Let's say we have the PIMAGE_NT_HEADERS or PIMAGE_DOS_HEADER structures filled for any given PE image. My question is, which variable inside either of these structures tells us if the process requires Admin privileges to execute (if it has the little security shield beside its application icon)? If neither, then please tell me how I can figure this out from the set of PE structures (without the use of APIs).
bob willis
@RemyLebeau So you're saying I cannot access it without calling the Load/Find resource APIs ... basically without APIs, I cannot accomplish the task? – bob willis May 19 '18 at 02:16
if you want to avoid APIs (why?), you would have to parse the PE header and manually access the raw data of the app's resource section. Assuming the manifest is even stored in a resource at all. – Remy Lebeau May 19 '18 at 06:29
Do you need to display the shield icon or do you want to know if a process is elevated? – Anders May 19 '18 at 12:21
1 Answer
That information is not stored in the app's PE header.

Elevation is controlled by an Application Manifest, which is usually stored in the app's resources in an RT_MANIFEST (type 24) resource with an ID of 1 (the manifest may also be stored as an external file in the same folder as the app, though that is less common).

An app will require admin privileges to run if UAC is enabled and the app's manifest has a <requestedExecutionLevel> element set to requireAdministrator.

See How User Account Control (UAC) Affects Your Application for more details.

The following flowchart describes how your application will run depending on whether UAC is enabled and whether the application has a UAC manifest

Remy Lebeau
This is not the be-all and end-all of UAC detection; there is also legacy installer detection. – Anders May 19 '18 at 12:39
@Anders yes, and only some of the details of its detection criteria are documented, but not all. Although have a look at [this related question](https://stackoverflow.com/questions/28239808/). – Remy Lebeau May 19 '18 at 15:30
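As an added worked example (not part of the original answer and not Microsoft code), the following Python walks exactly the structures the answer points at, without any Win32 API: IMAGE_DOS_HEADER.e_lfanew, the optional header's DataDirectory slot 2 (resources), the section table to map RVAs to file offsets, the three-level resource directory (type RT_MANIFEST = 24, Id 1, first language), and the IMAGE_RESOURCE_DATA_ENTRY that points at the XML, which is then searched for <requestedExecutionLevel>. The PE image it runs on is constructed inline (a minimal PE32+ whose only section is .rsrc), so build_sample_pe and the sample manifest are assumptions for this example only. It returns None rather than False when no manifest is found, because, as the comments note, UAC can still elevate such an executable through its installer-detection heuristics, and the manifest may also live in an external .manifest file.

```python
import struct
import xml.etree.ElementTree as ET

RT_MANIFEST = 24                    # resource type of the application manifest
RESOURCE_DIR = 2                    # DataDirectory index of the resource table
SUBDIR = 0x80000000                 # high bit of OffsetToData: entry is a sub-directory

def _u16(b, o): return struct.unpack_from('<H', b, o)[0]
def _u32(b, o): return struct.unpack_from('<I', b, o)[0]

def _rva_to_offset(img, nt, rva):
    """Map an RVA to a file offset by walking the section table (file view, raw sizes)."""
    first = nt + 24 + _u16(img, nt + 20)          # signature + file header + SizeOfOptionalHeader
    for i in range(_u16(img, nt + 6)):            # IMAGE_FILE_HEADER.NumberOfSections
        s = first + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        va, raw_size, raw_ptr = _u32(img, s + 12), _u32(img, s + 16), _u32(img, s + 20)
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError('RVA 0x%x is not backed by any section' % rva)

def _entries(img, rsrc, dir_off):
    """Yield (Name/Id, OffsetToData) for each entry of one IMAGE_RESOURCE_DIRECTORY."""
    base = rsrc + dir_off
    for i in range(_u16(img, base + 12) + _u16(img, base + 14)):   # named + id entries
        yield _u32(img, base + 16 + 8 * i), _u32(img, base + 20 + 8 * i)

def _subdir(img, rsrc, dir_off, wanted_id):
    """Offset of the sub-directory whose integer Id matches, or None (named entries never match)."""
    for ident, data in _entries(img, rsrc, dir_off):
        if ident == wanted_id and data & SUBDIR:
            return data & ~SUBDIR
    return None

def find_manifest(img):
    """Raw bytes of the RT_MANIFEST resource with Id 1 (first language), or None."""
    nt = _u32(img, 0x3C)                          # IMAGE_DOS_HEADER.e_lfanew
    if img[:2] != b'MZ' or img[nt:nt + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    opt = nt + 24
    dd = opt + (112 if _u16(img, opt) == 0x20B else 96)   # DataDirectory: PE32+ vs PE32
    if _u32(img, dd - 4) <= RESOURCE_DIR:         # NumberOfRvaAndSizes too small
        return None
    rsrc_rva = _u32(img, dd + 8 * RESOURCE_DIR)
    if rsrc_rva == 0:
        return None
    rsrc = _rva_to_offset(img, nt, rsrc_rva)      # all directory offsets are relative to this
    type_dir = _subdir(img, rsrc, 0, RT_MANIFEST)
    name_dir = _subdir(img, rsrc, type_dir, 1) if type_dir is not None else None
    for _lang, data in _entries(img, rsrc, name_dir) if name_dir is not None else ():
        if not data & SUBDIR:                     # leaf: IMAGE_RESOURCE_DATA_ENTRY
            entry = rsrc + data
            off = _rva_to_offset(img, nt, _u32(img, entry))
            return bytes(img[off:off + _u32(img, entry + 4)])
    return None

def requested_execution_level(manifest):
    """(level, uiAccess) from <requestedExecutionLevel>, any namespace; None if absent."""
    for el in ET.fromstring(manifest).iter():
        if el.tag.rsplit('}', 1)[-1] == 'requestedExecutionLevel':
            return el.get('level'), el.get('uiAccess', 'false')
    return None

def requires_admin(img):
    """True/False from the embedded manifest; None if there is none (UAC may still elevate via heuristics)."""
    manifest = find_manifest(img)
    if manifest is None:
        return None
    level = requested_execution_level(manifest)
    return level is not None and level[0] == 'requireAdministrator'

# Constructed sample input (not a real binary): a minimal PE32+ whose only section is .rsrc.
MANIFEST = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
            b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
            b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
            b'</requestedPrivileges></security></trustInfo></assembly>')

def build_sample_pe(manifest, rsrc_rva=0x2000, rsrc_raw=0x200):
    """Resource tree: root -> type 24 -> Id 1 -> lang 0x409 -> data entry -> manifest bytes.
    manifest=None yields an image with no sections and an empty resource directory."""
    def rdir(ident, target, is_dir):              # one directory holding a single Id entry
        hdr = struct.pack('<IIHHHH', 0, 0, 0, 0, 0, 1)
        return hdr + struct.pack('<II', ident, target | (SUBDIR if is_dir else 0))
    rsrc = b''
    if manifest is not None:
        rsrc = rdir(RT_MANIFEST, 24, True) + rdir(1, 48, True) + rdir(0x409, 72, False)
        rsrc += struct.pack('<IIII', rsrc_rva + 88, len(manifest), 0, 0) + manifest
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 1 if rsrc else 0, 0, 0, 0, 240, 0x22)
    dirs = [(rsrc_rva, len(rsrc)) if i == RESOURCE_DIR and rsrc else (0, 0) for i in range(16)]
    opt = (struct.pack('<H', 0x20B) + b'\0' * 106 + struct.pack('<I', 16)   # 240-byte PE32+
           + b''.join(struct.pack('<II', *d) for d in dirs))
    sec = struct.pack('<8sIIIIIIHHI', b'.rsrc', len(rsrc), rsrc_rva, len(rsrc),
                      rsrc_raw, 0, 0, 0, 0, 0x40000040) if rsrc else b''
    hdrs = dos + b'PE\0\0' + file_hdr + opt + sec
    return hdrs + b'\0' * (rsrc_raw - len(hdrs)) + rsrc

if __name__ == '__main__':
    for m in (MANIFEST, MANIFEST.replace(b'requireAdministrator', b'asInvoker'), None):
        print(requires_admin(build_sample_pe(m)))   # True, False, None
```

Two things a production version would add: the DataDirectory starts at offset 96 of a PE32 optional header but 112 of a PE32+ one, which the code handles, while named resource entries, sections whose VirtualSize exceeds SizeOfRawData, and bounds checks on every offset against a hostile image are left out here for brevity. Under Windows the same manifest can also be supplied as app.exe.manifest next to the executable, in which case this walk finds nothing and the answer is still "undetermined".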