UAC privilege elevation details

Source: Internet
Author: User

 

While looking into UAC-related matters I realised I still did not know its internal logic, and to make later work easier I had to understand it. After a day of reading I think I have the logic more or less worked out, though it is still fairly involved, so I am noting it here:
1. Program launch: Explorer calls ShellExecuteEx(), and ShellExecuteEx() in turn calls CreateProcess() to create the process. Because the program requires administrator privileges to run, CreateProcess() fails with ERROR_ELEVATION_REQUIRED (740);
2. On seeing that error, ShellExecuteEx() hands the request over to the Application Information service (AppInfo, hosted in svchost.exe). If the request is accepted, AppInfo launches consent.exe, which is the UI process for the UAC dialog box.
3. If you choose Allow in the UAC dialog, consent.exe returns the result to AppInfo (svchost) and exits. AppInfo then creates the high-privilege process through a series of calls based on that result:
1. AppInfo first obtains the high-privilege (elevated) token of the currently logged-on user;
2. AppInfo initialises a STARTUPINFOEX structure:

    typedef struct _STARTUPINFOEX {
        STARTUPINFO StartupInfo;
        LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
    } STARTUPINFOEX, *LPSTARTUPINFOEX;

where:
A. When initialising StartupInfo, its lpDesktop member is set to "winsta0\default", so that the elevated process created later appears on the current user's interactive desktop (otherwise it would land on the invisible desktop of the AppInfo service);
B. When initialising lpAttributeList, AppInfo calls OpenProcess() to obtain a handle to the original calling process and passes that handle to UpdateProcThreadAttribute() with the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute, so that the elevated process is recorded as a child of the original caller (otherwise its parent would be svchost.exe, i.e. AppInfo).
3. Next, svchost (the AppInfo service) calls CreateProcessAsUser() with the token from step 1 to create the elevated process. The relevant parameters are:
A. dwCreationFlags includes EXTENDED_STARTUPINFO_PRESENT (introduced in Vista; it tells the API that the second-to-last parameter, lpStartupInfo, points to a STARTUPINFOEX rather than a plain STARTUPINFO);
B. the second-to-last parameter, lpStartupInfo, is the STARTUPINFOEX initialised in the preceding step.
4. Finally, AppInfo returns from the call and control comes back to Explorer. The elevated process now exists and, thanks to the steps above, it runs on the current user's desktop and the parent process we see in process-tree tools is Explorer, even though a service actually created it. Note that this parent is supplied by the creator, not observed: PROC_THREAD_ATTRIBUTE_PARENT_PROCESS is the same mechanism behind parent-PID spoofing, so a recorded parent of explorer.exe does not by itself prove that Explorer started a process.

References:
http://www.codeproject.com/KB/vista-security/UAC__The_Definitive_Guide.aspx?MSG=2281654
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
http://channel9.msdn.com/shows/Going+Deep/UAC-What-How-Why/

Original post: http://blog.sinzy.net/127/entry/20243
