Thursday, March 20, 2014

Application Information Service - The heart of UAC



In this article we talk about the Application Information Service (AIS), the core of Windows User Account Control (UAC) and the centrepiece of the post-Vista Windows security model.

Introduction
When running an application you may come across a scenario where the application causes a UAC prompt to be presented, asking the user for consent to continue executing that application with elevated privileges. The action is first checked for
For definitions of the concepts used below, consult the references on the following: Elevated Token, Manifest, User Account Control, and Consent.exe.

The Application Information Service (AIS) is at the heart of the User Account Control prompt. Whenever an application requires an elevated token, the request is referred to AIS. AIS launches consent.exe, which finds out whether the user gives consent or not. Only then is control passed to the application and its binary code gets control of the processor. Note that explorer.exe does not read the manifest or make the elevation decision itself; it simply requests the launch and, once the elevation has been handled, the application runs.
In order to show that the consent prompt is launched by a service (AIS) and not by explorer.exe, we trigger a prompt and, as soon as we return to the normal desktop with Process Explorer running, press the space bar to pause Process Explorer's refresh. In the screenshot below (Fig1) we see that an svchost.exe process, not explorer.exe, is the parent of consent.exe.


Fig1: Who calls consent.exe ? (Click Image to expand)


This svchost.exe is the instance that was launched with the '-k netsvcs' switch, as shown in Fig2. It is the particular svchost.exe instance that hosts the Application Information Service.

 Fig2: svchost.exe calls consent.exe (Click Image to expand)

When is the Application Information Service started?
AIS is started on demand and is hosted in the netsvcs service group. The command line is shown in the service's properties in the Services (SCM) panel: it runs as 'C:\WINDOWS\system32\svchost.exe -k netsvcs' and its service DLL is 'appinfo.dll'. If we search for appinfo.dll in Process Explorer (Find > Find Handle or DLL), it is found loaded in an svchost.exe (PID 628 in this example), as shown in Fig3 below:
Fig3: Who hosts appinfo.dll (AIS ?) (Click Image to expand)

When we look at the properties of process 628 we see that it is the svchost.exe started with the '-k netsvcs' parameter, as shown in Fig4 below:
 Fig4: svchost hosts appinfo.dll (Click Image to enlarge)
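The same lookup done from the command line, as an added example that is not part of the original post. It asks the SCM which svchost.exe instance hosts the Appinfo service, prints that instance's command line and registered service DLL, and confirms that appinfo.dll is actually mapped into it; it then cross-checks in the other direction by scanning every svchost.exe for appinfo.dll. The service name Appinfo and the DLL name appinfo.dll are the ones Windows registers; the variable names are my own. Run it from an elevated PowerShell, since reading another process's module list needs that. On Windows 10 1703 and later with more than 3.5 GB of RAM the SCM splits service groups, so the host command line may read "svchost.exe -k netsvcs -p -s Appinfo" rather than the plain "-k netsvcs" shown in the screenshots.

```powershell
# Added example, not from the original post. Service name "Appinfo" and DLL
# "appinfo.dll" are as registered by Windows; variable names are my own.
# Run from an elevated PowerShell.

$svc = Get-CimInstance Win32_Service -Filter "Name='Appinfo'"
if (-not $svc) { throw 'Appinfo service not found' }
'{0}: state={1} start={2} pid={3}' -f $svc.DisplayName, $svc.State, $svc.StartMode, $svc.ProcessId
'Registered path : {0}' -f $svc.PathName

# What the SCM has recorded for the service: the host command line and the DLL
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Appinfo'
'ImagePath       : {0}' -f (Get-ItemProperty -Path $key).ImagePath
'ServiceDll      : {0}' -f (Get-ItemProperty -Path "$key\Parameters").ServiceDll

if ($svc.ProcessId -eq 0) {
    # Demand-start service: it may simply not have been needed yet.
    Write-Warning 'Appinfo is not running; elevation requests would fail until it starts.'
    return
}

# The command line of this particular svchost instance (the "-k netsvcs" one)
$hostProc = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
'Host command    : {0}' -f $hostProc.CommandLine

# Confirm appinfo.dll is actually mapped into that process
$mod = (Get-Process -Id $svc.ProcessId).Modules |
       Where-Object { $_.ModuleName -ieq 'appinfo.dll' }
if ($mod) { 'appinfo.dll     : {0}' -f $mod.FileName }
else      { Write-Warning 'appinfo.dll is not loaded in the Appinfo host process' }

# Cross-check the other way round: every svchost.exe that has appinfo.dll loaded.
# Exactly one PID is expected, and it should equal $svc.ProcessId.
$hosts = Get-Process -Name svchost | ForEach-Object {
    try {
        if ($_.Modules | Where-Object { $_.ModuleName -ieq 'appinfo.dll' }) { $_.Id }
    } catch { }   # access denied on protected processes; ignore those
}
'svchost PIDs with appinfo.dll loaded: {0}' -f ($hosts -join ', ')
```

If the first query reports pid=0, triggering any elevation (for example right-clicking a program and choosing Run as administrator) will start the service; rerunning the script then shows the PID and the matching svchost.exe command line.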

The SCM describes the service as follows: AIS facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks.
The shell checks with this service when it launches an application. AIS, not the shell, reads the manifest, in particular the 'trustInfo' XML section whose 'requestedExecutionLevel' states what the application asks for (asInvoker, highestAvailable or requireAdministrator). Because AIS is a service running with high privilege, it can spawn the process with an appropriately elevated token, something the caller's own filtered token does not allow. The child is then re-parented so that it appears as a child process of the calling application rather than of svchost.exe. The flow is shown in Fig5 below:
 Fig5: The process flow of UAC prompt (Click Image to enlarge)
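The manifest section and the elevation flow described above, as an added example that is not from the original post. The manifest is a constructed sample and the helper names (Get-RequestedExecutionLevel, Test-Elevated) are my own. The script reads requestedExecutionLevel from the trustInfo section, shows that an administrator's normal UAC-filtered token does not carry an enabled Administrators membership, and then launches a child through ShellExecute's runas verb (Start-Process -Verb RunAs), which is the path that ends up at AIS and consent.exe. After the prompt is accepted it confirms that the elevated child shows the calling shell, not svchost.exe, as its parent. The runas step is interactive and needs an administrator account running under UAC.

```powershell
# Added example, not from the original post. Constructed manifest sample;
# helper function names are my own.

# 1. The trustInfo section of an application manifest. 'level' is what the
#    elevation decision is made on: asInvoker, highestAvailable or
#    requireAdministrator.
$manifest = [xml]@'
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

function Get-RequestedExecutionLevel([xml]$m) {
    # PowerShell's XML adapter ignores namespaces for property access
    $m.assembly.trustInfo.security.requestedPrivileges.requestedExecutionLevel.level
}

# 2. Is the current token elevated? For an administrator running under UAC
#    the filtered token carries the Administrators SID as deny-only, so
#    IsInRole returns $false until the process is relaunched through AIS.
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$level = Get-RequestedExecutionLevel $manifest
"requestedExecutionLevel = $level; current token elevated = $(Test-Elevated)"

# 3. What a launcher has to do when the level is requireAdministrator and the
#    token is not elevated: go through ShellExecute with the 'runas' verb.
#    That request is what AIS services: it shows consent.exe and, if the user
#    agrees, creates the child with the full token.
if ($level -eq 'requireAdministrator' -and -not (Test-Elevated)) {
    try {
        $child = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
                               -ArgumentList '/c', 'timeout /t 20' `
                               -Verb RunAs -PassThru
        # The elevated child is re-parented to the caller, so its parent is
        # this shell, not the svchost.exe hosting AIS that actually created it.
        $parent = (Get-CimInstance Win32_Process -Filter "ProcessId=$($child.Id)").ParentProcessId
        "child pid=$($child.Id) parent pid=$parent (this shell is pid $PID)"
    } catch {
        # Either the user declined the prompt (Win32 error 1223, ERROR_CANCELLED)
        # or the launch could not be elevated, e.g. the Appinfo service is stopped.
        Write-Warning "Elevation failed: $($_.Exception.Message)"
    }
}
```

Running the same script from a console that is already elevated prints "current token elevated = True" and skips step 3, because no new token is required and AIS is not involved.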

If AIS is not running, applications that require an elevated token cannot obtain one and therefore cannot be launched with elevated privileges.