Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Elevation of particular actions in Windows Vista and beyond is controlled by a new mechanism that involves COM Elevation monikers [cite MS reference]. ACS allow the automatic elevation of configured actions by non-administrative users.  This functionality requires that "ShellExecuteHooks" be enabled which ACS does by default.  This configuration could be overridden by Group Policy.


[ACS 7.1 SP2 Beta Agents]

Setting up a Demo

  1. Need to download the three attachments
  2. Replace the existing agent packages in C:\Program Files\Altiris\Arellia\ApplicationControl\Agents\7.1 with the attached
  3. Update the version number of the ACS packages under the configuration tab to 7.1.1636
  4. Clone existing update rollout packages to allow upgrade (rename to include reference to the 1636 agent build)
  5. Agent machines will require explorer restart (logoff/logon or reboot) for the shell execute hook to become active
  6. Import the attached configuration into a ACS folder

Configuration

  1. This process is controlled by intercepting requests to elevate COM components via DCOM and setting up a Admin proxy via DCOM pointing to a (newly) created DCOM host "COMElevateHost" instead of the standard "DllHost" DLL surrogate host.
  2. ACS steps in and potentially elevated the DCOM host ("COMElevateHost") if commandline options match a particular elevatable COM component (Eg "Network Adapter Elevate Attempt" filter)
  3. If the COMElevateHost is running as an administrator then requests to it will deliver an elevated COM component, otherwise it will return an access denied failure
  4. If the shell execute process does not receive an elevated COM component it will default to standard processing which will go through standard UAC mechanisms (potentially displaying UI).

The additional policies included allow greater insight into the process (debugging) as well and identifiying necessary parameters for configuring additional filters.

Shell Execute Hook Registry Keys

Key

Name

Type

Value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

EnableShellExecuteHooks

REG_DWORD

1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Unknown macro: {AAABB7E6-188E-4DCC-90B4-4BF31EE7ED99}

REG_SZ

Arellia Application Control ShellExecuteHook




  • No labels