Windows Vista User Account Control (UAC) and Delphi. Fredrik Haglund Developer Evangelist

Similar documents
InstallAware Consulting Services Project Scope Form

Security settings for Domain users in IDM 4.0.3

Recertifying a Customized Driver Package (WLK)

Windows Xp Setup Error Code 32768

Casual Games and Windows Vista

Remote Process Explorer

REMOTE ACCESS VIA CHSLI EXTRANET JOB AID FOR MICROSOFT WINDOWS

Assistant User Guide

Preo Printelligence Unattended Installation Guide

Guide for Windows users with Internet Explorer and Firefox

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Profile Editor. Administrator's Guide. Version 5.1.

windream Client Installation windream GmbH, Bochum

Team TimeSheet for Outlook & SharePoint Client Installation and Configuration ( Per User Installation and Per Machine Installation )

User Profile Manager 2.0

Contents. Contents. Introducing Windows Windows Apps Start Button and Menu File Explorer Getting Around...

Remote Support 19.1 Web Rep Console

Abaqus Student Edition. Installation Instructions

Aladdin etoken PKI Client ReadMe 1

Defender Desktop Login GrIDsure Token User Guide

Client Configuration Guide

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

Open Add Remove Programs From Command Line Windows 7

Remote Support Web Rep Console

Rockfast Revelation Upgrade Procedure. (Rockfast Revelation version 547+)

IT Administration Guide

SolidWorks Enterprise PDM Installation Guide

Printer Software Installation Manual Metapace T-25

Password Reset Server Installation

ASSA ABLOY. CLIQ Connect PC Application User Manual

Aventail Connect Client with Smart Tunneling

AppGuard. AppGuard Personal User s Guide. Version 5.2. June Blue Ridge Networks

Full file at Chapter 2: Securing and Troubleshooting Windows Vista

Manual Internet Explorer 9 Xp Microsoft Website

What a difference a year makes

Windows Download & Installation

8x8 Virtual Office Salesforce Call Center Interface User Guide

Quest Desktop Authority Full Build Update Release Notes

Guide for Windows users with Internet Explorer and Firefox

When Applications Crash Part II - WER A two part guide to how any ISV can find and fix crashes that occur at customer sites.

Inteset Secure Lockdown ver. 2.0 Internet Explorer Edition (8-11)

Jet-Tech video tutorials

Remove Startup Programs Windows Vista Home Premium

IT Administration Guide

AppGuard. User s Guide. Version 4.4. June Blue Ridge Networks

Manually Unlock User Account Windows 7 Standard

DigitalPersona Pro Enterprise

Embarcadero AppWave Browser

How To Set User Account Password In Windows 7 From Guest

EOH-SASOL - Setup Sasol Mobile Express (Client)

Permissions Tutorial: Add a Read-Only User

ADOBE DRIVE 4.2 USER GUIDE

Change Startup Programs Windows Vista Home Premium

Streaming Profile Recipe

Click Next to Continue

R9.7 erwin License Server:

User Tracking Utility

Cisco Unified Serviceability

Change Service Startup Type Command Line Windows 7

Troubleshooting BPMS Errors

Inside Windows 7 User Account Control Mark Russinovich

Outlook Manual Out Of Office Setup 2010 Reply Pop3

Microsoft Windows GINA login

Immidio White Paper Things You Always Wanted To Know About Windows Profile Management

Recent Operating System Class notes 08 Administrative Tools (Part one) April 14, 2004

Managing the VPN Client

Check Point GO R75. User Guide. 14 November Classification: [Public]

PRODUCT LIBRARY 1.1 EUR. Release Notes. CD Contents. August 3rd, Windows. Server 2000 Server Windows. Printer Drivers.

[Type here] ID Capture V1.0

Release Notes Scribe Insight

An introduction to security in Windows 7

VIN Service: Multiple Connections. Mac

VMware User Environment Manager Administration Guide

Installing SensIt, RiskSim, and TreePlan 3.1 INSTALLATION OVERVIEW 3.2 REMOVING PREVIOUS VERSIONS 3.3 THE ADD-IN XLA FILE

70-697: Configuring Windows Devices Course 7 Managing Apps

Windows 7 Manually Install Network Printer Drivers Without Admin Rights Gpo

UC LOGON. Document version: 1.3

STATISTICA VERSION 10 STATISTICA MONITORING AND ALERTING SERVER (MAS) INSTALLATION INSTRUCTIONS

HPE MyRoom Assist Quick Reference Guide

Installation Manual. and User Guide

Installing GPSeismic Version

mycsunsoftware REFERENCE GUIDE

IEDigest V Jean-Pierre Regente Jean-Pierre Regente. ( All rights reserved )

Thin Clients, Wireless Computers, Macs and Mobile Devices

Smart Cards for Remote Authentication 3. Prerequisites 3. Install the Smart Card Driver 4

