How User Account Control Works

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

User Account Control (UAC) helps prevent malicious programs (also called malware) from damaging a computer and helps organizations deploy a better-managed desktop. With UAC, applications and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized applications and prevent inadvertent changes to system settings.

UAC Process and Interactions

Each application that requires the administrator access token must prompt the administrator for consent. The one exception is the relationship between parent and child processes: child processes inherit the user access token from the parent process, but both must have the same integrity level. Windows Server 2012 protects processes by marking them with integrity levels, which are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a web browser. Applications with a lower integrity level cannot modify data in applications with a higher integrity level. When a standard user attempts to run an application that requires an administrator access token, UAC requires that the user provide valid administrator credentials.

To understand how this process happens, it helps to review the details of the Windows Server 2012 logon process.

Windows Server 2012 Logon Process

The following illustration demonstrates how the logon process for an administrator differs from the logon process for a standard user.

(Diagram: how the logon process for an administrator differs from the logon process for a standard user)

By default, standard users and administrators access resources and run applications in the security context of a standard user. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access the user is granted, including specific security identifiers (SIDs) and Windows privileges.

When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed (the Administrators group SID remains in the token marked as deny-only, so it can still be used to deny access but never to grant it). The standard user access token is used to start applications that do not perform administrative tasks (standard user applications), and it is then used to display the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user unless the user provides consent or credentials to approve an application to use the full administrative access token.

A user who is a member of the Administrators group can log on, browse the web, and read e-mail while using the standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows Server 2012 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.
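The split described above can be seen directly from a PowerShell session. The following is an added example, not code from the original page: it reports whether the current process holds the filtered standard user token or the full administrator token, using only the .NET identity classes and the output of whoami. It assumes whoami.exe is on the path (it ships in System32) and that the session is interactive. Run it once in a normal window and once in a window started with "Run as administrator" to see both tokens.

```powershell
# Added example (not from the original page): show which of the two tokens the
# current PowerShell process is running with.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole() only counts groups that are enabled in the token. In the filtered
    # standard user token BUILTIN\Administrators is present but "used for deny only",
    # so this stays $false until the process is elevated.
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every group SID with its attributes, plus the integrity
    # label ("Mandatory Label\High Mandatory Level" for an elevated process).
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }

    $state = if ($isElevated) {
        'Full administrator token'
    } elseif ($admins -and $admins.Attributes -match 'deny only') {
        'Filtered standard user token of an administrator (Admin Approval Mode)'
    } else {
        'Standard user token'
    }

    [pscustomobject]@{
        User            = $identity.Name
        Elevated        = $isElevated
        IntegrityLevel  = if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'unknown' }
        AdminsAttribute = if ($admins) { $admins.Attributes } else { '(not in token)' }
        TokenState      = $state
    }
}

Get-UacTokenState | Format-List
```

For an administrator in Admin Approval Mode the unelevated window shows "Medium Mandatory Level" and "Group used for deny only" on the Administrators SID; the elevated window shows "High Mandatory Level" and the group enabled. A standard user never has the Administrators SID in the token at all.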

Note

The term "elevate" refers to the process in Windows Server 2012 that prompts the user for consent or credentials in order to use the full administrator access token.

The UAC User Experience

When UAC is enabled, the user experience for standard users differs from that of administrators in Admin Approval Mode. The recommended and more secure way to run Windows Server 2012 is to make your primary user account a standard user account. Running as a standard user helps maximize security for a managed environment. With the built-in UAC elevation component, standard users can perform an administrative task by entering valid credentials for a local administrator account. The default built-in UAC elevation component for standard users is the credential prompt.

The alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can perform an administrative task by providing approval. The default built-in UAC elevation component for an administrator account in Admin Approval Mode is called the consent prompt. The UAC elevation prompting behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.

The consent and credential prompts

With UAC enabled, Windows Server 2012 prompts for consent, or for the credentials of a valid local administrator account, before starting a program or task that requires a full administrator access token. This prompt ensures that no software can be silently installed with administrator rights. It does not restrict what a program can already do with the standard user token it holds, and Microsoft does not treat UAC as a security boundary; the prompt is a consent mechanism whose value depends on the user being able to judge what they approve.

The consent prompt

The consent prompt is presented when a user attempts to perform a task that requires the user's administrative access token. The following is a screen shot of the UAC consent prompt.

(Screen shot: the UAC consent prompt)

The credential prompt

The credential prompt is presented when a standard user attempts to perform a task that requires an administrative access token. This default prompt behavior for standard users can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. Administrators can also be required to provide their credentials by setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Prompt for credentials.

The following screen shot is an example of the UAC credential prompt.

(Screen shot: an example of the UAC credential prompt)

UAC elevation prompts

The UAC elevation prompts are color-coded to be application-specific, enabling immediate identification of an application's potential security risk. When an application attempts to run with an administrator's full access token, Windows Server 2012 first analyzes the executable file to determine its publisher. Applications are separated into three categories based on the executable file's publisher: Windows Server 2012 itself, publisher verified (signed), and publisher not verified (unsigned). The following diagram illustrates how Windows Server 2012 determines which color of elevation prompt to present to the user.

The elevation prompt color-coding is as follows:

  • Red background with a red shield icon: The application is blocked by Group Policy or is from a publisher that is blocked.

  • Blue background with a blue and gold shield icon: The application is a Windows Server 2012 administrative application, such as a Control Panel item.

  • Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.

  • Yellow background with a yellow shield icon: The application is unsigned, or is signed but not yet trusted by the local computer.

Note that a verified publisher only tells the user who signed the binary; a valid signature is not evidence that the program is safe to run with the full administrator token.

Shield icon

Some Control Panel items, such as Date and Time Properties, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the Date and Time Properties Control Panel item.

(Screen shot: the Date and Time Properties Control Panel item)

The shield icon on the Change date and time button indicates that the operation requires a full administrator access token and will display a UAC elevation prompt.

Securing the elevation prompt

The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows Server 2012. Only Windows processes can access the secure desktop. For a higher level of security, we recommend keeping the User Account Control: Switch to the secure desktop when prompting for elevation policy setting enabled.

When an executable file requests elevation, the interactive desktop (also called the user desktop) is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user clicks Yes or No, the desktop switches back to the user desktop.

Malware can present an imitation of the secure desktop, but when the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent, the malware does not gain elevation if the user clicks Yes on the imitation. If the policy setting is set to Prompt for credentials, malware imitating the credential prompt may be able to collect the credentials the user types. Even then, the fake prompt itself does not give the malware elevated privilege, and the system has other protections that mitigate malware taking control of the user interface with a harvested password. The harvested password can of course still be reused elsewhere, for example to log on over the network, which is one reason the consent prompt is preferred for administrators.

While malware could present an imitation of the secure desktop, this cannot happen unless malware is already running on the computer with the user's standard token (for example, because the user previously ran or installed it). Because processes that require an administrator access token cannot install silently when UAC is enabled, the user must explicitly provide consent by clicking Yes or by providing administrator credentials. The specific behavior of the UAC elevation prompt depends on Group Policy.

UAC Architecture

The following diagram details the UAC architecture.

(Diagram: the UAC architecture)

To better understand each component, review the table below:

Component: Description

User

User performs operation requiring privilege: If the operation changes the file system or registry, virtualization is called. All other operations call ShellExecute.

ShellExecute: ShellExecute calls CreateProcess and looks for the ERROR_ELEVATION_REQUIRED error from it. If it receives that error, ShellExecute calls the Application Information service to attempt to perform the requested task with an elevation prompt.

CreateProcess: If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.

System

Application Information service: A system service that helps start applications that require one or more elevated privileges or user rights to run, such as local administrative tasks, and applications that require higher integrity levels. The Application Information service helps start such applications by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) the user gives consent.

Elevating an ActiveX install: If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

Check UAC slider level: UAC has four levels of notification to choose from, and a slider to select the notification level:

  • High

    If the slider is set to Always notify, the system checks whether the secure desktop is enabled.
  • Medium

    If the slider is set to Default - Notify me only when programs try to make changes to my computer, the User Account Control: Only elevate executable files that are signed and validated policy setting is checked:

    • If the policy setting is enabled, public key infrastructure (PKI) certification path validation is enforced for a given executable file before it is permitted to run.
    • If the policy setting is not enabled (the default), PKI certification path validation is not enforced before a given executable file is permitted to run. The User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.
  • Low

    If the slider is set to Notify me only when programs try to make changes to my computer (do not dim my desktop), CreateProcess is called.
  • Never notify

    If the slider is set to Never notify me, the UAC prompt never notifies the user when a program tries to install software or make changes to the computer. Important: this setting is not recommended. It is the same as setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Elevate without prompting.

Secure desktop enabled: The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is checked:

- If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of the prompt behavior policy settings for administrators and standard users.
- If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.

CreateProcess: CreateProcess calls AppCompat, Fusion, and Installer detection to assess whether the application requires elevation. The executable file is then inspected to determine its requested execution level, which is stored in the application manifest for the executable file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token, and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.

AppCompat: The AppCompat database stores information in the application compatibility fix entries for an application.

Fusion: The Fusion database stores information from the application manifests that describe the applications. The manifest schema was updated to add a new requested execution level field.

Installer detection: Installer detection detects setup executable files, which helps prevent installations from being run without the user's knowledge and consent.

Kernel

Virtualization: Virtualization technology ensures that non-compliant applications do not silently fail to run, or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.

File system and registry: Per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.

UAC on Windows Server 2012 differs from earlier Windows versions in one respect: the slider never turns UAC completely off. The Never notify setting will:

  • Keep the UAC service running.

  • Cause all elevation requests initiated by administrators to be auto-approved without showing a UAC prompt.

  • Automatically deny all elevation requests for standard users.

Important

To fully disable UAC, you must disable the policy User Account Control: Run all administrators in Admin Approval Mode (a restart is required for the change to take effect).

Warning

Tailored applications (Windows Store apps) will not work on Windows Server 2012 when UAC is disabled.
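The policy settings named in the prompt-behaviour, secure-desktop and slider sections above are all stored as registry values under one key, and the four slider positions are just combinations of two of them. The following is an added example, not code from the original page: it reads those values, decodes the slider position and flags the weak combinations (Never notify, elevation without prompting, prompts off the secure desktop, Admin Approval Mode disabled). The value names and meanings are the documented ones; the "documented defaults" used when a value is absent are an assumption that the machine has no conflicting Group Policy.

```powershell
# Added example (not from the original page): audit the registry values behind the
# UAC policy settings. Reading them needs no elevation.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of each numeric value of "Behavior of the elevation prompt for administrators".
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Meaning of each value of "Behavior of the elevation prompt for standard users".
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $PolicyKey
    # A missing value means "not configured"; fall back to the documented default.
    $get = { param($name, $default) if ($null -ne $p.$name) { [int]$p.$name } else { $default } }

    $cfg = [pscustomobject]@{
        EnableLUA                   = & $get 'EnableLUA' 1                    # Run all administrators in Admin Approval Mode
        ConsentPromptBehaviorAdmin  = & $get 'ConsentPromptBehaviorAdmin' 5
        ConsentPromptBehaviorUser   = & $get 'ConsentPromptBehaviorUser' 3
        PromptOnSecureDesktop       = & $get 'PromptOnSecureDesktop' 1        # Switch to the secure desktop when prompting
        EnableInstallerDetection    = & $get 'EnableInstallerDetection' 1     # Detect application installations and prompt
        ValidateAdminCodeSignatures = & $get 'ValidateAdminCodeSignatures' 0  # Only elevate executables that are signed and validated
    }

    # The slider is a pair of (admin prompt behaviour, secure desktop on/off).
    $slider = switch ("$($cfg.ConsentPromptBehaviorAdmin)/$($cfg.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify me only when programs try to make changes to my computer (default)' }
        '5/0'   { 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
        '0/0'   { 'Never notify' }
        default { 'Custom (set by policy)' }
    }

    $findings = @()
    if ($cfg.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: Admin Approval Mode is off; UAC is fully disabled and administrators always run with the full token.'
    }
    if ($cfg.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: elevation requests by administrators are auto-approved without a prompt.'
    }
    if ($cfg.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the interactive desktop, where other processes can draw over them.'
    }
    if ($cfg.EnableInstallerDetection -eq 0) {
        $findings += 'EnableInstallerDetection=0: legacy installers are not detected and prompted for elevation.'
    }

    [pscustomobject]@{
        Slider      = $slider
        AdminPrompt = $AdminBehavior[$cfg.ConsentPromptBehaviorAdmin]
        UserPrompt  = $UserBehavior[$cfg.ConsentPromptBehaviorUser]
        RawValues   = $cfg
        Findings    = if ($findings) { $findings } else { @('No weak UAC settings found') }
    }
}

Get-UacPolicy | Format-List
```

On a machine where the slider was dragged to Never notify the output shows ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 with EnableLUA still 1, which is exactly the behaviour the bullet list above describes. Correcting the values with Set-ItemProperty requires elevation, and on a domain member any locally set value is overwritten by Group Policy at the next refresh, so the fix belongs in the GPO rather than in the local registry.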

Virtualization

Because system administrators in enterprise environments work to keep systems secure, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, IT administrators do not need to replace the majority of applications when running Windows Server 2012 with UAC enabled.

Windows Server 2012 includes file and registry virtualization technology for applications that are not UAC compliant and that require an administrator's access token to run correctly. Virtualization ensures that even applications that are not UAC compliant are compatible with Windows Server 2012. When an administrative application that is not UAC compliant attempts to write to a protected directory, such as Program Files, UAC gives the application its own virtualized view of the resource it is attempting to change. The virtualized copy is maintained in the user's profile. This strategy creates a separate copy of the virtualized file for each user who runs the non-compliant application.

Most application tasks operate properly by using virtualization. Although virtualization allows the majority of applications to run, it is a short-term fix and not a long-term solution. Application developers should modify their applications to comply with the Windows Server 2012 logo program as soon as possible, rather than rely on file, folder, and registry virtualization.

Virtualization is not an option in the following scenarios:

  1. Virtualization does not apply to applications that are elevated and run with a full administrative access token.

  2. Virtualization supports only 32-bit applications. Non-elevated 64-bit applications simply receive an access denied error when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit applications are required to be compatible with UAC and to write data to the correct locations.

  3. Virtualization is disabled for an application if the application includes an application manifest with a requested execution level attribute.
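When troubleshooting a legacy application that "saves its settings but never reads them back", the first question is where virtualization put the write. The following is an added example, not code from the original page: it maps a protected file or HKLM\SOFTWARE location to the per-user copy that virtualization redirects writes to, reports whether a copy already exists, and lists recent entries from the UAC file virtualization event channel. The two legacy application paths are constructed for the example; the event channel is assumed to be present and enabled (it is off by default and can be enabled in Event Viewer under Applications and Services Logs).

```powershell
# Added example (not from the original page): locate the per-user copy that UAC
# virtualization creates for a write to a protected location.
function Resolve-VirtualStorePath {
    param([Parameter(Mandatory)][string]$Path)

    if ($Path -match '^(HKLM:|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(.+)$') {
        # Writes to HKLM\SOFTWARE are redirected to a per-user key under HKCU.
        $virtual = "HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\$($Matches[2])"
    }
    elseif ($Path -match '^[A-Za-z]:\\((Program Files( \(x86\))?|Windows|ProgramData)\\.+)$') {
        # C:\Program Files\App\x.ini -> %LOCALAPPDATA%\VirtualStore\Program Files\App\x.ini
        # (only the protected roots on the system drive are virtualized, so the drive letter is dropped).
        $virtual = Join-Path $env:LOCALAPPDATA "VirtualStore\$($Matches[1])"
    }
    else {
        throw "Not a virtualized location: $Path"
    }

    [pscustomobject]@{
        Requested     = $Path
        Virtualized   = $virtual
        RealExists    = Test-Path -LiteralPath $Path
        VirtualExists = Test-Path -LiteralPath $virtual
    }
}

# Hypothetical legacy application locations, constructed for this example.
Resolve-VirtualStorePath 'C:\Program Files\LegacyApp\settings.ini'
Resolve-VirtualStorePath 'HKLM:\SOFTWARE\LegacyApp'

# Redirected writes are logged to this channel once it is enabled; the query is
# silent if the channel is absent or empty.
Get-WinEvent -LogName 'Microsoft-Windows-UAC-FileVirtualization/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If VirtualExists is true for a path while an elevated instance of the same program sees different data at the real path, the two instances are reading different files: the elevated one is not virtualized (scenario 1 above) and the unelevated one is reading its private copy first.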

Requested Execution Levels

An application manifest is an XML file that describes and identifies the shared and private side-by-side assemblies that an application should bind to at run time. In Windows Server 2012, the application manifest also includes entries for UAC application compatibility. Administrative applications that include such an entry in their manifest prompt the user for permission to use the full access token. Even though they lack an entry in the application manifest, most administrative applications can run without modification by using application compatibility fixes. Application compatibility fixes are database entries that enable applications that are not UAC compliant to work properly with Windows Server 2012.

All UAC-compliant applications should have a requested execution level added to their application manifest. If the application requires administrative access to the system, marking it with a requested execution level of "requireAdministrator" ensures that the system identifies the program as an administrative application and performs the necessary elevation steps. Requested execution levels specify the privileges required for an application; the other two values are "asInvoker" (run with the caller's token, never prompt) and "highestAvailable" (prompt for the full token only if the user has one).

Installer Detection Technology

Installation programs are applications designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writable only by an administrator, which means that standard users do not have sufficient access to install programs. Windows Server 2012 heuristically detects installation programs and requests administrator credentials, or approval from the administrator user, in order to run them with administrative access. Windows Server 2012 also heuristically detects updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent, because installation programs write to protected areas of the file system and registry.

Installer detection applies only to:

  • 32-bit executable files.

  • Applications without a requested execution level attribute.

  • Interactive processes running as a standard user with UAC enabled.

Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:

  • The file name includes keywords such as "install," "setup," or "update."

  • The following version resource fields contain such keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.

  • Keywords in the side-by-side manifest embedded in the executable file.

  • Keywords in specific StringTable entries linked into the executable file.

  • Key attributes in the resource script data linked into the executable file.

  • Targeted sequences of bytes within the executable file.

Note

The keywords and byte sequences were derived from common characteristics observed across various installer technologies.

Note

The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. This setting is enabled by default and can be configured locally by using the Local Security Policy snap-in (Secpol.msc) or the Local Group Policy Editor (Gpedit.msc), or for a domain, OU, or specific group through Group Policy (the Group Policy Management Console).
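The manifest entry from the Requested Execution Levels section and the installer detection conditions above can both be checked for a given binary from PowerShell. The following is an added example, not code from the original page, and not Microsoft's detection code: the real keyword lists and byte signatures are internal to Windows, so only the publicly described parts (32-bit image, no requested execution level, installer keywords in the file name and version resource, policy enabled) are modelled, and the keyword list used is an assumption. The sample manifest is constructed for the example; reading the level from a real executable relies on the fact that the RT_MANIFEST resource is stored as plain XML inside the image.

```powershell
# Added example (not from the original page): read the requested execution level of
# a binary and approximate the documented installer-detection checks.
$InstallerKeywords = 'install|setup|update|patch|uninstall'   # assumed list, not Microsoft's

function Get-PeMachine {
    # IMAGE_FILE_HEADER.Machine: 0x14C = 32-bit x86, 0x8664 = x64. $null if not a PE file.
    param([string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }   # "MZ"
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                          # e_lfanew
    if ($pe -lt 0 -or $pe + 6 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { return $null }   # "PE\0\0"
    [BitConverter]::ToUInt16($b, $pe + 4)
}

function Get-RequestedExecutionLevel {
    # The embedded manifest is plain XML, so a text search finds the level attribute
    # without the resource APIs. Also works on a standalone .manifest file.
    # Returns asInvoker / highestAvailable / requireAdministrator, or $null if absent.
    param([string]$Path)
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    if ($text -match '<requestedExecutionLevel[^>]*\blevel\s*=\s*"([^"]+)"') { $Matches[1] } else { $null }
}

function Test-InstallerDetectionCandidate {
    param([Parameter(Mandatory)][string]$Path)
    $file    = Get-Item -LiteralPath $Path
    $level   = Get-RequestedExecutionLevel $file.FullName
    $machine = Get-PeMachine $file.FullName
    $ver     = $file.VersionInfo

    # Keyword checks on the file name and the version-resource fields listed above.
    $hits = @()
    if ($file.Name -match $InstallerKeywords) { $hits += "FileName=$($file.Name)" }
    foreach ($field in 'CompanyName','ProductName','FileDescription','OriginalFilename','InternalName') {
        $value = $ver.$field
        if ($value -and $value -match $InstallerKeywords) { $hits += "$field=$value" }
    }

    # Policy: User Account Control: Detect application installations and prompt for elevation.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $detectionOn = ($null -eq $policy.EnableInstallerDetection) -or ($policy.EnableInstallerDetection -eq 1)

    [pscustomobject]@{
        File               = $file.FullName
        Is32Bit            = ($machine -eq 0x14C)
        ManifestLevel      = $level      # any value here exempts the file from installer detection
        KeywordHits        = $hits
        InstallerDetection = $detectionOn
        # Only 32-bit images with no requested execution level that look like an
        # installer are prompted, and only while the policy is enabled.
        LikelyPrompts      = $detectionOn -and ($machine -eq 0x14C) -and (-not $level) -and ($hits.Count -gt 0)
    }
}

# Constructed manifest with the entry a UAC-compliant administrative application declares.
$SampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@
$tmp = Join-Path $env:TEMP 'sample.exe.manifest'
Set-Content -LiteralPath $tmp -Value $SampleManifest -Encoding Ascii
Get-RequestedExecutionLevel $tmp          # requireAdministrator

# notepad.exe carries a manifest (asInvoker), so it is never an installer candidate
# whatever its name; run this against a downloaded setup.exe to see keyword hits.
Test-InstallerDetectionCandidate "$env:SystemRoot\System32\notepad.exe"
```

The useful property for an application owner is ManifestLevel: a 32-bit tool named "update.exe" that lacks a manifest will trigger the heuristic and prompt, and the fix is to add the manifest entry shown rather than to rename the file. Note that the detection treats a manifest with any requested execution level as an opt-out, which is why a legacy installer that someone has manifested as asInvoker will fail with access denied instead of prompting.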