Re: Problems with uiAccess = true

Hi Martin,

I have performed some intensive debugging over this issue.

It seems that the "A referral was returned from the server" error dialog is
shown by the shell32.dll in ShellExecuteEx API. Below is the stack
regarding the error dialog:

ChildEBP RetAddr
002ee380 778a0690 ntdll!KiFastSystemCallRet
002ee384 77667e09 ntdll!ZwWaitForMultipleObjects+0xc
002ee420 763ec4af kernel32!WaitForMultipleObjectsEx+0x11d
002ee474 7516161a USER32!RealMsgWaitForMultipleObjectsEx+0x13c
002ee494 75162cb6 DUser!CoreSC::Wait+0x59
002ee4bc 75162c55 DUser!CoreSC::WaitMessage+0x54
002ee4cc 763e15b0 DUser!MphWaitMessageEx+0x22
002ee4e8 778a0e6e USER32!__ClientWaitMessageExMPH+0x1e
002ee504 763eb5b4 ntdll!KiUserCallbackDispatcher+0x2e
002ee508 763e1588 USER32!NtUserWaitMessage+0xc
002ee53c 763e1450 USER32!DialogBox2+0x202
002ee564 763e1492 USER32!InternalDialogBox+0xd0
002ee584 763e14f5 USER32!DialogBoxIndirectParamAorW+0x37
002ee5a4 74eb6c51 USER32!DialogBoxIndirectParamW+0x1b
002ee5c8 74eb6beb comctl32!SHFusionDialogBoxIndirectParam+0x2d
002ee5fc 764aa8a9 comctl32!CTaskDialog::Show+0x100
002ee73c 76bca444 SHLWAPI!ShellMessageBoxW+0x169
002eeb84 76b65b51 SHELL32!SHSysErrorMessageBox+0xca
002eedd0 76a967d2 SHELL32!_ExecErrorMsgBox+0x287
002eede8 76a0a817 SHELL32!SHExecuteErrorMessageBox+0x2a
002eee00 76a0e4e1 SHELL32!CShellExecute::_TryErrorMsgBox+0x43
002eee1c 76a0db9d SHELL32!CShellExecute::_DoExecute+0xb7
002eee30 76a0e701 SHELL32!CShellExecute::ExecuteNormal+0x87
002eee44 76a0e696 SHELL32!ShellExecuteNormal+0x33
002eee5c 4a9756dc SHELL32!ShellExecuteExW+0x62
002eeffc 4a964a94 cmd!ExecPgm+0x2dc
002ef25c 4a964b28 cmd!ECWork+0x7f
002ef274 4a964c17 cmd!ExtCom+0x47
002ef6d0 4a961a47 cmd!FindFixAndRun+0xb3
002ef720 4a966070 cmd!Dispatch+0x14a
002ef764 4a96c703 cmd!main+0x21a
002ef7a8 77663833 cmd!__mainCRTStartup+0x102
002ef7b4 7787a9bd kernel32!BaseThreadInitThunk+0xe
002ef7f4 00000000 ntdll!_RtlUserThreadStart+0x23

As you can see, it is SHELL32!CShellExecute::_DoExecute that checks some
logic and display the "A referral was returned from the server" error
dialog.

After doing some further research, I find that there is an existing record
related with our issue, below is the comment provided by the Vista UAC team:

"Since UIAccess=true apps can bypass the process isolation boundaries, we
put two extra requirements on them before they will be launched by the O/S.

1) They are Authenticode signed with the signing cert chaining to a cert in
the machine's trusted root store
2) the application sits in a protected system location (like under \program
files or under \windows\system32)

The error you are getting indicated either one or both of these conditions
are not met."

Also, I was told that the setting "User Account Control: Only elevate
executables that are signed and validated." in secpol.msc does not apply to
the first condition. So we should always sign the Exe and add the publisher
into the trust store if we want to use it with Uiaccess.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


.

Relevant Pages

  • Re: Can SSAS 2005 work in Novell network?
    ... windows account which was used to log on to the local machine. ... the server to the relevant OLAP roles you should be good to go. ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.sqlserver.olap)
  • Re: Bad Querry Performance
    ... As Jeje mentioned, you'd isolate this issue to server or client, and you ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ... project analysis and dump analysis issues. ...
    (microsoft.public.sqlserver.olap)
  • RE: .net 3.5 Web Service in IIS on XP PRO SP2
    ... running in IIS server, correct? ... Microsoft MSDN Online Support Lead ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • RE: Problems with Code Coverage and Team Build
    ... How do you clear locks on files on the build server. ... It is capable of finding out the process that locks a certain file. ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.vsnet.enterprise.tools)
  • Re: IIS7 with multiple web sites - Windows Auth only working on localhost
    ... The findings of you indicates the problem isn't on the IIS server itself. ... doesn't mean integrated auth is turned off. ... Microsoft Online Community Support ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.inetserver.iis.security)