Friday, March 7, 2008

UAC: How to elevate anything

Before reading this article, I need you to know a little something about UAC. At the minimum you should read my article Let's Talk UAC for the Enterprise. To get a little deeper into the subject, consider reading some detailed articles found here: UAC: An introduction to User Account Control.

After educating yourself on Vista's UAC, you should be aware that there are a great many things that cause elevation of applications:

  • Vista can autodetect that an installation program should be run elevated.
  • Vista knows that certain programs like GPMC should be run with the highest available token.
  • An application's manifest can specify that an elevated token should be used.
  • An administrator can specify in the properties of a file that an executable must run with an administrator token.
  • A user can right-click on an executable and specify that it be "Run as Administrator".
  • ...
But what do you do if the thing you need to elevate isn't an application? It seems to me that Microsoft hasn't really accommodated this possibility when designing Vista - but it needs to happen more often than you think. The most common example would be a script that needs to make system changes. What if you have a Visual Basic Script (.VBS, .VBA, .HTA, etc.)?

Not only can the script not have a manifest specifying an elevated token, but there is no obvious way to request elevation. You cannot specify it in the properties of these files since they are not executables. You cannot even right-click and specify that it be "Run as Administrator".

It turns out that there are a number of approaches to this problem (none of which are obvious). All the approaches rely on a basic pair of principles. Vista can only elevate executables (by initiating a new process) AND any processes launched by an elevated process will also be elevated. Each approach may look radically different, but it always boils down to exploiting these principles.

The approaches to elevating non-executables are as follows:
Elevating a command prompt (CMD) is by far the easiest and most common method for elevating scripts. You'd laugh if you walked through the offices of our technical staff. They all sit there with this pretty Vista OS but the only thing you see is these black CMD windows because it is the only practical way for them to work.

I will write an article on each of the approaches and turn the bullets into links as they are written. But hopefully I've given you some useful hints in the mean time if you can't wait for me :-)

4 comments:

Aaron said...

I've got "Run as administrator" on .BAT and .CMD files.

Being able to mark "always run as administrator" without resorting to shortcuts would be nice.

Gordon Martin said...

You caught me *blush* - I was on holiday when I wrote this article and didn't have access to a Vista computer.

Tell me more about "resorting to shortcuts" - when are you leveraging shortcuts to help you?

Aaron said...

I don't do it often, I'm more likely to elevate a command prompt. Here's how to add "Run as Administrator" for any file type: http://www.howtogeek.com/howto/windows-vista/add-run-as-administrator-to-any-file-type-in-windows-vista/

Gordon Martin said...

Thanks Aaron! That is a very nice reg hack!

So simple, but it will actually make a huge difference to the way we work. I've already shopped it around and it's a winner.

I'll add the link to the body of the article shortly.