Elevate secured operations

Elevation of particular actions in Windows 6 (Vista, 2008) and beyond is controlled by a new mechanism that involves COM Elevation monikers.

ACS allows the automatic elevation of configured actions by non-administrative users. This functionality requires that "ShellExecuteHooks" be enabled (which ACS does by default). This configuration could be overridden by a Group Policy.  

ACS functional overview

1. COM Elevation functionality is inserted into all processes that leverage the Windows Shell if Shell Execute Hooks are enabled.
2. This process is controlled by intercepting requests to elevate COM components via DCOM and setting up an Admin proxy via DCOM pointing to a (newly) created DCOM host. "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
3. ACS steps in and potentially elevated the DCOM host ("COMElevateHost") if command line options match a particular elevatable COM component (such as the "Network Adapter Elevate Attempt" filter).
4. If the COMElevateHost is running as an administrator then requests to it will deliver an elevated COM component, otherwise it will return an access denied failure.
5. If the shell execute process does not receive an elevated COM component it will default to standard processing which will go through standard UAC mechanisms (potentially displaying UI).

The additional policies included allow greater insight into the process (debugging) as well and identifiying necessary parameters for configuring additional filters.

Shell execute hook registry keys