How the User Account Control Compatibility Evaluator Works

Applies To: Windows 7, Windows Vista

The User Account Control Compatibility Evaluator (UACCE) enables you to identify potential compatibility issues due to permission restrictions enforced by the User Account Control (UAC), formerly known as Limited User Accounts (LUA). Through compatibility logging, UACCE provides information about potential application permission issues and ways to fix the problems so you can deploy a new operating system.

This topic includes:

  • UACCE terminology

  • UACCE high-level process

  • UACCE data collection

  • UACCE detected issues

UACCE Terminology

Term Definition

ACT Log Processing Service

The service that processes the log files uploaded from your client computers, adding the information to your ACT database.

Application Compatibility Manager (ACM)

The user interface (UI) that enables you to view reports based on the UACCE information generated from the ACT database. This is also where you create the data-collection packages used to deploy UACCE.

Application Compatibility Toolkit (ACT)

A suite of tools that enables software developers, independent software vendors (ISVs), and enterprise IT professionals to determine whether their applications are compatible with a new version of the Windows® operating system and newly released Windows security updates.

Application Compatibility Toolkit Data Collector (ACT-DC)

A self-extracting executable (.exe) file containing your configuration manifest and installation file for the data collector and compatibility evaluators. After deployment, ACT-DC installs the compatibility evaluators, maintains their scheduling and data collection, and uploads the issue data to your ACT database.

application profile

A list of the system state settings and files on which an application has been observed to be dependent.

Built-in Administrator (BA)

The default Administrator account, created during a clean installation of the Windows operating system.

compatibility evaluator

A command-line program launched by the ACT-DC and configured by the user through the data-collection package (DCP) settings. An evaluator might run immediately and exit, or continue to monitor system activity through the duration configured by the user.

compatibility-evaluator definition package

The collection of files and data created by a partner defining a compatibility evaluator.

compatibility-evaluator installation package

The installation package used by the ACT-DC to install a compatibility-evaluator module. The provider of the compatibility evaluator produces the compatibility-evaluator installation package that is included in the compatibility-evaluator definition package.

compatibility-evaluator module

A compatibility-evaluator component that is exposed to the ACT-DC. A compatibility-evaluator module generates data and can have dependencies on other compatibility evaluators.

component

A part of the ACT that specifies the compatibility-evaluator resources and settings.

configuration manifest

A file that contains all of the user-configurable settings, such as which compatibility evaluators will run, when, and for how long the compatibility evaluators will run, where to store the log files, and other parameters configurable in the Advanced Settings dialog box.

data-collection package (DCP)

A Microsoft® Windows® Installer (.msi) file created in the ACM for deployment to each of your client computers. Each data-collection package can include one or more compatibility evaluators, depending on what you are trying to evaluate.

data collector

A set of compatibility-evaluator modules that produce or gather data and then store the data locally in a raw or nearly raw form. All compatibility evaluators act as data collectors, and are installed and deployed by ACT-DC.

post-processor

A compatibility-evaluator module that takes volumes of raw data and produces data in a format that matches the ACT schema, with extensions supplied by the compatibility-evaluator provider. More than one post-processor might depend on a single data collector, and a post-processor might depend on data from more than one data collector.

Protected Administrator (PA)

An account in the Administrators group. Users with this account type must consent to perform administrative activities.

Standard User (SU)

An account in the Standard Users group. Users with this account must supply credentials to perform administrative activities.

User Account Control Data Collector (UAC Data Collector)

The compatibility-evaluator module that produces or gathers data related to the User Account Control (UAC) functionality, storing the data locally in a raw or nearly raw format.

User Account Control post-processor (UAC Post-Processor)

The compatibility-evaluator module that takes the raw data from the UAC Data Collector and produces data matching the ACT data schema with extensions defined by the UACCE.

UACCE High-Level Process

The UACCE high-level process is as follows:

  1. The ACT-DC deploys and invokes the UACCE compatibility evaluator, passing the parameters through either the compatibility-evaluator manifest or the command-line options.

  2. UACCE configures its settings according to the parameters, and the UAC Data Collector enables logging, resulting in raw events from your client computers.

  3. After UACCE finishes, the UAC Post-Processor creates an XML representation of the logged application's interactions with the operating system.

UACCE Data Collection

The UACCE collects the UAC data from your client computers, separating the data in the following manner:

  • Log Identification. Compatibility evaluator log identification, including header and metadata, version information, run date and time, and so on.

  • User Account Inventory. Information about the user account, including the account type.

  • UAC Property Inventory. Inventory of the static and dynamic properties, exhibited by the applications and installers on the computer. The Application Compatibility Manager maps these properties to the UAC issue report.

The data collected by the UACCE appears in your ACT database, associated with a user account type, such as Protected Administrator, Standard User, and so on.

UACCE Detected Issues

UACCE detects and reports the following issues.

Non-Virtualized File Accessed

The UACCE logs an event if an executable other than an installer attempts to write to a file and you are logged on as a Standard User, or if the path is not virtualized on the Windows operating system. The following table shows the text as it would appear in the UACCE log.

Heading Description

Symptom

An application might fail to run for a user logged on with the Standard User role.

Cause

An application attempts to access a file to which the Standard User role does not have rights.

Report Message

An application attempted to perform an operation on a file to which the Standard User role does not have permissions.

-or-

This path is not virtualized, and your applications might not function properly for users logged on with the Standard User role.

Mitigation

You can release the access control lists (ACLs) for the file or folder causing the problem, or you can fix your application so that the file does not attempt to write to the folder.

Non-Virtualized Registry Key Accessed

The UACCE logs an event if an executable other than an installer attempts to write to a file and you are logged on as a Standard User, or if the path is not virtualized on the Windows operating system. The following table shows the text as it would appear in the UACCE log.

Heading Description

Symptom

An application might fail to run for a user logged on with the Standard User role.

Cause

An application attempts to access a registry key to which the Standard User role does not have rights.

Report Message

An application attempted to perform an operation on a registry key to which the Standard User role does not have permissions.

-or-

This path is not virtualized, and your applications my not function properly for users logged on with the Standard User role.

Mitigation

You can enable virtualization or release the access control lists (ACLs) for the registry key causing the problem, or you can fix your application so that the file does not attempt to write to the registry key.

Administrative Credentials Required

The UACCE logs an event if an executable other than an installer attempts to write to a file and you are logged on as a Standard User. The following table shows the text as it would appear in the UACCE log.

Heading Description

Symptom

An application might fail to run for a user logged on with the Standard User role.

Cause

An application attempts to elevate the permissions level for a user logged on with the Standard User role.

Report Message

An application attempted to create, write, or delete a registry key for a non-virtualized path. Users logged on with the Standard User role cannot access this registry key.

Mitigation

You can enable virtualization or release the access control lists (ACLs) for the registry key causing the problem, or you can fix your application so that the file does not attempt to write to the registry key.

See Also

Concepts

User Account Control Compatibility Evaluator (UACCE) Technical Reference
Phase 1: Collecting Your Compatibility Data
Phase 2: Analyzing Your Compatibility Data