I just ran an old program I had written years ago, several years before Vista was released. Windows (7) gave me the UAC prompt and asked for permission to run it. I was surprised because it is a relatively simple program which does nothing too fancy and certainly nothing that should require elevated privileges. I then checked the directory and sure enough, Windows is overlaying the shield icon on the program.
I did a quick scan of the code and do not see anything that would obviously trigger a UAC prompt. Moreover, the program shares a framework with several other programs I had written, none of which have the UAC requirement. The program in question, as well as the others which don’t trigger the UAC prompt are all stored in the same directory on a (FAT32) flash-drive.
The only really unique thing about this program that differs from the other, nearly-identical programs is that it uses ShellExecute to allow the user to launch the default web-browser to open selected URLs, but I can’t imagine if/why that would actually require elevated permissions.
Now I am trying to find some sort of information about what kind of heuristics Windows uses to determine whether it should use the UAC prompt or not. I know that old installers usually trigger the prompt, but those are usually called setup.exe or install.exe, while this has a pretty innocuous name (udb.exe). I suspect that it is detecting certain function calls or some such (of course, that would mean that Windows Explorer reads and disassembles the of all executable files which seems doubtful).
I assumed that there would exist some information on this, but the research I did only found a few off-site discussions (no mentions in the “similar question” lists above or to the right), which listed a few causes, none of which seem to apply:
A specific request of the program (which is not possible since it was written before UAC existed),
Lack of manifest (which it does have and would not explain why the other programs don’t trigger it)
An internal list of filenames/paths (not applicable here)
Source (again, that doesn’t explain the other programs being okay)
Access to restricted files/registry keys (not applicable here either)
Resource entries (again, the other programs share common resource data)
Other system-related activities (again, not applicable to the program)
I eventually found a few related questions like one that asked what I am, but that ended up with a completely different outcome which is of no help here, or another one which asked a similar, yet opposite question of equally no help. Unfortunatly, the best question I found was about an installer/updater (which of course, does not apply here), and was also no help because the answers were just the same old information I had found on other sites and listed above.
Does anybody know of a list of UAC triggers or some other way to figure out why Windows would think that some programs would needs elevation? Is there a list of restricted API functions or something?
To be clear, I am trying to find out why Windows is flagging one program for UAC, but not another, similar one.
Original Answer (2014 July 04)
A search for UAC heuristics yields this blog entry: Identification of Administrative Applications. On that page:
The O/S makes a decision that the application looks like an installer or updater and will automatically invoke elevation to run the program with administrative permissions/privileges when a user runs it.This decision is based on a heuristic. Here are some of the heuristic detection points, although this list is not exhaustive:
File name detection – looks for the words “setup”, “update”, “install” in the filename
SxS Manifest word detection – looks for well-known values in the assembly name attribute program’s SxS Manifest
String table detection – looks for well known values in the string table within the resource section of an executable
Thus Xearinox is simply not correct that it is completely based on permissions.
One way you may be able to find out why your program is triggering the UAC prompt is to use Process Monitor and check for permission errors.
Update (2020 July 29)
Searching yields an updated documentation page:
How User Account Control Works
There is an Installer detection technology section at the bottom of that page that contains the following information (similar to the list above):
Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:
The file name includes keywords such as "install," "setup," or "update."
Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
Keywords in the side-by-side manifest are embedded in the executable file.
Keywords in specific StringTable entries are linked in the executable file.
Key attributes in the resource script data are linked in the executable file.
There are targeted sequences of bytes within the executable file.
Related
I know that in Windows, the GUID is used by the Windows Installer to check for already installed products under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ and other product-relevant information is stored using the compressed GUID in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\.
Yet a google search to figure out what the compressed GUID actually is and why both forms are being used for saving product-specific data in the registry database only revealed algorithms for converting from one form to another.
Apparently, the compressed GUID is calculated from merely changing the order of the characters in a specific way, giving me more confusion about why this is the compressed form and why it is used this way.
Additionally, some sources appear to refer to the GUID as the product code of the software product, and others specifically use the term product code as a synonym for the compressed GUID.
I do not have much knowledge of the inner workings of Windows and its installers, but hope that someone can enlighten me with the information I was unable to find. I apologize in advance for my mediocre English.
