0

For applications that trigger the UAC ("Do you want to allow this app to make changes to your device" dialog), which are the characteristics that are detected by Windows in order to decide to trigger UAC? Consider that "Run this program as an administrator" is disabled in the Compatibility tab of the executable/shortcut properties. Does Windows detect particular data/metadata inside the executable file? Does Windows keep metadata about different applications, differentiating between apps that may "make changes to the device" and apps that don't?

matpop

1 Answer

2

which are the characteristics that are detected by Windows in order to decide to trigger UAC

Attempting to access a resource that the account's standard user token does not have permission to access.

https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works

"When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token."

Greg Askew
  • Thank you for the documentation link. My problem is to understand what actually triggers all the UAC process. From what you point out, it seems that everything happens dynamically, i.e. the application is launched, the application attempts to access a resource that needs administrative privileges to be accessed, the UAC kicks in. But the problem is, somehow the app icon already has the Windows "security shield" mark on it! And it seems to be there even if I never launched the application yet. It seems Windows already "knows" (statically) that the application may access reserved resources – matpop Jan 27 '22 at 13:47
  • 1
    It could be in the manifest of the target executable. Developers can specify if the application requires administrator requestedPrivileges/requestedExecutionLevel. – Greg Askew Jan 27 '22 at 14:26
  • nope... it has the `asInvoker` option – matpop Jan 28 '22 at 12:43
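
The `requestedExecutionLevel` manifest setting discussed in the comments can be read statically from an executable, without launching it. The following is an added example, not code from the thread or from Microsoft: it assumes the manifest is embedded as plain XML (the usual case for unpacked binaries), and the function names and the sample bytes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Embedded manifests are normally stored as plain XML in the executable's
# resources, so a byte scan finds them without a PE parser. This is a
# heuristic: it misses packed binaries and prefixed root tags.
_MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly\s*>", re.DOTALL)

MEANING = {
    "asInvoker": "runs with the caller's token; the manifest requests no elevation",
    "highestAvailable": "requests the highest token the user can obtain",
    "requireAdministrator": "requests a full administrator token at launch",
}

def requested_execution_level(data: bytes):
    """Return (level, uiAccess) from the first parsable manifest, or None."""
    for match in _MANIFEST_RE.finditer(data):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # bytes that only look like a manifest
        for elem in root.iter():
            # Strip the "{namespace}" prefix; trustInfo uses asm.v2 or asm.v3.
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return elem.get("level"), elem.get("uiAccess", "false")
    return None

def describe(data: bytes) -> str:
    found = requested_execution_level(data)
    if found is None:
        return "no requestedExecutionLevel found"
    level, ui_access = found
    return f"{level} (uiAccess={ui_access}): {MEANING.get(level, 'unrecognized level')}"

# Constructed sample: placeholder binary bytes surrounding a manifest.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32 +
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges>'
    b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    b'</requestedPrivileges></security></trustInfo></assembly>' +
    b"\x00" * 16
)

if __name__ == "__main__":
    print(describe(SAMPLE))
```

To check a real file, pass its contents, for example `describe(open(path, "rb").read())`.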