Helpdesk Elevation on Windows Vista and Windows 7
Published Aug 14 2018 04:08 PM
Microsoft
First posted to MSDN on Jan, 08 2009

Since I was talking about configuring UAC on Windows Vista and Windows 7 a bit yesterday, I thought it made sense to bring up another policy whose actual use may not be obvious based on the name.

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

We talked about the secure desktop – but what is this UIAccess all about? Well, you can get details here:

http://msdn.microsoft.com/en-us/library/ms742884.aspx

But rather than going deep, let’s look at the manifest for msra.exe (Microsoft Remote Assistance):

sigcheck -m c:\windows\System32\msra.exe

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

"c:\windows\system32\msra.exe":
Verified:       Unsigned
File date:      11:47 PM 12/12/2008
Publisher:      Microsoft Corporation
Description:    Windows Remote Assistance
Product:        Microsoft® Windows® Operating System
Version:        6.1.7000.0
File version:   6.1.7000.0 (winmain_win7beta.081212-1400)
Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity
version="5.1.0.0"
processorArchitecture="amd64"
name="Microsoft.Windows.RemoteAssistance"
type="win32"
/>

<description>Remote Assistance</description>

<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="amd64"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="true"
/>
</requestedPrivileges>
</security>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>

I think of this policy as the “give helpdesk the ability to elevate” policy.

(Obviously this only works if you don’t configure the policy to auto-deny elevation requests by standard users.)
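To check other binaries for the same flags that msra.exe carries, the following added example (not part of the original post) parses the text printed by `sigcheck -m` for one file and reports `requestedExecutionLevel` and `autoElevate`. The sample input is constructed by abbreviating the listing above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: abbreviated from the sigcheck -m listing in the post.
SAMPLE = r'''"c:\windows\system32\msra.exe":
        Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security><requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="true"/>
</requestedPrivileges></security>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<autoElevate>true</autoElevate>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>
'''

def extract_manifest(sigcheck_text):
    """Return the XML that follows 'Manifest:' for a single file, or None."""
    _, marker, rest = sigcheck_text.partition("Manifest:")
    start, end = rest.find("<"), rest.rfind(">")
    if not marker or start < 0 or end < start:
        return None
    return rest[start:end + 1]

def local_name(tag):
    # Wrapped console output can break namespace URIs; match local names only.
    return tag.rsplit("}", 1)[-1]

def audit_manifest(sigcheck_text):
    """Summarise the elevation-related flags (hypothetical helper)."""
    xml_text = extract_manifest(sigcheck_text)
    if xml_text is None:
        return None
    root = ET.fromstring(xml_text.encode("utf-8"))  # raises ParseError if malformed
    flags = {"level": None, "uiAccess": False, "autoElevate": False}
    for el in root.iter():
        name = local_name(el.tag)
        if name == "requestedExecutionLevel":
            flags["level"] = el.get("level")
            flags["uiAccess"] = el.get("uiAccess", "false").strip().lower() == "true"
        elif name == "autoElevate":
            flags["autoElevate"] = (el.text or "").strip().lower() == "true"
    return flags

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```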

Last update: Nov 13 2018 08:15 AM