On Tue, Sep 15, 2009 at 8:39 PM, Andrew S. Baker <asbz...@gmail.com> wrote:
> Might this help?
> http://blogs.techrepublic.com.com/window-on-windows/?p=1546

  I'm afraid I'm already doing that.  That registry value is just
where "Behavior of the elevation prompt for administrators in Admin
Approval Mode" is stored.  It has two chief problems:

(1) A lot of things still end up running with the LUA token, and
there's little consistency or documentation on what's what.  It's
damned annoying to get 12 steps deep into a procedure only to discover
you needed to explicitly start some process as "elevated".

(2) Some things appear to become funky if AAM is on but elevation is
unprompted.  The one that really annoys me (so far) is that Windows
Explorer's "New" menu will only offer "Folder" for a choice.  You
can't even create shortcuts from it anymore.

  Vista has some really goofy bugs, even in SP2.

                *   *   *

  For reference, here's some more info on UAC, from my notes:

  UAC is a complex beastie, and the term "UAC" gets applied to a lot
of things.  Things that get labeled "UAC" include:

* Admin Approval Mode (AAM), which itself includes access token
filtering and admin elevation prompting.
* Elevation prompts for standard users, which are independent of AAM.
* File and registration virtualization (FRV), which should be
independent of AAM but isn't for unknown reasons.
* Compatibility shims (do things like spoof admin credentials to trick
apps into running as LUA)
* A mechanism to detect install programs and prompt to elevate them
* Manifests - A program can specify what UAC behaviors it wants

Config options that control UAC are in:

GPEDIT.MSC -> Computer -> Windows Settings -> Security Settings ->
Local Policies -> Security Options
- or -
SECPOL.MSC -> Local Policies -> Security Options
* All of the option names are prefixed with “User Account Control: ”.

The options are:

* Admin Approval Mode for the built-in Administrator account
* Allow UIAccess applications to prompt for elevation without using the
secure desktop
* Behavior of the elevation prompt for administrators in Admin Approval Mode
* Behavior of the elevation prompt for standard users
* Detect application installations and prompt for elevation
* Only elevate executables that are signed and validated
* Only elevate UIAccess applications that are installed in secure locations
* Run all administrators in Admin Approval Mode
* Switch to the secure desktop when prompting for elevation
* Virtualize file and registry write failures to per-user locations

-- Ben
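
The following is an added example, not part of Ben's message: a PowerShell audit that reads the registry values behind the ten "User Account Control:" options listed above and warns about the "AAM on, elevation unprompted" combination he describes. The key path and value names are not given in the message; they are the names Windows stores these policies under.

```powershell
# Added example: report the registry values behind the "User Account Control:" policies.
# The key path and value names below are supplied here, not taken from the message.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name, then the policy name as shown in SECPOL.MSC.
$policies = @(
    @('FilterAdministratorToken',   'Admin Approval Mode for the built-in Administrator account'),
    @('EnableUIADesktopToggle',     'Allow UIAccess applications to prompt for elevation without using the secure desktop'),
    @('ConsentPromptBehaviorAdmin', 'Behavior of the elevation prompt for administrators in Admin Approval Mode'),
    @('ConsentPromptBehaviorUser',  'Behavior of the elevation prompt for standard users'),
    @('EnableInstallerDetection',   'Detect application installations and prompt for elevation'),
    @('ValidateAdminCodeSignatures','Only elevate executables that are signed and validated'),
    @('EnableSecureUIAPaths',       'Only elevate UIAccess applications that are installed in secure locations'),
    @('EnableLUA',                  'Run all administrators in Admin Approval Mode'),
    @('PromptOnSecureDesktop',      'Switch to the secure desktop when prompting for elevation'),
    @('EnableVirtualization',       'Virtualize file and registry write failures to per-user locations')
)

$props = Get-ItemProperty -Path $key

# Build one row per policy; a value missing from the key means the policy was never written there.
$report = foreach ($p in $policies) {
    $name = $p[0]
    $raw  = $props.$name
    $data = if ($null -eq $raw) { '(not set)' } else { $raw }

    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name ValueName -Value $name
    $row | Add-Member -MemberType NoteProperty -Name Data      -Value $data
    $row | Add-Member -MemberType NoteProperty -Name Policy    -Value $p[1]
    $row
}

$report | Format-Table ValueName, Data, Policy -AutoSize

# EnableLUA = 1 means Admin Approval Mode is on; ConsentPromptBehaviorAdmin = 0 means
# "Elevate without prompting". Together they are the configuration described in problem (2).
if ($props.EnableLUA -eq 1 -and $props.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Admin Approval Mode is on, but administrators are elevated without a prompt.'
}
elseif ($props.EnableLUA -eq 0) {
    Write-Warning 'Admin Approval Mode is off (EnableLUA = 0); administrators run with the full token.'
}
```

Reading this key does not require elevation, so the script can be run from a standard prompt on each machine being checked.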