Perform Manual System Restore Xp Safe Mode Command Prompt

Agilent Genomic Workbench 6.0

Connect to Wireless, certificate install and setup Citrix Receiver

Sage Abra Suite. Installation Guide

About the Presentations

KG-TOWER Software Download and Installation Instructions

InstantRescue User Guide

Cisco NAC Appliance Agents

User and Installation Guide

DEKART Logon for Lotus Notes. Users Guide. Pages 41

Privileged Identity App Launcher and Session Recording

I- REQUIREMENTS. A- Main

10.User Password and Object Security

Resolve 8.3 File Name User Guide

Password Changer User Guide

Secure Single Sign On with FingerTec OFIS

Transcription:

Windows Vista User Account Control (UAC) and Delphi Fredrik Haglund Developer Evangelist

User Account Control (UAC) Security token split during logon one user token and one admin token Administrator shell run with Standard User token You have to explicitly consent every time you create a process with administrator token this is called elevation

Standard User Over the shoulder elevation

Windows Vista UAC is Enabled by Default All Subsequent User Accounts are Created as Standard Users Elevation Prompts are Displayed on the Secure Desktop by Default Elevation Prompts for Background Applications are Minimized to the Taskbar Elevations are blocked in the User's Logon Path Built-in Administrator Account is Disabled by Default on New Installations New Default Access Control List (ACL) Settings

Standard User All processes are started as Standard User as default A Standard User can not Change files in Program Files folders Change files in Windows or System32 folders Change registry under HKLM\Software Change the local machines date and time Install or uninstall Services Earlier strong Recommendations are now enforced!

New Technologies for Windows Vista Installer Detection User Interface Privilege Isolation Virtualization Access Token Split during login Secure Desktop

User Interface Privilege Isolation General guideline lower can not access higher A lower privilege process cannot: Perform a window handle validation SendMessage or PostMessage Use thread hooks to attach Use Journal hooks to monitor Perform dynamic link-library (DLL) injection Some resources are still shared between processes Desktop window, which actually owns the screen surface Desktop heap read-only shared memory Global atom table Clipboard

Virtualization / Redirection Virtualization is for compatibility not a feature Disabled for executables with UAC info in manifest!

UAC Architecture

The Shield Attached to controls which, if clicked, will require elevation as the next step Has only one state (I.e. no hover, disabled etc.) Does not remember elevated state Not an unlock operation

Shield UI Examples

Delphi What you have to do Test your application identify problems Classify your application as Standard User, Admin or Mixed. Add application Manifest Redesign functionality User apps should write data to correct locations Split out admin stuff into a separate executable Redesign user interface Add shield to buttons Redesign installer Test again Optionally sign application (Authenticode) Determine whether to pursue the Windows Vista Logo program

Test with Standard User Analyzer Tool SUA helps you find what you do that can break application

Requested Execution Level in Delphi NB! Remove all references to XPMan unit from project!!!

RC-file is compiled to RES-file

Manifest

<requierdexecutionlevel /> level= asinvoker Start process runing with same token as the process creating it. level= highestavailable Ask administrators for consent to elevate but start as standard user if user has no administrative privileges level= requireadministrator Ask administrators for consent to elevate. Standard user will get login dialog for over the shoulder support Will only start with administrative privileges

Windows XP Warning! Incorrect formatting of Manifest can blue screen Windows XP Read KB921337

Redesign Do not open files or registry keys with Write flag Save data, log files, etc. in the right location using SHGetFolderPath CSIDL_PERSONAL { My Documents } CSIDL_APPDATA { Application Data, new for NT4 } CSIDL_LOCAL_APPDATA { non roaming, user\local Settings\Application Data } CSIDL_COMMON_APPDATA { All Users\Application Data } CSIDL_MYPICTURES { My Pictures, new for Win2K } CSIDL_COMMON_DOCUMENTS { All Users\Documents }

SHGetFolderPath

RunAsAdmin Launch application running as administrator Use Application.Handle to delay elevation if app is minimized. No handle always gives direct foreground elevation.

Using COM class for Admin tasks COM Server must be an EXE EXE must have requireadministrator to install COM objects correctly Registration of COM Class must add value LocalizedString (and resource string in executable) add key Elevation and value Enabled = 1

Elevated COM calls Use Moniker to create elevated CoClass from User Process

The Shield - SetElevationRequiredState Call function with Button as parameter to add Shield symbol

Sign with Authenticode Get less serious looking consent dialog Register at winqual.microsoft.com Buy certificate (Verisign, etc.) Sign executables (MakeCert, Signtool.exe) Register applications at winqual to get access to crash logs

Resources Document Windows Vista Application Development Requirements for User Account Control Compatibility Tool Microsoft Standard User Analyzer Windows Vista Logo Program http://microsoft.mrmpslc.com/innovateonwindowsvista/

Thank you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback