Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

UAC provides an additional layer of security for the Operating system.  It however is often viewed as a thorn in the side of users.  They often seek to disable it or complain about it due to frustration and annoyment with the frequent prompts.  Arellia Application Control Solution (ACS) can supress the UAC prompts for many common processes and programs.  This will reduce the user frustration with UAC.  UAC can then be left enabled to provide the additional security for new or unknown processes and programs.

Sometimes it is complicated to determine which process or program needs to be managed by ACS to prevent the UAC prompts.  Hereafter are described two methods to help determine which process to have ACS act on.

Option 1 

The first and often easiest method is to simply run the process or program to the point where the UAC prompt appears.  In the lower left-hand corner is the "Show Details" link (or in this case the "Hide Details" link as Show Details was already clicked on).  Select that and then in the details section in the top of the page will be expanded and show the file which is attempting to be initiated and which is causing the UAC prompt [See the detail "Program location" surrounded by the Orange box in the image below.].  This is then almost always the file which needs to be managed by ACS with an Application Initiation policy.

 Note:  UAC windows may have different coloring or size than this example, but the layout is generally the same with the Show/Hide details at the bottom left side, and the details in the upper middle section.

Option 2 

If the UAC prompt page does not give enough information then a more extensive investigation may need to be undertaken.

  1. Increase the logging level on the client machine which has the ACS agent installed to 1f.  See the Symantec KB if details are needed for client logging level.  It may help to clear the log files on the client machine so that there are fewer to search in the next steps.
  2. Turn off the secure desktop
  3. Download from Microsoft "Process Explorer" and run.  Since the Secure desktop is turned off, Process Explorer will be able to be accessed behind the UAC prompts (just move to the side) and details on the processes can be viewed by right-clicking on the process and selecting the Properties option.  Then the Commnad line: may be seen on the Image tab.
  4. Execute the process or program in question.
  5. Search for "has image name" in the ACS_.log files on the client machine.  All the processes which ACS is detecting will be listed there.
  6. Keep track of the processes in a table if necessary like the following:

Process name

PID

Parent PID

Start time

End time

 

 

 

 

 

 

 

 

 

 
  1. Search for "process start" in the ACS_.log files and put the PID in the table.
  2. Then search forwards and backwards for the PIDs in question and fill out the rest of the table.  Note:  If the process did not finish then there will be no end time.  Just use the last entry time.
  3. Then evaluate the data in the table and see which process needs the Application Initiation policy or a standard Application Control policy with a Rights Action (maybe including the using the Users unrestricted token).
  • No labels