wastingtimewithforums said:
ManipUni said:

"All the whitelist does is draw attention to a large hole that already exists in the way UAC functions. It *might* make automating escalation slightly easier, but I would say it is a relatively easy thing to do either way."


Is automatic escalation really easy in Vista? OK then, how do you circumvent Vista's UAC prompts? Show me an example.. Because, frankly, I have never seen one. Of course I have seen something that claims it can circumvent it, as example:


But at the end, it doesn't really circumvent it, quote:


"While digging around for possible solutions, it became clear that the only possible fix would be to split iReboot into two parts. One would run in the background as a service, running under the SYSTEM or LOCAL SERVICE accounts and having privileged access to the OS without requiring admin approval or UAC elevation, and with the second half running as an unprivileged userspace client program which interacts with the service backend to get stuff done.

The resulting application has an installer - which requires admin privileges, of course - which installs and launches the background service. The background service has full permission to do what we need to get operating system XXXX to be the default option for the next boot, but - in line with the Windows Service Model - cannot be interacted with by end users."


All the examples I have seen _still_ ask for a prompt at some point. Can you show me an .exe, that disables Vista's UAC instantly without any prompts?

I cannot show you an application that disables UAC instantly.

But what can be done is you can write an application that will monitor process launches within its session, inject code into them, and wait for a user to escalate any one of them. As soon as any process is escalated you've won. Since Win32 let's you alter other processes within the same session it is fairly trivial to do.

Alternatively, and as pointed out above, you could monitor downloaded files and inject code into any *.dll *.exe *.com etc files you run across. Even if it invalidates the signiture most people would assume that something from Microsoft.com for example is safe and launch it.