How To Insert TrustInfo into Manifest to Identify the Application Security Requirements on Windows Vista

Developers need a way to deploy the same build of the application on both Windows Vista and Windows XP. However, a new feature of Windows Vista, User Access Control (UAC) causes processes to run as standard user even if you are logged in with a user that is the member of the Administrators group.

If your application needs administrative privileges, and you want it to run elevated as an administrator, you have to create and embed an application UAC manifest for your application that identifies the privilege level and tells Vista to run the application elevated.

Resource Tuner allows you to patch a pre-existing binary exe to inject the Require Administrator info into it so that it would be forced to run as Administrator on Windows Vista, providing the application the same operational behavior as in Windows XP. A modified exe should still work correctly on prior Windows operating systems.



I tried using mt.exe [from MS Visual Studio] to manifest my files. It worked on some but not on others. It seems your method of parsing the .EXE is more robust than the one that mt.exe uses. Brad Siegfried,

BLS, Inc. more user testimonials

Manifests were used in Windows XP to help application developers identify which versions of ComCtl DLLs the application was tested with. The Windows Vista application manifest schema has been enhanced with attributes that allow developers to mark their applications with a requested execution level. These new attributes indicate to the system that you have a legitimate administrative application. The system will automatically ask for approval from the user to launch the application with full privileges.

Microsoft has implemented an extension to the trustInfo section of the current Windows XP application manifest schema. The following is the format for this:

<requestedExecutionLevel

level="asInvoker|highestAvailable|requireAdministrator"

uiAccess="true|false"/>

where

level

asInvoker — The application runs with the same token as the parent process.

— The application runs with the same token as the parent process. highestAvailable — The application runs with the highest privileges the current user can obtain.

— The application runs with the highest privileges the current user can obtain. requireAdministrator — The application runs only for administrators and requires that the application be launched with the full token of an administrator. If only a small number of features in an application will require administrative privileges (for example, an application needs to configure a firewall), the main process of the application must still be run as a standard user. The administrative features must be moved into a separate process that runs with administrative privileges.

uiAccess

false — The application does not need to drive input to the UI of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true.

— The application does not need to drive input to the UI of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true. true — The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop. This setting should only be used for UI Accessibility applications. Applications that request uiAccess=true must have a valid, trusted digital signature to execute.

Six Easy Steps to Add the TrustInfo Section

1. Download Resource Tuner, open your file, and expand the Manifest folder that’s found in the Resource Tree view; select the Manifest resource to be edited in the Resource Tree.

Note: If your file has no manifest at all, skip all these steps and use Manifest Wizard instead.

2. You will see the XML script. It may look something like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

<assemblyIdentity

name="Microsoft.Windows.MyCoolApp"

processorArchitecture="x86"

version="5.1.0.0"

type="win32"/>

<description>Application description here</description>

<dependency>

<dependentAssembly>

<assemblyIdentity

type="win32"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

processorArchitecture="x86"

publicKeyToken="6595b64144ccf1df"

language="*"

/>

</dependentAssembly>

</dependency>

</assembly>

3. The important thing to note is that there should be no trustInfo statement in this manifest at this time.

4. Now we are going to insert the trust info into this manifest. Press the Resource Editor button to edit the selected manifest. Or simply double-click the manifest item directly.

5. Insert the TrustInfo section into the manifest:

<!-- Identify the application security requirements. -->

<!-- level can be "asInvoker", "highestAvailable", or "requireAdministrator" -->

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">

<security>

<requestedPrivileges>

<requestedExecutionLevel

level="requireAdministrator"

uiAccess="false"/>

</requestedPrivileges>

</security>

</trustInfo>





6. Press OK to close the Resource Editor and select 'File' -> 'Save File As ...' to save the changes you've just made to the target file. If warned that the image size has changed, click "Yes" to update the file size.

< previous | next >



Give Resource Tuner a trial run for 30 days free! Once you try it, we think you will find it hard to go back to other resource hacking utilities. So if you decide to purchase it, it's only $49.95 for a Personal License.