Windows Vista Forums

Vista - What causes UAC prompts - is there a list?

Old 11-04-2006   #1 (permalink)
Harpo


 
 

What causes UAC prompts - is there a list?

Hi,

Well, I googled a lot and still can't find a list of things that will bring
a UAC prompt if a program attempts to do them.
I only found some recommendations, like "don't write to HKLM", but indeed
these don't cover everything.

Is there a clear list of what does and what does not bring a UAC prompt?

For example, is it possible for any sort of 'Read' operation to trigger it
(reading whatever registry settings, files that belong to another user,
etc.)?

Can a program only write to
C:\Documents and Settings\<username>\ and HKCU ?

Thanks




Old 11-04-2006   #2 (permalink)
Jimmy Brush


 
 

Re: What causes UAC prompts - is there a list?

Hello,

Any program that needs to perform an action that requires administrator
privileges must throw a UAC prompt. So, with few exceptions, if a program
attempts to do anything that your user account DOES explicitly have
authorization to do, the program will be successful.

However, if the program attempts to do something that you are not explicitly
permitted to do, but "administrators" are, the program must prompt you via
UAC in order to be able to do that something.

Also note that the UAC prompt is not "automatic" - a program must explicitly
throw a UAC prompt. If a program is not designed to do that, it will either
fail with an "access denied" error or Windows will silently trick it into
thinking it is working.

The general rule, as you have ascertained, is that most everything can be
read by programs, but anything that affects the entire system requires admin
privileges (such as HKLM and most folders outside of the user profile). But,
as I explained, the specifics are based on permissions.

It may be easier to think of it this way: all programs run as a "standard
user" and are limited as such; only through UAC does a program run as an
administrator.

--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/

Old 11-04-2006   #3 (permalink)
Harpo


 
 

Re: What causes UAC prompts - is there a list?

Thanks,

I sort of know all this.
I would prefer to check my apps against a list instead of guessing and later
receiving support requests.
As you say "most everything can be read by programs", I'm interested in the
exclusions, if any - an attempt to read what will trigger a UAC prompt?
There should be a list somewhere, if not officially posted by Microsoft then
at least compiled by users with experience.

I have tried with Application Verifier but it creates a huge and mostly
useless log.


Old 11-04-2006   #4 (permalink)
Kerry Brown


 
 

Re: What causes UAC prompts - is there a list?

Harpo wrote:
> Thanks,
>
> I sort of know all this.
> I would prefer to check my apps against a list instead of guessing
> and later receiving support requests.
> As you say "most everything can be read by programs", I'm interested
> in the exclusions, if any - an attempt to read what will trigger a
> UAC prompt? There should be a list somewhere, if not officially
> posted by Microsoft then at least compiled by users with experience.
>
> I have tried with application verifier but it creates a huge and
> mostly useless log


http://search.microsoft.com/results....n-US&FORM=QBMA

Your answer should be in there somewhere.

--
Kerry
MS-MVP Windows - Shell/User
http://www.vistahelp.ca/phpBB2/



Old 11-05-2006   #5 (permalink)
Jimmy Brush


 
 

Re: What causes UAC prompts - is there a list?

> As you say "most everything can be read by programs", I'm interested in
> the exclusions, if any - an attempt to read what will trigger a UAC
> prompt?


NOTHING your application does will trigger a UAC prompt. As I stated
earlier, UAC is NOT automatic. Your application runs as if it were started
by a standard user, even if the user is logged in as an administrator. If
your application tries to access something that the user does not have
access to (ignoring the user's membership in the administrators group), one
of two things may happen:

1) (most likely) Your application will be denied access.

2) Virtualization may kick in. This will happen if your application is
32-bit and does not have a Vista-style manifest. In this scenario, if your
application tries to WRITE to HKLM or certain system folders, Windows will
make your program think it is writing to these locations, when in fact
Windows is silently making a copy of the saved data into the user's profile
directory and leaving the data in the original location unmodified.

You seem to be making UAC into something more than it is.

UAC is simply the means by which programs run with administrator
permissions. In Windows Vista, programs can either run with "standard user"
permissions (default, even if the user is an administrator) or run with
"administrator" permissions.

A program either runs with standard OR administrator permissions. Once a
program is started, its permission level does not change. When running with
standard permissions, the program cannot use "administrator" permission.

In order for a program to run with administrator permissions, the program
must include a Vista-style manifest that tells Windows that it requires
admin permissions. Windows will then throw a UAC prompt that asks the user
for permission.

UAC is the means by which programs receive admin permission; there is no way
for a program to run with admin permissions without the user being prompted
in this manner. UAC is NOT automatic; the program must tell Windows that it
needs admin permissions for the user to be prompted through a manifest.

Please read this document thoroughly:

http://msdn.microsoft.com/windowsvis...cProtVista.asp



--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/
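
The launch behaviour described in post #5, as an added example that is not part of the original thread: a small Python audit helper that reads an application manifest and reports whether a UAC prompt and virtualization apply. The sample manifests, the names `requested_level` and `launch_behaviour`, and the result strings are assumptions made for illustration; the model assumes UAC is enabled and the program is started from a non-elevated process, and it covers only the manifest mechanism, not the other ways of marking a program mentioned in post #6.

```python
import xml.etree.ElementTree as ET

# trustInfo namespaces seen in Windows application manifests
TRUST_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")

# Constructed sample: a manifest that requests elevation at launch
ADMIN_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.Setup" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Constructed sample: same manifest, but the program runs as a standard user
INVOKER_MANIFEST = ADMIN_MANIFEST.replace("requireAdministrator", "asInvoker")


def requested_level(manifest_xml):
    """Return the level attribute of requestedExecutionLevel, or None."""
    if not manifest_xml:
        return None  # no embedded manifest at all
    root = ET.fromstring(manifest_xml)
    for ns in TRUST_NS:
        node = root.find(".//{%s}requestedExecutionLevel" % ns)
        if node is not None:
            return node.get("level")
    return None  # manifest present but no trustInfo section


def launch_behaviour(manifest_xml, is_32bit):
    """Map a manifest to (uac_prompt, virtualized) following post #5."""
    level = requested_level(manifest_xml)
    if level is None:
        # Legacy program: standard-user token, writes redirected if 32-bit
        return ("never", is_32bit)
    prompt = {"requireAdministrator": "always",
              "highestAvailable": "if user is an administrator",
              "asInvoker": "never"}.get(level, "unknown level")
    return (prompt, False)  # a Vista-style manifest turns virtualization off


if __name__ == "__main__":
    for name, xml, b32 in [("admin", ADMIN_MANIFEST, True),
                           ("invoker", INVOKER_MANIFEST, True),
                           ("legacy", None, True)]:
        print(name, launch_behaviour(xml, b32))
```

A program that reports `("never", True)` is the case to watch in support requests: its writes to HKLM or system folders appear to succeed but land in the user's profile.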

Old 11-07-2006   #6 (permalink)
Vipin


 
 

Re: What causes UAC prompts - is there a list?

There are 3 ways to mark an application to run with admin rights. I posted
the mechanisms in response to the
"UAC and scripts(.wsf)" post.

--
Vipin Aravind
http://blogs.explorewindows.com

"Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
news:0B438159-6989-4CC8-ACC0-2CB5BB0E3440@microsoft.com...
>> As you say "most everything can be read by programs", I'm interested in
>> the exclusions, if any - an attempt to read what will trigger a UAC
>> prompt?

>
> NOTHING your application does will trigger a UAC prompt. As I stated
> earlier, UAC is NOT automatic. Your application runs as if it were started
> by a standard user, even if the user is logged in as an administrator. If
> your application tries to access something that the user does not have
> access to (ignoring the user's membership in the administrators group),
> one of two things may happen:
>
> 1) (most likely) Your application will be denied access.
>
> 2) Virtualization may kick in. This will happen if your application is
> 32-bit and does not have a Vista-style manifest. In this scenario, if your
> application tries to WRITE to HKLM or certain system folders, Windows will
> make your program think it is writing to these locations, when in fact
> Windows is silently making a copy of the saved data into the user's
> profile directory and leaving the data in the original location
> unmodified.
>
> You seem to be making UAC into something more than it is.
>
> UAC is simply the means by which programs run with administrator
> permissions. In Windows Vista, programs can either run with "standard
> user" permissions (default, even if the user is an administrator) or run
> with "administrator" permissions.
>
> A program either runs with standard OR administrator permissions. Once a
> program is started, its permission level does not change. When running
> with standard permissions, the program cannot use "administrator"
> permission.
>
> In order for a program to run with administrator permissions, the program
> must include a Vista-style manifest that tells Windows that it requires
> admin permissions. Windows will then throw a UAC prompt that asks the user
> for permission.
>
> UAC is the means by which programs receive admin permission; there is no
> way for a program to run with admin permissions without the user being
> prompted in this manner. UAC is NOT automatic; the program must tell
> Windows that it needs admin permissions for the user to be prompted
> through a manifest.
>
> Please read this document thoroughly:
>
> http://msdn.microsoft.com/windowsvis...cProtVista.asp
>
>
>
> --
> - JB
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/



Old 11-08-2006   #7 (permalink)
Jimmy Brush


 
 

Re: What causes UAC prompts - is there a list?

You are correct; however, from the perspective of an application developer,
the correct way is to use a manifest.

--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/
