UAC and elevation prompt pattern

I've read several questions regarding UAC and privilege elevation but I've not found a satisfactory/comprehensive answer.

I have this scenario: on Windows 6 or above, when the user opens a configuration window I have to show the shield (BCM_SETSHIELD) on the OK button only if privilege elevation will be required to complete the task. -- I do know that in the Windows UI the shield is always visualized for "administrative tasks", even if UAC is disabled, but the customer had this specific request.

I have drafted this condition in order to show the icon:

  1. The user does not have administrative rights
    OR
  2. The current process has TOKEN_ELEVATION_TYPE == TokenElevationTypeLimited

Condition #1 is simple: if the user doesn't have administrative rights, elevation is always required regardless of UAC. Condition #2 implies that the user has administrative rights, and any other value of TOKEN_ELEVATION_TYPE means that elevation is not needed.

Is it really that simple? Am I missing something? And is there a documented or well-known pattern regarding this topic?

Jansen answered 26/6, 2010 at 16:13 Comment(2)
This is a well written question, if I have seen one. - Sabatier
@badp: I've thought and researched about it a bit, but it still puzzles me as it seems too easy... maybe I've not taken into account some boundary condition. - Jansen

You are right. Most people just put the shield on if the button will be running elevated, but the right thing to do is to put the shield on if the button will cause elevation (i.e. suppress it if you are already elevated, since everything you launch will remain elevated unless you go to some trouble to launch a non-elevated process, and suppress it if UAC is off).

The good news is that if someone in the Administrators group runs (under UAC) an application non-elevated, you'll get back false when you ask if they are an admin or not. So I think you might be ok with just that one test.

Ander answered 26/6, 2010 at 19:25 Comment(5)
Well, actually there is a rationale in putting the shield even if the application is already elevated (or if UAC is disabled): this way the user will immediately acknowledge that the button does "administrative stuff". I endorse this UI style, but the customer doesn't. - Jansen
So do you think that I can rely only on the #1 check? - Jansen
I think you should code it as "if you're not an admin, put on the shield" and then run all your test cases to see if it suffices. My suspicion is that it will. - Ander
When UAC is enabled and you are not running elevated you have a limited token; this token has the Administrators group removed, so the first check is enough. - Kordula
> "you'll get back false when you ask if they are an admin or not." What API do you refer to? If a user belongs to the Admin group this fact is not changed by anything. He is admin or normal user. No matter if a process runs elevated or not. If you refer to the API IsUserAnAdmin(): This API is deprecated and must be used anymore since Vista. - Roach

I see that there is a lot of confusion about this topic and the answer from Kate here is not correct and incomplete.

Since Vista an Admin may be logged in but his processes do not run elevated automatically. An Admin has a so-called "Split Token". This means that there may be processes running for the SAME admin user, and some of them run elevated and others do NOT run elevated. When an Admin runs a non-elevated process, some of the privileges of his token have been removed. It is no longer as in XP, where ALL processes run either elevated or not elevated.

Install Process Explorer from www.sysinternals.com and enable the column "Integrity Level". If you see there "Medium" this process does not run elevated. If you see there "High" the process runs elevated. If the process runs with Integrity level "High" no UAC prompt is required to start another process elevated.

When UAC is completely turned off, ALL processes run "High", so no elevation is ever required. UAC can be turned off under

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

setting the key "EnableLUA". Changing this setting requires reboot.

But there is another point that was not yet mentioned here. In Control panel it is possible to configure "Elevate without prompting". And in this case an Admin user can start an elevated process from another not elevated process and NO UAC prompt will show up.

This setting is stored under the same registry path in the key "ConsentPromptBehaviorAdmin" for admin users.

For all non-admin users there is the key "ConsentPromptBehaviorUser", but this changes only the behavior; elevation cannot be turned off. Non-admins will always get a UAC prompt (if UAC is not completely off).

How do you know if your process runs elevated: Call OpenProcess(), then OpenProcessToken(), then GetTokenInformation(TokenElevation).

And to get the Integrity Level call GetTokenInformation(TokenIntegrityLevel) and then GetSidSubAuthority()

So if you want to show your icon only if elevation is really required, you must check if your process runs elevated and additionally check these registry keys, and you must know if the user is an admin or not. This involves several lines of code and I would consider showing this icon always when elevation may be required, to keep it simple.

Please note that the API IsUserAnAdmin() is deprecated. It must not be used anymore since Vista. Checking if a user belongs to the administrators group is much more code now.

Roach answered 19/8, 2015 at 15:51 Comment(4)
How do I find what in a PE executable triggers UAC if I turned UAC on? Besides 1. the name of the executable; 2. the manifest of this executable? - Percussionist
Correct. If the filename contains "Setup" or "Install" Windows starts the process elevated. Also the manifest may define that elevation is required. But finding this out before starting the process may fail. Imagine a process which restarts itself elevated via ShellExecute(with Verb="runas") when it finds out that it does not run elevated. - Roach
Isn't that expected behaviour? All privileged modifications are still denied by permission. - Percussionist
I don't understand your comment. - Roach
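
The check outlined in the last answer (token elevation plus the two policy values), as an added example that is not part of any answer on this page and is not Microsoft sample code. The names `uac_outcome`, `read_uac_state` and `policy_dword` are hypothetical; the fallback values used when a policy value is absent (EnableLUA = 1, ConsentPromptBehaviorAdmin = 5) are assumptions about the defaults.

```c
/* Added example; uac_outcome()/read_uac_state() are hypothetical helpers (link advapi32). */
#include <stdio.h>
typedef enum { ALREADY_ELEVATED, UAC_DISABLED, ELEVATE_SILENT, ELEVATE_PROMPT } uac_outcome_t;
typedef struct {
    int is_elevated;    /* TOKEN_ELEVATION.TokenIsElevated */
    int elevation_type; /* TOKEN_ELEVATION_TYPE: 1 Default, 2 Full, 3 Limited */
    int enable_lua;     /* EnableLUA policy value, 0 = UAC completely off */
    int consent_admin;  /* ConsentPromptBehaviorAdmin, 0 = elevate without prompting */
} uac_state_t;
uac_outcome_t uac_outcome(const uac_state_t *s)   /* outcome of starting an elevated child */
{
    if (s->is_elevated) return ALREADY_ELEVATED;  /* children inherit the elevated token */
    if (s->enable_lua == 0) return UAC_DISABLED;  /* no UAC prompt exists */
    if (s->elevation_type == 3)                   /* split-token admin, not elevated */
        return s->consent_admin == 0 ? ELEVATE_SILENT : ELEVATE_PROMPT;
    return ELEVATE_PROMPT;                        /* no linked admin token */
}

#ifdef _WIN32
#include <windows.h>
static DWORD policy_dword(const wchar_t *name, DWORD fallback)
{
    DWORD v = 0, cb = sizeof v;
    LONG rc = RegGetValueW(HKEY_LOCAL_MACHINE,
        L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        name, RRF_RT_REG_DWORD, NULL, &v, &cb);
    return rc == ERROR_SUCCESS ? v : fallback;    /* fallback: assumed default */
}
static int read_uac_state(uac_state_t *s)
{
    HANDLE tok; TOKEN_ELEVATION te; TOKEN_ELEVATION_TYPE tt; DWORD cb; BOOL ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return 0;
    ok = GetTokenInformation(tok, TokenElevation, &te, sizeof te, &cb)
      && GetTokenInformation(tok, TokenElevationType, &tt, sizeof tt, &cb);
    CloseHandle(tok);
    if (!ok) return 0;
    s->is_elevated = te.TokenIsElevated != 0; s->elevation_type = (int)tt;
    s->enable_lua = (int)policy_dword(L"EnableLUA", 1);
    s->consent_admin = (int)policy_dword(L"ConsentPromptBehaviorAdmin", 5);
    return 1;
}
#endif
int main(void)
{
    uac_state_t s = { 0, 3, 1, 5 };  /* constructed sample: unelevated admin */
#ifdef _WIN32
    if (!read_uac_state(&s)) return 1;
#endif
    return printf("outcome=%d\n", (int)uac_outcome(&s)) < 0;
}
```

For the shield requested in the question, a caller would set BCM_SETSHIELD when the result is `ELEVATE_PROMPT` or `ELEVATE_SILENT`, depending on whether a silent elevation should still be marked.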
