What is the difference between "asInvoker" and "highestAvailable" execution levels?

Question

I've been wondering what the difference between embedding

<requestedExecutionLevel  level="asInvoker" uiAccess="false" />

and

<requestedExecutionLevel  level="highestAvailable" uiAccess="false" />

in your application's manifest is.

Answer 1

This is described on MSDN:

Basically, "asInvoker" will use the user's default security settings. It's described as "The application runs with the same access token as the parent process.", which means the same security token is used as the calling process, which is typically the desktop shell (or the process that launches this, if you launch your app from another program).

Using "highestAvailable" will cause the application to run using the highest priveledges the user can obtain. If they're an administrator, for example, they'll get a UAC prompt and the app will run with admin rights. However, if they're a normal user, they'll get normal security settings, etc.

In general, you'll want to use "asInvoker" unless you have a specific reason to request more rights.

Answer 2

A good example of "highest available" is someone who is a member of the Backup Operators group.

Starting with Windows Vista, it is not just "Administrators" who are stripped of their privileges and given a split-token. The system looks to see if you are:

• a member of certain groups
• have certain privileges

So if you are a member of the Backup Operators groups, your security token is filtered exactly like it is for members of the Administrators group.

From MSDN Magazine article:

Least Privilege
Teach Your Apps To Play Nicely With Windows Vista User Account Control
by Chris Corio

UAC starts working when a user logs onto a machine. During an interactive logon, the Local Security Authority (LSA) takes the user's credentials and performs the initial logon, evaluating the user's token to see if it has what are defined as elevated privileges. If the LSA determines that the user has elevated privileges, it will filter this token and then perform a second logon with the filtered token.

 

User Account Control defines the following groups as having elevated privileges:

• Built-In Administrators (S-1-5-32-544)
• Power Users (S-1-5-32-547)
• Account Operators (S-1-5-32-548)
• Server Operators (S-1-5-32-549)
• Printer Operators (S-1-5-32-550)
• Backup Operators (S-1-5-32-551)
• RAS Servers Group
• BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
• BUILTIN\Network Configuration Operators (S-1-5-32-556)
• Domain Admins (S-1-5-21-domain-512)
• Domain Controllers (S-1-5-21-domain-516)
• Cert Publishers (S-1-5-21-domain-517)
• Schema Admins (S-1-5-21-root domain-518)
• Enterprise Admins (S-1-5-21-root domain-519)
• Group Policy Administrators (S-1-5-21-domain-520)

Therefore, if the LSA notices that any of those group memberships or privileges are listed in the user's initial token, a filtered token will be created during an interactive logon, using a version of the CreateRestrictedToken API, and the fully privileged token is saved by LSA. These two tokens are linked and the fully privileged token can be obtained from the filtered token using the Get­Token­Infor­mation API with the new TokenLinkedToken information type. Note, however, that UAC does not affect service, network, or batch logons.

 

If the user does not belong to any of the groups listed above but has certain privileges, a filtered token will be created with these privileges removed. The privileges in question are:

• SeCreateTokenPriv­i­lege - User Right: Create a token object.
• SeTcbPrivilege - User Right: Act as part of the operating system.
• Se­Take­Owner­ship­Priv­ilege - User Right: Take ownership of files or other objects.
• Se­Back­up­Priv­i­lege - User Right: Back up files and directories.
• Se­Re­store­Privilege - User Right: Restore files and directories.
• Se­De­bug­Priv­ilege - User Right: Debug programs.
• Se­Im­personatePrivilege - User Right: Impersonate a client after authentication.
• Se­Re­labelPrivilege - User Right: Modify an object label.

If i create a backup user, i need to run with my backup related privileges returned to me:

• Se­Back­up­Priv­i­lege
• SeRestorePrivilege

That means that i don't need (or want) to run as a full fledged Administrator. I want to run with my highest available set of permissions back.

This is where your three options for requestedExecutionLevel start to come out:

• asInvoker: The application will run with the same permissions as the process that started it. The application can be elevated to a higher permission level by selecting Run as Administrator.

• highestAvailable: The application will run with the highest permission level that it can. If the user who starts the application is a member of the Administrators group, this option is the same as requireAdministrator. If the highest available permission level is higher than the level of the opening process, the system will prompt for credentials.

• requireAdministrator: The application will run with administrator permissions. The user who starts the application must be a member of the Administrators group. If the opening process is not running with administrative permissions, the system will prompt for credentials.

Bonus Reading

• https://superuser.com/a/610253/8169
• Teach Your Apps To Play Nicely With Windows Vista User Account Control (archive.is)
• Privilege Constants (archive.is)
• Well-known security identifiers in Windows operating systems