CIS 170F: Windows 7 Administration

Week 7

Windows 7 Security Features
User Account Control
Application Manifest

For applications to receive a Certified For Windows Vista or Certified For Windows 7 logo, they must include an embedded requested execution level manifest that specifies the privileges required. The privilege level is one of the following:

  • asInvoker or RunAsInvoker: The application runs using the standard user privileges and will not initiate a UAC prompt.
  • highestAvailable or RunAsHighest: The application requests privileges higher than standard users and generates a UAC prompt. However, if the user does not provide additional credentials, the application will run anyway, using standard privileges. This is useful for applications that can adjust to either higher or lower privilege levels, or for applications that might need more privileges than a standard user, but fewer than a full administrator. For example, backup applications typically need the user to be a member of the Backup Operators group but do not require the user to be a member of the Administrators group.
  • requireAdministrator or RunAsAdmin: The application requires administrative privileges, generating a UAC prompt. The application will not run with standard privileges.

To add a manifest to existing applications, use the Application Compatibility Toolkit (ACT), which you can download at http://go.microsoft.com/fwlink/?LinkId=23302. The ACT also includes the Microsoft Standard User Analyzer tool, which allows you to diagnose issues that would prevent a program from running properly as a standard user.

For more information about application manifests, visit:
http://msdn.microsoft.com/en-us/library/aa374191(VS.85).aspx.