Versions Compared

Old Version 2

changes.mady.by.user Anonymous

Saved on

compared with

New Version Current

changes.mady.by.user Max Pinion

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Elevation of particular actions in Windows Vista and 6 (Vista, 2008) and beyond is controlled by a new mechanism that involves COM Elevation monikers [cite MS reference].

ACS allow allows the automatic elevation of configured actions by non-administrative users.   This functionality requires that "ShellExecuteHooks" be enabled (which ACS does by default).   This configuration could be overridden by a Group Policy.  

ACS

...

Setting up a Demo

  1. Need to download the three attachments
  2. Replace the existing agent packages in C:\Program Files\Altiris\Arellia\ApplicationControl\Agents\7.1 with the attached
  3. Update the version number of the ACS packages under the configuration tab to 7.1.1635
  4. Clone existing update rollout packages to allow upgrade (rename to include reference to the 1635 agent build)
  5. Agent machines will require explorer restart (logoff/logon or reboot) for the shell execute hook to become active
  6. Import the attached configuration into a ACS folder

...

functional overview

  1. COM Elevation functionality is inserted into all processes that leverage the Windows Shell if Shell Execute Hooks are enabled.
  2. This process is controlled by intercepting requests to elevate COM components via DCOM and setting up a an Admin proxy via DCOM pointing to a (newly) created DCOM host. "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
  3. ACS steps in and potentially elevated the DCOM host ("COMElevateHost") if commandline command line options match a particular elevatable COM component (Eg such as the "Network Adapter Elevate Attempt" filter).
  4. If the COMElevateHost is running as an administrator then requests to it will deliver an elevated COM component, otherwise it will return an access denied failure.
  5. If the shell evexecute execute process does not receive an elevated COM component it will default to standard processing which will go through standard UAC mechanisms (ppotentially potentially displaying UI).

The additional policies included allow greater insight into the process (debugging) as well and identifiying necessary parameters for configuring additional filters.

Shell execute hook registry keys

Key

Name

Type

Value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

EnableShellExecuteHooks

REG_DWORD

1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

{AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99}

REG_SZ

Application Control Solution ShellExecuteHook