UAC: COM Per-User Configuration
Feature Impact
Medium
Brief Description
The Component Object Model (COM) leverages the registry to maintain information about all of the COM objects installed on a computer. This registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive, which allows for both per-user and per-machine object registration. Per-user COM object configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, per-user configurations take precedence.
Beginning with Windows Vista® and Windows Server® 2008, if the integrity level of a process is higher than Medium, the COM runtime ignores per-user COM configuration and accesses only per-machine COM configuration. This action reduces the surface area for elevation of privilege attacks, preventing a process with standard user privileges from configuring a COM object with arbitrary code and having this code called from an elevated process.
Manifestation
Applications that are run-elevated (whether manifested as Require Administrator or user-selected by right-clicking and selecting Run as Administrator), as well as applications run from an account that is a member of the Administrators group where User Account Control (UAC) is disabled, will not be able to access any COM objects configured per-user.
Remedies
Applications that will require administrator rights should register any dependent COM objects during installation to the per-machine COM configuration store (HKEY_LOCAL_MACHINE\Software\Classes).
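The following PowerShell audit is an added example, not part of the original page. Run in the user's own session, it lists COM classes registered under HKEY_CURRENT_USER\Software\Classes\CLSID and marks each as per-user only (not visible to a process above Medium integrity) or as shadowing a per-machine entry. The function names are illustrative, and only the registry view of the running PowerShell bitness is checked.

```powershell
# Added example: classify per-user COM class registrations against the per-machine store.
# Assumption: only the CLSID subtree is inspected, in the registry view that matches
# the bitness of this PowerShell process (32-bit classes on 64-bit Windows live
# under WOW6432Node and need a 32-bit PowerShell).
$userRoot    = 'HKCU:\Software\Classes\CLSID'
$machineRoot = 'HKLM:\Software\Classes\CLSID'

function Get-ComServerPath {
    param([string]$ClsidKeyPath)
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $serverKey = "$ClsidKeyPath\$sub"
        if (Test-Path -LiteralPath $serverKey) {
            # The default value of the server key holds the DLL or EXE path.
            $value = (Get-Item -LiteralPath $serverKey).GetValue('')
            if ($value) { return "${sub}: $value" }
        }
    }
    return $null
}

function Get-PerUserComRegistration {
    if (-not (Test-Path -LiteralPath $userRoot)) { return }
    Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid      = $_.PSChildName
        $userServer = Get-ComServerPath "$userRoot\$clsid"
        if (-not $userServer) { return }   # no server registered here; skip this key

        $machineKey = "$machineRoot\$clsid"
        $hasMachine = Test-Path -LiteralPath $machineKey
        [pscustomobject]@{
            Clsid         = $clsid
            # PerUserOnly: an elevated process cannot create this class at all.
            # ShadowsPerMachine: an elevated process gets the per-machine server,
            # a Medium-integrity process gets the per-user one.
            Status        = if ($hasMachine) { 'ShadowsPerMachine' } else { 'PerUserOnly' }
            UserServer    = $userServer
            MachineServer = if ($hasMachine) { Get-ComServerPath $machineKey } else { $null }
        }
    }
}

Get-PerUserComRegistration | Sort-Object Status, Clsid | Format-Table -AutoSize -Wrap
```

Entries reported as PerUserOnly that belong to an application requiring administrator rights are the ones to move to the per-machine store at install time; ShadowsPerMachine entries whose server path differs from the per-machine one are worth reviewing.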