* Posts by Alun Harford

1 post • joined 23 Apr 2007

Program Names govern admin rights in Vista

Alun Harford

Eugh.

I don't know who Dr Brian Chess is, but he's just made a fool of himself (unless you've misquoted him, in which case he should sue).

This has precisely nothing to do with spyware.

When a program is run, Vista has to work out whether it needs admin rights to work correctly. If it doesn't have a manifest (the preferred method) Vista tries to work out whether it's an installer and if it is, assume that it needs to run as admin, and display the UAC prompt (Windows su).

If a malware author doesn't include a manifest file and 'tricks' the system to make sure that it doesn't appear as an installer, the program will not be run with admin access, and so won't be able to screw the system over.

The downside of this idea happens when a normal user wants to install an application only to their own account. If Vista detects that it's an installer (and it's very good at that - it's not only the name it looks at) Vista won't let it run without admin rights (to 'protect' the user from the installation failing) when in fact they have the rights they'd need to install the program.

An admin can disable this behaviour by setting the security policy item: "User Account Control: Detect application installations and prompt for elevation" to Disabled.

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2022