User Account Control (UAC) helps prevent unauthorized changes to computers in your system, but they can also annoy users. You can use Application Control Solution to suppress UAC prompts for many common processes and programs but still have it provide an additional layer of security.
This document describes three ways to help you determine which files need to be managed by ACS to suppress the UAC prompts:
- Check the UAC prompt details
- Search for “has image name”
- Use Process Explorer from the former SysInternals
Note:
You can also use this information to determine which processes ACS needs to elevate privileges for.
Check the UAC prompt details
The first and often easiest method is to simply run the process or program to the point where the UAC prompt appears and then click the Show Details link (or in this case the "Hide Details" link as Show Details was already clicked on). Select that and then in the details section in the top of the page will be expanded and show the file which is attempting to be initiated and which is causing the UAC prompt [See the detail "Program location" surrounded by the Orange box in the image below.]. This is then almost always the file which needs to be managed by ACS with an Application Initiation policy.
Note: UAC windows may have different coloring or size than this example, but the layout is generally the same with the Show/Hide details at the bottom left side, and the details in the upper middle section.
Search for "has image name"
If the UAC prompt page does not give enough information then a more extensive investigation may need to be undertaken.
- Increase the logging level on the client machine which has the ACS agent installed to 1f. See the Symantec KB if details are needed for client logging level. It may help to clear the log files on the client machine so that there are fewer to search in the next steps.
- Turn off the secure desktop
- Download from Microsoft "Process Explorer" and run. Since the Secure desktop is turned off, Process Explorer will be able to be accessed behind the UAC prompts (just move to the side) and details on the processes can be viewed by right-clicking on the process and selecting the Properties option. Then the Commnad line: may be seen on the Image tab.
- Execute the process or program in question.
- Search for "has image name" in the ACS_.log files on the client machine. All the processes which ACS is detecting will be listed there.
Keep track of the processes in a table if necessary like the following:
Process name
PID
Parent PID
Start time
End time
- Search for "process start" in the ACS_.log files and put the PID in the table.
- Then search forwards and backwards for the PIDs in question and fill out the rest of the table. Note: If the process did not finish then there will be no end time. Just use the last entry time.
- Then evaluate the data in the table and see which process needs the Application Initiation policy or a standard Application Control policy with a Rights Action (maybe including the using the Users unrestricted token).
Use Process Explorer from the former SysInternals
Use Process Explorer from the former SysInternals (now with Microsoft) - Process Explorer download
Run Process Explorer and by default it will show the hierarchy of the processes running on the computer. Elevating or applying UAC to the parent process and allowing it to flow to child processes if necessary will usually be the correct action. Process Explorer can be used to find out what process or process family runs a window or parts of a window. With Process Monitor there is an icon on the menu bar which looks kind of like a target. Clicking and dragging on that icon over any window on the screen will highlight part or all of the window. When the item which needs to be elevated is highlighted release the mouse button and Process Explorer will highlight in its list of processes the process which runs that window or part of a window. That process or its parent process would be the appropriate place to test elevating the process to see if it is the corrrect process.