
Documenting the command line that UAC attempts to launch

Discussion in 'Windows Security' started by Mltwwlco@noemail.noemail, May 21, 2009.

  1. Is there a way to set UAC to capture or log the entire command line of a
    program including all switches that is requesting elevation? I have an
    unknown potentially suspicious program that is requesting elevation and I am
    unable to see the entire command line or path to the binary to investigate
    it. To be safe, I have declined running the program, and briefly examined
    the Windows event logs but have not been able to find the details I am
    looking for.
    As a temporary work-around, I am going to connect via remote desktop to
    take a screenshot of the UAC prompt, but this only gives me part of the
    command since the display dialog cuts off the text.
     
  2. Mark Blain

    Mark Blain Guest

    <Mltwwlco@noemail.noemail> wrote in
    news:eAqkkzj2JHA.4412@TK2MSFTNGP06.phx.gbl:
    > Is there a way to set UAC to capture or log the entire command
    > line of a
    > program including all switches that is requesting elevation? I have
    > an unknown potentially suspicious program that is requesting elevation
    > and I am unable to see the entire command line or path to the binary
    > to investigate it. To be safe, I have declined running the program,
    > and briefly examined the Windows event logs but have not been able to
    > find the details I am looking for.
    > As a temporary work-around, I am going to connect via remote
    > desktop to
    > take a screenshot of the UAC prompt, but this only gives me part of
    > the command since the display dialog cuts off the text.

    Darned good question. I'm hoping someone else will explain how to add
    **auditing** for UAC elevation prompts to the Vista event log.
    In the meantime:

    There are utilities that let you grab text from most dialog boxes.
    Try SysExporter.
    <http://www.raymond.cc/blog/archives/2008/05/25/how-to-copy-text-or-error-messages-from-any-dialog-boxes-in-windows/>
    I don't know if it works with the UAC prompt. Hint: turn on every
    option under "Filter", click an item in the list, and the associated
    text is displayed underneath.
     
  3. Hi,

    Based on my knowledge, we cannot set UAC to capture or log your request.
    However, I hope Standard User Analyzer can help you. The Standard User Analyzer
    (SUA) tool enables you to test your applications to detect potential
    compatibility issues due to the User Account Control (UAC) feature.

    For more information, please refer to the following links:

    Standard User Analyzer Technical Reference


    Microsoft Application Compatibility Toolkit 5.5

    B45E-492DD6DA2971&displaylang=en

    Thanks.

    Best regards,

    Robinson Zhang
    Microsoft Online Support
     
  4. <Mltwwlco@noemail.noemail> wrote in message
    news:eAqkkzj2JHA.4412@TK2MSFTNGP06.phx.gbl...
    > Is there a way to set UAC to capture or log the entire command line
    > of a program including all switches that is requesting elevation? I
    > have an unknown potentially suspicious program that is requesting
    > elevation and I am unable to see the entire command line or path to
    > the binary to investigate it. To be safe, I have declined running the
    > program, and briefly examined the Windows event logs but have not been
    > able to find the details I am looking for.
    > As a temporary work-around, I am going to connect via remote
    > desktop to take a screenshot of the UAC prompt, but this only gives me
    > part of the command since the display dialog cuts off the text.

    You might look into having the prompt not displayed on the secure
    desktop, and then seeing if it acts differently on the user's desktop.
     
  5. Hi,

    I am currently standing by for an update from you and would like to know
    how things are going. If you have any questions or concerns on the recent
    information I've provided you, please don't hesitate to let me know.

    Best regards,

    Robinson Zhang
    Microsoft Online Support
     
  6. Bob

    Bob Guest

    Thanks for asking.
    Things are going well. I'm feeling much better.

    Robinson Zhang [MSFT] wrote:
    > Hi,
    >
    > I am currently standing by for an update from you and would like to know
    > how things are going. If you have any questions or concerns on the recent
    > information I've provided you, please don't hesitate to let me know.
    >
    > Best regards,
    >
    > Robinson Zhang
    > Microsoft Online Support
    >
     
  7. Sorry for the delay in responding Robinson Zhang, it looks like UAC
    doesn't have the logging features I need, so it looks like I'll need to use
    one of the Sysinternals tools instead to try and capture the program syntax.


    "Robinson Zhang [MSFT]" <v-robzha@online.microsoft.com> wrote in message
    news:p3UicwQ3JHA.5720@TK2MSFTNGHUB02.phx.gbl...
    > Hi,
    >
    > I am currently standing by for an update from you and would like to know
    > how things are going. If you have any questions or concerns on the recent
    > information I've provided you, please don't hesitate to let me know.
    >
    > Best regards,
    >
    > Robinson Zhang
    > Microsoft Online Support
    >
     
  8. Hi,

    Thank you for your reply and I understand you will use a Sysinternals tool as
    a workaround to your problem. Regarding the UAC logging features, I will
    add it as a feature request to Microsoft's database. Thank you for your
    effort on the issue.

    If you have any other questions or concerns, please do not hesitate to
    contact us. It is always our pleasure to be of assistance.

    Have a nice day.

    Robinson Zhang
    Microsoft Online Support
     
