Windows Vista, 7, 8, 10; Windows 64-bit

User Account Control

Windows Vista has a new security feature - User Account Control (UAC). With UAC, even on administrator accounts most processes (running programs) have limited privileges. It creates problems for many programs. This topic describes problems that may have QM when running on Vista, and gives workarounds for most of them. You also may want to read about running QM-created programs on Vista.

 

Here "Vista" actually means "Vista and later". On Windows 7, 8 and 10 everything is similar as on Vista.

 

On Vista, there are several predefined privilege sets, also called integrity levels (IL). An IL is assigned to a process (running program) before starting it, and cannot be changed while it is running. The table gives some information about different integrity levels.

 

IL Comments
High

The process runs as administrator, like on Windows XP.

 

When starting a process that needs administrator privileges, usually is shown a dialog with name "User Account Control" (consent dialog). The process then is called elevated. The program can be marked to require such privileges, or you can run it as administrator using the right-click menu, or you can set it to run as administrator in file properties dialog, or if Windows decides that it is a setup program. A process launched by a process that has administrator privileges also has administrator privileges, but does not require a consent.

 

By default, QM runs with High IL (as administrator), although you can change it in Options. To create better user experience, a consent dialog is not shown when QM starts. Otherwise QM would be blocked at Windows startup. Also, processes launched by QM have Medium IL by default.
Medium

The process runs as standard user, like on a non-administrator account. It has limited privileges. For example, It cannot write to Windows and Program Files folders, cannot write to most registry keys, cannot manipulate services, and much more. Also, it cannot interact (use keyboard, mouse and menu commands, send messages, use hooks, etc) with higher IL processes.

 

On Vista, most processes have Medium IL. Windows Explorer also has Medium IL. QM runs with Medium IL if in Options is selected UAC: run as User, which is not recommended.
uiAccess

The process has Medium IL, but is allowed to interact (use keyboard, mouse and menu commands, send messages, use hooks, etc) with High IL and uiAccess processes.

 

Only few programs have uiAccess privileges. QM runs with uiAccess privileges if in Options is selected UAC: run as uiAccess, which is recommended if you don't want QM running as administrator. On non-administrator accounts, QM runs as uiAccess by default.
Low The process has minimal privileges. It can write only to several predefined folders and registry keys. Normally, with Low IL runs only Internet Explorer, when protected mode is on. QM does not have an option to run as Low, but macros that are set to run in separate process can run as Low.
System Highest privileges. Normally only services and some system processes run with System IL. QM does not have an option to run as System.

 

Q. What IL uses QM? Can it be changed?

A. By default QM runs as administrator. It can be changed in Options.

 

Q. Should QM run as administrator, uiAccess, or standard user? When it has less problems with UAC?

A. QM has less problems when it runs as administrator. Then almost everything that worked in previous operating systems also works on Vista.

 

Q. Is it safe if QM runs as administrator?

A. It is quite safe. Programs started by QM (run) have medium IL. If you think it is not safe, you can set it to run as uiAccess. The User mode (Medium IL) is not recommended.

 

Q. Can some macros run with different IL than QM?

A. Yes, if they run in separate process. You can set it in Properties.

 

Q. Is it possible to turn off UAC?

A. Yes, you can completely turn off UAC in Control Panel -> User Accounts. Then security level will be the same or slightly higher than on Windows XP. Also, some options can be changed in local security policy (run "secpol.msc"). For example, you can set to elevate without consent, or to show consent in default desktop.

 

Q. Is it possible to run a program as administrator without a consent dialog?

A. Use flag 0x10000 or 0x20000 with run. Or use function StartProcess. Or, in macro properties, check "Run in separate process" and select "Administrator" or "Highest available". It is possible only from QM (except portable). Without QM, it is possible for example using Windows Task Scheduler.

 

Q. Is it possible to automatically close the consent dialog for some programs?

A. There is no such option in Windows. QM also cannot automate it because the dialog is created in a secure desktop. If the dialog is not in a secure desktop (you can set it in local security policy), then you can create a function that closes it.

 

You can find more information about UAC in Vista Help and on the Internet. If you need QM-specific information, you can ask about it in QM forum.

 

See also: GetProcessUacInfo, IsUserAdmin

What does not work on Vista

These problems are common to all integrity levels.

  1. When you launch protected mode Internet Explorer, actually are started two processes. The first process usually exits immediately (but in IE8 not). For this reason, all "wait for" options don't work with run. For the same reason, SHDocVw.InternetExplorer functions don't work if you create the object using _create. Possible workarounds: 1. Use web instead. 2. In Properties, check "Run in separate process" and select Low. 3. Turn off IE protected mode. 4. Turn off UAC.
  2. May fail file functions that use mapped network drive (like "Z:\file"). Workaround: Use path like "\\server\share\file".
  3. And maybe more (not yet discovered).

To solve most other UAC-related problems, you can set QM or separate macros to run with appropriate IL. The information below should help you decide what IL you should use.

What does not work on Vista when QM is running as Administrator or uiAccess

Some operations are not allowed between different IL processes. Although most of them are not allowed only when initiated by the lower IL process, some of them also are not allowed when initiated by the higher IL process.

  1. _getactive, GetObject (VBScript) and some other COM functions cannot get COM objects from different IL processes. _getactive also is used in some other functions. Possible workarounds: 1. In Properties, check "Run in separate process" and select same privileges as of the target app (usually User). 2. Start the target app using _create. 3. Run both QM and the target app as administrator. 4. Turn off UAC.
  2. Drag and drop from Medium IL processes (e.g. Windows Explorer) to QM. QM uses another process to reenable its drag and drop feature. However, WM_DROPFILES in custom dialogs does not work. Possible workarounds: 1. Use QmRegisterDropTarget instead. 2. In Properties, check "Run in separate process" and select User. 3. Turn off UAC.
  3. And maybe more.

