13

consent.exe is responsible for showing the UAC dialog. Looking at the command line parameters with Process Explorer, I see the following:

consent.exe 1316 748 000000004385BD60

I have

So far, I only figured out the first number: it is the process ID (PID) of the parent process, which happens to be svchost.exe in my case.

How does consent.exe figure out from that command line information what the path of the executable to be started is?

Thomas Weller

2 Answers

2

As you can see, the first argument is the PID of consent.exe's parent process. And by monitoring the APIs that this parent process (which is a "svchost") called before creating the consent process, I was able to find out that the third argument is a pointer to a structure within the svchost's heap, and the second argument is the length of the structure. The structure seems to contain the path of the process to run, its working directory, and its arguments. Also there are some bytes I cannot figure out. But the information is certainly enough for grabbing the full path of the exe.

This answer is tested only on Windows 10 x64 1809.

SixZiv
  • 1
    Would you mind sharing the steps you took? – Thomas Weller Dec 22 '18 at 20:30
  • 1
    My pleasure. I just used the API monitor mentioned in the question to monitor the svchost, and then triggered a UAC prompt manually. Then I searched for the CreateProcessAsUserW call which started consent.exe. Shortly before that we can find several memset actions which copied the name, path and working directories (maybe) into somewhere inside the heap. Looking for the allocation of the buffer, I got to see that the address of the buffer is exactly the third parameter, and the length is the second. – SixZiv Dec 23 '18 at 06:35
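Added example (not part of the answer or its comments above): a Python sketch for offline analysis that splits the consent.exe command line into the three values the answer describes and scans a dump of the referenced buffer for strings. It assumes the length is decimal, the pointer is hexadecimal and the strings are UTF-16LE; all function names are hypothetical and the sample dump is constructed, since the real field layout is not documented on this page.

```python
import re
from typing import List, NamedTuple


class ConsentArgs(NamedTuple):
    parent_pid: int   # first argument: PID of the launching svchost.exe
    struct_len: int   # second argument: structure length (assumed decimal)
    struct_addr: int  # third argument: address in the parent's heap (hex)


def parse_consent_cmdline(cmdline: str) -> ConsentArgs:
    parts = cmdline.split()
    image = parts[0].strip('"').lower() if parts else ""
    if len(parts) != 4 or not image.endswith("consent.exe"):
        raise ValueError("not a consent.exe command line: %r" % cmdline)
    return ConsentArgs(int(parts[1]), int(parts[2]), int(parts[3], 16))


def utf16_strings(buf: bytes, min_chars: int = 4) -> List[str]:
    # Heuristic: runs of printable ASCII stored as UTF-16LE. Non-ASCII path
    # characters are missed; unknown bytes in between are simply skipped.
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, buf)]


def strings_from_dump(args: ConsentArgs, dump: bytes) -> List[str]:
    # Reject a dump whose size disagrees with the length on the command line.
    if len(dump) != args.struct_len:
        raise ValueError("dump is %d bytes, expected %d"
                         % (len(dump), args.struct_len))
    return utf16_strings(dump)


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


# Command line as quoted in the question; the dump below is CONSTRUCTED
# (made-up header/trailer bytes, zero padding up to the stated 748 bytes).
SAMPLE_CMDLINE = "consent.exe 1316 748 000000004385BD60"
SAMPLE_DUMP = (b"\x01\x00\x00\x00\xff\xff\xff\xff"
               + _wide(r"C:\Windows\System32\mmc.exe")
               + _wide(r"C:\Windows\System32")
               + _wide(r'"C:\Windows\System32\mmc.exe" compmgmt.msc')
               + b"\xde\xad\xbe\xef").ljust(748, b"\x00")

if __name__ == "__main__":
    parsed = parse_consent_cmdline(SAMPLE_CMDLINE)
    print(parsed, strings_from_dump(parsed, SAMPLE_DUMP))
```
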
2

Based on the Russinovich TechNet article you linked: Remember that applications call out to the Application Information Service (AIS) to elevate. So consent.exe doesn't need to know how to launch programs. It exists solely to establish user consent, and return the result to AIS. AIS then does the actual launching (assuming consent.exe returns success).

  • It is true that it does not need to launch programs, but it displays the program's (Exe's) full path. To get all the other information, it needs to read the Exe's digital signature and display the manufacturer name. Therefore, what I'm looking for is: how does consent.exe get to know this Exe full file name? – Thomas Weller Apr 13 '15 at 19:14
  • 3
    Presumably it's sent the information by AIS over some IPC pipe or similar. – Justin King-Lacroix Apr 13 '15 at 19:39