Deleted and reinstalled Malwarebytes 3.06 last night, and I noticed after reinstallation that when I open the program, UAC (using Windows 10) doesn't pop up anymore. I could almost swear it did before; the program just opens on double click, unless I run as admin, in which case it does pop up. Can someone running Windows 10 and the Malwarebytes free version verify that UAC doesn't pop up when opening the program normally? I am almost sure it did before.
On Win 8.1, UAC always popped up with MBAM v2, but this was probably a bug, because security tools shouldn't trigger UAC alerts. So it's actually a good thing.
I've tested it in a VM and I also don't get a UAC prompt (I've got it set to max). It seems that elevated actions are performed by its service. OTOH the service is stopped when MBAM is not running, so I still don't know how the program can start a service without admin credentials. Though when I close MBAM I do get a UAC prompt.
Verify using Process Explorer what integrity level MBAM is running at. If you're running as a limited admin and MBAM is running at medium integrity level, you will not receive a UAC alert since no privilege escalation is required.
Well, there are three components (processes) running with the application running in free mode. The GUI runs at medium integrity level, so it doesn't need UAC approval. When the application is launched, the Malwarebytes service is started (System integrity level), which also launches mbamtray.exe (medium integrity level). To me the only "mystery" is how the MBAM service is started with no UAC prompt. The service has the Manual startup type and runs only when the application is launched. There is no scheduled task to suppress the UAC prompt. If I try to run the service manually, I need admin rights. There is also the MBAMSwissArmy driver loaded, but I don't know if drivers can launch services... When the app is closed, mbamtray tries to shut down the service, which is why I get a UAC prompt.
Some services can be switched from "Manual" to "Running" without admin rights, but for stopping services admin rights are always needed. It can also depend on which manual startup type the service has: "Manual" or "Manual (trigger start)". If the service has the startup type "Manual (trigger start)", the service can be started via a "trigger". Launching an application can lead to the starting of a service, or similar triggers, so admin rights might not be needed for starting these services.
OK, no trigger start available, and for starting the service admin credentials are needed... but "GUI runs at medium integrity level / MBAM service is started with no UAC prompt". It still remains a mystery.
I believe this might be the answer. Note the underlined portion: Starting with Windows 7, certain executables auto-elevate (no UAC prompt under the default setting). They pretty much have some common characteristics, such as being digitally signed, are located in %System32% and/or are instanced from a trusted Windows executable. Svchost.exe is a trusted Windows executable.
Yes, this might be the case, but the MBAM service executable is not located in %System32% (it's in the Program Files folder) and is also not run by svchost.exe; its executable is run as a service and it doesn't use Windows' service host.
I misspoke; mbamservice.exe is probably running just like Eset's service is in the below screenshot. It's running under services.exe, which is a trusted Windows system process. It doesn't matter where the actual physical location of the .exe is, as long as it is installed initially as a service in the registry. That's the reason why malware loves to do the same.
Yes, you're right. I checked with Process Monitor and it is indeed run by services.exe. Its file is also accessed by svchost.exe and csrss.exe, but the process is created by services.exe. Will try to find the installer for an older version and see if anything changed in the latest versions.
Update: Version 2.2.1 requires admin rights when it's run. Versions 3.0.4, 3.0.5 and 3.0.6 don't need them.
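The remaining question in the thread (how a medium-integrity GUI can start a Manual service without a UAC prompt) comes down to the service's own security descriptor: whoever holds the SERVICE_START right (RP in SDDL) on that service can start it without elevation. The script below is an added example, not code from the thread or from Malwarebytes; it reads a service's trigger info and DACL as a standard user and lists which principals can start or stop it. The service name MBAMService is an assumption; check Get-Service for the actual name.

```powershell
# Added example: show who may start/stop a service without elevation.
# "MBAMService" is an assumed name; sc.exe sdshow/qtriggerinfo need no admin rights.
param([string]$ServiceName = 'MBAMService')

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
"Service {0}: Status={1} StartType={2}" -f $svc.Name, $svc.Status, $svc.StartType

# Trigger-start configuration: if triggers are listed, the SCM itself starts the
# service on an event, so no caller needs SERVICE_START at all.
"--- trigger info ---"
sc.exe qtriggerinfo $ServiceName

# Service DACL in SDDL, e.g. D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)
$sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
if (-not $sddl) { throw "Could not read SDDL for $ServiceName" }

# Well-known SDDL SID abbreviations; anything else is resolved via .NET.
$known = @{ SY = 'SYSTEM'; BA = 'Administrators'; IU = 'Interactive users'
            AU = 'Authenticated users'; BU = 'Users'; WD = 'Everyone'; SU = 'Service logon' }

"--- ACEs: RP = SERVICE_START, WP = SERVICE_STOP, GA = generic all ---"
$acePattern = '\((?<type>A|D);[A-Z]*;(?<rights>[A-Z]*);;;(?<sid>[^)]+)\)'
foreach ($m in [regex]::Matches($sddl, $acePattern)) {
    $rights = $m.Groups['rights'].Value
    $sid    = $m.Groups['sid'].Value
    $who = if ($known.ContainsKey($sid)) { $known[$sid] } else {
        try { (New-Object Security.Principal.SecurityIdentifier($sid)).Translate(
                  [Security.Principal.NTAccount]).Value } catch { $sid }
    }
    # Two-letter right tokens never start with P, so 'RP'/'WP' cannot match across tokens.
    $canStart = $rights -match 'RP|GA'
    $canStop  = $rights -match 'WP|GA'
    "{0,-5} {1,-28} start={2,-5} stop={3}" -f $m.Groups['type'].Value, $who, $canStart, $canStop
}
```

An Allow ACE granting RP to Interactive users or Authenticated users explains a no-prompt start from the GUI, while the absence of WP for those same principals matches the UAC prompt seen when the tray process tries to stop the service.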