Application maifests and UAC

[Guest]

Hi!

Tell me if I got this right!

If an application has an application manifest for Vista then folder and
registry vistualization is automatically turned off, and the application will
fail silently if elevation isn't requested in that manifest.

If an application doesn't have a manifest, virtualization features are
activated and the application will succeed regardless of elevation or no
elevation.

Are there exceptions from this behaviour?

/H

 

[Jimmy Brush]

Hello,

You have the gist of it, although there are (of course) some
exceptions.

- 64-bit applications are never virtualized in this way

- Only certain folders and registry keys are protected by
virtualisation (%SYSTEMROOT%,
%PROGRAMDATA%,%PROGRAMFILES%\(Subdirectories,
HKEY_LOCAL_MACHINE\SOFTWARE [with some exceptions])

- Binary files (.exe, .dll, .sys) are NOT virtualised

- Only programs running in the context of an interactive user are
virtualised, this excludes non-interactive processes (such as
services) as well as kernel-mode code and code running under
impersonation

Other than that, if a program runs that has a manifest specifying a
regquestedExecutionLevel, that program will NOT be affected by
virtualisation, and it will fail if it attempts to access a
folder/file to which it has no access.

Otherwise, if the program has no manifest, and it attempts to write to
a virtualisation-protected file or regisitry key and it is denied
access, *AND* a program running with admin privileges would have been
able to perform that write, then the file/key is virtualised to the
application and the action succeeds.

MORE INFO

http://msdn2.microsoft.com/en-us/library/aa905330.aspx

http://download.microsoft.com/download/d/9/b/d9beb875-bc1d-4338-a655-251f4f353b2e/top10wave.exe

 

[Guest]

Thanks for the very informative reply Jimmy! then I got it right as I
thought. You gave me much more details on the exceptopns though. I have been
trying to replicate this behaviour unsuccessfully, and maybe you can explain
why it fails?

created a BATCH file that basically copies a textfile to a "forbidden"
location, c:\Program Files. this BATCH file is converted to an EXE file. Then
I tried to run is as a standard user but it fails. run as an administrator
either by right-clicking OR adding a side-by-side manifest it works, after an
elevation prompt in the later case. textfiles aren't one of the exceptions
you mentioned. I also did a similar test with the exact same result where an
existing file was updated instead of created.

What is causing this failure for the non manifested "application"? since it
can successfully run as admin?

kindly,
Hasse
--
/Hasse

Hello,

You have the gist of it, although there are (of course) some
exceptions.

- 64-bit applications are never virtualized in this way

- Only certain folders and registry keys are protected by
virtualisation (%SYSTEMROOT%,
%PROGRAMDATA%,%PROGRAMFILES%\(Subdirectories,
HKEY_LOCAL_MACHINE\SOFTWARE [with some exceptions])

- Binary files (.exe, .dll, .sys) are NOT virtualised

- Only programs running in the context of an interactive user are
virtualised, this excludes non-interactive processes (such as
services) as well as kernel-mode code and code running under
impersonation

Other than that, if a program runs that has a manifest specifying a
regquestedExecutionLevel, that program will NOT be affected by
virtualisation, and it will fail if it attempts to access a
folder/file to which it has no access.

Otherwise, if the program has no manifest, and it attempts to write to
a virtualisation-protected file or regisitry key and it is denied
access, *AND* a program running with admin privileges would have been
able to perform that write, then the file/key is virtualised to the
application and the action succeeds.

MORE INFO

http://msdn2.microsoft.com/en-us/library/aa905330.aspx

http://download.microsoft.com/download/d/9/b/d9beb875-bc1d-4338-a655-251f4f353b2e/top10wave.exe


--
- JB
Microsoft MVP - Windows Shell

Hi!

Tell me if I got this right!

If an application has an application manifest for Vista then folder and
registry vistualization is automatically turned off, and the application will
fail silently if elevation isn't requested in that manifest.

If an application doesn't have a manifest, virtualization features are
activated and the application will succeed regardless of elevation or no
elevation.

Are there exceptions from this behaviour?

/H