
Windows Vista, Windows 64-bit

User Account Control


Windows Vista includes a new security feature, User Account Control (UAC). With UAC, most processes
(running programs) have limited privileges, even on administrator accounts. This creates problems
for many programs. This topic describes problems that QM may have when running on Vista, and gives
workarounds for most of them. You may also want to read about running QM-created programs on
Vista.

On Vista, there are several predefined privilege sets, also called integrity levels (IL). An IL is assigned to
a process (running program) before starting it, and cannot be changed while it is running. The table
gives some information about different integrity levels.

IL: Comments

High: The process runs as administrator, like on Windows XP.

When starting a process that needs administrator privileges, a dialog named "User Account Control"
(the consent dialog) is usually shown. The process is then called elevated. This happens when the
program is marked to require such privileges, when you run it as administrator using the right-click
menu, when you set it to run as administrator in the file properties dialog, or when Windows decides
that it is a setup program. A process launched by a process that has administrator privileges also
has administrator privileges, but does not require consent.

By default, QM runs with High IL (as administrator), although you can change it in Options. To give
a better user experience, a consent dialog is not shown when QM starts. Otherwise QM would be
blocked at Windows startup. Also, processes launched by QM have Medium IL by default.

Medium: The process runs as standard user, like on a non-administrator account. It has limited
privileges. For example, it cannot write to the Windows and Program Files folders, cannot write to
most registry keys, cannot manipulate services, and much more. Also, it cannot interact (use
keyboard, mouse and menu commands, send messages, use hooks, etc.) with higher IL processes.

On Vista, most processes have Medium IL. Windows Explorer also has Medium IL. QM runs with Medium
IL if "Vista UAC: run as User" is selected in Options, which is not recommended.

uiAccess: The process has Medium IL, but is allowed to interact (use keyboard, mouse and menu
commands, send messages, use hooks, etc.) with High IL and uiAccess processes.

Only a few programs have uiAccess privileges. QM runs with uiAccess privileges if "Vista UAC: run as
uiAccess" is selected in Options, which is recommended if you don't want QM to run as
administrator. On non-administrator accounts, QM runs as uiAccess by default.

Low: The process has minimal privileges. It can write only to several predefined folders and
registry keys. Normally, only Internet Explorer runs with Low IL, when protected mode is on.

System: Highest privileges. Normally only some services and some system processes run with
System IL.

Q. What IL does QM use? Can it be changed?


A. By default QM runs as administrator. It can be changed in Options.

Q. Should QM run as administrator, uiAccess, or standard user? When does it have fewer problems with UAC?

A. QM has fewer problems when it runs as administrator. Then almost everything that worked in previous
operating systems also works on Vista.

Q. Is it safe if QM runs as administrator?


A. It is quite safe. Programs started by QM (run) have medium IL. If you feel it is not safe, you can set it
to run as uiAccess. The User mode (Medium IL) is not recommended.

Q. Can some macros run with different IL than QM?


A. Yes, if they run in a separate process. You can set it in Properties.

Q. Is it possible to turn off UAC?


A. Yes, you can completely turn off UAC in Control Panel -> User Accounts. The security level will still
be the same or slightly higher than on Windows XP. Also, some options can be changed in local
security policy (run "secpol.msc"). For example, you can set it to elevate without consent, or to show
the consent dialog on the default desktop.

Q. Is it possible to run a program as administrator without a consent dialog?


A. Use flag 0x10000 or 0x20000 with run. Or use function StartProcess. Or, in macro properties, check
"Run in separate process" and select "Administrator" or "Highest available". It is possible only from QM.
Without QM, it is possible for example using the Windows Task Scheduler.

Q. Is it possible to automatically close the consent dialog for some programs?


A. There is no such option in Windows. QM also cannot automate it because the dialog is created in a
secure desktop. If the dialog is not in a secure desktop (you can set it in local security policy), then you
can create a function that closes it.
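
The three relaxations mentioned in the answers above (UAC turned off, elevation without consent, consent dialog on the default desktop) are stored as DWORD values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The following check is an added example, not part of QM or of the original help topic; it reads the text printed by `reg query` for that key and reports which of them are in effect. The function names and the sample output are constructed for illustration.

```python
import re

# Value names under ...\Policies\System and the setting that weakens UAC.
WEAK_SETTINGS = {
    "EnableLUA": (0, "UAC is turned off"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without a consent dialog"),
    "PromptOnSecureDesktop": (0, "consent dialog is shown on the default desktop"),
}

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {lowercased value name: int} for each REG_DWORD line of `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def audit_uac(text):
    """Return (value name, message) findings; a value absent from the output is unknown."""
    values = parse_reg_query(text)
    findings = []
    for name, (weak, message) in WEAK_SETTINGS.items():
        if name.lower() not in values:
            findings.append((name, "value not present in output, state unknown"))
        elif values[name.lower()] == weak:
            findings.append((name, message))
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, message in audit_uac(SAMPLE):
        print(f"{name}: {message}")
```
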

You can find more information about UAC in Vista Help and on the Internet. If you need QM-specific
information, you can ask about it in the Quick Macros forum.

See also: GetProcessUacInfo, IsUserAdmin

What does not work on Vista

1. When you launch protected mode Internet Explorer, two processes are actually started. The
first process usually exits immediately. For this reason, all "wait for" options don't work with run.
For the same reason, SHDocVw.InternetExplorer functions don't work if you create the object
using _create. Possible workarounds: 1. Use web instead. 2. In Properties, check "Run in
separate process" and select Low. 3. Turn off IE protected mode. 4. Turn off UAC.
2. And maybe more (not yet discovered).

To solve most other UAC-related problems, you can set QM or separate macros to run with appropriate
IL. The information below should help you decide what IL you should use.

What does not work on Vista when QM is running as Administrator or uiAccess


Some operations are not allowed between processes with different IL. Although most of them are
blocked only when initiated by the lower IL process, some of them are also blocked when initiated
by the higher IL process.

1. _getactive, GetObject (VBScript) and some other COM functions cannot get COM objects from
different IL processes. _getactive also is used in some other functions. For example,
ExcelSheet.Init cannot connect to Excel. Possible workarounds: 1. In Properties, check "Run in
separate process" and select the same privileges as the target app (usually User). 2. Start the
target app using _create. 3. Run both QM and the target app as administrator. 4. Turn off UAC.
2. Drag and drop from Medium IL processes (e.g. Windows Explorer). QM uses another process
to reenable its drag and drop feature. However, WM_DROPFILES in custom dialogs does not
work. Possible workarounds: 1. Use QmRegisterDropTarget instead. 2. In Properties, check
"Run in separate process" and select User. 3. Turn off UAC.
3. And maybe more.

What does not work on Vista when QM is running as User or uiAccess


Some functions and other QM features require administrator privileges. If QM (or exe) is not running as
administrator, these features don't work.

1. Writing to some file system locations, such as the Program Files and Windows folders (cop, ren,
del, MkDir, SetAttr, str.setfile, etc.).
2. Writing to some registry keys, such as HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT
(rset).
3. Automatic COM object registration by _create (because it cannot write to the registry).
4. RegisterComComponent. You can use flag 4 to show the consent dialog.
5. GetDiskUsage. It uses PDH functions that require administrator privileges.
6. SetPrivilege.
7. Manipulating services.
8. Changing computer date.
9. Some COM functions, including _getactive and GetObject (VBScript), don't work with different
IL processes. Read more above.
10. If you use the shareware protection system for macros (available in the forum), make sure you
have the latest version, because older versions don't work on Vista when not running as
administrator. Also, some editing is required.
11. And maybe more.

None of the above works on non-administrator user accounts either, on any OS.

Possible workarounds: 1. In Properties, check "Run in separate process" and select Administrator. 2.
Run QM as administrator. 3. Turn off UAC.

What does not work on Vista when QM is running as User


The following functions don't work with higher IL windows unless QM (or exe) is running as
administrator or uiAccess. This is more relevant for exe, because QM can run as administrator or
uiAccess.

1. Keyboard and mouse commands (key, outp, str.getsel, str.setsel, lef, mou, acc.Mouse, ifk, wait
K, wait M, and others). Mouse commands don't work in any window if the currently active window
has higher IL.
2. Windows API functions that send messages (SendMessage, PostMessage, etc.). Only a few
messages can be sent.
3. Many Windows API functions that manipulate windows (SetWindowPos, EnableWindow, etc.).
4. Functions that use SendMessage, SetWindowPos, etc. Most of them are menu and control
functions (men, but, CB_x, LB_x, acc.DoDefaultAction, etc.) and window functions (hid, max,
mov, siz, ont, ArrangeWindows, Zorder, Transparent, etc.).
5. Most hooks. For example, function BlockInput2 (available in the forum) uses low level keyboard
and mouse hooks.
6. BlockInput does not work with all windows.
7. And maybe more.

This should not be a big problem, because normally most programs don't run as administrator.
Administrative programs usually are used briefly and don't need to be automated. However, currently
there are quite a few non-Vista-aware programs that don't work without administrative privileges. For
example, if a program saves files in its home directory, which usually is in Program Files, it must run as
administrator.

Possible workarounds (QM): 1. In Properties, check "Run in separate process" and select Administrator.
2. Run QM as administrator. 3. Turn off UAC.

Possible workarounds (exe): 1. Run exe from QM: in Properties check "Run in separate process" and
select As QM (if QM runs as administrator or uiAccess) or Administrator. If you need to launch it from
e.g. the desktop, create a shortcut to run the macro (in Properties). Of course, QM must be installed. 2. Set
uiAccess="true" in the manifest, and sign the exe file. It works well on any computer (QM is not
needed). Read more about signing in the make exe topic. 3. Run exe as administrator. It requires
consent, unless exe is started from another program that is running as administrator. 4. If possible, don't
run target programs as administrator. 5. Turn off UAC.
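
Workaround 2 above depends on the requestedExecutionLevel element of the application manifest. The following is an added example, not code from QM or from the original help topic: it parses a manifest and sorts the program into a review bucket, so that executables asking for uiAccess (and therefore needing a signature) or for elevation can be listed. The bucket names and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def requested_execution(manifest_xml):
    """Return (level, ui_access) from an application manifest, or None if it has
    no requestedExecutionLevel element (a manifest that is not UAC-aware)."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # trustInfo is seen under the asm.v2 and asm.v3 namespaces: match the local name.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            ui_access = el.get("uiAccess", "false").strip().lower() == "true"
            return el.get("level"), ui_access
    return None


def classify(manifest_xml):
    """Bucket a manifest: 'uiaccess', 'elevates', 'standard' or 'no-trustinfo'."""
    req = requested_execution(manifest_xml)
    if req is None:
        return "no-trustinfo"
    level, ui_access = req
    if ui_access:
        return "uiaccess"   # can interact with higher IL windows; the exe must be signed
    if level in ("requireAdministrator", "highestAvailable"):
        return "elevates"   # requests administrator privileges at start
    return "standard"


# Constructed manifests for illustration.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="{ui}"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
UIACCESS_MANIFEST = TEMPLATE.format(level="asInvoker", ui="true")
ADMIN_MANIFEST = TEMPLATE.format(level="requireAdministrator", ui="false")
LEGACY_MANIFEST = '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'

if __name__ == "__main__":
    for name in ("UIACCESS_MANIFEST", "ADMIN_MANIFEST", "LEGACY_MANIFEST"):
        print(name, classify(globals()[name]))
```
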

Vista bugs

1. uiAccess programs cannot open folders using ShellExecute[Ex] if "Launch folder windows in a
separate process" is checked in Control Panel -> Folder Options -> View. It is unchecked by
default. The run command, which uses ShellExecuteEx, uses a workaround for this. However it
will fail in exe running with uiAccess privileges (exe can run with uiAccess privileges only if
launched by QM or marked as uiAccess in manifest). Also, if you use ShellExecute[Ex] or other
functions that call it, they will fail. Possible workarounds: 1. Uncheck the checkbox. 2. If QM is
running as uiAccess, and "Run in separate process" is checked in Properties, select something
other than As QM. 3. Use run "explorer.exe" "folder" instead of run "folder". 4.
Turn off UAC.
2. QM cannot load some type libraries (maybe about 1%) because they are incorrectly registered.
The OLE/COM Object Viewer also cannot open these type libraries. Possible workarounds: 1. If
possible, with typelib use path instead of GUID. 2. Edit the registry: remove double quotes from
type library path.
3. Since Vista SP1, when editing a scheduled task in QM, every time you press OK or Apply it
shows a password dialog. Click Cancel.
4. And maybe more.

Other problems on Vista

1. Scheduled tasks can be configured either for Vista or for XP/2000/2003. QM creates and
recognizes tasks configured for XP/2000/2003. You should edit QM-created tasks only from
QM. If you convert a task to the Vista format, it still works (starts the macro), but QM does not
recognize it, and you must not try to edit it through QM.
2. Scheduled tasks created while UAC is turned off have two problems: 1. They cannot be managed
from QM while UAC is on and QM is not running as administrator. 2. 'Run with highest
privileges' is checked. These problems appear only when you turn on UAC. Scheduled tasks created
while UAC is on don't have these problems. Scheduled tasks created while QM runs as another
user (runs as administrator from a user account) also have these problems, even if UAC is on.

64-bit Windows

Although QM is a 32-bit program, it runs well on 64-bit Windows. There are some differences. On 64-bit
Windows, there are separate System and Program Files folders for 64-bit and 32-bit programs. It does
not break macros written on 32-bit Windows. Special folder "$program files$" expands to the 32-bit
folder ("Program Files (x86)"). Special folder "$system$" expands to the 64-bit folder path
("C:\Windows\System32"), but the 32-bit folder ("C:\Windows\SysWOW64") is actually used. That is, the
run command most of the time will launch 32-bit versions of programs. Also, there are separate registry
locations for 32-bit programs. It does not break macros written on 32-bit Windows.
