Tuesday, October 29, 2013

Understanding what triggers the UAC prompt on Vista, W7, W8 and 8.1

Recently, I got escalated an issue where standard users were getting a UAC prompt when trying to open the registry editor (C:\Windows\Regedit.exe). Although many people on the net seem to think this is normal behaviour, it actually is not, unless the standard users have been assigned additional privileges.

Let's look in more detail at how UAC really works.

I started by reading the info documented here: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
and more specifically the section "Win 7 UAC Code-Injection: How it works". Although this does not explain why regedit.exe was asking for UAC for standard users, it is still interesting to know that there are groups of applications and that not all of them interact with UAC in the same way. Regedit.exe is not on the MS white list, so I kept digging.

My searches got me to stumble upon this forum entry, where the application manifest files were pointed out:
http://stackoverflow.com/questions/16370317/accessing-regedit-without-admin-rights

"You can run regedit without administrative privileges by launching it as a non-administrator. If you launch it as an administrator user, you get the UAC prompt, but if you launch it as a regular user, you get no prompt and most things outside of HKEY_CURRENT_USER are read-only.
regedit.exe is marked with <requestedExecutionLevel level="highestAvailable" uiAccess="false" />, which does not always ask for admin permissions, only if the current user is an administrator.
If you really need to run regedit as an admin user without admin rights, according to this thread, you can use the Compatibility Administrator tool to configure your system to ignore the requestedExecutionLevel"

To see the manifest for an application you can either open the exe in Notepad (you will find the manifest XML near the end of the file) or use the Sysinternals utility sigcheck with the -m switch followed by the exe's path.

A bit more digging on the net got me to the Microsoft documentation on how to create an application manifest, and this was the key to understanding the UAC behaviour. As per this MSDN article http://msdn.microsoft.com/en-us/library/bb756929.aspx applications use a manifest to communicate their needs to the operating system.
For UAC, the manifest attribute we are interested in is "requestedExecutionLevel":

    <requestedExecutionLevel
        level="asInvoker|highestAvailable|requireAdministrator"
        uiAccess="true|false"/>
Here is a description of each level:
And here is a description of the UAC behaviour for each level for Administrators, Standard Users and Standard Users with additional privileges.
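As an added example (my own code, not from the original post or from Microsoft), the following PowerShell reads the embedded manifest of an executable the same way the Notepad trick does, by scanning the file for the manifest XML (it is stored as plain UTF-8 text in the RT_MANIFEST resource), and then states the expected UAC behaviour for the three user types from the MSDN table referenced above. The function names are my own; whether a prompt asks for consent or for credentials is then decided by the consent policy settings discussed in the next section.

```powershell
# Added example, not part of the original post. Function names are my own.

function Get-ManifestExecutionLevel {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    # The manifest is embedded as UTF-8 text, so a raw scan of the file is enough.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)

    $m = [regex]::Match($text, '<assembly[\s\S]*?</assembly>')
    if (-not $m.Success) {
        return [pscustomobject]@{ Path = $Path; HasManifest = $false; Level = $null; UiAccess = $null }
    }
    $manifest = $m.Value

    # Pull level="..." and uiAccess="..." out of the requestedExecutionLevel element.
    $level = $null; $ui = $null
    $lvl = [regex]::Match($manifest, 'requestedExecutionLevel[^>]*\blevel\s*=\s*"([^"]+)"')
    if ($lvl.Success) { $level = $lvl.Groups[1].Value }
    $uia = [regex]::Match($manifest, 'requestedExecutionLevel[^>]*\buiAccess\s*=\s*"([^"]+)"')
    if ($uia.Success) { $ui = [bool]::Parse($uia.Groups[1].Value) }

    [pscustomobject]@{ Path = $Path; HasManifest = $true; Level = $level; UiAccess = $ui }
}

function Get-ExpectedUacBehaviour {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('asInvoker', 'highestAvailable', 'requireAdministrator')]
        [string]$Level,
        [Parameter(Mandatory)]
        [ValidateSet('Administrator', 'StandardUser', 'StandardUserWithExtraPrivileges')]
        [string]$UserType
    )
    # Behaviour per level and user type, as documented in the MSDN manifest article.
    # Consent vs. credential prompt is shaped by ConsentPromptBehaviorAdmin/User.
    $table = @{
        'asInvoker' = @{
            Administrator                   = 'No prompt; runs with the parent process token'
            StandardUser                    = 'No prompt; runs with the parent process token'
            StandardUserWithExtraPrivileges = 'No prompt; runs with the parent process token'
        }
        'highestAvailable' = @{
            Administrator                   = 'Prompt; elevates to the full administrator token'
            StandardUser                    = 'No prompt; runs as a standard user'
            StandardUserWithExtraPrivileges = 'Prompt; elevates to the user''s own highest token'
        }
        'requireAdministrator' = @{
            Administrator                   = 'Prompt; elevates to the full administrator token'
            StandardUser                    = 'Prompt for administrator credentials'
            StandardUserWithExtraPrivileges = 'Prompt for administrator credentials'
        }
    }
    $table[$Level][$UserType]
}

# Usage: regedit.exe is marked highestAvailable, so a standard user gets no prompt
# while a standard user with additional privileges does.
$info = Get-ManifestExecutionLevel -Path "$env:windir\regedit.exe"
$info
if ($info.HasManifest -and $info.Level) {
    foreach ($u in 'Administrator', 'StandardUser', 'StandardUserWithExtraPrivileges') {
        '{0,-34} {1}' -f $u, (Get-ExpectedUacBehaviour -Level $info.Level -UserType $u)
    }
}
```

The regex approach is deliberately tolerant of namespace prefixes and attribute order; if an exe has no embedded manifest at all, HasManifest comes back false and Windows falls back to its heuristics (installer detection, compatibility shims) instead of the manifest.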

The Consent policy settings (2nd column of the table above) can be identified either by looking at the GPO settings by running RSOP from an elevated command prompt, or through the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
The following Microsoft article explains every setting: http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
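As an added example (my own code, not from the original post), here is a PowerShell function that reads the UAC consent values from the registry key named above and translates them into the meanings documented in the TechNet article. The function name is my own; the value names and their meanings are the documented ones.

```powershell
# Added example, not part of the original post. Function name is my own.

function Get-UacConsentPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Documented meanings of ConsentPromptBehaviorAdmin.
    $adminMeaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # Documented meanings of ConsentPromptBehaviorUser.
    $userMeaning = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials (default)'
    }

    function Describe($value, $map) {
        if ($null -eq $value) { return 'Not set (built-in default applies)' }
        $v = [int]$value
        if ($map.ContainsKey($v)) { return "$v - $($map[$v])" }
        return "$v - value not documented in the TechNet article"
    }

    [pscustomobject]@{
        EnableLUA                  = if ($p.EnableLUA -eq 0) { '0 - UAC disabled' } else { '1 - UAC enabled' }
        ConsentPromptBehaviorAdmin = Describe $p.ConsentPromptBehaviorAdmin $adminMeaning
        ConsentPromptBehaviorUser  = Describe $p.ConsentPromptBehaviorUser  $userMeaning
        PromptOnSecureDesktop      = if ($p.PromptOnSecureDesktop -eq 0) { '0 - prompt on the normal desktop' } else { '1 - prompt on the secure desktop' }
    }
}

# Usage: reading these values needs no elevation, so it can be run from the
# affected standard user's session to see exactly what policy they are under.
Get-UacConsentPolicy | Format-List
```

If a GPO sets these values, they land in the same key, so comparing this output with RSOP tells you whether the setting comes from local configuration or from the domain.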

Here is a screenshot of the Consent settings in the registry:



In the end it turned out that an application was adding Authenticated Users to a custom Database Admin group, converting standard users into standard users with additional privileges. So the lesson learned here is that when UAC is not behaving "as expected", the user rights have probably been modified. A good thing to do is to check the membership of the local groups to see if the Users, Authenticated Users or Everyone group is a member of other groups that give them additional privileges and change the UAC behaviour.
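To make that check repeatable, here is an added PowerShell example (my own code, not from the original post) that walks every local group through the ADSI WinNT provider and flags any group, other than Users itself, that contains one of the broad identities Users, Authenticated Users, Everyone or INTERACTIVE. ADSI is used rather than Get-LocalGroupMember so it also works on Vista, 7 and 8. The function name is my own.

```powershell
# Added example, not part of the original post. Function name is my own.

function Get-BroadLocalGroupMembership {
    param([string]$Computer = $env:COMPUTERNAME)

    # Identities that every standard user already belongs to; finding one of
    # these inside another local group silently widens every user's privileges.
    $broad = @('Users', 'Authenticated Users', 'Everyone', 'INTERACTIVE')

    $machine = [ADSI]"WinNT://$Computer,computer"
    foreach ($child in $machine.Children) {
        if ($child.SchemaClassName -ne 'group') { continue }
        $groupName = $child.psbase.Name

        # Members come back as COM objects; read their properties via reflection.
        $members = @($child.psbase.Invoke('Members'))
        foreach ($m in $members) {
            $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)

            [pscustomobject]@{
                Group      = $groupName
                Member     = $name
                Class      = $class
                ADsPath    = $path
                # Users legitimately contains Authenticated Users and INTERACTIVE;
                # anywhere else a broad identity is worth a closer look.
                Suspicious = (($broad -contains $name) -and ($groupName -ne 'Users'))
            }
        }
    }
}

# Usage: list only the findings, e.g. a custom "Database Admin" group that
# has had Authenticated Users added to it.
Get-BroadLocalGroupMembership |
    Where-Object { $_.Suspicious } |
    Format-Table Group, Member, Class -AutoSize
```

Running whoami /groups from the affected user's session is a quick cross-check: the custom group will appear in that user's token, which is exactly what turns them into a "standard user with additional privileges" for the highestAvailable level.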

This is it for now. I do hope that you will find the info provided useful.
Thanks for reading.