What does not work on Vista when QM is running as User or uiAccess

Some functions and other QM features require administrator privileges. If QM (or exe) is not running as administrator, these features don't work.

  1. Writing to some file system locations, such as Program Files and Windows folders (cop, ren, del, MkDir, SetAttr, str.setfile, etc).
  2. Writing to some registry keys, such as HKEY_LOCAL_SYSTEM and HKEY_CLASSES_ROOT (rset).
  3. Automatic COM object registration by _create (because cannot write to the registry).
  4. RegisterComComponent. You can use flag 4 to show consent dialog.
  5. GetDiskUsage. It uses PDH functions that require administrator privileges. Does not work on Vista only; works on 7/8/10.
  6. SetPrivilege.
  7. Manipulating services.
  8. Changing computer date.
  9. Some COM functions, including _getactive and GetObject (VBScript), don't work with different IL processes. Read more above.
  10. On Windows 8 QM does not see Windows store app windows.
  11. And maybe more.

Everything above also does not work on non-administrator user accounts on all OS.

 

Possible workarounds: 1. In Properties, check "Run in separate process" and select Administrator. 2. Run QM as administrator. 3. Turn off UAC.

What does not work on Vista when QM is running as User

The following functions don't work with higher IL windows unless QM (or exe) is running as administrator or uiAccess. This is more actual for exe, because QM can run as administrator or uiAccess.

  1. Keyboard and mouse commands (key, paste/outp, str.getsel, str.setsel, lef, mou, Acc.Mouse, ifk, wait K, wait M, and other). Mouse commands don't work in any window if currently active window has higher IL.
  2. Windows API functions that send messages (SendMessage, PostMessage, etc). Only few messages can be sent.
  3. Many Windows API functions that manipulate windows (SetWindowPos, EnableWindow, etc).
  4. Functions that use SendMessage, SetWindowPos, etc . Most of them are menu and control functions (men, but, CB_x, LB_x, Acc.DoDefaultAction, etc) and window functions (hid, max, mov, siz, ArrangeWindows, Zorder, Transparent, etc).
  5. Most hooks. For example, function BlockInput2 (available in the forum) uses low level keyboard and mouse hooks.
  6. BlockInput does not work with all windows.
  7. Toolbars cannot be attached to higher IL windows.
  8. Windows 8/10: sending system hotkeys (Alt+Tab, Win+R etc) with key. This does not depend on the currently active window.
  9. And maybe more.

This should not be a big problem, because normally most programs don't run as administrator. Administrative programs usually are used briefly and don't need to be automated. However, currently there are quite many non-Vista-aware programs that don't work without administrative privileges. For example, if a program saves files in its home directory, which usually is in Program Files, it must run as administrator.

 

Possible workarounds (QM): 1. In Properties, check "Run in separate process" and select Administrator. 2. Run QM as administrator or uiAccess. 3. Turn off UAC.

 

Possible workarounds (exe): 1. Run exe from QM: in Properties check "Run in separate process" and select As QM (if QM runs as administrator or uiAccess) or Administrator. If you need to launch it from e.g. desktop, create shortcut to run the macro (in Properties). Of course, QM must be installed. 2. Set uiAccess="true" in the manifest, sign the exe file, and put it in Program Files folder. It works well on any computer (QM is not needed). Read more about signing in the make exe topic. 3. Run exe as administrator. It requires consent, unless exe is started from another program that is running as administrator. 4. If possible, don't run target programs as administrator. 5. Turn off UAC.

Vista bugs

  1. uiAccess programs cannot open folders using ShellExecute[Ex] if "Launch folder windows in a separate process" is checked in Control Panel -> Folder Options -> View. It is unchecked by default. The run command, which uses ShellExecuteEx, uses a workaround for this. However it will fail in exe running with uiAccess privileges (exe can run with uiAccess privileges only if launched by QM or marked as uiAccess in manifest). Also, if you use ShellExecute[Ex] or other functions that call it, they will fail. Possible workarounds: 1. Uncheck the checkbox. 2. If QM is running as uiAccess, and "Run in separate process" is checked in Properties, select something other than As QM. 3. Use run "explorer.exe" "folder" instead of run "folder". 4. Turn off UAC.
  2. QM cannot load some type libraries (maybe about 1%) because they are incorrectly registered. The OLE/COM Object Viewer also cannot open these type libraries. Possible workarounds: 1. If possible, with typelib use path instead of GUID. 2. Edit the registry: remove double quotes from type library path.
  3. And maybe more.

64-bit Windows

QM is a 32-bit program, but it runs well on 64-bit Windows.

 

If QM is running on 64-bit Windows, special variable _win64 is 1, else 0.

 

Notes

 

On 64-bit Windows, there are separate System and Program Files folders for 64-bit and 32-bit programs.

 

Special folder "$program files$" expands to the 32-bit folder ("Program Files (x86)"). QM is installed there. Environment variable "%ProgramW6432%" expands to the 64-bit folder ("Program Files").

 

Special folder "$system$" expands to the 64-bit folder path ("C:\Windows\System32"), but actually is used the 32-bit folder ("C:\Windows\SysWOW64"). That is, run will launch 32-bit versions of programs, unless flag 0x4000 used. See also this forum post.

 

Also, there are some separate registry locations for 32-bit programs.

 

More info.