Why is AV able to run without elevating UAC?


Crash
This is an additional question from the post http://www.autoitscript.com/forum/index.php?showtopic=106698

Crash, on 11 December 2009 - 08:10 AM, said:

I am creating a program and making it in such a way that every user can run the program with full admin rights without having to call UAC and enter the password.

I have thought of letting the admin type his/her username and password, and my program will save it inside the computer.

Whenever my program needs to execute another exe (my program has many exe files), it will use the RunAs() function and include the username and password. But this is all too risky.

What I need to know is that:

-When I attempt to delete a file in my HomeDrive (c:) using AutoIt, the file is sometimes deleted and sometimes not. (Mostly not)

FileDelete("C:\lalala.txt")

Is there a way to delete the file without elevating UAC? Antivirus programs can even delete a file (virus) from system directories without permission being granted.

If UAC is enabled then no. AV is run with all permissions.

Crash, on 11 December 2009 - 08:10 AM, said:

P.S. If you say that AV programs are able to delete viruses because viruses are not protected by the system, then why is my innocent (and useless) TXT file protected?

Location of that file is important. Location of your executable can be important too.

AVs run with full privileges (you/administrator gave them that right).

Run your script that way and you will be able to do whatever you want to.

Crash, on 11 December 2009 - 08:10 AM, said:

P.P.S. Is there a way to edit registry keys without UAC elevating too?

That would depend on which registry key and which system. On pre-Vista systems you can do whatever you want with the registry. For others it all depends on your permissions. For example, HKLM can be read but not changed without running in elevated mode.

Crash, on 11 December 2009 - 08:10 AM, said:

Many thanks if solutions or ideas are provided.

Sure ;)

By the way, all the answers here are provided by trancexx. Many thanks to you!

So my question is: how do AVs get their permission (although you said that I granted it)? I did not type my password or whatever. I just installed it and it is able to run in full permission mode. How is it done?

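An added check for the points trancexx makes above (this is example code written for this thread, not code from the original post or from AutoIt): it reports whether the current process is elevated, then tries a write under HKCU and under HKLM\SOFTWARE, and finally looks at the ACL on the file from the post before trying to delete it. It assumes Windows Vista or later with UAC on, PowerShell 5.1 or later, and uses hypothetical key names (UacDemo) that it removes again.

```powershell
# Added example, not from the original thread. Assumes Vista+ with UAC enabled
# and PowerShell 5.1+. Key names under 'UacDemo' are hypothetical and are
# cleaned up; the file path is the one from the original post.

function Test-IsElevated {
    # True only when the process token carries the full Administrators group,
    # i.e. the UAC prompt was answered (or the process runs as SYSTEM).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

"User: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"Running elevated: $(Test-IsElevated)"

# 1. Registry: the user's own hive is writable; HKLM\SOFTWARE is not unless elevated.
$keys = @('HKCU:\Software\UacDemo', 'HKLM:\SOFTWARE\UacDemo')   # hypothetical
foreach ($k in $keys) {
    try {
        New-Item -Path $k -Force -ErrorAction Stop | Out-Null
        Remove-Item -Path $k -ErrorAction Stop
        "write to $k : OK"
    } catch {
        "write to $k : DENIED ($($_.Exception.GetType().Name))"
    }
}

# 2. File system: whether FileDelete("C:\lalala.txt") works depends on the ACL
#    of the file and of its parent directory (C:\ root), not on the file being
#    "protected" as a special object. Show the ACL, then try the delete.
$target = 'C:\lalala.txt'
if (Test-Path -LiteralPath $target) {
    (Get-Acl -LiteralPath $target).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    try {
        Remove-Item -LiteralPath $target -ErrorAction Stop
        "delete $target : OK"
    } catch {
        "delete $target : DENIED ($($_.Exception.GetType().Name))"
    }
} else {
    "$target does not exist; showing the ACL of C:\ instead"
    (Get-Acl -LiteralPath 'C:\').Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags |
        Format-Table -AutoSize
}
```

Run it once from a normal prompt and once from an elevated one: the HKCU write succeeds both times, the HKLM write and the delete in the C:\ root only succeed when Test-IsElevated is true, which is exactly the "location is important" answer.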

Hi,

the main parts are installed as a service and run under the LocalSystem account!

This account is a special account, mostly like an admin account.

If you have a look at the NTFS file settings, you will see that SYSTEM has full rights everywhere by default. You will see the same in the security settings of the registry hives.

;-))

Stefan

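To see what Stefan describes on your own machine, here is an added example (not code from the thread or from any AV vendor): it lists the installed services that log on as LocalSystem and then prints the SYSTEM access entry on a few NTFS directories and HKLM registry keys. It assumes Windows Vista or later and PowerShell 5.1 or later; reading this information needs no elevation. The service name and path in the final comment are hypothetical.

```powershell
# Added example, not from the original thread. Assumes Vista+ and PowerShell 5.1+.
# Nothing here needs elevation; it only reads service configuration and ACLs.

# 1. Which services run under LocalSystem? (Win32_Service.StartName is the logon
#    account; LocalSystem is reported literally as 'LocalSystem'.)
function Get-LocalSystemService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State, PathName |
        Sort-Object Name
}

# 2. The SYSTEM access entry on a path. File ACEs carry FileSystemRights,
#    registry ACEs carry RegistryRights; pick whichever is present.
function Get-SystemAce {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $_.IdentityReference.Value
                Rights    = if ($_.FileSystemRights) { "$($_.FileSystemRights)" } else { "$($_.RegistryRights)" }
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

"Services logging on as LocalSystem:"
Get-LocalSystemService | Format-Table -AutoSize

"SYSTEM access entries (full control by default on these locations):"
@('C:\', 'C:\Windows', 'C:\Windows\System32', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM') |
    ForEach-Object { Get-SystemAce -Path $_ } |
    Format-Table -AutoSize

# 3. How an installer gets there: registering the program as a LocalSystem service
#    is the one elevated step (the UAC prompt you answered during setup). After
#    that the service starts as SYSTEM on every boot without any prompt.
#    Hypothetical name and path; run only from an elevated prompt:
#    sc.exe create UacDemoSvc binPath= "C:\Program Files\UacDemo\agent.exe" obj= LocalSystem start= auto
```

The point for the original question: the AV did ask for elevation, once, when its installer created the service. Everything it does afterwards runs under SYSTEM, whose ACEs you can see in the second table, so it never has to prompt again.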

  • 3 weeks later...

99ojo: Thanks for telling me the trick!! Now I fully understand!

Richard Robertson: Too bad, isn't it? But thanks to you too!

But for me, it'll be better if AutoIt can't, because if it can, it will be further abused by virus programmers. Don't you think so? There are already many "AutoIt viruses" out there. For your info, the XMSS virus is also programmed using AutoIt.

