reason:
so that UAC won't virtualize file read/writes.

Why do you need one?

php can be used in any situations and inherits (or is set by) the UAC from the caller (in case of fcgi or another SAPI for example).

> Why do you need one?

as originally stated, to avoid Vista's (or 2k8's) virtualisation of the file system.

eg if from a script I attempt to write to c:\ProgramData\MyCompany\MyApp\file.ext and I don't have enough NTFS perms, then vista virtualises this into %USERPROFILE%\AppData\Local\VirtualStore\ProgramData\MyCompany\MyApp\file.ext instead of giving me an access denied error.

> inherits the UAC from the caller

no, but yes, but no.  it the caller is elevated, then yes the spawned task (php) inherits this elevation.  this is not the same thing that I am talking about though.  if an app has this manifest embedded, then no matter what the elevation status or what perms the user has, file and reg operations won't be virtulised.

..

note: this probably has very little relavence when run as cgi/fcgi on a webserver, but when running as a cli for misc scripts on my pc then it matters.

really there is no reason to not have one that I can see.

Hi,

php.exe, php-cgi.exe etc. of PHP 7.0.6 currently have the following manifest:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
   <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
       <application> 
           <!-- Windows Vista -->
           <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS> 
           <!-- Windows 7 -->
           <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
           <!-- Windows 8 -->
           <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
           <!-- Windows 8.1 -->
           <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
           <!-- Windows 10 -->
           <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
       </application> 
   </compatibility>
</assembly>


As the OP noted, this manifest misses a <requestedExecutionLevel level="asInvoker" uiAccess="false" /> element that a application normally should have.

Without this element, Windows (since Vista) enables file/registry virtualization because it thinks this is an old application that is not aware of the limited permissions that a non-admin user has. Note however that this only applies to 32-bit executables, not to 64-bit ones.

For example, if you rename "php.exe" to "phpsetup.exe", you will get an UAC icon and if you try to run it, the UAC dialog appears to elevate the process. This is because without the entry, Windows has to guess e.g. by the filename if the EXE is a Setup program that needs administrative rights.

Also, if you write a file to "C:\Program Files\myfile.txt" when running php.exe non-elevated, it will succeed, but the file is actually written to "C:\Users\<Username>\AppData\Local\VirtualStore\Program Files\myfile.txt".

When adding the <requestedExecutionLevel>, trying to write a file in that location would correctly fail instead of being redirected (and renaming php.exe to phpsetup.exe would not display an UAC icon).


Ideally, php.exe and php-cgi.exe's manifest should look like this (the <compatibility> is needed for correctly detecting the Windows version with APIs like GetVersionEx() since Windows 8.1):

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
            <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
                <requestedExecutionLevel level="asInvoker" uiAccess="false" />
            </requestedPrivileges>
        </security>
    </trustInfo>
    <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
        <application> 
            <!-- Windows Vista -->
            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS> 
            <!-- Windows 7 -->
            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
            <!-- Windows 8 -->
            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
            <!-- Windows 8.1 -->
            <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
            <!-- Windows 10 -->
            <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
        </application> 
    </compatibility>
</assembly>

"asInvoker" means that the application doesn't need to be elevated.

Thanks!