Friday 12 August 2011

How to make your application UAC compliant

From Vista onwards Microsoft has been using security technology called User Account Control (UAC) which aims to prevent malware execution.

User account groups in Windows OS (from Vista on) range from those that are fully limited (e.g. "Users" group) to those with fully unrestricted access to computer ("Administrators"). Upon log on, standard user gets session that is assigned with an access token with restricted privileges. Member of Administrators group gets session assigned with two tokens - one with restricted (filtered) and one with unrestricted (elevated) privileges. In both cases all applications are run by default in the security context of the user with restricted token. This is because user-initiated applications inherit access token from explorer.exe (desktop) which always runs with restricted token. So, even if user logs on as Administrator, application they run will not have elevated rights but only rights of the standard user. For most of the applications running with restricted rights is not a problem but what if application needs to change certain parts of the file system (e.g. write into "Program Files" directory) or registry (HKLM keys), areas for which elevated rights are required? It depends on the application manifest (described in the next paragraph) and account type of the logged on user.

User that runs some application does not know what privileges it needs in order to run properly. Program will fail if it requires unrestricted privileges but is run without elevation, no matter by which user. To prevent this, a simple solution was invented: application itself carries information which tells OS which privileges (execution level) it needs. They are written in a manifest, a part of resources embedded into executable. Applications with manifest are signed or UAC compliant (don't confuse this with the term 'digitally signed').

If standard user runs signed application that requires elevated privileges, they are prompted (UAC Credential Prompt) to enter Administrator's credentials. If Administrator runs such application, they still need to confirm they allow this program to run (UAC Consent Prompt). So, in both cases user is aware that application they run requires unrestricted privileges and it is not run automatically. This prevents programs (potentially malware) to run unnoticed which is the basic idea of UAC.

What about applications that are not UAC compliant? No matter which user runs it UAC Consent Prompt appears first and program is run with restricted privileges unless user use "Run as Administrator" context menu option in which case standard user is prompted for Administrator's credentials.

Microsoft strongly suggest making all application UAC compliant as in future Windows releases applications without manifest will not be able to run with elevated rights at all.

So, how we can make our application UAC compliant if developing in Visual Studio?

Add linker option /MANIFESTUACGo to Properties->Configuration Properties->Linker->Manifest File and set Enable User Account Control to Yes.

How to set execution level our application requests from OS?

Add level attribute and its value to the option /MANIFESTUAC: /MANIFESTUAC:level='value'. Set UAC Execution Level to one of the following values:
  • asInvoker - no elevation; application will run with same rights as its parent process (process that started it). E.g. if you run Windows Commander as Administrator, and then you run some executable from it, that executable will be run as Administrator as well. Be aware that Windows Explorer (desktop) run as standard users, even for Administrators so applications run from it will run as standard users as well!
  • highestAvailable - conditional elevation; application will get highest permissions it can. Standard user can run it only with its, restricted permissions. Administrator in admin-approval mode needs to retype its credentials in order to run this application with administrator rights (elevation takes place here). Otherwise application is run with restricted token. 
  • requireAdministrator - elevation takes place always; application will run only with elevated rights. Administrator will run it with elevated rights. Standard user will be prompted for Administrator's credentials.
There is one more attribute of UAC manifest, called UAC Bypass UI Protection (/uiAccess='[true|false]') which determines whether application run with restricted token can send Windows messages to applications running with full privileges. If set to false, it enables UI Privilege Isolation.

References and useful links:

User Account Control (Wikipedia)
User Account Control (MSDN)
Teach Your Apps To Play Nicely With Windows Vista User Account Control

No comments: