Reputation: 49
Let's say we have the PIMAGE_NT_HEADERS or PIMAGE_DOS_HEADER structures filled for any given PE image. My question is, which variable inside either of these structures tells us if the process requires Admin privileges to execute (if it has the little security shield beside its application icon)? If neither, then please tell me how I can figure this out from the set of PE structures (without the use of APIs).
Upvotes: 0
Views: 511
Reputation: 595295
Elevation is controlled by an Application Manifest, which is usually stored in the app's resources in an RT_MANIFEST (type 24) resource with an ID of 1 (the manifest may also be stored as an external file in the same folder as the app, though that is less common).
An app will require admin privileges to run if UAC is enabled and the app's manifest has a <requestedExecutionLevel> element set to requireAdministrator.
See How User Account Control (UAC) Affects Your Application for more details.
The following flowchart describes how your application will run depending on whether UAC is enabled and whether the application has a UAC manifest.
Upvotes: 2
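The lookup described in the answer can be done from the raw file bytes with no Windows APIs. The following is an added example, not code from the question or the answer: it walks from e_lfanew to the resource data directory, descends the resource tree to type 24 / ID 1, and reads the level attribute of requestedExecutionLevel. It assumes the image is read from disk (section raw offsets), that the manifest is embedded and ASCII/UTF-8 encoded, and the function names are hypothetical; an external manifest file is not covered.

```python
import re
import struct

RT_MANIFEST, MANIFEST_ID, SUBDIR = 24, 1, 0x80000000
LEVEL_RE = re.compile(rb"<(?:\w+:)?requestedExecutionLevel\b[^>]*?\blevel\s*=\s*[\"']([^\"']*)")

def child_of(pe, root, offset, want):
    """Scan one IMAGE_RESOURCE_DIRECTORY; return OffsetToData of entry `want` (None = first)."""
    named, ids = struct.unpack_from("<HH", pe, root + offset + 12)
    for i in range(named + ids):
        ident, child = struct.unpack_from("<II", pe, root + offset + 16 + 8 * i)
        if want is None or ident == want:   # named entries have bit 31 set, so never equal an ID
            return child

def find_manifest(pe):
    """Return the embedded manifest bytes, or None if the image has no type 24 / ID 1 resource."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                  # IMAGE_DOS_HEADER.e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)   # IMAGE_FILE_HEADER fields
    opt = nt + 24                                               # start of IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)                      # DataDirectory[0]
    count, res_rva = struct.unpack_from("<I16xI", pe, dirs - 4) # NumberOfRvaAndSizes, DataDirectory[2]
    if count < 3 or res_rva == 0:
        return None
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) for each section header
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def to_offset(rva):
        for vsize, vaddr, rsize, rptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("RVA outside every section")
    root, node = to_offset(res_rva), SUBDIR
    for want in (RT_MANIFEST, MANIFEST_ID, None):               # type -> ID -> any language
        node = child_of(pe, root, node & 0x7FFFFFFF, want) if node & SUBDIR else None
        if node is None:
            return None
    if node & SUBDIR:                                           # a leaf must not be a subdirectory
        return None
    data_rva, size = struct.unpack_from("<II", pe, root + node) # IMAGE_RESOURCE_DATA_ENTRY
    start = to_offset(data_rva)
    return pe[start:start + size]

def requested_execution_level(pe):
    """Return e.g. 'requireAdministrator' or 'asInvoker'; None if no level is declared."""
    m = LEVEL_RE.search(find_manifest(pe) or b"")
    return m.group(1).decode() if m else None
```

Call `requested_execution_level(open(path, "rb").read())`; a result of `requireAdministrator` is the case the answer describes, while `None` means no embedded manifest declares a level.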