Not sure what you are doing, or why this is a problem for your scenario. However, the GUIDs you mention - the rearranged GUIDs with the braces and dashes removed - are actually referred to as Packed GUIDs. Then there are also Compressed GUIDs that are just 23 characters long that are primarily used to create Darwin descriptors - which are combinations of the product code GUID, a feature name, and a component code GUID. They are used for MSI's advertisement features. This is according to Bob Baker's book "Getting Started with InstallShield Developer and Windows Installer Setups".
As far as I recall the packed GUIDs are apparently used to make registry searches more efficient. I am unfamiliar with the exact technical details involved. Perhaps Bob or Rob of WiX can elaborate.
I have to run, not really an answer, I will look at it again later. Please elaborate your question with more details on what the problem actually is. As a summary it seems the collective comments suggest that this GUID concept is due to registry space saving, searching efficiency and obfuscation.
My advice (if I understand correctly): do not attempt to read packed or compressed GUIDs from the registry directly - rather go via the MSI API (COM / Win32) - which should have the features you need to do almost anything with MSI.
Some Links:
MSIEXEC -Embedding
MSI API Links (quite similar links):
Is MsiOpenProduct the correct way to read properties from an installed product?
Wix upgrade goes into maintenance mode and never does upgrade
how to find out which products are installed - newer product are already installed MSI windows
Is there an alternative to GUID when using msiexec to uninstall an application?
The packed guid is reportedly used to save space in the registry. It is used for component Ids, so once you start getting a million components on the system I assume they were worried about the extra space usage. It's also possible it was used to prevent people trawling the registry to look for Windows Installer items instead of using the APIs. It's an undocumented implementation detail, and if too many people got into habit of using the registry instead of using the APIs there would be issues if that implementation changed. So treat this as interesting information, not something to use in an application.
Darwin Descriptors are different - they are just an encoding of product code, component id, and feature name. They occur in various places where that combination of data is useful for loading COM servers, starting programs etc. Again, it's undocumented, but if you wanted to untangle them you could LoadLibrary on msi.dll and find and call MsiDecomposeDescriptorW with the right parameters.
This question already has answers here:
The UAC prompt shows a temporary random Program Name for msi, can the correct name be displayed?
(2 answers)
Closed 5 years ago.
Hi!
Would somebody answer my question, please?
I need an user-friendly WIX uninstaller filename, how to achive it?
It looks like windows set an artificial name which looks like a password :)
Thank you very much.
UPDATE: It appears signing the MSI with signtool.exe and the /d switch will change this behavior as explained in these answers
(thanks to Phil for finding this):
The UAC prompt shows a temporary random Program Name for msi, can the correct name be displayed?
Odd 'Program name' when installing signed msi installer
Slipstreaming in a relevant link: Installshield Custom Dialogue Installer
The name you are seeing is probably the random hex name assigned to a copy of the original installation database that is cached on the system in %SystemRoot%\Installer (normally C:\WINDOWS\Installer). This is a "super hidden" OS folder, and it should never be touched in any way at all.
A sample path to such a database could be: C:\WINDOWS\Installer\7da655.msi. I am pretty sure this is what you are seeing in your UAC prompt. Please verify or better yet add a picture of it to your question for other people's reference.
This cached database, with the weird name, is used during modify, repair and uninstall operations for the software in question. What WiX is showing you is in every way the correct information - it is what a system administrator might even need to see at some point. However, other setup creation tools do things differently, often showing the vendor and the product GUID instead of the full path to the cached database.
So that was the explanation - now we have to wait for one of the WiX guys to actually answer whether it is possible to change this display type. As such this is more of a comment than an answer, but it should be relevant to understand what is going on. I am also going to have a look now to see if I see any options to change this in WiX.
In my personal opinon the WiX display is superior to some of the other UAC dialogs shown for other MSI files, but I realize you find this information too detailed for your users. I suppose they could hide this path in the "more information" section.
Is it possible to get a file's UID (owner) on Windows? I tried to use FileInfo.Sys(), but it only works on Linux. I'm really stumped on this one and can't figure out how to get the UID.
The first problem is that file systems native to Windows which supports file/directory ownership do not have the concept of "owner UID" simply because Windows users have no UIDs either.
The security of the Windows NT line or kernels is implemented using the so-called "access control lists" (ACLs), and security principals (such as users) are identified using the so-called "security identifiers" (SIDs). A SID is a variable-length multi-field data structure usually passed around as a byte array.
