Application Compatibility: UAC: COM Per-User Configuration

UAC: COM Per-User Configuration

Feature Impact

Medium

Brief Description

The Component Object Model (COM) uses the registry to maintain information about all of the COM objects installed on a computer. The HKEY_CLASSES_ROOT hive is a virtual hive, merged from two locations, which allows for both per-user and per-machine object registration. Per-user COM object configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, per-user configurations take precedence.

Beginning with Windows Vista® and Windows Server® 2008, if the integrity level of a process is higher than Medium, the COM runtime ignores per-user COM configuration and accesses only per-machine COM configuration. This action reduces the surface area for elevation of privilege attacks, preventing a process with standard user privileges from configuring a COM object with arbitrary code and having this code called from an elevated process.

Manifestation

Applications that run elevated (whether manifested as Require Administrator or launched by right-clicking and selecting Run as Administrator), as well as applications run from an account that is a member of the Administrators group on a computer where User Account Control (UAC) is disabled, will not be able to access any COM objects that are configured only per-user.

Remedies

Applications that will require administrator rights should register any dependent COM objects during installation to the per-machine COM configuration store (HKEY_LOCAL_MACHINE\Software\Classes).
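The following PowerShell script is an added example, not part of the original page or any Microsoft tool. It illustrates both the lookup rule from the Brief Description (per-user wins at Medium integrity, per-machine only when elevated) and the remedy above: it resolves a CLSID the way the COM runtime would for a given integrity level, lists per-user registrations that will be invisible to an elevated process, and registers an in-process server per-machine. The CLSID in the usage lines is a constructed placeholder; the function names are the author's own. Only InprocServer32 and LocalServer32 are inspected, and 32-bit servers on 64-bit Windows live under the Wow6432Node path noted in the comments.

```powershell
# Added example: inspect per-user vs per-machine COM registration and apply the remedy.
# Assumes Windows PowerShell 5.1 or later with the registry provider (HKCU:\ / HKLM:\).

$PerUserRoot    = 'HKCU:\Software\Classes\CLSID'
$PerMachineRoot = 'HKLM:\Software\Classes\CLSID'

function Get-ComServerPath {
    # Returns the server (InprocServer32 or LocalServer32 default value) registered
    # under one CLSID root, or $null when the object is not registered there.
    param([string]$Root, [string]$Clsid)
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = Join-Path $Root "$Clsid\$sub"
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($value) { return [pscustomobject]@{ Kind = $sub; Path = $value } }
        }
    }
    return $null
}

function Resolve-ComServer {
    # Applies the rule from the text: at Medium integrity or below the merged view
    # prefers the per-user entry; above Medium (elevated) only per-machine is consulted.
    param(
        [string]$Clsid,
        [ValidateSet('Low', 'Medium', 'High', 'System')][string]$IntegrityLevel = 'Medium'
    )
    $user     = Get-ComServerPath -Root $PerUserRoot    -Clsid $Clsid
    $machine  = Get-ComServerPath -Root $PerMachineRoot -Clsid $Clsid
    $elevated = $IntegrityLevel -in 'High', 'System'
    if ($elevated)  { $chosen = $machine; $source = 'per-machine' }
    elseif ($user)  { $chosen = $user;    $source = 'per-user' }
    else            { $chosen = $machine; $source = 'per-machine' }
    if (-not $chosen) { $source = 'unregistered' }
    $server = if ($chosen) { $chosen.Path } else { $null }
    [pscustomobject]@{
        Clsid          = $Clsid
        IntegrityLevel = $IntegrityLevel
        Source         = $source
        Server         = $server
        PerUserOnly    = [bool]($user -and -not $machine)   # breaks when run elevated
    }
}

function Find-PerUserComRegistrations {
    # Lists every CLSID registered under HKCU. 'PerUserOnly' entries fail to activate
    # from an elevated process (the Manifestation section); 'Shadows per-machine'
    # entries override a per-machine class for non-elevated processes and deserve review.
    Get-ChildItem -LiteralPath $PerUserRoot -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid   = $_.PSChildName
            $user    = Get-ComServerPath -Root $PerUserRoot    -Clsid $clsid
            $machine = Get-ComServerPath -Root $PerMachineRoot -Clsid $clsid
            if ($user) {
                $status = if ($machine) { 'Shadows per-machine' } else { 'PerUserOnly' }
                [pscustomobject]@{ Clsid = $clsid; PerUserServer = $user.Path; Status = $status }
            }
        }
}

function Register-ComServerPerMachine {
    # The remedy from the text: register an in-process server under
    # HKLM\Software\Classes so that elevated processes can find it.
    # Must run from an elevated prompt. For a 32-bit DLL on 64-bit Windows use
    # HKLM:\Software\Classes\Wow6432Node\CLSID as the root instead.
    param(
        [string]$Clsid,
        [string]$DllPath,
        [string]$FriendlyName,
        [string]$ThreadingModel = 'Both'
    )
    $classKey  = Join-Path $PerMachineRoot $Clsid
    $serverKey = Join-Path $classKey 'InprocServer32'
    New-Item -Path $serverKey -Force | Out-Null        # creates the CLSID key as well
    Set-ItemProperty -LiteralPath $classKey  -Name '(default)'     -Value $FriendlyName
    Set-ItemProperty -LiteralPath $serverKey -Name '(default)'     -Value $DllPath
    Set-ItemProperty -LiteralPath $serverKey -Name 'ThreadingModel' -Value $ThreadingModel
}

# Usage (the CLSID below is a constructed placeholder, not a real class):
# Resolve-ComServer -Clsid '{00000000-0000-0000-0000-000000000000}' -IntegrityLevel High
# Find-PerUserComRegistrations | Where-Object Status -eq 'PerUserOnly'
# Register-ComServerPerMachine -Clsid '{00000000-0000-0000-0000-000000000000}' `
#     -DllPath 'C:\Program Files\Example\server.dll' -FriendlyName 'Example Server'
```

Run Resolve-ComServer twice for the same CLSID, once with -IntegrityLevel Medium and once with High, to see the source switch from per-user to per-machine or to unregistered; a PerUserOnly result is exactly the case the Manifestation section describes, and the installer fix is to move that registration under HKLM as Register-ComServerPerMachine does.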

HKEY_CLASSES_ROOT Key

COM Classes and Servers

See Also

Concepts

Application Compatibility