From: Nobody on
This has nothing to do with "kernel", but any service running as SYSTEM or
scheduled task like others mentioned (which could run as SYSTEM) can do
whatever it wants. Not to mention that Windows Installer itself runs as a
service. See also these articles which cover several OS'es:

Description of the RunOnceEx Registry Key
http://support.microsoft.com/kb/310593

A definition of the Run keys in the Windows XP registry
http://support.microsoft.com/kb/314866/EN-US/

Definition of the RunOnce Keys in the Registry
http://support.microsoft.com/kb/137367

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/kb/179365


From: Jonathan de Boyne Pollard on
>> Scheduled Tasks can launch elevated without triggering a UAC prompt
>> (you need admin rights to create such a task), so maybe the first half
>> of the installer schedules the second half to run at the next login.
>>
>> I have not checked that that is what it does, but I think it's one
>> way it could work.
>>
> It must be that. The only other way would be via some sort of
> whitelist and surely Microsoft wouldn't be that stupid?!
>

Untrue. There's at least one other way for a setup program to be
invoked ahead of everything else — under the aegis of the Local System
account, no less — during system initialization: |SetupExecute|
<http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/windows-nt-6-boot-process.html#SMSS>.
It's not really an appropriate environment for an /application/ setup
program to run in, but it's there. It won't be what's happening in this
case, unless you are seeing the setup program run before you even log
in, but it's one of several ways to do this sort of thing other than by
scheduling tasks. (-:

From: Stefan Kuhr on
Hello Nobody,

On 4/22/2010 7:29 PM, Nobody wrote:
> This has nothing to do with "kernel", but any service running as SYSTEM or
> scheduled task like others mentioned (which could run as SYSTEM) can do
> whatever it wants. Not to mention that Windows Installer itself runs as a
> service. See also these articles which cover several OS'es:
>
> Description of the RunOnceEx Registry Key
> http://support.microsoft.com/kb/310593
>
> A definition of the Run keys in the Windows XP registry
> http://support.microsoft.com/kb/314866/EN-US/
>
> Definition of the RunOnce Keys in the Registry
> http://support.microsoft.com/kb/137367
>
> INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
> http://support.microsoft.com/kb/179365
>
>

I am well aware of these keys but my perception is that these keys
start child processes of Explorer.exe with the same unprivileged token
that explorer uses on Vista++ with UAC turned on. Please feel free to
correct me if I am wrong.

--
S
From: Stefan Kuhr on
Jonathan,

On 4/22/2010 7:22 PM, Jonathan de Boyne Pollard wrote:
>>
>>>
>>> Scheduled Tasks can launch elevated without triggering a UAC prompt
>>> (you need admin rights to create such a task), so maybe the first
>>> half of the installer schedules the second half to run at the next
>>> login.
>>>
>>> I have not checked that that is what it does, but I think it's one
>>> way it could work.
>>>
>> It must be that. The only other way would be via some sort of
>> whitelist and surely Microsoft wouldn't be that stupid?!
>>
> Untrue. There's at least one other way for a setup program to be invoked
> ahead of everything else — under the aegis of the Local System account,
> no less — during system initialization: |SetupExecute|
> <http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/windows-nt-6-boot-process.html#SMSS>.
> It's not really an appropriate environment for an /application/ setup
> program to run in, but it's there. It won't be what's happening in this
> case, unless you are seeing the setup program run before you even log
> in, but it's one of several ways to do this sort of thing other than by
> scheduling tasks. (-:
>

I assumed it was clear from my description that I logged in after reboot
and that the setup automatically continued as an interactively logged in
administrator user with a token that was *not* a restricted token. It
was not SYSTEM. Probably I should have described this more precisely.

--
S
From: Manfred on
Maybe look at RunOnce again. From http://blogs.msdn.com/uac:

"A couple of exceptions to note: First, setup applications that need to
complete their setup after a reboot should be putting their application in
the RunOnce key. This key gets consumed by the next Administrator account
that logs on, and the setup will continue without the need for an elevation.
(This key can only be set by a program running with elevated privileges.)"

"Stefan Kuhr" <kustt110(a)gmx.li> wrote in message
news:#oDBM$s4KHA.1924(a)TK2MSFTNGP06.phx.gbl...
> I am well aware of these keys but my perception is that these keys start
> child processes of Explorer.exe with the same unprivileged token that
> explorer uses on Vista++ with UAC turned on. Please feel free to correct
> me if I am wrong.
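
The point quoted earlier in the thread, that a scheduled task can start elevated without a UAC prompt, can be checked from the defender's side by reading exported task definitions (for example from `schtasks /query /xml`). The following is an added example, not part of any poster's message: it flags tasks that fire at boot or logon and run with `HighestAvailable` rights or as SYSTEM; the task names, paths and SID are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler 2.0 definitions (Vista and later).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

def sample_task(trigger, run_level, command):
    """Constructed task definition for the demo, not captured from a real system."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId>
    <RunLevel>{run_level}</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

def audit_task(xml_text):
    """Return a finding if the task starts at boot/logon with full rights, else None."""
    root = ET.fromstring(xml_text)
    triggers = [tag for tag in ("BootTrigger", "LogonTrigger")
                if root.find(f"t:Triggers/t:{tag}", NS) is not None]
    principals = {}  # principal id -> (account, runs with full rights?)
    for p in root.findall("t:Principals/t:Principal", NS):
        account = (p.findtext("t:UserId", "", NS) or p.findtext("t:GroupId", "", NS)).strip()
        run_level = p.findtext("t:RunLevel", "LeastPrivilege", NS).strip()
        elevated = run_level == "HighestAvailable" or account.upper() in SYSTEM_IDS
        principals[p.get("id")] = (account, elevated)
    actions = root.find("t:Actions", NS)
    if actions is None or not triggers:
        return None
    account, elevated = principals.get(actions.get("Context"), ("", False))
    if not elevated:
        return None
    commands = [e.findtext("t:Command", "", NS).strip() for e in actions.findall("t:Exec", NS)]
    return {"account": account, "triggers": triggers, "commands": commands}

SAMPLES = {
    "ContinueSetup": sample_task("LogonTrigger", "HighestAvailable", r"C:\Example\setup-stage2.exe"),
    "UserUpdater": sample_task("LogonTrigger", "LeastPrivilege", r"C:\Example\updater.exe"),
    "NightlyJob": sample_task("TimeTrigger", "HighestAvailable", r"C:\Example\nightly.exe"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, audit_task(xml_text))
```

Only `ContinueSetup` is reported: it is the one sample that combines a logon trigger with full rights, which is the pattern the thread speculates an installer could use to resume after a reboot.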