How does consent.exe know what to display?

Question

consent.exe is responsible for showning the UAC dialog. Looking at the command line parameters with Process Explorer, I see the following:

consent.exe 1316 748 000000004385BD60

I have

read How does the Windows “Secure Desktop” mode work? here on SE
tried to convert the numbers to and from hex to see if it matches something
read the Technet article "Inside Windows Vista User Account Control" by Mark Russinovich
ran consent.exe /? (just in case - I didn't expect anything)
checked if one of the numbers occurs in the output of a !process 0 0 using LiveKD. If that command really lists all process objects, the process to be created (executable name displayed by the UAC dialog) does not exist yet.
Looking at Process Explorer's "Handle" lower pane
Finding the values in a session recorded by Process Monitor
I was unable to capture consent.exe in Rohitab's API monitor

So far, I only figured out the first number: it is the process ID (PID) of the parent process, which happens to be svchost.exe in my case.

How does consent.exe figure out from that command line information what the path of the executable to be started is?

Good question. Could you check if the second number is a valid thread ID within the process? — Polynomial, Apr 12 '15 at 20:28
@Polynomial: no, it's not a thread ID, neither in `svchost` nor in the application which tries to run the elevated application. — Thomas Weller, Apr 12 '15 at 20:39

score 2 · Answer 1 · answered Dec 22 '18 at 16:45

2

As you can see, the first argument is the PID of consent.exe's parent process. And by monitoring the APIs that this parent process (which is a "svchost") called before creating the consent process, I was able to find out that the third argument is a pointer to a structure within the svchost's heap, and the second argument is the length of the structure. The structure seems to contain the path of the process to run, its working directory, and its arguments. Also there are some bytes I can not figure out. But the information is certainly enough for grubbing the full path of the exe.

This answer is tested only on Windows 10 x64 1809

answered Dec 22 '18 at 16:45

SixZiv

21
1

1

Would you mind sharing the steps you took? – Thomas Weller Dec 22 '18 at 20:30
1

My pleasure. I just used the API monitor mentioned in the question to monitor the svchost, and then triggered an UAC prompt manually. Then search for the CreateProcessAsUserW which started the consent.exe. Just short before that we can find several memset actions which copied the name,path and working directories(maybe) into somewhere inside the heap. Looking for the allocation of the buffer, I got to see that the address of the buffer is exactly the third parameter, and the length is the second. – SixZiv Dec 23 '18 at 06:35

score 2 · Answer 2 · answered Apr 13 '15 at 10:36

2

Based on the Russinovich TechNet article you linked: Remember that applications call out to the Application Information Service (AIS) to elevate. So consent.exe doesn't need to know how to launch programs. It exists solely to establish user consent, and return the result to AIS. AIS then does the actual launching (assuming consent.exe returns success).

answered Apr 13 '15 at 10:36

Justin King-Lacroix

452
2
6

It is true that it does not need to launch programs, but it displays the program's (Exe's) full path. To get all the other information, it needs to read the Exe's digital signature and display the manufacturer name. Therefore, what I'm looking for is: how does consent.exe get to know this Exe full file name? – Thomas Weller Apr 13 '15 at 19:14
3

Presumably it's sent the information by AIS over some IPC pipe or similar. – Justin King-Lacroix Apr 13 '15 at 19:39

How does consent.exe know what to display?

2 Answers2