How to read the text inside a credential / UAC prompt?

Question

Is there a way to read the text inside a credential / UAC prompt? The aim is to identify the name of the application which causes the UAC prompt.

In this attached image, the prompt shows up with name of the application which initiated it (outlook in this case). How to identify the application source with PowerShell or with any script? Already tried reading the auditing logs (event 4688), which was useful. However, that cannot specifically narrow down the source of the UAC prompt.

Answer 1

You can do it; but you shouldn't.

Normally the UAC prompt is shown on a secure desktop so that applications cannot read/write/programatically push buttons of the prompt (as it would defeat the entire point)

But for the purposes of screen-readers and the like, there are things you can do:

• first you have to manifest your application for uiAccess
• but in order for Windows to honor that manifest flag
• the application must be run from a "protected location" (e.g. Program Files)
• and it must be digitally signed

On top of that, User-Interface Privilege Isolation (UIPI) prevents a "medium" integrity process from trying to send messages (e.g. WM_MOUSEDOWN WM_GETTEXT) to the "high" integrity UAC window

But if the program that is monitoring the screen for UAC prompts, running in Program Files, with uiAccess enabled, is also running as administrator, then you can programatically send WM_GETTEXT messages.

But do the right thing instead

Instead of waiting for an application that has been manifested as requireAdministrator to show a UAC prompt when lauched: change it's manifest to run asInvoker.

That way it won't run as an administrator.