JoeSchmoe007
Premium Member
join:2003-01-19
Brooklyn, NY

JoeSchmoe007

Premium Member

[WIN7] Need clarification on UAC in Windows 7

This article:

»www.istartedsomething.co ··· elevate/

refers to Windows 7 Beta.

Does anyone know if it was ever fixed in production version?
Frodo
join:2006-05-05

Frodo

Member

When I got this new computer with Windows 7, among the earliest things I did was to change the UAC setting from the default to the highest setting.

There is always the task scheduler hack to work around any prompts I don't want to see.

I have no idea whether they "fixed" it or not.

plencnerb
Premium Member
join:2000-09-25
53403-1242

1 edit

1 recommendation

plencnerb to JoeSchmoe007

Premium Member

to JoeSchmoe007
Well, I took the time to look at all of the comments that had been posted to that article.

About 1/2 way down the page, I came across this one.




Unfortunately, the URL was not posted correctly to the comment section. Notice that only part of it appears as a "link" (the red part), then there is the three dots, and the rest of the URL is listed. However, there is a part in the middle that is missing.

If you do click on that, you get this




The partial URL is
http://www.neowin.net/news/main/09/02/05/m
 

So, you need to add something after that, and then at the end, append "ws-7-uac-issues"

If there was a way to find the missing middle part of the URL, then I think we can get an answer if it was fixed or not.



EDIT



I did some searching and looking on neowin's webpage, and I came across the proper url for that article.

I have not read that one yet, or all of its comments, but here is the correct url

»www.neowin.net/news/main ··· c-issues

--Brian
JoeSchmoe007
Premium Member
join:2003-01-19
Brooklyn, NY

JoeSchmoe007 to Frodo

Premium Member

to Frodo
said by Frodo:

When I got this new computer with Windows 7, among the earliest things I did was to change the UAC setting from the default to the highest setting.

There is always the task scheduler hack to work around any prompts I don't want to see.

I have no idea whether they "fixed" it or not.

Can you elaborate on that task scheduler hack?
JoeSchmoe007

JoeSchmoe007 to plencnerb

Premium Member

to plencnerb
said by plencnerb:

Well, I took the time to look at all of the comments that had been posted to that article.

About 1/2 way down the page, I came across this one.

[attachment=1]

Unfortunately, the URL was not posted correctly to the comment section. Notice that only part of it appears as a "link" (the red part), then there is the three dots, and the rest of the URL is listed. However, there is a part in the middle that is missing.

If you do click on that, you get this

[attachment=2]

The partial URL is

http://www.neowin.net/news/main/09/02/05/m
 

So, you need to add something after that, and then at the end, append "ws-7-uac-issues"

If there was a way to find the missing middle part of the URL, then I think we can get an answer if it was fixed or not.



EDIT



I did some searching and looking on neowin's webpage, and I came across the proper url for that article.

I have not read that one yet, or all of its comments, but here is the correct url

»www.neowin.net/news/main ··· c-issues

--Brian

Thanks for the investigation.

I've read that and there is a link to this article in comments:

»blogs.msdn.com/b/e7/arch ··· -up.aspx

So it looks like it was fixed in RTM.
Frodo
join:2006-05-05

Frodo to JoeSchmoe007

Member

to JoeSchmoe007
said by JoeSchmoe007:

Can you elaborate on that task scheduler hack?

A quick search shows this example.
»www.techrepublic.com/blo ··· mpt/730/
This example uses a task set up in task manager that runs with highest privileges and uses a shortcut such as “ schtasks /run /TN "Launch Device Manager" ”.

This seems to be the common approach. My approach is to set up one task that is triggered by an entry in the event logs. Here is my .vbs script to start process explorer that would otherwise trigger a UAC prompt
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.LogEvent 4, "0323422zzsa Trigger ProcessExplorer"
 

In the task, I have edited the xml filter to respond to the event log entry
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=4 or Level=0) and (EventID=4)]] and *[EventData[Data='0323422zzsa Trigger AdminMenu' or Data='0323422zzsa Trigger ProcessExplorer' or Data='0323422zzsa Trigger eventvwr.msc']]</Select>
  </Query>
</QueryList>
 
The task runs another script that I set up, eventrun.vbs.

' eventrun.vbs: started by the event-triggered task; the third argument selects the program to launch
WScript.Timeout = 5
Set args = WScript.Arguments
If args.Count <> 3 Then
  WScript.Echo "Event parameter missing"
  WScript.Quit (1)   ' stop here; reading args(2) below would otherwise raise an error
End If
'Eventparm = args(2)
If args(2) = "AdminMenu" Then
  eventparm = "cmd.exe /c start cmd.exe /c C:\bin\AdmMenu.bat"
  CreateObject("WScript.Shell").Run eventparm, 1, False
End If

If args(2) = "ProcessExplorer" Then
  eventparm = "C:\Bin\Filemon\ProcessExplorer\procexp.exe"
  CreateObject("WScript.Shell").Run eventparm, 1, False
End If
WScript.Quit (0)
 

I like the task manager to start the appropriate program, and then get out of the picture. I don't like a task running for the entire duration that a program is running. Right now, I have a batch file with various things I may need to run as admin that I fire from a shortcut in quick launch, and process explorer from a shortcut on the desktop.

My admin menu batch file
@echo off
setlocal
Title Administration Menu
set errormsgx=
::Created by acem77 8/31/10
::http://social.msdn.microsoft.com/Forums/en-US/ieextensiondevelopment/thread/ce81943b-32b8-437b-b620-171c3d5893e7/
rem http://stackoverflow.com/questions/5274397/clearing-ie-cache-programatically-vs-inetcpl-cpl-clearmytracksbyprocess
:home
cls
COLOR 9E
echo.%errormsgx%
echo Windows 7 Administration Panel
echo Please select the task you wish to run.
echo Pick one: 
echo.
echo  1. Open Event Viewer
echo  2. Open Advanced Firewall
echo  3. Open Task Manager
echo  4. Services
echo  5. MSconfig - StartUp stuff
echo  6. Computer Management 
echo  7. Administrative Command Prompt 64Bit
echo  8. Administrative Command Prompt 32Bit
echo  9. Device Manager
echo  0. Control Panel
echo  a. Notepad Hosts
echo  x. EXIT
:choice
Echo Hit a number [0-9] and press enter. 
set /P CH=[0-9,a]
::set /P CH=
if "%CH%"=="1"  set x=start eventvwr.msc
if "%CH%"=="2"  set x=start wf.msc
if "%CH%"=="3"  set x=start Taskschd.msc 
if "%CH%"=="4"  set x=start services.msc
if "%CH%"=="5"  set x=start msconfig.exe
if "%CH%"=="6"  set x=start %windir%\system32\compmgmt.msc /s
if "%CH%"=="7"  set x=start %windir%\system32\cmd.exe
if "%CH%"=="8"  set x=start %windir%\SysWOW64\cmd.exe
if "%CH%"=="9"  set x=start /min C:\Bin\Hiddendevice.bat
if "%CH%"=="0"  set x=start %windir%\system32\Control.exe
if "%CH%"=="a"  set x=start %windir%\notepad.exe %windir%\system32\drivers\etc\hosts
if "%CH%"=="x" goto quit
if "%CH%"=="X" goto quit
::echo %x%
c:\Bin\sleep 1
if not "%x%"=="" goto runcmd
set x=
set errormsgx=   !!! - Invalid choice entered - %CH% - Retry - !!!
set CH=
goto home
:runcmd
 %x%
set x=
set CH=
set errormsgx=
goto Home
:quit
set x=
set CH=
set errormsgx=
endlocal
color
 
I'm happy with UAC and my bypass and so forth.
JoeSchmoe007
Premium Member
join:2003-01-19
Brooklyn, NY

JoeSchmoe007

Premium Member

Well, whatever was fixed in RTM - there are still vulnerabilities in UAC.

See this article: »www.pretentiousname.com/ ··· st2.html

At the top of the page it says that everything still applies to W7 as of September 2011 and to the Windows 8 Developer Preview released on 13/Sep/2011.
Frodo
join:2006-05-05

Frodo

Member

I think the proof of concept page is informative.
»www.pretentiousname.com/ ··· ils.html
quote:
We inject code into the selected process and make it run that code on a new thread. (There are no restrictions to doing this so long as the selected process is a peer of ours; i.e. same session(I think?), user and integrity level. Explorer.exe runs at medium integrity...

This is why I don't think that internet programs, such as a web browser should be running at medium integrity. I also run them using runas as an alternative user.
quote:
The injected code creates an elevated IFileOperation object. (If the Win7 defaults are in effect and the selected process is a Windows Publisher one then this does not trigger a UAC prompt.)

From day one with this computer, I switched the UAC to the highest setting. I didn't know why, but I wanted to make sure that in every instance, I would be alerted to administrative changes. If software has been vetted by me, such as process explorer, then I'll create a task scheduler workaround so I don't see the UAC prompt.

On the to do list is to make sure that all programs known to me to seek elevation, such as process monitor are read only to non-administrative processes.
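
For the task scheduler workaround and the to-do item above (keeping programs that run elevated read-only to non-administrative processes), the first step is knowing which files an elevated task actually executes. The sketch below is an added example, not part of any post in this thread: it parses a task exported with `schtasks /query /xml` and reports whether the task runs with highest privileges, which event-log filter triggers it, and which files deserve an ACL review. The sample task is constructed; the `eventrun.vbs` path and the shortened filter are assumptions.

```python
import shlex
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample in the Task Scheduler export format (schtasks /query /xml).
# The filter is shortened from the one in the thread; the script path is assumed.
QUERY = ("<QueryList><Query Id='0' Path='Application'><Select Path='Application'>"
         "*[System[(EventID=4)]] and "
         "*[EventData[Data='0323422zzsa Trigger ProcessExplorer']]"
         "</Select></Query></QueryList>")
SAMPLE_TASK = rf"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Subscription>{escape(QUERY)}</Subscription></EventTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>C:\Bin\eventrun.vbs</Arguments></Exec>
  </Actions>
</Task>"""


def audit_task(xml_text):
    """Summarise one exported task: elevation, event triggers, files it executes."""
    root = ET.fromstring(xml_text)
    # Principals whose RunLevel is HighestAvailable run without a UAC prompt.
    elevated_ids = {
        p.get("id") for p in root.findall("t:Principals/t:Principal", NS)
        if p.findtext("t:RunLevel", "LeastPrivilege", NS) == "HighestAvailable"
    }
    actions = root.find("t:Actions", NS)
    triggers = []
    for sub in root.findall("t:Triggers/t:EventTrigger/t:Subscription", NS):
        # The subscription is an escaped <QueryList> document of its own.
        for sel in ET.fromstring(sub.text).iter("Select"):
            triggers.append((sel.get("Path"), sel.text))
    files = []
    for exe in actions.findall("t:Exec", NS):
        files.append(exe.findtext("t:Command", "", NS))
        args = exe.findtext("t:Arguments", "", NS)
        # Arguments that look like paths are scripts the elevated host will run.
        files += [a.strip('"') for a in shlex.split(args, posix=False) if "\\" in a]
    return {
        "elevated": actions.get("Context") in elevated_ids,
        "event_triggers": triggers,
        "review_files": files,
    }


if __name__ == "__main__":
    print(audit_task(SAMPLE_TASK))
```

Every file in `review_files`, and every program or batch file those scripts go on to launch, should be writable only by administrators when `elevated` is true.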
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

said by Frodo:

This is why I don't think that internet programs, such as a web browser should be running at medium integrity. I also run them using runas as an alternative user.

That's exactly what I'm doing in WXP for a long time, running as administrator. I launch browsers (IE8 and Iron) with limited privileges. I don't need any prompts for elevating every application that I want run though... I consider it as a waste of my valuable time.
Frodo
join:2006-05-05

Frodo

Member

said by OZO:

That's exactly what I'm doing in WXP for a long time, running as administrator. I launch browsers (IE8 and Iron) with limited privileges. I don't need any prompts for elevating every application that I want run though. ...

I reduced privileges in XP also, but a process running with lesser privileges can use functions such as sendmessage to communicate with processes running with higher privileges. Vista and beyond introduced UIPI to block that, using integrity levels. That's why I think it's important to keep internet related processes at a lower integrity level than explorer.

I'm not sure, but maybe the separate user may help, however, the processes are sharing the same desktop.

As far as excessive UAC prompts, I deem the problem as a lousy administrator issue, since there are workarounds to get vetted processes running without a prompt. Only prompt I've seen today is for process monitor, since I've been too lazy to write a workaround.
OZO
Premium Member
join:2003-01-17

1 edit

OZO

Premium Member

said by Frodo:

As far as excessive UAC prompts, I deem the problem as a lousy administrator issue, since there are workarounds to get vetted processes running without a prompt.

And I think the OP of this thread has found a good solution for that