I just ran an old program I had written years ago, several years before Vista was released. Windows (7) gave me the UAC prompt and asked for permission to run it. I was surprised because it is a relatively simple program which does nothing too fancy and certainly nothing that should require elevated privileges. I then checked the directory and sure enough, Windows is overlaying the shield icon on the program.

I did a quick scan of the code and do not see anything that would obviously trigger a UAC prompt. Moreover, the program shares a framework with several other programs I had written, none of which have the UAC requirement. The program in question, as well as the others which don’t trigger the UAC prompt are all stored in the same directory on a (FAT32) flash-drive.

The only really unique thing about this program that differs from the other, nearly-identical programs is that it uses ShellExecute to allow the user to launch the default web-browser to open selected URLs, but I can’t imagine if/why that would actually require elevated permissions.

Now I am trying to find some sort of information about what kind of heuristics Windows uses to determine whether it should use the UAC prompt or not. I know that old installers usually trigger the prompt, but those are usually called setup.exe or install.exe, while this has a pretty innocuous name (udb.exe). I suspect that it is detecting certain function calls or some such (of course, that would mean that Windows Explorer reads and disassembles all executable files, which seems doubtful).

I assumed that there would exist some information on this, but the research I did only found a few off-site discussions (no mentions in the “similar question” lists above or to the right), which listed a few causes, none of which seem to apply:

  • A specific request of the program (which is not possible since it was written before UAC existed),
  • Lack of manifest (which it does have and would not explain why the other programs don’t trigger it)
  • An internal list of filenames/paths (not applicable here)
  • Source (again, that doesn’t explain the other programs being okay)
  • Access to restricted files/registry keys (not applicable here either)
  • Resource entries (again, the other programs share common resource data)
  • Other system-related activities (again, not applicable to the program)

I eventually found a few related questions like one that asked what I am, but that ended up with a completely different outcome which is of no help here, or another one which asked a similar, yet opposite question of equally no help. Unfortunately, the best question I found was about an installer/updater (which of course, does not apply here), and was also no help because the answers were just the same old information I had found on other sites and listed above.

Does anybody know of a list of UAC triggers or some other way to figure out why Windows would think that some programs would need elevation? Is there a list of restricted API functions or something?

To be clear, I am trying to find out why Windows is flagging one program for UAC, but not another, similar one.

  • Hmmm, you misunderstood concept of UAC. – Xearinox Jul 03 '14 at 21:02
  • @Xearinox, I misunderstood nothing. UAC is a way to prevent programs from doing certain potentially risky things without permission which does not apply to the program in question. You misunderstood the question. – Synetech Jul 04 '14 at 16:19
  • @HarryJohnston, you’ve misunderstood the question too. Like I said, I’m confused as to why one program I wrote before Vista existed doesn’t trigger UAC, while a similar one does. I want to find out **why** Windows is doing that. If there were a list of functions, files, registry keys, strings, etc., then I could run a search on it against my code to try to figure out what Windows is seeing that’s making it go off. As for a manifest, that defeats the point to the question. I’m not trying to avoid the prompt, I want to know **why** it’s happening at all. Like I said, I can find no reason for it. – Synetech Jul 04 '14 at 16:23
  • @Synetech: Simple answer: UAC is based at user rights, not some wonderful triggers, such as files, strings, etc. You have only have two options: you have permissions or not. – Xearinox Jul 04 '14 at 18:48
  • `UAC is based at user rights, not some wonderful triggers, such as files, strings, etc.` @Xearinox, **WRONG!** It is a known fact that there **ARE** certain factors that can trigger UAC. Do a little research. For example, I have already listed several things that can cause it like the filename being `setup.exe`. How does that have *anything* to do with permissions‽ – Synetech Jul 04 '14 at 19:05
  • `You have only have two options: you have permissions or not.` @Xearinox, did you bother to read my question at all? I clearly explained that the program that is getting flagged for UAC is **NOT** trying to do anything special that would require elevated privileges. *That* is why I am trying to find out why it is getting flagged. – Synetech Jul 04 '14 at 19:05
  • @HarryJohnston, first of all, it’s not off topic if it’s just for curiosity, it has to do with Windows API functions and their effects which is most certainly on topic here. Second, I want to know why because *it should not be happening*. I really don’t understand why it is so difficult to understand and why you have such resistance to a simple question. Besides, did you see the similar questions I linked to which were *not* closed as off topic? – Synetech Jul 05 '14 at 01:33
  • `To be on-topic a question must be "a practical, answerable problem"` Thanks for the link, but I am quite familiar with the network (I have been here much longer than you; not to mention on SU). `you already know how to add a manifest, so UAC heuristics are not a problem for you` As I’ve already explained, a manifest is not a solution to this because it does not *explain **why*** it is happening to one program, but not a nearly identical one. Understanding that difference is the problem I am asking about, and it *does* have a distinct answer. – Synetech Jul 06 '14 at 20:02
  • `If someone actually posted a complete, exhaustive description of the heuristics used, what would you do with that information` Like I already told you twice, I would perform a string comparison between the list and my code to see if there are any hits. Not every question here has to have code for an answer. If this isn’t on topic here, then where? Programmers? Nope. This is about distinct functions and strings in code, and therefore belongs here. – Synetech Jul 06 '14 at 20:02
  • `Sounds like a big waste of time to me` Then it’s a good thing you’re not the site warden or arbiter of what is or isn’t a valid use of time. If you think my question’s so horrible it’s destroying the site and bringing about the end of the world, simply vote to close, or flag it to let the mods decide. As for everything else you said, unless you can provide some sort of reason to think you speak from an authoritative stance, it sounds like you’re just speculating about both the triggers (you really think Explorer has heuristics?) as well as what Microsoft has or has not released or documented. – Synetech Jul 07 '14 at 00:33
  • I doubt you're going to get the kind of answer you want. IMO you're better off analyzing problem executables on a case-by-case basis. – Bill_Stewart Jul 07 '14 at 01:47
  • (1) I meant that it seemed like it would be a waste of *your* time; obviously, if you wish to pursue it anyway, that's your prerogative. (2) You're right that we're usually pretty lenient about allowing questions based on curiosity, and at this point I'm unlikely to be objective, so I'm not going to vote to close. (3) It seems that I've antagonized you, which was not my intention; I'll try to butt out now. – Harry Johnston Jul 07 '14 at 03:13

Original Answer (2014 July 04)

A search for UAC heuristics yields this blog entry: Identification of Administrative Applications. On that page:

The O/S makes a decision that the application looks like an installer or updater and will automatically invoke elevation to run the program with administrative permissions/privileges when a user runs it. This decision is based on a heuristic. Here are some of the heuristic detection points, although this list is not exhaustive:

  • File name detection – looks for the words “setup”, “update”, “install” in the filename
  • SxS Manifest word detection – looks for well-known values in the assembly name attribute program’s SxS Manifest
  • String table detection – looks for well known values in the string table within the resource section of an executable

Thus Xearinox is simply not correct that it is completely based on permissions.

One way you may be able to find out why your program is triggering the UAC prompt is to use Process Monitor and check for permission errors.


Update (2020 July 29)

Searching yields an updated documentation page:

How User Account Control Works

There is an Installer detection technology section at the bottom of that page that contains the following information (similar to the list above):

Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:

  • The file name includes keywords such as "install," "setup," or "update."
  • Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
  • Keywords in the side-by-side manifest are embedded in the executable file.
  • Keywords in specific StringTable entries are linked in the executable file.
  • Key attributes in the resource script data are linked in the executable file.
  • There are targeted sequences of bytes within the executable file.
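Added example (not code from the answer, the question or Microsoft): a Python triage script that checks a binary against the detection points the answer quotes, namely installer keywords in the file name, in UTF-16 version-resource strings and in ASCII resource text, and whether an embedded manifest already declares a requestedExecutionLevel (an executable carrying one is exempt from installer detection). The sample blobs are constructed, and the whole-file string sweep is an assumption standing in for a real PE resource parser.

```python
import re
from pathlib import Path

# Keywords quoted from the installer-detection documentation on this page.
INSTALLER_KEYWORDS = ("install", "setup", "update")
# A manifest that already states its execution level takes installer detection
# out of the picture, which is why the comments above suggest adding one.
MANIFEST_MARKER = "requestedexecutionlevel"


def extract_strings(data: bytes, min_len: int = 4):
    """Yield (encoding, text) for printable ASCII and UTF-16LE runs.

    Assumption: this whole-file regex sweep stands in for walking the PE
    resource directory (version info, manifest, string table).
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield "utf-16le", m.group().decode("utf-16le")


def triage(filename: str, data: bytes) -> dict:
    """Collect every documented detection point that matches this binary."""
    hits = {"filename": [], "manifest": [], "strings": []}
    stem = Path(filename).stem.lower()
    hits["filename"] = [k for k in INSTALLER_KEYWORDS if k in stem]
    for enc, text in extract_strings(data):
        low = text.lower()
        if MANIFEST_MARKER in low:
            hits["manifest"].append(text)
        elif any(k in low for k in INSTALLER_KEYWORDS):
            hits["strings"].append((enc, text))
    return hits


def verdict(hits: dict) -> str:
    """State, in the documentation's terms, what a standard user should expect."""
    if hits["manifest"]:
        return "manifest declares an execution level: installer detection skipped"
    if hits["filename"] or hits["strings"]:
        return "installer heuristic matches: expect the UAC shield/prompt"
    return "no documented detection point matched"


# Constructed samples standing in for a version resource and an embedded manifest.
VERSION_BLOB = ("ProductName".encode("utf-16le") + b"\x00\x00"
                + "Frobnicator Setup".encode("utf-16le"))
MANIFEST_BLOB = b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
```

Run `triage()` on the bytes of the flagged executable and of one of its well-behaved siblings and compare the hit lists; a keyword that appears in only one of them points at the resource or string the heuristic is reacting to.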
  • I agree that Xearinox is incorrect about it being only about permissions, but I have already addressed the items in the list in that post. Plus, the author admitted at the start of that post that it is not exhaustive; that’s exactly why I posted here, to see if anyone knows of or can find an exhaustive list to compare against. I will however give ProcMon a shot to see if there is anything illuminating. – Synetech Jul 05 '14 at 01:37
  • I don't believe Process Monitor will be helpful, because the decision whether to require elevation occurs before the process starts. – Harry Johnston Jul 05 '14 at 01:46
  • @HarryJohnston - You can disable UAC and then run the app as standard user. Process Monitor may then provide some clues. – Bill_Stewart Jul 05 '14 at 04:41
  • I don't believe the heuristics are aimed at trying to determine whether the application is actually going to try to use privilege or not; the technology exists (it is used in anti-virus products) but I think it would be overkill for this scenario, and quite possibly counter-productive. (See my latest comments on the question.) I could be wrong, of course. – Harry Johnston Jul 06 '14 at 23:36
  • `I don't believe the heuristics are aimed at trying to determine whether the application is actually going to try to use privilege or not… I think it would be overkill for this scenario, and quite possibly counter-productive.` Of course. I can’t imagine that Windows Explorer uses heuristics to analyze every single executable; the performance impact of simply displaying the `System32` directory would be horrendous, let alone any sort of folder with lots of executables, especially large ones. So why did you say it uses advanced heuristics in your comment to the question? – Synetech Jul 07 '14 at 00:37
  • The heuristics are used when the executable is launched. I think that the other specifics (the rest of the list which the blog author did _not_ enumerate) should be regarded as implementation details that may change at any time. – Bill_Stewart Jul 07 '14 at 01:45
  • `The heuristics are used when the executable is launched.` @Bill_Stewart, why would it bother using heuristic analysis when the program is launched? Explorer determines if UAC is required when it decides whether to show the shield icon-overlay or not, so it has already decided before running anything. Doing a runtime analysis would be redundant. – Synetech Jul 15 '14 at 01:21
  • Obviously that's referring to executables you run. Not all executables that trigger UAC show the shield icon overlay. – Bill_Stewart Jul 15 '14 at 01:41
  • Can you update the link to "Identification of Administrative Applications"? it's no longer valid. – Sajuuk May 06 '20 at 03:48
  • You'll need to search for it; that's why I said "a search for" in the first sentence of my answer. (The possibility of stale links is also why I quoted the relevant information in my answer rather than posting just the link.) – Bill_Stewart May 06 '20 at 15:07