Insert COM Classes

A COM elevation is a form of elevation that is typically initiated from Explorer when an integrated task requires administrator rights. Explorer uses COM to launch the task with admin rights, without having to elevate Explorer itself. Every COM class has a unique identifier, called a CLSID, that is used to launch the task.

COM tasks usually trigger a Windows UAC prompt because they need administrative privileges to proceed. Endpoint Privilege Management for Windows allows you to target specific COM CLSIDs and assign privileges to the task without granting full administration rights to the user. COM-based UAC prompts can also be targeted and replaced with custom messaging, where COM classes can be allowed and/or audited.

  1. Select the Application Group you want to add the COM Class to.
  2. Right-click and select Insert Application > COM Class.
  3. Enter a Class ID (CLSID) if required. Endpoint Privilege Management for Windows extracts information from this for the criteria if required. Alternatively, click Browse Class or Template.
  4. Enter a description if required. By default, this is the name of the application you're inserting.
  5. You need to configure the matching criteria for the executable. COM classes are hosted by a COM server DLL or EXE, so COM classes can be validated from properties of the hosting COM server. You can configure:
    • File or Folder Name matches
    • Drive matches
    • File Hash (SHA-1 Fingerprint) matches
    • File Hash (SHA-256) matches
    • Product Name matches
    • Publisher matches
    • CLSID matches
    • App ID matches
    • COM Display Name matches
    • Product Description matches
    • Product Version matches
    • File Version matches
    • Trusted Ownership matches
    • Application Requires Elevation (UAC): Match if Application Requires Elevation (User Account Control) is always enabled, as COM classes require UAC to elevate
    • Source URL matches
  6. You need to configure the Advanced Options for the application. You can configure:
    • Allow child processes will match this application definition
    • Force standard user rights on File Open/Save common dialogs
  7. Click OK. The application is added to the Application Group.
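
Because the matching criteria in step 5 are validated against the hosting COM server, it helps to see which DLL or EXE a CLSID resolves to before filling them in. The following PowerShell is an added example, not part of the product or its documentation: the function name Get-ComClassCriteria is hypothetical, and how each output field lines up with a criterion in the list above is an assumption to check against the values the console extracts.

```powershell
# Added example (hypothetical helper). Run on a reference machine where the class is registered.
function Get-ComClassCriteria {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $root = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $root)) { throw "CLSID $Clsid is not registered here." }
    $class = Get-Item -LiteralPath $root

    # The hosting COM server is registered under LocalServer32 (EXE) or InprocServer32 (DLL).
    $serverType = $null; $serverPath = $null
    foreach ($type in 'LocalServer32', 'InprocServer32') {
        if (-not (Test-Path -LiteralPath "$root\$type")) { continue }
        $raw = [string](Get-Item -LiteralPath "$root\$type").GetValue('')
        if (-not $raw) { continue }
        $raw = [Environment]::ExpandEnvironmentVariables($raw)
        # LocalServer32 may hold a quoted path followed by arguments; keep only the file path.
        if     ($raw -match '^\s*"([^"]+)"')              { $serverPath = $Matches[1] }
        elseif ($raw -match '^\s*(.+?\.(exe|dll))(\s|$)') { $serverPath = $Matches[1] }
        else                                              { $serverPath = $raw.Trim() }
        # Assumption: a bare file name (no directory) resolves from System32.
        if (-not [System.IO.Path]::IsPathRooted($serverPath)) {
            $serverPath = Join-Path "$env:SystemRoot\System32" $serverPath
        }
        $serverType = $type
        break
    }
    if (-not $serverPath -or -not (Test-Path -LiteralPath $serverPath -PathType Leaf)) {
        throw "No hosting COM server file found for $Clsid."
    }

    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($serverPath)
    $sig = Get-AuthenticodeSignature -LiteralPath $serverPath
    [pscustomobject]@{
        CLSID           = $Clsid
        ComDisplayName  = $class.GetValue('')        # default value of the CLSID key
        AppID           = $class.GetValue('AppID')
        ServerType      = $serverType
        ServerPath      = $serverPath
        SHA1            = (Get-FileHash -LiteralPath $serverPath -Algorithm SHA1).Hash
        SHA256          = (Get-FileHash -LiteralPath $serverPath -Algorithm SHA256).Hash
        ProductName     = $ver.ProductName
        FileDescription = $ver.FileDescription
        ProductVersion  = $ver.ProductVersion
        FileVersion     = $ver.FileVersion
        SignatureStatus = $sig.Status
        Publisher       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
```

Call it with the CLSID from the prompt you want to target, for example `Get-ComClassCriteria -Clsid '{00000000-0000-0000-0000-000000000000}'` (placeholder value). A SignatureStatus other than Valid means the Publisher value should not be relied on for matching.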