Vista x64 User Account Control Problem!

I am a computer programmer currently looking into UAC issues on the latest version of the Vista x64 Business Edition operating system. I have read everything that I could find on the Microsoft web site regarding Vista UAC and I am having difficulty getting an installation application updated to be ‘LUA compliant’. The program that I’m working on installs x64 kernel mode drivers.

Let me describe exactly what’s happening.

First or all, I went to the web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

Next, I followed the instructions to update my program to ‘prompt before launch’ (see the section titled ‘Administrator-only Application’). I did this by taking the example manifest code from the site, creating a UTF-8 manifest file for my Visual Studio 2005 C++ project, updating my resource file to embed the manifest into my project, building the application, and then signing it with a certificate that was obtained from Verisign.

The requestedExecutionLevel that I included in the manifest was requireAdministrator (just like in the example).

The application, which installs x64 kernel mode drivers, works just fine on Vista x64 when I execute it by unchecking the global UAC checkbox (disabling the UAC feature) - or by leaving the UAC enabled and either executing the program by selecting ‘Run as Administrator’ or by changing the application’s Properties Compatibility Privilege Level to ‘Run this program as an administrator’.

BUT when I simply run the application, either by double-clicking on it or by selecting ‘Open’, it does NOT prompt me up front as documented on the web site. Instead, it simply runs the application - and when it attempts to perform the installation, it gives me a ‘you do not have permission’ error (regardless of whether I’m an adminstrator or a standard user).

I understand that Vista is splitting the access token into two and executing the program with a standard user’s privileges - but isn’t the embedded manifest supposed to prompt for permission to proceed with full administrator privileges with UAC enabled? That was what I expected. OR is it necessary to run the program using one of the methods I mentioned above with UAC enabled (i.e. ‘Run as Administrator’ or changing the Properties Compatibility Privilege Level)? If so, will these methods continue to be supported in subsequent releases of Vista x64? If this is the case, then I suppose this might simply be a matter of documenting the necessary steps in order for our clients to install our kernel mode drivers on Vista x64.

Thanks, Don.

I would open the .exe as a resource file in devstudio
and check and make sure the manifest actually embedded
in the .exe actually has the requestedExecutionLevel
stuff in it.

I’d also check your event log for errors regarding the
manifest when you run the program.

Thanks,

Joseph

xxxxx@attotech.com wrote:

I am a computer programmer currently looking into UAC issues on the latest version of the Vista x64 Business Edition operating system. I have read everything that I could find on the Microsoft web site regarding Vista UAC and I am having difficulty getting an installation application updated to be ‘LUA compliant’. The program that I’m working on installs x64 kernel mode drivers.

Let me describe exactly what’s happening.

First or all, I went to the web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp

Next, I followed the instructions to update my program to ‘prompt before launch’ (see the section titled ‘Administrator-only Application’). I did this by taking the example manifest code from the site, creating a UTF-8 manifest file for my Visual Studio 2005 C++ project, updating my resource file to embed the manifest into my project, building the application, and then signing it with a certificate that was obtained from Verisign.

The requestedExecutionLevel that I included in the manifest was requireAdministrator (just like in the example).

The application, which installs x64 kernel mode drivers, works just fine on Vista x64 when I execute it by unchecking the global UAC checkbox (disabling the UAC feature) - or by leaving the UAC enabled and either executing the program by selecting ‘Run as Administrator’ or by changing the application’s Properties Compatibility Privilege Level to ‘Run this program as an administrator’.

BUT when I simply run the application, either by double-clicking on it or by selecting ‘Open’, it does NOT prompt me up front as documented on the web site. Instead, it simply runs the application - and when it attempts to perform the installation, it gives me a ‘you do not have permission’ error (regardless of whether I’m an adminstrator or a standard user).

I understand that Vista is splitting the access token into two and executing the program with a standard user’s privileges - but isn’t the embedded manifest supposed to prompt for permission to proceed with full administrator privileges with UAC enabled? That was what I expected. OR is it necessary to run the program using one of the methods I mentioned above with UAC enabled (i.e. ‘Run as Administrator’ or changing the Properties Compatibility Privilege Level)? If so, will these methods continue to be supported in subsequent releases of Vista x64? If this is the case, then I suppose this might simply be a matter of documenting the necessary steps in order for our clients to install our kernel mode drivers on Vista x64.

Thanks, Don.

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

No luck - but thanks for the suggestions Joseph. I double-checked to make sure that the manifest is embedded in the program (both through Visual Studio and by dumping the exe in binary) and it’s in there. I also checked the event log and I couldn’t find any entries related to my setup program’s manifest.

