Insert COM Classes
COM elevations are a form of elevation which are typically initiated from Explorer, when an integrated task requires administrator rights. Explorer uses COM to launch the task with admin rights, without having to elevate Explorer. Every COM class has a unique identifier, called a CLSID, that is used to launch the task.
COM tasks usually trigger Windows UAC prompts because they need administrative privileges to proceed. Privilege Management for Windows allows you to target specific COM CLSIDs and assign privileges to the task without granting full administration rights to the user. COM based UAC prompts can also be targeted and replaced with custom messaging, where COM classes can be allowed, audited, or both.
- Select the Application Group you want to add the COM Class to.
- In the right pane, select Actions > Add Application > COM Class.
- We recommend that you add a Description so that you can identify the COM Class in the Application Group table. The Description is not used as matching criteria for the application definition. Alternatively, you can click the Template button to add a COM Class from a list of templates.
- You need to configure the matching criteria for the application. COM classes are hosted by a COM server DLL or EXE, so COM classes can be validated from properties of the hosting COM server. You can configure:
- File or Folder Name matches
- Drive matches
- File Hash (SHA-1 Fingerprint) matches
- Product Name matches
- Publisher matches
- CLSID matches
- App ID matches
- COM Display Name matches
- Product Description matches
- Product Version matches
- File Version matches
- Trusted Ownership matches
- Application Requires Elevation (UAC): Match if Application Requires Elevation (User Account Control) is always enabled, as COM classes require UAC to elevate
- Source URL matches
- You need to configure the Advanced Options for the application. You can configure:
- Allow child processes will match this application definition
- Force standard user rights on File Open/Save common dialogs
- Click OK. The application is added to the Application Group.