» Short: Windows 7 Release Candidate auto-elevate white list Within Windows

May 2009

12 Comments

Short: Windows 7 Release Candidate auto-elevate white list

Bling Bling! Back in February, I posted a list of applications that have the authority to automatically elevate without prompt in Windows 7. This list has been shortening over the months, with the Release Candidate build featuring the shortest list of now only 62 entries.

Notable missing entries (good thing) are rundll32.exe and mmc.exe.

WindowsehomeMcx2Prov.exe
WindowsSystem32AdapterTroubleshooter.exe
WindowsSystem32BitLockerWizardElev.exe
WindowsSystem32bthudtask.exe
WindowsSystem32chkntfs.exe
WindowsSystem32cleanmgr.exe
WindowsSystem32cliconfg.exe
WindowsSystem32CompMgmtLauncher.exe
WindowsSystem32ComputerDefaults.exe
WindowsSystem32dccw.exe
WindowsSystem32dcomcnfg.exe
WindowsSystem32DeviceEject.exe
WindowsSystem32DeviceProperties.exe
WindowsSystem32dfrgui.exe
WindowsSystem32djoin.exe
WindowsSystem32eudcedit.exe
WindowsSystem32eventvwr.exe
WindowsSystem32FXSUNATD.exe
WindowsSystem32hdwwiz.exe
WindowsSystem32ieUnatt.exe
WindowsSystem32iscsicli.exe
WindowsSystem32iscsicpl.exe
WindowsSystem32lpksetup.exe
WindowsSystem32MdSched.exe
WindowsSystem32msconfig.exe
WindowsSystem32msdt.exe
WindowsSystem32msra.exe
WindowsSystem32MultiDigiMon.exe
WindowsSystem32Netplwiz.exe
WindowsSystem32newdev.exe
WindowsSystem32ntprint.exe
WindowsSystem32ocsetup.exe
WindowsSystem32odbcad32.exe
WindowsSystem32OptionalFeatures.exe
WindowsSystem32perfmon.exe
WindowsSystem32printui.exe
WindowsSystem32rdpshell.exe
WindowsSystem32recdisc.exe
WindowsSystem32rrinstaller.exe
WindowsSystem32rstrui.exe
WindowsSystem32sdbinst.exe
WindowsSystem32sdclt.exe
WindowsSystem32shrpubw.exe
WindowsSystem32slui.exe
WindowsSystem32SndVol.exe
WindowsSystem32spinstall.exe
WindowsSystem32SystemPropertiesAdvanced.exe
WindowsSystem32SystemPropertiesComputerName.exe
WindowsSystem32SystemPropertiesDataExecutionPrevention.exe
WindowsSystem32SystemPropertiesHardware.exe
WindowsSystem32SystemPropertiesPerformance.exe
WindowsSystem32SystemPropertiesProtection.exe
WindowsSystem32SystemPropertiesRemote.exe
WindowsSystem32taskmgr.exe
WindowsSystem32tcmsetup.exe
WindowsSystem32TpmInit.exe
WindowsSystem32verifier.exe
WindowsSystem32wisptis.exe
WindowsSystem32wusa.exe
WindowsSystem32DriverStoreFileRepositorybth.inf_x86_neutral_65c949576945c2a9fsquirt.exe
WindowsSystem32oobesetupsqm.exe
WindowsSystem32sysprepsysprep.exe

http://www.pretentiousname.com Leo Davidson

I checked in the RC and my code injection thing ( http://www.pretentiousname.com/misc/win7_uac_whitelist2.html ) still works so anything that wants to silently elevate under the default Win7 UAC settings still can.
Pingback: Windows 7 Has 62 Uplifting EXEs | The Minority Report
hp7

I noticed that \Windows\System32\sdbinst.exe is still on the list, and that was one of those that the list for build 7000 marked as “interesting from an elevate my own code standpoint”.
Vitaliy

By default user is in Administrators and HomeUsers groups. Does this injection still works if I remove user from Administrators group and add him to Users group (I will use local Admin. accaount for admin. tasks)? After this change UAC asks me Administrator password every time it needs to elevate. And nothing seems broken.
http://www.pretentiousname.com Leo Davidson

@Vitaliy:

The injection stuff only works if you’re running in admin-approval mode. If you’re doing over-the-shoulder elevation then nothing can silently created elevated “blessed” MS COM objects, not even Microsoft’s “blessed” executables like Explorer.exe, MSPaint.exe, Calc.exe, etc. Nothing can silently elevate at all. Same as if you turn UAC up to the always-prompt level, which gets you back to what was the default in Vista.

Switching to standard user accounts and over-the-shoulder elevation cannot be what Microsoft seriously expect people to do, though.

By adding silent elevation methods for their own code MS are acknowledging that Vista’s admin-approval UAC prompts were too annoying for too many users. (IMO, most of that annoyance was really due to the way Explorer etc. trigger far too many prompts, not the prompts themselves, but MS have chosen to give themselves a dodgy backdoor rather than refactor their code like everyone else is expected to, which is pathetic.)

Over-the-shoulder elevation is even more annoying than admin-approval mode, since you have to keep typing passwords instead of simply clicking buttons, so it’s hard to imagine MS seriously expect people to switch to that.
sirus

@ Leo
You have indeed risen a problem, I thought Microsoft guys have already taken care of that problem.
Pingback: At least 62 gaping security holes in Windows 7 Release Candidate « Reformed Musings
http://www.hardwaregeeks.com AlphaAlien

I like how msconfig is also there allowing 3rd party software to tweak any setting for startup, system services auto-run, and even disable uac entirely without UAC elevation.

Is it really that hard to implement a sudo style jail that can figure out basic user intent? If I open a dialog and decide to edit preferences in it prompt me and then don’t prompt me for that application again for a set period of time. Prompts are good, but crying wolf for every little detail is just as bad as allowing backdoors because your program managers are lazy.
Zorkzero

There’s an open source application for WIndows XP and Vista called Surun http://kay-bruns.de/wp/software/surun/ , that solves the problem, that UAC was designed to solve. It allows you to run as normal user and to easily run programs with elevated rights and you don’t need to type any password. It also allows you to easily administer your machine.

What do you think? Why can’t MS do what a single open source developer has done?
Pingback: Tutto quello che c’è da sapere su Windows 7 « Guiodic Blog
Pingback: Due video che mostrano l’insicurezza di Windows 7 « Guiodic Blog
Pingback: Windows 7 UAC whitelist: Code-injection Issue (and more) « Jasper Blog