How to disable UAC for Startup Application with expired Code Certificate

    Question

  • I've been using the Avanquest Connection Manager v7 (available from various sites, but the master copy is here: http://ftp4.avanquest.com/pub/ConnectionManager/Free/7.0/) running on startup for all users, without problems on Windows 7 for some time (it is Windows 7 32-bit). For my purposes, it has a number of clear advantages over the comparatively rudimentary Windows Location Aware services. Unfortunately this product, whilst still available as a free download, is no longer supported by Avanquest.

    This month, (SUA) Users have started getting the UAC "Do you want to allow the following program to make changes to this computer?" warning with the following details:

    • Program name: Internet Connection Firewall and Internet Connection Sharing
    • Verified publisher: Avanquest
    • File origin: Hard drive on this computer
    • CLSID: {1E949A04-01FD-4C41-8711-CD092512BA5C}

    If I "show information about this publisher's certificate" I get to view the Avanquest code signing certificate, of which the most significant feature seems to be the validity, namely: from 21/01/2009 to 31/01/2012. Clicking 'Yes' enables Avanquest to run as per before. [Aside: the warning is the same for those systems that only use the Windows firewall and those with a third-party firewall.]

    The main irritations with this pop-up are:

    1. UAC does not remember the user's response, so they always get the pop-up whenever they log in to a new session.
    2. If the (SUA) user clicks 'No' it prevents the normal operation of the system; namely the auto-location detection and selection fails, so I get complaints...
    3. There seems to be no way for an administrator to instruct UAC to ignore the code signing certificate expiry date.

    A further irritation is that these messages don't seem to be written to the Event Log, so creating an analysis obstacle.

    Basically, as I consider it highly likely (in the lifecycle of Windows 7) that I will see more expired code signing certificates and legitimate unsigned code, I want a simple method that enables me to create an exceptions whitelist for such applications, that will work for ALL users on a specific system, i.e. both Admin and Standard User Accounts.

    From my web searches, the solutions I have found seem to be either just for Admin User Accounts or require the wholesale disabling of UAC functionality, however as none of these are recent, I'm hopeful that either an update to UAC or a third-party utility is now available.

    The only viable alternatives I can think of are:

    1. Disable UAC functions (wholly or partially) and install a full function security suite on all systems that has some functional overlap with UAC (i.e. monitors DLLs, EXEs and important registry keys). Query: without UAC, is the level of security equivalent to XP?
    2. Assess alternatives to ACM which are supported and have an unexpired signing certificate and hence don't upset UAC. (Whilst I'll be doing this in any case, it does seem stupid discarding a working program and system build just because UAC can't handle it sensibly.)

    I do not consider making all user accounts Admin a viable alternative, particularly as these systems are used in classroom/public access situations and hence have Deep Freeze installed on them.

    Tuesday, February 21, 2012 4:47 PM

Answers

All replies

  • Hi,

    Your purpose cannot be achieved other than by disabling UAC or changing the application itself.

    Best regards,
    Della Li

    Thursday, February 23, 2012 4:42 AM
  • Thanks Della Li,

    I suspected as much, given the responses to related questions concerning unsigned applications.

    Additionally, since I originally posted I have investigated the UAC Group Policy settings and the Application Compatibility Toolkit and have also drawn a blank.

    It does look like the only real option is to turn off UAC and depend totally on the security software (let's hope that the security developers aren't assuming UAC is enabled...). Given that correctly signed code signing certificates only seem to be available in 1 or 2 year validities, I suspect in a few years having UAC disabled will become the de facto normal mode of operation for Win7...

    Thursday, March 01, 2012 9:41 PM
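
The question anticipates meeting more expired code signing certificates and unsigned code over the life of a Windows 7 build. As an added example (not part of the original thread, and not a UAC exception mechanism), this PowerShell 2.0-compatible script inventories executables whose Authenticode signer certificate is missing, expired or close to expiry, so affected applications can be found before users see a prompt. The `$Path` default and the `$WarnDays` threshold are assumptions to adjust per system.

```powershell
# Added example: audit Authenticode signer-certificate validity for EXE/DLL files.
# $Path and $WarnDays are assumed defaults, not values from the thread.
param(
    [string]$Path = $env:ProgramFiles,   # folder to scan (assumption)
    [int]$WarnDays = 90                  # "expiring soon" window (assumption)
)

$now = Get-Date

$report = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig       = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert      = $sig.SignerCertificate
        $subject   = $null
        $notBefore = $null
        $notAfter  = $null

        if ($cert -eq $null) {
            $state = 'Unsigned'
        } else {
            $subject   = $cert.Subject
            $notBefore = $cert.NotBefore
            $notAfter  = $cert.NotAfter
            if ($notAfter -lt $now) { $state = 'SignerCertExpired' }
            elseif ($notAfter -lt $now.AddDays($WarnDays)) { $state = 'SignerCertExpiringSoon' }
            else { $state = 'SignerCertCurrent' }
        }

        New-Object PSObject -Property @{
            File        = $_.FullName
            State       = $state
            Status      = $sig.Status          # Windows' own verdict on the signature
            Subject     = $subject
            NotBefore   = $notBefore
            NotAfter    = $notAfter
            # True when the signature carries a timestamp countersignature
            Timestamped = ($sig.TimeStamperCertificate -ne $null)
        }
    }

# Show only the files that need attention, oldest expiry first.
$report |
    Where-Object { $_.State -ne 'SignerCertCurrent' } |
    Sort-Object State, NotAfter |
    Format-Table File, State, Status, NotAfter, Timestamped -AutoSize -Wrap
```

Comparing `State` (from the certificate dates) with `Status` (the result Windows returns for the signature) and `Timestamped` shows, per file, whether the signature still verifies after the signer certificate's validity period has ended.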