Windows displays UAC prompts on the "secure desktop" when certain security-related operations need to be performed. There's obviously some API somewhere that creates the secure desktop and creates a window on it, but I have no idea where I would find out about the mechanisms involved. I guess I could reverse engineer the UAC mechanisms, but I'm not that good at that level of reverse engineering (and I'm pretty sure there are some legal ramifications involved...)
Anyway, I know there's an API to create new desktops on the current session, but there's no mention of secure desktops in any documentation I can find. Out of curiosity, I'd like to know how the whole secure desktop / UAC prompt creation works.
Disclaimer: This is purely theoretical, and I'm not looking to deploy this in any of my code.
It seems likely that, from the point of view of the system, the secure desktop is just a perfectly normal desktop with a suitable ACL. Note that CreateDesktop allows you to specify a security descriptor for the new desktop.
So far as I know, the secure desktop has no special behaviour, so I see no reason to suppose that any additional API (documented or not) is involved.
You may have seen this, but just in case, and for other users reading this, there is a nice flow chart on the UAC Architecture here:
http://msdn.microsoft.com/en-us/library/bb756945.aspx
As for UAC, as far as I know, all of the information for how UAC is to work with a specific application is in the manifest, which is embedded in the exe or dll in the linking phase.
Since the .Net change, even non-.Net applications are required to have a manifest in them to tell Windows that they are not .Net. Everything built in the newer versions of Visual Studio, or at least the ones that I have built in, have a wide range of UAC options in the manifest section of the linker options, including ones which allow you to disable it.
There is a UAC clone with source that also works on XP. It is called SuRun and contains some more features like automatic elevation for specific apps.
Blog and docs are in German : http://kay-bruns.de/wp/software/surun
The German docs contain lots of detailed information: http://kay-bruns.de/download/SuRun1209.pdf
Sourceforge Page: http://sourceforge.net/projects/surun/
It is C++
The way a process is launched in Windows is using CreateProcess.
CreateProcess performs 3 checks to see if the application requires elevation:
- the application asks to run elevated (requestedExecutionLevel=requireAdministrator)
- a heuristic thinks the app might be an installer (e.g. named setup.exe, installer.exe, update.exe) (which can be disabled by group policy)
- AppCompat says that the shit application needs to be elevated
If CreateProcess decides the process needs to be launched with administrator privileges, and the user doesn't currently have administrator privileges, it fails and returns the error: ERROR_ELEVATION_REQUIRED (740)
ShellExecute knows how to handle this new error code
ShellExecute is a higher level wrapper around CreateProcess. It knows how to handle this new error code from CreateProcess.
ShellExecute is the function that calls into the AppInfo (Application Information) service. AppInfo service launches Consent.exe, which is the UAC prompt. And it performs the elevation.
- if the user is an administrator with admin privileges denied, it prompts for authorization
- if the user is a standard user, it prompts for credentials
AppInfo launches the new process, and ShellExecute returns.
Source
- Channel 9: UAC - What. How. Why. (3/5/2007)
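The three checks described in the answer above, as an added example for auditing which binaries would come back with error 740 (this is not code from the answer or from Windows). The function names, the keyword list, the order in which the checks are applied and the rule that the heuristic is skipped when a manifest declares a level are assumptions of this sketch; the manifest is a constructed sample.

```python
import xml.etree.ElementTree as ET

ERROR_ELEVATION_REQUIRED = 740  # error code named in the answer above

# Constructed sample manifest (not taken from any real binary).
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Assumption: simplified stand-in for the installer heuristic (file name only).
INSTALLER_KEYWORDS = ("setup", "install", "update")


def requested_level(manifest_xml):
    """Return the manifest's requestedExecutionLevel, or None if absent."""
    if not manifest_xml:
        return None
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Compare the local name so the namespace version does not matter.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None


def elevation_reason(exe_name, manifest_xml=None, appcompat_flag=False,
                     installer_detection=True):
    """Return which check demands elevation, or None if none does.

    Only requireAdministrator is modelled; other levels are treated as
    'no request'. appcompat_flag stands in for the AppCompat database.
    """
    level = requested_level(manifest_xml)
    if level == "requireAdministrator":
        return "manifest"
    # Assumption: a declared level suppresses the file-name heuristic.
    if level is None and installer_detection and any(
            k in exe_name.lower() for k in INSTALLER_KEYWORDS):
        return "installer-heuristic"
    if appcompat_flag:
        return "appcompat"
    return None


def create_process_result(reason, token_is_elevated):
    """Model the outcome: 740 if elevation is needed but the token lacks it."""
    return ERROR_ELEVATION_REQUIRED if reason and not token_is_elevated else 0
```

Setting `installer_detection=False` models the group policy mentioned above that disables the heuristic.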