Posts Tagged ‘Vista’

UAC, are you high?

February 7, 2011

MSDN has a Starting Low Integrity Processes sample that creates a process with a Low IL and this works fine if the parent is running at Medium IL, but if the parent is running at High IL, UAC elevation no longer works. (The sample code does not talk about High IL parent, only Medium IL parents)

Windows does not seem to take the Integrity Level into account when checking for admin rights:
UAC Low IL Admin
When requesting elevation, it does not seem to check if Current IL < High IL and just assumes that any token that has a non-deny administrators group SID is elevated and starts the process with the wrong IL when it really should show the consent UI and force the IL to be >= High IL on the new process. Once we are in this state (Non-deny admin. group SID and IL < 0x3000) there is no way for us to elevate a child process or to get a higher IL!

It would probably come as a surprise to most people that the simple reg.exe command fails when the console has the "Administrator: " prefix and most admin check methods (IsUserAnAdmin(), TokenElevationType=TokenElevationTypeFull and TokenElevation: TokenIsElevated!=0) indicate that you are elevated! IsUserAnAdmin is only documented to check group membership and is a pre Vista API, but the other two are elevated token/privileges specific so either my definition of elevated is wrong, or there are some major bugs with the IL handling.

Advertisements

UAC, RunAs silent fail?

January 26, 2011

When running as a standard user with UAC disabled, choosing “Run as administrator” from the context menu is broken!

Silent Bob

Not showing the consent UI is understandable since UAC is not “hooked” into the system, but just starting the process non-elevated without a warning dialog is just wrong. When the runas verb is used with ShellExecute and UAC is not enabled it should just show the old Run As dialog used in Windows 2000/XP/2003.

Left out of the mix

October 31, 2009

Ever since the release of windows 95 it has been possible to minimize the volume control:

Win95 Volume Control
WinXP Volume Control

In Vista, the minimize button was removed for no reason. Why Larry, why???

Vista Volume Control

Adding the window style back with a tool like WinSpy++ clearly shows that there is no technical reason for the removal.

Vista Volume Control Mod

Even adding the maximize button works. (I have a little program that runs in the background and fixes little annoyances like this, when I get around to talking about the stupid vista explorer tree view, I might talk more about this tool and what it does)

A file in the details pane is worth two in the statusbar

September 10, 2009

So tell me Explorer, which one is it, 95 or 96?

Explorer file count

If only the details pane would display basic info like free space, there would be no reason to show both the statusbar and the details pane. Then the file count would not be confusing, just possibly wrong.