Developing Windows Vista Applications: Development Requirements for UAC (User Account Control), Part 2

How UAC Works


This section describes the architectural and functional components of User Account Control (UAC) for application developers.


 
New Technologies for Windows Vista

The following sections detail new technologies for Windows Vista, including the ActiveX Installer Service, installer detection, standard user patching with Windows Installer 4.0, Security Center integration, User Interface Privilege Isolation, and virtualization.



ActiveX Installer Service
The ActiveX Installer Service enables enterprises to delegate ActiveX control installation for standard users. This service ensures that routine business tasks are not impeded by failed ActiveX control installations and updates. Windows Vista also includes Group Policy settings that enable IT professionals to define Host URLs from which standard users can install ActiveX controls. The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and some changes in Internet Explorer. The ActiveX Installer Service is an optional component, and will only be enabled on client computers where it is installed.



Installer Detection
Installation programs are applications designed to deploy software, and most write to system directories and registry keys. These protected system locations are typically writeable only by administrator users; this restriction means that standard users do not have sufficient access to install most programs. Windows Vista heuristically detects installation programs and requests administrator credentials or administrator approval in order to run with access privileges. Windows Vista also heuristically detects updater and un-installation programs. A design goal of UAC is to prevent installations from being executed without the user's knowledge and explicit consent since installations write to protected areas of the file system and registry.



Important   When developing new installation programs, much like developing programs for Windows Vista, be sure to embed an application manifest with an appropriate requestedExecutionLevel element (see Step 6: Create and Embed an Application Manifest in the downloadable Help file). When a requestedExecutionLevel is present in the embedded application manifest, it overrides Installer Detection.



Installer Detection only applies to:



1.     32-bit executables



2.     Applications without a requestedExecutionLevel



3.     Interactive processes running as a Standard User with UAC enabled



Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:



·        Filename includes keywords such as "install," "setup," and "update."



·        Keywords in the following Versioning Resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.



·        Keywords in the side-by-side application manifest embedded in the executable.



·        Keywords in specific StringTable entries linked in the executable.



·        Key attributes in the resource file data linked in the executable.



·        Targeted sequences of bytes within the executable.



Note   The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.



Ensure that you thoroughly review the entirety of this document, including "Step 6: Create and Embed an Application Manifest" in the downloadable Help File.



Note   The "User Account Control: Detect application installations and prompt for elevation" setting must be enabled for Installer Detection to detect installation programs. This setting is enabled by default and can be configured using the Security Policy Manager snap-in (secpol.msc) or with Group Policy (gpedit.msc).

General information and an overview of the Microsoft Windows Installer can be found at MSDN (http://go.microsoft.com/fwlink/?LinkId=30197).

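The scope rules and keyword heuristic described above, as an added Python model written for this page (not Microsoft's code; the real detector also scans StringTable entries and byte sequences, which this model omits). The sample manifest, the function names and the policy flag are constructed for the example:

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Keywords the text lists for the file name and the version-resource fields.
INSTALLER_KEYWORDS = ("install", "setup", "update")
VERSION_FIELDS = ("Vendor", "CompanyName", "ProductName", "FileDescription",
                  "OriginalFilename", "InternalName", "ExportName")
# trustInfo appears under either namespace in Vista-era manifests.
TRUSTINFO_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")

# Constructed sample manifest: an explicit asInvoker level disables Installer Detection.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

def requested_execution_level(manifest_xml: Optional[str]) -> Optional[str]:
    """Return the level attribute of requestedExecutionLevel, or None if absent."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for ns in TRUSTINFO_NS:
        el = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if el is not None:
            return el.get("level")
    return None

def keyword_hit(filename: str, version_info: dict) -> bool:
    """True if an installer keyword occurs in the file name or any version field."""
    pattern = re.compile("|".join(INSTALLER_KEYWORDS), re.IGNORECASE)
    strings = [filename] + [version_info.get(f, "") for f in VERSION_FIELDS]
    return any(pattern.search(s) for s in strings)

def triggers_installer_detection(filename, version_info, manifest_xml=None, *,
                                 is_32bit=True, interactive=True, standard_user=True,
                                 uac_enabled=True, detect_installs_policy=True) -> bool:
    """True when Windows would treat the launch as an installer and prompt."""
    # Scope: 32-bit, interactive, standard-user token, UAC on, and the
    # 'Detect application installations' policy enabled (the default).
    if not (is_32bit and interactive and standard_user
            and uac_enabled and detect_installs_policy):
        return False
    if requested_execution_level(manifest_xml) is not None:
        return False  # an embedded requestedExecutionLevel overrides detection
    return keyword_hit(filename, version_info)
```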


Patching Applications in a UAC Environment

Microsoft Windows Installer version 4.0 was designed with UAC in mind to make application installations and patching easier. With the introduction of Windows Installer 4.0, patches can be applied to applications without reinstalling a newer version of the application. This method is ideal when an application is deployed in a per-computer install and patches need to be deployed by a user without requiring an administrator access token. For information about how to create and apply patches to applications, see MSDN (http://go.microsoft.com/fwlink/?LinkId=71492).



Security Center Integration
When UAC is disabled on a Windows Vista computer, the Security Center creates an alert and prompts the user to re-enable UAC. Security Center displays this alert once the computer has been restarted after the UAC setting change.



User Interface Privilege Isolation
User Interface Privilege Isolation (UIPI) is one of the mechanisms that helps isolate processes running as a full administrator from processes running as an account lower than an administrator on the same interactive desktop. UIPI is specific to the windowing and graphics subsystem, known as USER, that supports windows and user interface controls. UIPI prevents a lower privilege application from using Windows messages to send input from one process to a higher privilege process. Sending input from one process to another allows a process to inject input into another process without the user providing keyboard or mouse actions.



Windows Vista implements UIPI by defining a set of user interface privilege levels in a hierarchical fashion. The nature of the levels is such that higher privilege levels can send window messages to applications running at lower levels. However, lower levels cannot send window messages to application windows running at higher levels.



The user interface privilege level is at the process level. When a process is initialized, the User subsystem calls into the security subsystem to determine the desktop integrity level assigned in the process security access token. The desktop integrity level is set by the security subsystem when the process is created and does not change. Therefore, the user interface privilege level is also set by the User subsystem when the process is created and does not change.



All applications run by a standard user have the same user interface privilege level. UIPI does not interfere or change the behavior of window messaging between applications at the same privilege level. UIPI comes into effect for a user who is a member of the administrators group and may be running applications as a standard user (sometimes referred to as a process with a filtered access token) and also processes running with a full administrator access token on the same desktop. UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the behavior listed below.



A lower privilege process cannot:



·        Validate a window handle that belongs to a higher privilege process.


·        SendMessage or PostMessage to higher privilege application windows. These Application Programming Interfaces (APIs) return success but silently drop the window message.

·        Use thread hooks to attach to a higher privilege process.


·        Use Journal hooks to monitor a higher privilege process.


·        Perform DLL injection to a higher privilege process.



With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels:



·        Desktop window, which actually owns the screen surface.


·        Desktop heap read-only shared memory.


·        Global atom table.


·        Clipboard.



Painting to the screen is another action that is not blocked by UIPI. Painting to the screen refers to the process of using the Paint method to display content on an external output—a monitor, for example. The USER/graphics device interface (GDI) model does not allow control over painting surfaces; therefore, it is possible for a lower privilege application to paint over the surface region of a higher privilege application window.


Note   Because the Windows Shell (the Explorer.exe process) is running as a standard user process, any other process running as standard user can still send the Windows Shell keystrokes. This is the primary reason an administrator account in Admin Approval Mode is prompted for elevation consent when the user initiates an administrative action, such as double-clicking on a setup file or clicking on a button marked with an elevation shield icon.



Virtualization


Important   Virtualization is implemented to improve application compatibility problems for applications running as a standard user on Windows Vista. Developers must not rely on virtualization being present in subsequent versions of Windows.



For detailed information about "Virtualization" see the Windows Help file, which can be downloaded here. To find this article in the help file, expand Fundamentals, expand Secure Applications, expand Developing Secure Applications, and then click User Account Control (UAC).



User Account Control Architecture

The following diagram represents the process flow for executable launches in Windows Vista.


 
Figure 1. UAC architecture


The following describes the process flow displayed in the UAC architecture diagram and how UAC is implemented when an executable attempts to launch.



Standard User Launch Path

The Windows Vista standard user launch path is similar to the Windows XP launch path, but includes some modifications.



1.     ShellExecute() calls CreateProcess().


2.     CreateProcess() calls AppCompat, Fusion, and Installer Detection to assess whether the application requires elevation. The executable is then inspected to determine its requestedExecutionLevel, which is stored in the executable's application manifest. The AppCompat database stores an application's application compatibility fix entries. Installer Detection detects setup executables.


3.     CreateProcess() returns a Win32 error code stating ERROR_ELEVATION_REQUIRED.


4.     ShellExecute() looks specifically for this new error and, upon receiving it, calls across to the Application Information service (AIS) to attempt the elevated launch.



Elevated Launch Path


The Windows Vista elevated launch path is a new Windows launch path.



1.     AIS receives the call from ShellExecute() and reevaluates the requested execution level and Group Policy settings to determine if the elevation is allowed and to subsequently define the elevation user experience.


2.     If the requested execution level requires elevation, AIS launches the elevation prompt on the caller's interactive desktop (based on Group Policy), using the HWND passed in from ShellExecute().


3.     Once the user has given consent or valid administrator credentials, AIS will retrieve the corresponding access token associated with the appropriate user, if necessary. For example, an application requesting a requestedExecutionLevel of highestAvailable will retrieve different access tokens for a user that is only a member of the Backup Operators group than for a member of the local Administrators group.



4.     AIS reissues a CreateProcessAsUser() call, supplying the administrator access token and specifying the caller's interactive desktop.

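The two launch paths above (CreateProcess() failing with ERROR_ELEVATION_REQUIRED, ShellExecute() crossing to AIS, and AIS choosing the token it hands to CreateProcessAsUser()) as an added Python model written for this page, not Windows code. The Caller groups, the token labels and the assumption that UAC is enabled are constructed for the example; the Backup Operators case mirrors the highestAvailable example in step 3:

```python
from typing import NamedTuple, Tuple

ERROR_ELEVATION_REQUIRED = 740  # Win32 error code CreateProcess() returns

class Caller(NamedTuple):
    """Group membership of the interactive user (model assumes UAC is enabled)."""
    in_administrators: bool    # runs with a filtered token in Admin Approval Mode
    in_backup_operators: bool  # non-admin group whose privileges are filtered out

def create_process(level: str, caller: Caller) -> Tuple[bool, int]:
    """Standard user launch path: start with the caller's own token, or fail
    with ERROR_ELEVATION_REQUIRED so that ShellExecute() can react."""
    needs_elevation = level == "requireAdministrator" or (
        level == "highestAvailable"
        and (caller.in_administrators or caller.in_backup_operators))
    return (False, ERROR_ELEVATION_REQUIRED) if needs_elevation else (True, 0)

def ais_elevate(level: str, caller: Caller, consented: bool,
                admin_credentials: bool) -> str:
    """Elevated launch path: AIS re-evaluates the level, prompts, and picks the
    token for CreateProcessAsUser(). Return strings are labels for this model."""
    if not consented:
        return "cancelled"
    if caller.in_administrators:
        return "full administrator token"           # consent in Admin Approval Mode
    if level == "highestAvailable" and caller.in_backup_operators:
        return "unfiltered Backup Operators token"  # highest this user can obtain
    if admin_credentials:
        return "full administrator token"           # another administrator's token
    return "cancelled"                              # no usable credentials supplied

def shell_execute(level: str, caller: Caller, consented: bool = True,
                  admin_credentials: bool = False) -> str:
    """ShellExecute(): only ERROR_ELEVATION_REQUIRED crosses over to AIS."""
    ok, err = create_process(level, caller)
    if ok:
        return "caller's token, no prompt"
    if err != ERROR_ELEVATION_REQUIRED:
        raise OSError(err)
    return ais_elevate(level, caller, consented, admin_credentials)
```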


To be continued...
