Disable UAC prompts for *specific* applications

rdilipk

Short of using TweakUAC, is there a way to selectively turn off the
UAC elevation prompts **specifically** for a given application?

Our application is going to run under an account that will have both
standard and admin access privileges. There may be situations when
the Vista box may undergo an unattended reboot. When the machine
comes back on:

* How does one log a user back in transparently without any manual
intervention?
* After such login is complete a Start menu script will launch our
application but since it will be unattended there will be no one to
consent to the elevation prompt. Is there a way to avoid popping it
for our application alone?

I read somewhere that signing an executable can allow Vista to elevate
its privileges silently. Is that what I should be doing?

thanks for any inputs.
 
Guest

Short of using TweakUAC, is there a way to selectively turn off the
UAC elevation prompts **specifically** for a given application?

Our application is going to run under an account that will have both
standard and admin access privileges. There may be situations when
the Vista box may undergo an unattended reboot. When the machine
comes back on:

* How does one log a user back in transparently without any manual
intervention?
* After such login is complete a Start menu script will launch our
application but since it will be unattended there will be no one to
consent to the elevation prompt. Is there a way to avoid popping it
for our application alone?

I read somewhere that signing an executable can allow Vista to elevate
its privileges silently. Is that what I should be doing?

thanks for any inputs.

Here is a thought.
If you could do that then any malware writer could do it also.

The app needs to be coded correctly.
 
Joe Morris

bp said:
Short of using TweakUAC, is there a way to selectively turn off the
UAC elevation prompts **specifically** for a given application?
[...]

I read somewhere that signing an executable can allow Vista to elevate
its privileges silently. Is that what I should be doing?

At FOSE earlier this year one of the MS reps (at a booth, not a
presentation) suggested that MS *might* provide a mechanism to allow an
enterprise to configure its machines so that applications signed with a
specific certificate (not one from Microsoft or any other outside
certificate authority) could be silently given elevated rights. This was
explicitly stated as a "maybe" and not something about which the MS employee
had firm knowledge.

I've seen nothing about this in the SP1 documentation or from any other
source.

Here is a thought.
If you could do that then any malware writer could do it also.

Depends on how the feature is implemented.

Although the OP's question involved signing, several people have suggested
using a whitelist.

If it's a whitelist by filename ("automatically elevate privileges if
requested by "foobar.exe") then you've got an open invitation to the world
to introduce an infected copy of "foobar.exe" and take over your computer.

A slightly more secure mechanism would be to specify the fully-qualified
path to the module to be silently given elevated privileges, plus a crypto
hash of its content. This leaves, however, the question of how entries are
made in the whitelist.

If you do employ signed modules as your control, the test cannot be merely
"is the module signed;" it must include some mechanism to ensure that the
module is authorized by the owner of the computer to receive the silent UAC
elevation treatment. Recall that signing a piece of code provides
identification but says absolutely nothing about the correctness of the code
or whether it represents a security threat.

My argument to MS has been that if an enterprise has tested a module and is
willing to declare it safe, MS has no business requiring that the end
user -- who is typically clueless about the security status of modules
distributed by the IT staff -- make the decision to permit or deny elevated
rights via UAC. A proposed solution would be to allow the enterprise to
configure Vista so that modules signed by a valid enterprise-issued
certificate (which should be chained from a root certificate NOT, repeat
NOT, provided in Vista by Microsoft) would be silently elevated. This puts
control of the feature in the hands of the enterprise (and not in the hands
of either Microsoft or a third-party software supplier), and takes the
decision-making responsibility out of the end user's hands while retaining
the long-overdue improvement in security that UAC provides.

Joe Morris
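
The difference between the filename whitelist and the path-plus-hash whitelist described in the post above, as an added example that is not part of the original thread. The function names, the allowlist layout and the sample files are assumptions made for illustration; this is not a Windows or UAC API.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of(path):
    """Hex SHA-256 of the file's content."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def canonical(path):
    """Fully-qualified, case-normalised path used as the allowlist key."""
    return os.path.normcase(os.path.realpath(path))

def allowed_by_name(path, names):
    """Filename-only policy: any file with an approved name passes."""
    return os.path.basename(path).lower() in names

def allowed_by_path_and_hash(path, entries):
    """Path-plus-hash policy: location and content must both match the entry."""
    expected = entries.get(canonical(path))
    return expected is not None and hmac.compare_digest(expected, sha256_of(path))

def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def run_demo():
    """Build constructed sample files and evaluate both policies against them."""
    with tempfile.TemporaryDirectory() as root:
        approved = os.path.join(root, "approved", "foobar.exe")
        elsewhere = os.path.join(root, "elsewhere", "foobar.exe")
        write_file(approved, b"constructed bytes: build approved by IT")
        write_file(elsewhere, b"constructed bytes: different content, same name")
        names = {"foobar.exe"}
        entries = {canonical(approved): sha256_of(approved)}
        results = {
            "name/approved": allowed_by_name(approved, names),
            "name/same-name-elsewhere": allowed_by_name(elsewhere, names),
            "hash/approved": allowed_by_path_and_hash(approved, entries),
            "hash/same-name-elsewhere": allowed_by_path_and_hash(elsewhere, entries),
        }
        # Content changed in place after approval: path still matches, hash does not.
        write_file(approved, b"constructed bytes: altered after approval")
        results["name/altered-in-place"] = allowed_by_name(approved, names)
        results["hash/altered-in-place"] = allowed_by_path_and_hash(approved, entries)
        return results

if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:28} {'allow' if allowed else 'deny'}")
```

The path-plus-hash check is only as trustworthy as the allowlist itself, so the entries have to be writable only by whoever is authorized to approve modules, which is the open question the post raises.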
 
mayayana
