Elevation of particular actions in Windows 6 (Vista, 2008) and beyond is controlled by a new mechanism that involves ... .
ACS allows the automatic elevation of configured actions by non-administrative users. This functionality requires that "ShellExecuteHooks" be enabled, which ACS does by default. This configuration could be overridden by Group Policy.
Setting up a Demo - Pre 7.1 SP2
- Updated agents and the demo configuration are located in the three attachments
- Replace the existing agent packages in C:\Program Files\Altiris\Arellia\ApplicationControl\Agents\7.1 with the attached
- Update the version number of the ACS packages under the configuration tab to 7.1.1636
- Clone existing update rollout packages to allow upgrade (rename to include reference to the 1636 agent build)
- Agent machines will require an explorer restart (logoff/logon or reboot) for the shell execute hook to become active
- Import the attached configuration into an ACS folder
ACS Functional Overview
- COM Elevation functionality is inserted into all processes that leverage the Windows Shell if Shell Execute Hooks are enabled.
- This process is controlled by intercepting requests to elevate COM components via DCOM and setting up an Admin proxy via DCOM pointing to a (newly) created DCOM host "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
- ACS steps in and potentially elevates the DCOM host ("COMElevateHost") if command-line options match a particular elevatable COM component (e.g. the "Network Adapter Elevate Attempt" filter).
- If the COMElevateHost is running as an administrator, then requests to it will deliver an elevated COM component; otherwise it will return an access denied failure.
- If the shell execute process does not receive an elevated COM component, it will default to standard processing, which will go through standard UAC mechanisms (potentially displaying UI).
The additional policies included allow greater insight into the process (debugging) as well as identifying necessary parameters for configuring additional filters.
Shell Execute Hook Registry Keys
Key | Name | Type | Value |
---|---|---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | EnableShellExecuteHooks | REG_DWORD | 1 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99} | REG_SZ | Arellia Application Control ShellExecuteHook |
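
One way to check the two registry values listed in the table above on an agent machine, as an added example that is not part of ACS or of the original page. The function name is hypothetical, and the InprocServer32 lookup assumes each hook is registered as an in-process COM server.

```powershell
# Added example, not ACS code. Key paths and the CLSID come from the table above;
# the function name Get-ShellExecuteHookAudit is hypothetical. Requires PowerShell 3+.
function Get-ShellExecuteHookAudit {
    param(
        # CLSIDs expected on an ACS agent machine
        [string[]]$ExpectedClsid = @('{AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99}')
    )
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $hooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

    # Hooks load only when EnableShellExecuteHooks is 1; Group Policy can override it.
    $policy  = Get-ItemProperty -LiteralPath $policyKey -Name EnableShellExecuteHooks -ErrorAction SilentlyContinue
    $enabled = ($null -ne $policy) -and ($policy.EnableShellExecuteHooks -eq 1)

    $hooks = @()
    $key = Get-Item -LiteralPath $hooksKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }  # skip the key's default value
            # Resolve the CLSID to the in-process server DLL registered for it.
            $clsidPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$name\InprocServer32"
            $server = Get-Item -LiteralPath $clsidPath -ErrorAction SilentlyContinue
            $dll = if ($server) { $server.GetValue('') } else { $null }
            $hooks += [pscustomobject]@{
                Clsid       = $name
                Description = $key.GetValue($name)
                Dll         = $dll
                Expected    = $ExpectedClsid -contains $name
            }
        }
    }
    [pscustomobject]@{
        HooksEnabled    = $enabled
        Hooks           = $hooks
        MissingExpected = @($ExpectedClsid | Where-Object { $hooks.Clsid -notcontains $_ })
    }
}

$audit = Get-ShellExecuteHookAudit
"EnableShellExecuteHooks = 1 : $($audit.HooksEnabled)"
$audit.Hooks | Format-Table Clsid, Description, Dll, Expected -AutoSize
if ($audit.MissingExpected) { "Missing expected hook(s): $($audit.MissingExpected -join ', ')" }
$audit.Hooks | Where-Object { -not $_.Expected } |
    ForEach-Object { "Unexpected hook registered: $($_.Clsid) -> $($_.Dll)" }
```

Because a shell execute hook is loaded into every process that uses the Windows Shell, any entry flagged as unexpected is worth tracing back to its DLL and installer.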