locked
UAC and Consent.exe RRS feed

  • Question

  • Hi all.

     

    When regular user need to elevate itself to administrator, UAC shows the elevation dialog (using the consent.exe).

     

    Is there a standard way to customize / replace concent.exe. For example, I consider strengthening administrator authentication by developing a credential provider module, so the consent.exe's user/password dialog is not relevant for me?

     

    I guess MS makes it harder to hook consent.exe since its can be exploied by malwares. But does anyone know a way to do so (I prefer a standard way )

     

    Thanks,

    Yair

    Thursday, October 25, 2007 3:03 PM

All replies

  • Hi,
    Assuming your credential provider (custom or from microsoft) support CPUS_CREDUI scenario in
     ICredentialProvider :: SetUsageScenario(
        CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus,
        DWORD dwFlags
        )
    {
    ...
    },

    then the only thing you have to do is to strengthen UAC/Consent policy for Admin . And here is how:

    To configure the UAC prompting behavior for administrators
    1. Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
    2. Click the Start button, click Run, type secpol.msc, and then click OK.
    3. At the User Account Control dialog box for the Microsoft Management Console, click Continue.
    4. In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
    5. Right click the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting and select Properties.
    Consent policy for elevation
    Setting Description Default Value

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    There are three possible values:

    1.

    No prompt – The elevation occurs automatically and silently.

    2.

    Prompt for consent – UAC asks for consent before elevating.

    3.

    Prompt for credentials – UAC requires valid administrator credentials are entered before elevating. This policy is only in effect when UAC is enabled.

     

    Prompt for consent


    You can take a look at Getting Started with User Account Control on Windows Vista to have more details about UAC.

    • Proposed as answer by Fisnik Hasani Saturday, October 3, 2009 7:41 AM
    Tuesday, November 13, 2007 8:53 PM
  • I'm trying to make UAC and ClamAV (antivirus) work together.
    At first it would be nice to display similiar prompt with addition information about file scan results.
    Could I do this?
    Sunday, January 3, 2010 4:14 PM