileMoveAttr (protected directories: Program Files or Windows directory)
FileOpen (protected directories: Program Files or Windows directory)
FilePut (protected directories: Program Files or Windows directory)
FilePutW (protected directories: Program Files or Windows directory)
FileRename (protected directories: Program Files or Windows directory)
FileTimeTouch (protected directories: Program Files or Windows directory)
FileTimeSet (protected directories: Program Files or Windows directory)
FileTimeSetEx (protected directories: Program Files or Windows directory)
FileWrite (protected directories: Program Files or Windows directory)
IgnoreInput
IniDelete (protected Windows directory)
IniDeletePvt (protected directories: Program Files or Windows directory)
IniWrite (protected Windows directory)
IniWritePvt (protected directories: Program Files or Windows directory)
IntControl 58 (set system time)
IntControl 84
RegApp (protected key)
RegConnect
RegLoadHive (protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT)
RegQuery__ (protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT)
RegSet__ (protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT)
RegUnloadHive (protected keys: HKEY_LOCAL_MACHINE or HKEY_CLASSES_ROOT)
TerminateApp (relies on Performance Monitoring)
WinExeName (relies on Performance Monitoring)

Extender Functions

Control Manager Extender (relies on Performance Monitoring): cWndByWndSpec, cWndByWndSpecName, cWndGetWndSpec, cWndGetWndSpecName
Process Extender (relies on Performance Monitoring): tListProc
Win32 Network Extender (add or delete user accounts): wntUserAdd, wntUserDelete
ADSI Extender (add or delete user accounts): dsCreateObj, dsDeleteObj

uiAccess TRUE issues

If the manifest's uiAccess attribute is set to TRUE, then:

  1. The EXE must execute from a protected folder (e.g. \Program Files\... or \Windows\System32\...).
  2. The EXE must be code signed with a valid code signing certificate.

Control Manager Extender

Running a compiled WinBatch EXE that contains Control Manager Extender functions on a Windows system with UAC enabled requires:

  1. The manifest's uiAccess attribute set to TRUE
  2. The EXE is code signed
  3. The EXE is installed in or under the "Program Files" folder or in the "Windows\System32" folder
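The manifest settings this page refers to (requireAdministrator for scripts that call the functions listed earlier, and uiAccess for the Control Manager Extender), shown as an added example of a Windows application manifest; it is not from the original page, and the assemblyIdentity name and version are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Placeholder identity for the compiled script; use your own name/version. -->
  <assemblyIdentity name="Example.MyScript" version="1.0.0.0"
                    processorArchitecture="X86" type="win32"/>
  <description>Example WinBatch EXE that writes to HKEY_LOCAL_MACHINE</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <!--
          level="requireAdministrator": always run elevated. UAC prompts for
              consent, or for admin credentials when a standard user runs it.
              Use this when the script calls the functions listed above.
          level="highestAvailable":   what WBT files run with; elevate only if
              the user is an administrator, otherwise run as a standard user.
          level="asInvoker":          run with the caller's token, no prompt.
              Needed for programs launched at startup and for scripts that
              must see the drives the user mapped in Windows Explorer.
          uiAccess="true":            only honoured when the EXE is code signed
              and runs from Program Files or Windows\System32; needed for the
              Control Manager Extender functions.
          Any requestedExecutionLevel also switches off Installer Detection
          and registry virtualization for this EXE.
        -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```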

Roboscripter / Control Manager Extender

ISSUE: 'Minor Error Occured' when trying to execute an 'action' in Roboscripter on Vista 64.

These functions are designed for 32-bit Windows application controls and cannot be used on 64-bit controls:

cClearLVItem
cClearTVItem
cClickToolbar
cDblClickItem
cGetCalDate
cGetHRText
cGetIpAddr
cGetLVColText
cGetLvDdtText
cGetLvFocText
cGetLvSelText
cGetLVText
cGetSBText
cGetTBText
cGetTVItem
cGetUpDownMax
cGetUpDownMin
cSetCalDate
cSetDTPDate
cSetLVItem
cSetTVItem
cSetUpDownPos

DiskScan Issues

DiskScan(4) is returning a blank string on Windows Vista, even though Windows Explorer shows the network drive mappings.

ISSUE: When running as an Administrator on Vista or newer, the user has two contexts: the limited user context and the administrator context. When you map drives in Windows Explorer, they are added only for the limited user context, so when the script runs in the administrative context no mapped drives are 'seen' by the script. WBT files run with the user elevation 'HighestAvailable', which means that under an Administrator account the script runs in the context of the administrator, NOT the user.

OPTIONS:

  • Map the drives under the administrator context in the first place.
  • Compile the script using the AsInvoker manifest (tells the script to run within the user-level context).
  • Set the following Registry value to get access to those drives from both 'integrity' levels:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1
  • Administrative users should map network drives under the limited user token. This mapping is accomplished by scheduling the script to run using the Task Scheduler. The Task Scheduler launches the script under the administrative full token, thereby allowing Windows Explorer, other limited token processes, and the elevated token process to view the mapped network drives.

Many other functions are also affected by this issue: almost any function that references the mapped drive, such as DirChange, FileOpen, FileExist, FileItemize, wntGetCon, etc.

Run 1932 WinExec Error 'Requested Operation Requires Elevation'

If Run, RunWait or RunShell fails with the '1932: WinExec Function Failed' error and the additional error information 'Requested Operation Requires Elevation', call ShellExecute instead; it will prompt the user for elevation if necessary.

Registry Issues

Windows Vista and newer clamp down on Windows applications that require administrative privileges, specifically applications that 'unnecessarily' write to HKEY_LOCAL_MACHINE (HKLM) or to system parts of the file system. For example, HKEY_LOCAL_MACHINE only grants KEY_WRITE to administrators and the SYSTEM account, so an application that requests KEY_WRITE to HKEY_LOCAL_MACHINE will not work with UAC enabled.

Registry virtualization is a Microsoft application compatibility technology that enables registry write operations that have global impact to be redirected to per-user locations. This redirection is transparent to applications reading from or writing to the registry. It is supported starting with Windows Vista. Registry operations to the global store (HKEY_LOCAL_MACHINE\Software) are redirected to a per-user location within the user's profile known as the virtual store (HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software). Keep this in mind when developing scripts that write to the registry. The function RegOpenFlags lets you specify an alternate view of the registry for Reg[..] functions which create, open, and delete registry keys, when running on (or accessing) a 64-bit Windows platform.

File System Redirection

WinBatch is a 32-bit application. When it runs on a 64-bit Windows platform, the Windows file system automatically redirects file operations that refer to 64-bit directories to their 32-bit equivalents. For example, the %windir%\System32 directory is reserved for 64-bit applications. Since most system DLL file names were not changed when porting to 64-bit, 32-bit applications must use a different directory as their System32 directory. WOW64 hides this difference using file system redirection: whenever a 32-bit application like WinBatch attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64. IntControl 92 can be used to disable this redirection.

RunOnce and Startup Issues

On Vista or newer this issue occurs when a program or service that has User Account Control (UAC) restrictions tries to start during the Windows startup or logon process. Software Explorer blocks programs or services that require UAC confirmation from running. To let you know that the program has been blocked, a message appears in the notification tray at the bottom right of your desktop, near the clock.

Those who wish to have their compiled WinBatch scripts as part of the startup process are encouraged to architect their applications to run AsInvoker so that all users (that is, administrators and standard users) can run the software without the need for a UAC elevation.

The UacExePromptTest function can be used to check whether an EXE will cause a UAC prompt. If the EXE causes a UAC prompt, Vista will not allow it to run at startup.

Possible workaround:

This will allow your script to run at Windows startup with full permissions and no longer display the blocked-program alert in the bottom right tray.

Remove the EXE from the Startup folder, then create a task with full permissions using the Task Scheduler:

1. Launch the Task Scheduler: Start Menu | All Programs | Accessories | System Tools.
2. From the Actions panel on the right, select Create Task...
   a. Enter a name for the task in the "Name" field.
3. On the General tab, under Security Options:
   a. Select a user account with administrative privileges.
   b. Select the radio button 'Run only when user is logged on'.
   c. Check the box 'Run with highest privileges'.
4. On the Triggers tab, click New...
   a. In 'Begin the task', select 'At log on'.
   b. In the Settings options, select 'All users'.
   c. In the 'Advanced settings' options, check the box 'Enabled'.
   d. Click OK to close the dialog.
5. On the Actions tab, click New...
   a. For Action, select 'Start a program'.
   b. In the Settings options, browse for the script you want to execute on startup.
   c. Click OK to close the dialog.
6. On the Settings tab:
   a. Check the box 'Run task as soon as possible after a scheduled start is missed'.
   b. Uncheck the box 'Stop the task if it runs longer than'.
7. Make any other desired settings.
8. Click OK to save and close the task properties.
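The same task, written as a Task Scheduler XML definition that can be imported from an elevated command prompt with schtasks /Create /TN "MyScript" /XML MyScript.xml (an added example, not from the original page; the account name and EXE path are placeholders):

```xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <!-- Exported tasks are UTF-16; save the file in that encoding or change the
       declaration above to match the encoding you actually use. -->
  <RegistrationInfo>
    <Description>Run the compiled WinBatch script at logon (example task)</Description>
  </RegistrationInfo>
  <Triggers>
    <!-- Step 4: 'At log on' for all users (no UserId element = any user). -->
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <!-- Step 3: administrative account, 'Run only when user is logged on'
         (InteractiveToken) and 'Run with highest privileges' (HighestAvailable).
         EXAMPLE\AdminUser is a placeholder account name. -->
    <Principal id="Author">
      <UserId>EXAMPLE\AdminUser</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <!-- Step 6a: run as soon as possible after a missed start. -->
    <StartWhenAvailable>true</StartWhenAvailable>
    <Enabled>true</Enabled>
    <!-- Step 6b: PT0S means no execution time limit (box unchecked). -->
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <!-- Step 5: 'Start a program'; the path is a placeholder. -->
    <Exec>
      <Command>C:\Program Files\MyScript\MyScript.exe</Command>
    </Exec>
  </Actions>
</Task>
```

Because the task runs with HighestAvailable under an administrator account, the EXE starts elevated without a UAC prompt, which is exactly why the GUI procedure above avoids the blocked-program alert.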

The reason the Task Scheduler solution is allowed to work is that non-administrative programs cannot create scheduled tasks, so there is no way for malware to abuse this service in the way that is possible with the other startup methods.

Unknown Publisher

If you do not sign your compiled WinBatch EXEs, Windows Vista or newer makes your program appear as if it were malware or a virus. When you run an EXE on Vista or newer, you may receive a message asking whether you trust the application you are about to run. If your EXE is not digitally signed, the popup message will reference an "Unknown Publisher". If the EXE is digitally signed, the popup message will show your own publisher information instead.

NOTICE: Down the road, Windows will require any EXE, regardless of functionality, running under UAC, to be signed and trusted.

Installer Detection Technology

Installation programs are applications designed to deploy software, and most write to system directories and registry keys. These protected system locations are typically writeable only by an administrator user, which means that standard users do not have sufficient access to install programs. Windows Vista and newer heuristically detect installation programs and request administrator credentials or approval from the administrator user in order to run with access privileges. Windows also heuristically detects updater and uninstallation programs. Note that a design goal of UAC is to prevent installations from being executed without the user's knowledge and consent, since they write to protected areas of the file system and registry.

Installer Detection only applies to:

  1. 32-bit executables (which includes compiled WinBatch EXEs)
  2. Applications without a requestedExecutionLevel (no manifest)
  3. Interactive processes running as a Standard User with LUA enabled

Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:

  • Filename includes keywords like "install," "setup," "update," etc.
  • Keywords in the following Versioning Resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
  • Keywords in the side-by-side manifest embedded in the executable.
  • Keywords in specific StringTable entries linked in the executable.
  • Key attributes in the RC data linked in the executable.
  • Targeted sequences of bytes within the executable.

Note: Installer Detection should not affect your WinBatch scripts that include a Manifest.

More Information on UAC

This is only a basic explanation of UAC. For more information on UAC, see:

UAC

Manifests

Code Signing

Understanding and Configuring User Account Control in Windows