User Account Control (UAC) helps prevent unauthorized changes to computers in your system, but its prompts can also annoy users. You can use Application Control Solution (ACS) to suppress UAC prompts for many common processes and programs while UAC still provides an additional layer of security.
This document describes three ways to determine which files need to be managed by ACS to suppress the UAC prompts:
- Check the UAC prompt details
- Search for "has image name"
- Use Process Explorer

Tip: You can also use this information to determine which processes ACS needs to elevate privileges for.
Check the UAC prompt details
The first and often easiest method is to run the process or program to the point where the UAC prompt appears and then click the Show Details link (the link reads "Hide Details" once the details are expanded). The details section at the top of the dialog box expands and shows the file that is attempting to start and is causing the UAC prompt (see the "Program location" detail, outlined in orange in the screenshot). This is almost always the file that needs to be managed by ACS with an Application Initiation policy.

Tip: The UAC dialog box that you see may vary from the example in the screenshot, but the basic layout is the same, with the Show/Hide details link at the bottom left side and the details in the upper middle section.
Search for "has image name"
If the UAC prompt does not give enough information, a more extensive investigation will be necessary.
- Increase the logging level on the client machine that has the ACS agent installed to 1f. See the Symantec KB if details are needed for the client logging level. It may help to clear the log files on the client machine so that there are fewer entries to search in the next steps.
- Turn off the secure desktop.
- Download and run Process Explorer from Microsoft (for information on how to use Process Explorer, go to the heading Use Process Explorer). Because secure desktop is turned off, Process Explorer can run behind the UAC prompts on your screen (just drag the UAC dialog box to the side).
- Right-click the process and click Properties to view process details. The command line is shown on the Image tab.
- Execute the process or program in question.
- Search for "has image name" in the ACS_.log files on the client machine. All the processes that ACS is detecting will be listed there.
Keep track of the processes in a table if necessary, like the following:
Process name | PID | Parent PID | Start time | End time
---|---|---|---|---
- Search for "process start" in the ACS_.log files and put the PID in the table.
- Then search forwards and backwards for the PIDs in question and fill out the rest of the table. Note: If the process did not finish then there will be no end time. Just use the last entry time.
- Then evaluate the data in the table and see which process needs the Application Initiation policy or a standard Application Control policy with a Rights Action (maybe including the use of the User's unrestricted token).
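
The table-building steps above can be scripted once the relevant log lines are collected. This is an added example, not part of the original document or of ACS; the line layout (leading timestamp, `PID=` and `PPID=` fields) and the sample lines are assumptions, so adjust the patterns to what your ACS_.log files actually contain.

```python
import re

# ASSUMPTIONS (the page does not show the log line layout): each line begins with
# "YYYY-MM-DD HH:MM:SS", carries "PID=<n>" and, on "process start" lines, "PPID=<n>".
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
PID = re.compile(r"\bPID=(\d+)")
PPID = re.compile(r"\bPPID=(\d+)")
IMAGE = re.compile(r"has image name\s+(.+?)\s*$", re.IGNORECASE)

def build_process_table(lines):
    """Correlate log lines by PID into the tracking-table columns."""
    table = {}
    for line in lines:
        ts, pid = TS.search(line), PID.search(line)
        if not (ts and pid):
            continue  # line cannot be tied to a process
        row = table.setdefault(pid.group(1), dict(name=None, ppid=None, start=None, end=None))
        image, parent = IMAGE.search(line), PPID.search(line)
        if image:
            row["name"] = image.group(1)
        if "process start" in line.lower():
            row["start"] = ts.group(1)
            if parent:
                row["ppid"] = parent.group(1)
        # No end marker is named on the page, so the last entry for the PID is
        # used as the end time (the page's rule for unfinished processes).
        row["end"] = ts.group(1)
    return table

def family_roots(table):
    """PIDs whose parent was not logged: the top of each process family."""
    return [pid for pid, row in table.items() if row["ppid"] not in table]

# Constructed sample lines, not real ACS output.
SAMPLE = [
    r"2024-01-01 10:00:01 process start PID=4120 PPID=812",
    r"2024-01-01 10:00:01 PID=4120 has image name C:\Tools\setup.exe",
    r"2024-01-01 10:00:03 process start PID=4188 PPID=4120",
    r"2024-01-01 10:00:03 PID=4188 has image name C:\Tools\helper.exe",
    r"2024-01-01 10:00:09 PID=4188 policy evaluated",
    r"2024-01-01 10:00:12 PID=4120 policy evaluated",
]

if __name__ == "__main__":
    t = build_process_table(SAMPLE)
    print(f"{'Process name':<24}{'PID':<7}{'Parent':<8}{'Start time':<21}End time")
    for pid, r in t.items():
        print(f"{r['name'] or '?':<24}{pid:<7}{r['ppid'] or '?':<8}{r['start'] or '?':<21}{r['end']}")
    print("family roots:", family_roots(t))
```

The family roots are only a starting point for the evaluation step; confirm the candidate against the UAC prompt details or Process Explorer before writing a policy.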
Use Process Explorer
To use Process Explorer, from the former SysInternals (now with Microsoft; see the Process Explorer download), do the following steps:
- Run Process Explorer. By default, it shows the hierarchy of the processes running on the computer.
- Apply UAC to the parent process and allow it to flow to child processes.
- Use Process Explorer to find out what process or process family runs a window or parts of a window.
- Click and drag the icon on the menu bar that looks like a target over the item that needs to be elevated.
- That process or its parent process would be the appropriate place to test elevating the process to verify that it is the correct process.