Since I was talking about configuring UAC on Windows Vista and Windows 7 a bit yesterday, I thought it made sense to bring up another policy whose actual use may not be obvious based on the name.
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
We talked about the secure desktop – but what is this UIAccess all about? Well, you can get details here:
http://msdn.microsoft.com/en-us/library/ms742884.aspx
But rather than going deep, let’s look at the manifest for msra.exe (Microsoft Remote Assistance):
sigcheck -m c:\windows\System32\msra.exe
sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
"c:\windows\system32\msra.exe":
Verified: Unsigned
File date: 11:47 PM 12/12/2008
Publisher: Microsoft Corporation
Description: Windows Remote Assistance
Product: Microsoft® Windows® Operating System
Version: 6.1.7000.0
File version: 6.1.7000.0 (winmain_win7beta.081212-1400)
Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity
version="5.1.0.0"
processorArchitecture="amd64"
name="Microsoft.Windows.RemoteAssistance"
type="win32"
/>
<description>Remote Assistance</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="amd64"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="true"
/>
</requestedPrivileges>
</security>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>
I think of this policy as the “give helpdesk the ability to elevate” policy.
(Obviously this only works if you don’t configure the policy to auto-deny elevation requests by standard users.)
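
As an added example (not from the original post or from Microsoft), this Python script parses manifest XML of the kind `sigcheck -m` prints above and reports the `requestedExecutionLevel` level, `uiAccess` and `autoElevate` settings, so you can see which binaries the UIAccess policy applies to. The function names and the embedded sample, a trimmed copy of the msra.exe manifest, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-relevant parts of the msra.exe manifest above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
    </requestedPrivileges></security>
  </trustInfo>
  <asmv3:application>
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <dpiAware>true</dpiAware>
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _is_true(value):
    return (value or "").strip().lower() == "true"

def audit_manifest(xml_text):
    """Return the elevation-related settings declared in a manifest (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    result = {"level": None, "ui_access": False, "auto_elevate": False}
    # Match on local names: trustInfo lives in asm.v3 (sometimes asm.v2),
    # autoElevate in the WindowsSettings namespace.
    for el in root.iter():
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            result["level"] = el.get("level")
            result["ui_access"] = _is_true(el.get("uiAccess"))
        elif name == "autoElevate":
            result["auto_elevate"] = _is_true(el.text)
    return result

def findings(result):
    """Turn the parsed settings into short review notes."""
    notes = []
    if result["ui_access"]:
        notes.append("uiAccess=true: subject to the UIAccess elevation-prompt policy")
    if result["auto_elevate"]:
        notes.append("autoElevate=true")
    return notes

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST), findings(audit_manifest(SAMPLE_MANIFEST)))
```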