Endpoint Management Community Blog

Checking an Executable for Manifests and Digital Signing.

Created: 26 Jun 2008 • 3 comments
Author: R-Vijay

To avoid UAC prompts when an application launches, a manifest file carries the key information about the privileges the application requests. Often the manifest sits beside the executable in the same directory: Altair.exe, for example, would have a manifest file called Altair.exe.manifest next to it. The manifest can also be embedded in the exe itself, and in that case identifying the launch condition for the exe takes a lot more research.

Here is a simple executable that makes researching those launch conditions easy.

Sigcheck.exe is a tool from the Sysinternals team that reports whether a file has been digitally signed. The -m switch additionally displays any manifest contained in the file. All you need to do is run sigcheck.exe with the -m switch followed by the path to the executable, and the full manifest is printed in the command prompt window.

If the XML manifest is going to cause an elevation prompt, it contains a "requestedExecutionLevel" element whose level is set to "requireAdministrator".

You can then re-create a manifest in one of these 3 categories:

  • Runasinvoker
  • Runasadmin
  • Runwithleastprivileges

It is advised to use Run as Invoker for manifests (launch condition).
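As an added example (not part of the original post and not Sysinternals code), the script below takes the text that `sigcheck.exe -m <file>` prints, pulls the `<assembly>` manifest out of it, reads the `requestedExecutionLevel`, and says whether that level produces a UAC prompt for an administrator and for a standard user. It never runs sigcheck itself. The sample sigcheck output and the sample manifests are constructed; the exact line layout of real sigcheck output is an assumption, and only the manifest XML schema is the real one. The function names (`extract_manifest`, `analyze`, and so on) are mine.

```python
"""Read the manifest from captured `sigcheck.exe -m` output and classify the
launch condition it requests.

Added example, not from the original post and not Sysinternals code. The
sample output below is constructed; its line layout is an assumption, while
the manifest XML inside it follows the real application-manifest schema.
"""
import re
import xml.etree.ElementTree as ET

# The manifest body is the <assembly>...</assembly> element, wherever in the
# sigcheck output it happens to be printed.
MANIFEST_RE = re.compile(r"<assembly\b.*?</assembly>", re.DOTALL)


def extract_manifest(sigcheck_text):
    """Return the <assembly> XML found in sigcheck output, or None if absent."""
    match = MANIFEST_RE.search(sigcheck_text)
    return match.group(0) if match else None


def verified_status(sigcheck_text):
    """Return the value of the 'Verified:' line ('Signed', 'Unsigned', ...) or None."""
    match = re.search(r"^\s*Verified:\s*(.+?)\s*$", sigcheck_text, re.MULTILINE)
    return match.group(1) if match else None


def requested_execution_level(manifest_xml):
    """Return (level, uiAccess) from requestedExecutionLevel, or None if missing.

    The element normally sits in the asm.v2 or asm.v3 trustInfo namespace, so
    match on the local tag name rather than on one fixed namespace.
    """
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = element.get("level")
            ui_access = element.get("uiAccess", "false").lower() == "true"
            return level, ui_access
    return None


def prompts_elevation(level, user_is_admin):
    """Does this level produce a UAC prompt for the given kind of user?"""
    if level == "requireAdministrator":
        return True            # consent prompt for admins, credential prompt otherwise
    if level == "highestAvailable":
        return user_is_admin   # admins are prompted; standard users run unelevated
    if level == "asInvoker":
        return False           # runs with the parent's token, never prompts
    raise ValueError(f"unknown requestedExecutionLevel: {level!r}")


def analyze(sigcheck_text, user_is_admin=True):
    """Summarise signing status and launch condition from sigcheck -m output."""
    result = {"verified": verified_status(sigcheck_text),
              "level": None, "uiAccess": False, "prompts": None}
    manifest = extract_manifest(sigcheck_text)
    if manifest is None:
        # No manifest: the OS installer-detection heuristic decides instead,
        # so the launch condition cannot be read from the file.
        result["note"] = "no manifest found; installer detection heuristic applies"
        return result
    found = requested_execution_level(manifest)
    if found is None:
        result["note"] = "manifest present but no requestedExecutionLevel"
        return result
    result["level"], result["uiAccess"] = found
    result["prompts"] = prompts_elevation(result["level"], user_is_admin)
    return result


def make_manifest(level, ui_access="false"):
    """Build a minimal application manifest for the given level (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n'
        '  <assemblyIdentity version="1.0.0.0" name="Example.App" type="win32"/>\n'
        '  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">\n'
        '    <security>\n'
        '      <requestedPrivileges>\n'
        f'        <requestedExecutionLevel level="{level}" uiAccess="{ui_access}"/>\n'
        '      </requestedPrivileges>\n'
        '    </security>\n'
        '  </trustInfo>\n'
        '</assembly>\n'
    )


# Constructed stand-in for the output of `sigcheck.exe -m c:\apps\Altair.exe`.
SAMPLE_SIGCHECK_OUTPUT = (
    "c:\\apps\\Altair.exe:\n"
    "        Verified:       Unsigned\n"
    "        Publisher:      n/a\n"
    "        Manifest:\n"
    + make_manifest("requireAdministrator")
)


if __name__ == "__main__":
    print(analyze(SAMPLE_SIGCHECK_OUTPUT))
    for lvl in ("asInvoker", "highestAvailable", "requireAdministrator"):
        print(lvl, "-> admin prompted:", prompts_elevation(lvl, True),
              "| standard user prompted:", prompts_elevation(lvl, False))
```

Feed it a capture of the real sigcheck -m output (`sigcheck.exe -m Altair.exe > altair.txt`) and pass the file contents to `analyze()`; a result with `"level": None` means the file has no manifest and the launch behaviour will be decided by the installer-detection heuristic rather than by anything you can read from the file.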

Sigcheck.exe can be downloaded here.

Comments (3)

mailhareesh:

Can we use this approach for all types of applications, or is it specific to .NET-based applications?

DustyPete:

Yes. Perhaps I should write an article on this topic because there is a lot of various documentation (and some right here on the Juice I believe) on how to use manifest files. Over a year ago, when we started shipping software on Windows Vista, I had to dig to find the proper information.

First off, you can also use MT.EXE which comes with the Platform SDK and Visual Studio to verify if an executable contains an embedded manifest. It's also the tool that you can use to embed a manifest.

Most applications I see these days use an embedded manifest instead of having a manifest file "on the side."

Obviously, installers and tools that require administrative powers (and thus display an elevation prompt if UAC is enabled) should be marked as 'requireAdministrator'. Most end-user applications should have an AsInvoker requested level.

Note: Windows Vista has a backward compatibility feature for older applications. If no requestedExecutionLevel is found, Vista will try to figure out if the application is an installation and if it's the case, a UAC elevation prompt will appear. This check can be a bit broad though and you can have some surprises. :)

The point: Always set a manifest and requestedExecutionLevel.

R-Vijay:

Yep, buddy!!!

That's true. It's always a better practice to use "Runasinvoker" for applications which need a launch condition for the executable shortcut.

Microsoft MVP [Setup-Deploy]
Weblog: www.msigeek.com
