Documenting the command line that UAC attempts to launch

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is there a way to set UAC to capture or log the entire command line of a
program including all switches that is requesting elevation? I have an
unknown potentially suspicious program that is requesting elevation and I am
unable to see the entire command line or path to the binary to investigate
it. To be safe, I have declined running the program, and briefly examined
the Windows event logs but have not been able to find the details I am
looking for.
As a temporary work-around, I am going to connect via remote desktop to
take a screenshot of the UAC prompt, but this only gives me part of the
command since the display dialog cuts of the text.
 
Is there a way to set UAC to capture or log the entire command
line of a
program including all switches that is requesting elevation? I have
an unknown potentially suspicious program that is requesting elevation
and I am unable to see the entire command line or path to the binary
to investigate it. To be safe, I have declined running the program,
and briefly examined the Windows event logs but have not been able to
find the details I am looking for.
As a temporary work-around, I am going to connect via remote
desktop to
take a screenshot of the UAC prompt, but this only gives me part of
the command since the display dialog cuts of the text.
Click to expand...

Darned good question. I'm hoping someone else will explain how to add
**auditing** for UAC elevation prompts to the Vista event log.
In the meantime:

There are utilities that let you grab text from most dialog boxes.
Try SysExporter.
<http://www.raymond.cc/blog/archives...or-messages-from-any-dialog-boxes-in-windows/>
I don't know if it works with the UAC prompt. Hint: turn on every
option under "Filter", click an item in the list, and the associated
text is displayed underneath.
 
Hi,

Based on my knowledge, we cannot set UAC to capture or log your request.
However, I hope Standard User Analyzer can help you. Standard User Analyzer
(SUA) tool enables you to test your applications to detect potential
compatibility issues due to the User Account Control (UAC) feature.

For more information, please refer to the following links:

Standard User Analyzer Technical Reference
http://technet.microsoft.com/en-us/library/cc765948(WS.10).aspx

Microsoft Application Compatibility Toolkit 5.5
http://www.microsoft.com/downloads/details.aspx?FamilyID=24DA89E9-B581-47B0-
B45E-492DD6DA2971&displaylang=en

Thanks.

Best regards,

Robinson Zhang
Microsoft Online Support
 
Is there a way to set UAC to capture or log the entire command line
of a program including all switches that is requesting elevation? I
have an unknown potentially suspicious program that is requesting
elevation and I am unable to see the entire command line or path to
the binary to investigate it. To be safe, I have declined running the
program, and briefly examined the Windows event logs but have not been
able to find the details I am looking for.
As a temporary work-around, I am going to connect via remote
desktop to take a screenshot of the UAC prompt, but this only gives me
part of the command since the display dialog cuts of the text.
Click to expand...

You might look into having the prompt not displayed on the secure
desktop, and then seeing if it acts differently on the user's desktop.
 
Hi,

I am currently standing by for an update from you and would like to know
how things are going. If you have any questions or concerns on the recent
information I've provided you, please don't hesitate to let me know.

Best regards,

Robinson Zhang
Microsoft Online Support
 
Sorry for the delay in responding Robinson Zhang, it looks like UAC
doesn't have the logging features I need, so it looks like I'll need to use
one of the Sysinternals tools instead to try and capture the program syntax.
 
Hi,

Thank you for your reply and I understand you will use Sysinternals tool as
a workaround to your problem. Regarding the UAC logging features, I will
add it as a feature request to Microsoft's database. Thank you for your
effort on the issue.

If you have any other questions or concerns, please do not hesitate to
contact us. It is always our pleasure to be of assistance.

Have a nice day.

Robinson Zhang
Microsoft Online Support
 
Back
Top