Is it a command line app? Command line apps don’t really play with
UAC – they are always supposed to be set asInvoker.

Thanks,

Joseph

xxxxx@attotech.com wrote:

No luck - but thanks for the suggestions Joseph. I double-checked to make sure that the manifest is embedded in the program (both through Visual Studio and by dumping the exe in binary) and it’s in there. I also checked the event log and I couldn’t find any entries related to my setup program’s manifest.

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Did you examine the setupapi logs in the Windows\Inf folder? There is one
log for apps and another for drivers.

Thomas F. Divine

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-272940-
xxxxx@lists.osr.com] On Behalf Of xxxxx@attotech.com
Sent: Thursday, December 14, 2006 2:02 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Vista x64 User Account Control Problem!

No luck - but thanks for the suggestions Joseph. I double-checked to make
sure that the manifest is embedded in the program (both through Visual
Studio and by dumping the exe in binary) and it’s in there. I also
checked the event log and I couldn’t find any entries related to my setup
program’s manifest.

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hi Joseph,

No, it’s a little GUI application that uses the MSI calls DriverPackageInstall, DriverPackagePreinstall, and DriverPackageUninstall. It fails with the ‘access denied’ error code when I attempt to make any of these calls because Vista x64 is requiring full administrator privileges.

Thanks, Don.

Thanks Thomas,

I checked them both (there are no entries in either log file for my program).

Don.

Well, we’ve reached the end of my UAC knowledge.

I have had this work for my applications (I’ve a server
administration GUI that I used the following following in,
which does work correctly (gets the confirmation dialog
if the user is an administrator and the credentials prompt
if the user isn’t an administrator.)

<ms_asmv3:trustinfo> xmlns:ms_asmv3=“urn:schemas-microsoft-com:asm.v3”>
<ms_asmv3:security>
<ms_asmv3:requestedprivileges>
<ms_asmv3:requestedexecutionlevel level=“requireAdministrator”></ms_asmv3:requestedexecutionlevel>
</ms_asmv3:requestedprivileges>
</ms_asmv3:security>
</ms_asmv3:trustinfo>

Thanks,

Joseph

PS. Watch out for WinXP-- VS.2005 MT tool generates manifests
it can’t grok if you’re not careful. And then WinXP rolls over
and shows the world it blue side.

xxxxx@attotech.com wrote:

Hi Joseph,

No, it’s a little GUI application that uses the MSI calls DriverPackageInstall, DriverPackagePreinstall, and DriverPackageUninstall. It fails with the ‘access denied’ error code when I attempt to make any of these calls because Vista x64 is requiring full administrator privileges.

Thanks, Don.

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@attotech.com wrote:

I did this by taking the example manifest code
from the site, creating a UTF-8 manifest file for my Visual
Studio 2005 C++ project, updating my resource file to embed the
manifest into my project, building the application, and then
signing it with a certificate that was obtained from Verisign.

VS 2005 generates manifest files automatically. When we
did this for VS.2005, we went to the “Manifest Tool” /
“Input and Output” page in the properties and put our
manifest file in as an “Additional Manifest File”

I have no idea why this would make a difference…

Thanks,

Joseph

Thanks Joseph!

I’ll give it a try. Maybe even though it appears in the exe and in Visual Studio it’s not getting embedded properly. I’ll let you know how it goes.

Don.

THAT DID IT! THANKS JOSEPH!

THAT REALLY MADE MY DAY!

I REALLY APPRECIATE IT, Don.

> BUT when I simply run the application, either by double-clicking on it or by

selecting ‘Open’, it does NOT prompt me up front as documented on the web
site. Instead, it simply runs the application - and when it attempts to
perform the
installation, it gives me a ‘you do not have permission’ error (regardless of

For me on Vista-32, the manifest alone was enough for the Windows shell and UAC
subsystem to say “Unsigned app wants to run as admin, allow?” - and, if I
respond Yes, then it was running as full admin.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

I have a command-line app with “requireAdministrator” - works fine.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Joseph Galbraith”
To: “Windows System Software Devs Interest List”
Sent: Thursday, December 14, 2006 10:26 PM
Subject: Re: [ntdev] Vista x64 User Account Control Problem!

> Is it a command line app? Command line apps don’t really play with
> UAC – they are always supposed to be set asInvoker.
>
> Thanks,
>
> Joseph
>
> xxxxx@attotech.com wrote:
> > No luck - but thanks for the suggestions Joseph. I double-checked to make
sure that the manifest is embedded in the program (both through Visual Studio
and by dumping the exe in binary) and it’s in there. I also checked the event
log and I couldn’t find any entries related to my setup program’s manifest.
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
> >
> > To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer