Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Elevation of particular actions in Windows 6 (Vista, 2008) and beyond is controlled by a new mechanism that involves COM Elevation monikers.

ACS allow allows the automatic elevation of configured actions by non-administrative users.   This functionality requires that "ShellExecuteHooks" be enabled (which ACS does by default).   This configuration could be overridden by a Group Policy.  

...

  1. Updated Agents and demo configuration is located in the three attachments
  2. Replace the existing agent packages in C:\Program Files\Altiris\Arellia\ApplicationControl\Agents\7.1 with the attached
  3. Update the version number of the ACS packages under the configuration tab to 7.1.1636
  4. Clone existing update rollout packages to allow upgrade (rename to include reference to the 1636 agent build)
  5. Agent machines will require explorer restart (logoff/logon or reboot) for the shell execute hook to become active
  6. Import the attached configuration into a ACS folder

ACS Functional Overview

ACS functional overview

  1. COM Elevation functionality is inserted into all processes that leverage the Windows Shell if Shell Execute Hooks are enabled.
  2. This process is controlled by intercepting requests to elevate COM components via DCOM and setting up a an Admin proxy via DCOM pointing to a (newly) created DCOM host. "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
  3. ACS steps in and potentially elevated the DCOM host ("COMElevateHost") if commandline command line options match a particular elevatable COM component (Eg such as the "Network Adapter Elevate Attempt" filter).
  4. If the COMElevateHost is running as an administrator then requests to it will deliver an elevated COM component, otherwise it will return an access denied failure.
  5. If the shell execute process does not receive an elevated COM component it will default to standard processing which will go through standard UAC mechanisms (potentially displaying UI).

The additional policies included allow greater insight into the process (debugging) as well and identifiying necessary parameters for configuring additional filters.

Shell

...

execute hook registry keys

Key

Name

Type

Value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

EnableShellExecuteHooks

REG_DWORD

1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

{AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99}

REG_SZ

Arellia Application Control Solution ShellExecuteHook