Elevation
...
of particular actions in Windows Vista and beyond is controlled by a new mechanism that involves COM Elevation monikers \[cite MS reference\]. ACS allows the automatic elevation of configured actions by non-administrative users. This functionality requires that "ShellExecuteHooks" be enabled, which ACS does by default. This configuration could be overridden by Group Policy.

[ACS 7.1 SP2 Beta Agents]

h3. Setting up a Demo

# Download the three attachments
# Replace the existing agent packages in C:\Program Files\Altiris\Arellia\ApplicationControl\Agents\7.1 with the attached
...
# Update the version number of the ACS packages under the configuration tab to 7.1.
...
1636
# Clone existing update rollout packages to allow upgrade (rename to include reference to the 1636 agent build)
# Agent machines will require an Explorer restart (logoff/logon or reboot) for the shell execute hook to become active
...
# Import the attached configuration into an ACS folder
...
h3. Configuration

# This process is controlled by intercepting requests to elevate COM components via DCOM and setting up an Admin proxy via DCOM pointing to a (newly) created DCOM host "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
# ACS steps in and potentially elevates the DCOM host ("COMElevateHost") if the command-line options match a particular elevatable COM component (e.g. the "Network Adapter Elevate Attempt" filter)
...
# If the COMElevateHost is running as an administrator then requests to it will deliver an elevated COM component, otherwise it will return an access denied failure
...
# If the shell
...
execute process does not receive an elevated COM component it will default to standard processing which will go through standard UAC mechanisms (
...
potentially displaying UI).
...
The additional policies included allow greater insight into the process (debugging) as well as identifying the parameters needed to configure additional filters.

Shell Execute Hook Registry Keys

|| Key || Name || Type || Value ||
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | EnableShellExecuteHooks | REG_DWORD | 1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99} | REG_SZ | Arellia Application Control ShellExecuteHook |
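One way to check the two registry values listed above on an agent machine, as an added example that is not part of the original page or of the ACS product. The function name `Test-AcsShellExecuteHook` and its output fields are assumptions; the key paths, value names and CLSID are the ones given on this page.

```powershell
# Added example: audit the shell execute hook registry values described on this page.
# Function name and output shape are illustrative assumptions.
function Test-AcsShellExecuteHook {
    [CmdletBinding()]
    param(
        # CLSID of the Arellia Application Control ShellExecuteHook, as given on the page.
        [string]$HookClsid = '{AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99}'
    )

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $hooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

    # EnableShellExecuteHooks must be REG_DWORD 1; Group Policy may have overridden it.
    $policy  = Get-ItemProperty -Path $policyKey -Name 'EnableShellExecuteHooks' -ErrorAction SilentlyContinue
    $enabled = ($null -ne $policy) -and ($policy.EnableShellExecuteHooks -eq 1)

    # Read every value registered under ShellExecuteHooks (value name = CLSID).
    $registered = @()
    $key = Get-Item -Path $hooksKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed default value
            $registered += [pscustomobject]@{
                Clsid       = $name
                Description = [string]$key.GetValue($name)
                Kind        = $key.GetValueKind($name)
            }
        }
    }
    $acsHook = $registered | Where-Object { $_.Clsid -ieq $HookClsid }

    [pscustomobject]@{
        HooksEnabledByPolicy = $enabled
        AcsHookRegistered    = [bool]$acsHook
        AcsHookDescription   = $acsHook.Description
        # Every registered hook is loaded by Explorer, so list the others for review.
        OtherHooks           = @($registered | Where-Object { $_.Clsid -ine $HookClsid })
    }
}

Test-AcsShellExecuteHook | Format-List
```

If `HooksEnabledByPolicy` is false while the ACS hook is registered, the hook will not load; an Explorer restart is still needed after either value changes.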