Developing Windows Vista Applications: UAC (User Account Control) Development Requirements (Part 2)

How UAC Works


This section describes the architectural and functional components of User Account Control (UAC) for application developers.

 
New Technologies for Windows Vista

The following sections detail new technologies for Windows Vista, including the ActiveX Installer Service, installer detection, standard user patching with Windows Installer 4.0, Security Center integration, User Interface Privilege Isolation, and virtualization.


ActiveX Installer Service
The ActiveX Installer Service enables enterprises to delegate ActiveX control installation for standard users. This service ensures that routine business tasks are not impeded by failed ActiveX control installations and updates. Windows Vista also includes Group Policy settings that enable IT professionals to define Host URLs from which standard users can install ActiveX controls. The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and some changes in Internet Explorer. The ActiveX Installer Service is an optional component, and will only be enabled on client computers where it is installed.


Installer Detection
Installation programs are applications designed to deploy software, and most write to system directories and registry keys. These protected system locations are typically writeable only by administrator users; this restriction means that standard users do not have sufficient access to install most programs. Windows Vista heuristically detects installation programs and requests administrator credentials or administrator approval in order to run with access privileges. Windows Vista also heuristically detects updater and uninstallation programs. A design goal of UAC is to prevent installations from being executed without the user's knowledge and explicit consent, since installations write to protected areas of the file system and registry.


Important   When developing new installation programs, much like developing programs for Windows Vista, be sure to embed an application manifest with an appropriate requestedExecutionLevel element (see Step 6: Create and Embed an Application Manifest in the downloadable Help file). When the requestedExecutionLevel is present in the embedded application manifest, it overrides Installer Detection.
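An added example manifest (not from the original article or from Microsoft) for a hypothetical per-user tool shipped as update.exe; the assembly identity values are assumptions. Because the manifest carries a requestedExecutionLevel, Installer Detection is overridden and the program runs with the caller's token, rather than prompting because of the "update" keyword in its filename.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Assumed identity values; replace with your own -->
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Contoso.UpdateChecker" type="win32"/>
  <description>Per-user update checker; writes only under the user's profile</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's access token. The presence of this
             element switches Installer Detection off for this executable even
             though its name contains "update". Use requireAdministrator for a
             genuine setup program, or highestAvailable for a tool that can do a
             reduced job for users who are not administrators. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```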


Installer Detection only applies to:


1. 32-bit executables
2. Applications without a requestedExecutionLevel
3. Interactive processes running as a standard user with UAC enabled


Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:


· Filename includes keywords such as "install," "setup," and "update."
· Keywords in the following versioning resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
· Keywords in the side-by-side application manifest embedded in the executable.
· Keywords in specific StringTable entries linked in the executable.
· Key attributes in the resource file data linked in the executable.
· Targeted sequences of bytes within the executable.


Note   The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
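The following PowerShell script is an added example, not part of the original article or of Windows: it applies the documented filename and version-resource inputs of Installer Detection to every executable in a build folder, so you can see which binaries would be treated as installers (and prompt unexpectedly) if shipped without a manifest. The folder path and the keyword list (only the three words the article names; the real list is not public) are assumptions, and the script does not examine the embedded manifest, StringTable entries or byte sequences.

```powershell
# Added example: approximate the Installer Detection inputs named in the article.
# Keyword list is an assumption (the article names these three; the real list is not public).
$InstallerKeywords = 'install', 'setup', 'update'

function Test-InstallerHeuristic {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    # 1. Filename keywords (-match is case-insensitive in PowerShell)
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    foreach ($k in $InstallerKeywords) {
        if ($baseName -match $k) { $hits += "FileName:$k" }
    }
    # 2. Version-resource fields the article lists (Vendor and Export Name have no
    #    FileVersionInfo property, so they are not checked here)
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $fields = [ordered]@{
        CompanyName      = $vi.CompanyName
        ProductName      = $vi.ProductName
        FileDescription  = $vi.FileDescription
        OriginalFilename = $vi.OriginalFilename
        InternalName     = $vi.InternalName
    }
    foreach ($f in $fields.GetEnumerator()) {
        foreach ($k in $InstallerKeywords) {
            if ($f.Value -and $f.Value -match $k) { $hits += "$($f.Key):$k" }
        }
    }
    # 3. Installer Detection applies only to 32-bit images: read IMAGE_FILE_HEADER.Machine
    $is32Bit = $false
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)            # e_lfanew
        $peOffset = $br.ReadInt32()
        $null = $fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)   # skip "PE\0\0"
        $is32Bit = ($br.ReadUInt16() -eq 0x014C)                         # IMAGE_FILE_MACHINE_I386
    } finally { $fs.Dispose() }
    [pscustomobject]@{
        File            = [System.IO.Path]::GetFileName($Path)
        Is32Bit         = $is32Bit
        Triggers        = ($hits -join ', ')
        # Only meaningful for executables that carry no requestedExecutionLevel manifest
        LikelyInstaller = ($is32Bit -and $hits.Count -gt 0)
    }
}

# Assumed build output folder; replace with your own.
Get-ChildItem -Path 'C:\build\out' -Filter *.exe |
    ForEach-Object { Test-InstallerHeuristic -Path $_.FullName } |
    Format-Table -AutoSize
```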


Ensure that you thoroughly review the entirety of this document, including "Step 6: Create and Embed an Application Manifest" in the downloadable Help File.


Note   The "User Account Control: Detect application installations and prompt for elevation" policy setting must be enabled for installer detection to detect installation programs. This setting is enabled by default and can be configured using the Security Policy Manager snap-in (secpol.msc) or with Group Policy (gpedit.msc).

General information and an overview of the Microsoft Windows Installer can be found at MSDN (http://go.microsoft.com/fwlink/?LinkId=30197).


Patching Applications in a UAC Environment

Microsoft Windows Installer version 4.0 was designed with UAC in mind to make application installations and patching easier. With the introduction of Windows Installer 4.0, patches can be applied to applications without reinstalling a newer version of the application. This method is ideal when an application is deployed in a per-computer install and patches need to be deployed by a user without requiring an administrator access token. For information about how to create and apply patches to applications, see MSDN (http://go.microsoft.com/fwlink/?LinkId=71492).


Security Center Integration
When UAC is disabled on a Windows Vista computer, the Security Center creates an alert and prompts the user to re-enable UAC. Security Center displays this alert once the computer has been restarted after the UAC setting change.


User Interface Privilege Isolation
User Interface Privilege Isolation (UIPI) is one of the mechanisms that helps isolate processes running as a full administrator from processes running as an account lower than an administrator on the same interactive desktop. UIPI is specific to the windowing and graphics subsystem, known as USER, that supports windows and user interface controls. UIPI prevents a lower privilege application from using Windows messages to send input from one process to a higher privilege process. Sending input from one process to another allows a process to inject input into another process without the user providing keyboard or mouse actions.


Windows Vista implements UIPI by defining a set of user interface privilege levels in a hierarchical fashion. The nature of the levels is such that higher privilege levels can send window messages to applications running at lower levels. However, lower levels cannot send window messages to application windows running at higher levels.


The user interface privilege level is at the process level. When a process is initialized, the User subsystem calls into the security subsystem to determine the desktop integrity level assigned in the process security access token. The desktop integrity level is set by the security subsystem when the process is created and does not change. Therefore, the user interface privilege level is also set by the User subsystem when the process is created and does not change.


All applications run by a standard user have the same user interface privilege level. UIPI does not interfere with or change the behavior of window messaging between applications at the same privilege level. UIPI comes into effect for a user who is a member of the administrators group and may be running applications as a standard user (sometimes referred to as a process with a filtered access token) and also processes running with a full administrator access token on the same desktop. UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the behavior listed below.


A lower privilege process cannot:


· Perform a window handle validation of higher process privilege.
· SendMessage or PostMessage to higher privilege application windows.
  These Application Programming Interfaces (APIs) return success but silently drop the window message.
· Use thread hooks to attach to a higher privilege process.
· Use Journal hooks to monitor a higher privilege process.
· Perform DLL injection to a higher privilege process.


With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels:


· Desktop window, which actually owns the screen surface.
· Desktop heap read-only shared memory.
· Global atom table.
· Clipboard.


Painting to the screen is another action that is not blocked by UIPI. Painting to the screen refers to the process of using the Paint method to display content on an external output, such as a monitor. The USER/graphics device interface (GDI) model does not allow control over painting surfaces; therefore, it is possible for a lower privilege application to paint over the surface region of a higher privilege application window.

Note   Because the Windows Shell (the Explorer.exe process) is running as a standard user process, any other process running as a standard user can still send the Windows Shell keystrokes. This is the primary reason an administrator account in Admin Approval Mode is prompted for elevation consent when the user initiates an administrative action, such as double-clicking on a setup file or clicking on a button marked with an elevation shield icon.


Virtualization


Important   Virtualization is implemented to improve application compatibility for applications running as a standard user on Windows Vista. Developers must not rely on virtualization being present in subsequent versions of Windows.


For detailed information about "Virtualization" see the Windows Help file, which can be downloaded here. To find this article in the help file, expand Fundamentals, expand Secure Applications, expand Developing Secure Applications, and then click User Account Control (UAC).


User Account Control Architecture

The following diagram represents the process flow for executable launches in Windows Vista.

 
Figure 1. UAC architecture


The following describes the process flow displayed in the UAC architecture diagram and how UAC is implemented when an executable attempts to launch.


Standard User Launch Path

The Windows Vista standard user launch path is similar to the Windows XP launch path, but includes some modifications.


1. ShellExecute() calls CreateProcess().

2. CreateProcess() calls AppCompat, Fusion, and Installer Detection to assess whether the application requires elevation. The executable is then inspected to determine its requestedExecutionLevel, which is stored in the executable's application manifest. The AppCompat database stores information for an application's application compatibility fix entries. Installer Detection detects setup executables.

3. CreateProcess() returns a Win32 error code stating ERROR_ELEVATION_REQUIRED.

4. ShellExecute() looks specifically for this new error and, upon receiving it, calls across to the Application Information service (AIS) to attempt the elevated launch.


Elevated Launch Path


The Windows Vista elevated launch path is a new Windows launch path.


1. AIS receives the call from ShellExecute() and reevaluates the requested execution level and Group Policy settings to determine if the elevation is allowed and to subsequently define the elevation user experience.

2. If the requested execution level requires elevation, AIS launches the elevation prompt on the caller's interactive desktop (based on Group Policy), using the HWND passed in from ShellExecute().

3. Once the user has given consent or valid administrator credentials, AIS will retrieve the corresponding access token associated with the appropriate user, if necessary. For example, an application requesting a requestedExecutionLevel of highestAvailable will retrieve different access tokens for a user that is only a member of the Backup Operators group than for a member of the local Administrators group.


4. AIS reissues a CreateProcessAsUser() call, supplying the administrator access token and specifying the caller's interactive desktop.
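An added PowerShell example, not from the original article, that drives both launch paths described above (the standard user path and the elevated path) for a setup program whose manifest requests requireAdministrator; the executable path is an assumption. Calling Process.Start with UseShellExecute set to false goes straight to CreateProcess(), so the ERROR_ELEVATION_REQUIRED (740) result of step 3 surfaces as a Win32Exception; re-launching with UseShellExecute set to true goes through ShellExecute() and hence through AIS.

```powershell
# Added example (not from the original article): drive the two launch paths from
# PowerShell. The path below is an assumption; point it at a setup program whose
# manifest requests requireAdministrator.
$SetupExe = 'C:\build\out\setup.exe'

function Start-WithElevationFallback {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$FilePath, [string]$Arguments = '')
    $ERROR_ELEVATION_REQUIRED = 740   # Win32 error code returned by CreateProcess()

    # Standard user launch path. UseShellExecute = $false makes .NET call CreateProcess()
    # directly, so AppCompat, Fusion and Installer Detection run but no prompt is shown:
    # a program that needs elevation fails with ERROR_ELEVATION_REQUIRED instead.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName        = $FilePath
    $psi.Arguments       = $Arguments
    $psi.UseShellExecute = $false
    try {
        return [System.Diagnostics.Process]::Start($psi)
    } catch {
        # PowerShell may wrap the Win32Exception in a MethodInvocationException; unwrap it
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.ComponentModel.Win32Exception])) { $ex = $ex.InnerException }
        if (-not $ex -or $ex.NativeErrorCode -ne $ERROR_ELEVATION_REQUIRED) { throw }
        Write-Verbose "CreateProcess() returned ERROR_ELEVATION_REQUIRED (740); retrying via ShellExecute()"
    }

    # Elevated launch path. UseShellExecute = $true goes through ShellExecute(), which
    # hands the request to the Application Information service (AIS). AIS shows the
    # consent or credential prompt according to Group Policy and relaunches the program
    # with CreateProcessAsUser() and the administrator token. The 'runas' verb asks
    # for that path explicitly, even for an asInvoker executable.
    $psi.UseShellExecute = $true
    $psi.Verb            = 'runas'
    return [System.Diagnostics.Process]::Start($psi)
}

$proc = Start-WithElevationFallback -FilePath $SetupExe -Verbose
"Launched PID $($proc.Id)"
```

If the user declines the elevation prompt, the second Start() call throws a Win32Exception with NativeErrorCode 1223 (ERROR_CANCELLED), which a caller should treat as a normal refusal rather than a fault.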


To be continued...
