UAC

This article is part of my small series about AppLocker, a technology built into Windows that enables administrators to audit and optionally block application execution. AppLocker and UAC One of the default rules allows unrestricted application execution for administrators. That is only sensible. After all, someone needs to be able to troubleshoot and perform maintenance. However, if UAC is enabled, that rule is not very useful. Remember: UAC filters the SID for the group Administrators from the access token during normal operation. With the Administrators’ SID gone, AppLocker is active for administrators in the same way it is for all other users. Administrators wishing to bypass AppLocker need to start executables from an elevated command prompt (or right-click and select run as administrator), which is often impractical.

Under certain circumstances, you cannot connect to administrative shares (e.g. C$) on remote computers, even though you use the right credentials. Accessing a normal (i.e. non-administrative) share works flawlessly, though.

Finding good information on how to enable drag and drop for MFC applications is hard enough (why?). But just when you think you should have it working, you hit a very solid wall: UIPI (User Interface Privilege Isolation, a variant of UAC, User Account Control). Because of “security” reasons, UIPI disables drag and drop from medium integrity processes (Explorer) to high integrity (aka elevated) processes by filtering out most window messages, including those required for drag and drop. In essence drag and drop from Explorer to your elevated application does not work.