UAC和Consent.exe [英] UAC and Consent.exe
问题描述
大家好.
Hi all.
当普通用户需要将自己提升为管理员时,UAC会显示提升对话框(使用accept.exe).
When regular user need to elevate itself to administrator, UAC shows the elevation dialog (using the consent.exe).
是否存在自定义/替换concent.exe的标准方法.例如,我考虑通过开发凭据提供程序模块来加强管理员身份验证,因此,accept.exe的用户/密码对话框与我无关吗?
Is there a standard way to customize / replace concent.exe. For example, I consider strengthening administrator authentication by developing a credential provider module, so the consent.exe's user/password dialog is not relevant for me?
我猜想MS使得挂起accept.exe变得更加困难,因为它可以被恶意软件利用.但没有人知道的方式来做到这一点(我更喜欢一个标准的方式)
I guess MS makes it harder to hook consent.exe since its can be exploied by malwares. But does anyone know a way to do so (I prefer a standard way )
谢谢
Yair
推荐答案
假设您的凭据提供程序(自定义或来自Microsoft)支持
ICredentialProvider :: SetUsageScenario中的CPUS_CREDUI场景(
CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus,
DWORD dwFlags
)
{
...
},
您要做的是加强Admin的UAC/同意政策.方法如下:
为管理员配置UAC提示行为
- 使用管理员批准模式"中的管理员帐户登录Windows Vista计算机.
- 单击开始按钮,单击运行,键入 secpol.msc ,然后单击确定.
- 在 Microsoft管理控制台的用户帐户控制"对话框中,单击继续.
- 在本地安全设置中,展开本地安全设置,展开本地策略,然后展开安全选项.
- 右键单击用户帐户控制:管理员在管理员批准模式下提升权限的行为设置,然后选择属性.
- Log on to a Windows Vista computer with an administrator account in Admin Approval Mode.
- Click the Start button, click Run, type secpol.msc, and then click OK.
- At the User Account Control dialog box for the Microsoft Management Console, click Continue.
- In Local Security Settings, expand Local Security Settings, expand Local Policies, and then expand Security Options.
- Right click the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting and select Properties.
| 同意加高政策 | |||||||
| 设置 | 说明 | 默认值 | |||||
|
用户帐户控制:在管理员批准模式下管理员的提升提示的行为
| |||||||
