The UAC section of an application’s manifest contains two simple settings under the <requestedExecutionLevel> element of the <requestedPrivileges> node:
- level – asInvoker, requireAdministrator, or highestAvailable. This setting controls whether the application will require elevation before it runs.
- uiAccess – true or false. This setting determines whether the application will be exempt from the UIPI (User Interface Privilege Isolation) rules introduced as part of the Windows Integrity Mechanism, i.e. whether it may send window messages to and drive the UI of higher-integrity processes.
If you really need the uiAccess attribute (and you should be thoroughly convinced that you understand why you need it before proceeding), then your executable must carry a valid Authenticode signature that chains to a trusted root, and, by default, it must reside in one of the secure locations, namely \Program Files, \Program Files (x86), or \Windows\System32.
The secure-location requirement can be relaxed through Group Policy (the “User Account Control: Only elevate UIAccess applications that are installed in secure locations” setting; see the screenshot below), but there’s no policy that lets you skip the signature check.
If your application doesn’t comply with these requirements but the manifest still contains the uiAccess=true setting, your process will fail to launch with the cryptic “A referral was returned from the server” error message:
This isn’t the friendliest way of saying that there’s something wrong with your UAC manifest setting, but that’s why I’m writing this post.
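As an added example (not code from the original post), here is a PowerShell pre-flight check that runs through the requirements above before you ever hit that error: it parses a manifest, reads the two attributes on <requestedExecutionLevel>, and, when uiAccess="true", verifies the secure-location rule, the Authenticode signature, and the state of the Group Policy setting that relaxes the location rule. The manifest embedded as a sample is constructed for illustration, and the default executable path (C:\Program Files\Contoso\Helper.exe) is hypothetical; point the script at your own binary and manifest.

```powershell
# Added example, not part of the original post.
# Pre-flight check for a manifest that requests uiAccess="true".
param(
    [string]$ExePath = 'C:\Program Files\Contoso\Helper.exe',  # hypothetical path, replace with yours
    [string]$ManifestPath = $null                              # optional: external .manifest file
)

# Constructed sample manifest showing the two attributes under requestedExecutionLevel.
$sampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

if ($ManifestPath) { [xml]$manifest = Get-Content -Raw -Path $ManifestPath }
else               { [xml]$manifest = $sampleManifest }

# trustInfo may live in the asm.v2 or asm.v3 namespace, so match on the local name only.
$rel = $manifest.SelectSingleNode('//*[local-name()="requestedExecutionLevel"]')
if (-not $rel) {
    Write-Warning 'No requestedExecutionLevel element found; level defaults to asInvoker and uiAccess to false.'
    return
}
$level    = $rel.GetAttribute('level')
$uiAccess = $rel.GetAttribute('uiAccess')
Write-Host "level=$level uiAccess=$uiAccess"

if ($uiAccess -ne 'true') {
    Write-Host 'uiAccess is not requested; no signature or location requirements apply.'
    return
}

$problems = @()

# 1. Secure location: \Program Files, \Program Files (x86) or \Windows\System32 (default policy).
$secureRoots = @(
    [Environment]::GetFolderPath('ProgramFiles'),
    [Environment]::GetFolderPath('ProgramFilesX86'),
    [Environment]::GetFolderPath('System')        # resolves to e.g. C:\Windows\System32
) | Where-Object { $_ }
$fullPath = [System.IO.Path]::GetFullPath($ExePath)
$inSecure = $secureRoots | Where-Object {
    $fullPath.StartsWith($_.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
}

# The "Only elevate UIAccess applications that are installed in secure locations" policy is
# backed by the EnableSecureUIAPaths value (1 = enforced, which is the default).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$secureUia = (Get-ItemProperty -Path $policyKey -Name EnableSecureUIAPaths -ErrorAction SilentlyContinue).EnableSecureUIAPaths
$locationEnforced = ($null -eq $secureUia) -or ($secureUia -ne 0)
if (-not $inSecure) {
    if ($locationEnforced) { $problems += "not in a secure location: $fullPath" }
    else { Write-Warning "Outside a secure location, but EnableSecureUIAPaths=0 relaxes that rule on this machine." }
}

# 2. Authenticode signature: must be present and chain to a trusted root. No policy waives this.
if (Test-Path -Path $ExePath) {
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    if ($sig.Status -ne 'Valid') { $problems += "signature status is '$($sig.Status)' ($($sig.StatusMessage))" }
    else { Write-Host "signed by: $($sig.SignerCertificate.Subject)" }
} else {
    $problems += "file not found, cannot verify signature: $ExePath"
}

if ($problems.Count -eq 0) {
    Write-Host 'OK: uiAccess=true requirements are satisfied.'
} else {
    Write-Host 'uiAccess=true will fail to launch ("A referral was returned from the server"):'
    $problems | ForEach-Object { Write-Host "  - $_" }
}
```

Run it as `.\Check-UiAccess.ps1 -ExePath 'C:\Program Files\MyApp\MyApp.exe' -ManifestPath .\MyApp.exe.manifest` from an elevated or normal prompt; reading the policy value needs no elevation. If you embed the manifest as a resource instead of shipping a side-by-side file, extract it first (for example with mt.exe) and pass the extracted XML, since the script parses a manifest file rather than the PE resource table.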