Another complication is that a file on an ACL-enabled Windows file system might have no owner at all (and no ACL attached to it as well); this is rare but possible.
So... If the part of explanation stating "there's no such thing as the entry owner's UID on Windows filesystem" is OK for you, this is all there is to it.
If not, and you actually wanted to ask "how do I get security information for an entry on a Windows filesystem?", the question gets more complicated.
AFAIK the stock standard library shipped with Go does not have the necessary wrappers around the relevant bits of the Win32 API. So to implement this, you'll need to either wrap them yourself (it's not that hard, after all) or try to find a helper package.
We are having some strange issues on Windows Server 2012 (both normal and R2). Every once in a while (seemingly randomly) we start getting strange errors with all the programs on a server (API calls to Process32Next fail for instance). These occurrences seem to be a associated with one or more of our old ActiveX EXE (VB6) programs suddenly showing 'Embedding' in their description in the process viewer (task manager or Process Hacker). The problem goes away when everyone logs off. I cannot find anything much on Google about this. These programs have been around unchanged for over a decade and I cannot see how ANY program could affect every other program on a server but I am hoping that understanding why the Embedding description shows up might help lead to a solution.
Also, sometimes the name of the process is blank as well.
ActiveX EXE is another name for Automation Server. This is one of several technologies built on top of COM that fall into the OLE 1.0, OLE 2.0, and OLE custom control (a.k.a. ActiveX) categories. OLE stands for Object Linking and Embedding.
My guess is that wherever you are looking this term "Embedding" is being used to indicate an Automation Server. So it probably has no direct bearing on your issues.
I suspect this is a case of "looking where the light is good."
You may be running into some issues related to Session 0 Isolation, User Interface Privilege Isolation, or both. Or more likely you might have DCOM/Automation activation settings incorrect for one or more of these programs.
You might start by looking at the definitions for these servers in DCOMCNFG.EXE. People often rely on defaults and that may not be what you should have. Some of these might be defined in COM+ which means additional rules. Some of these interact with user rights and group membership.
But we have far too little specific information to really be of much help here.
In Windows software X every link you formulate is automatically converted into a clickable object.
The interesting and security-relevant part here is, that a link like "http://%COMPUTERNAME%.com/" will open the standard browser calling e.g. "http://NR57005-PC.com/", which of course is an information disclosure vulnerability, as all environment variables are converted.
Now my question is, whether this behaviour could lead to more critical issues - e.g. code execution vulnerabilities, which would highly increase the importance of a quick fix.
Do you have any suggestions how to prove, that this this is not only a disclosure issue but a critical vulnerability? Could an attacker inject batch commands by any chance?
I already played around with pipes, ampersands and quotes but so far I didn't find anything interesting.
Thanks in advance,
Patrick
Edit:
To clarify, my approach was the following:
The system must be executing a command like firefox.exe "http://%COMPUTERNAME%.com/", otherwise the system variable would not be converted.
And now, for I know that there is some unfiltered batch call going on, I thought it could be possible to escape the parameter string. For instance, a link like http://google.com/"¬epad&" could have resulted in firefox.exe "http//google.com"¬epad&"", which would have opened the notepad - as a proof of concept that code execution works. Unfortunately this escaping attempt did not work. Therefore I wonder, if there are other tricks to gain shell access or similar.
Your attacker would have to register and control the server NR57005-PC.com. To do so, he would have to have prior information about the hostname(s).
The attack surface presented will depend on the User Agent used to retrieve the link, which will depend on your batch file processing and/or the default browser configured on the system.
Assuming Internet Explorer, your attack surface will be reduced from what you may expect thinking about it as a batch file, because the website will no longer be in the Local Computer zone, but the Internet Zone. Crafty tricks like you're considering won't work.
You're left with using a typical IE vulnerability to gain control. The batch file gains you the opportunity, without depending on a user to visit a malicious website.
I assume you're a pen-tester/auditor and are trying to qualify a finding. I'd recommend
1 - hacking together a demo, but depending on user error to run an executable or similar. You can make the claim a user isn't expecting the browser to give an exe, and thus will be more trusting, even though he should not be.
2 - Recognize the fact it's not a critical vulnerability and move on. An attacker can get the same access/trust more easily through a well-crafted social engineering email.