Do not automatically update on systems where UAC is disabled #567

Closed
valinet opened this issue Dec 15, 2021 · 1 comment
Labels
bug Something isn't working enhancement New feature or request fixed investigating

Comments

@valinet
Owner

valinet commented Dec 15, 2021

EP update files are ShellExecuteEx'd with the runas verb (i.e. elevated), because they need to update files in system folders etc.

As the registry entry for automatic updates is located in HKCU, any application can potentially hijack it and have the updater in EP download and execute an arbitrary file from the Internet as an administrator, and even at logon when the update policy is set to "Prompt to install available updates".

On UAC enabled systems, this is not a security problem, because UAC will prompt the user for confirmation before elevating the application. The message displayed by UAC is specially created by EP to contain the URL from which the file was downloaded, allowing the user to quickly and reliably verify the source and authenticity of the update.

The problem is on systems where UAC is disabled, as that executes the downloaded file automatically and elevates it immediately, since there is no UAC prompt to potentially prevent that. This scenario is a security issue.

The fix proposed is to use the undocumented CheckElevationEnabled API call to verify whether UAC is enabled. If it is not, before executing the update file, display a message similar to what the UAC prompt would show, allowing the user to cancel the update if something hijacked the download location.

@valinet valinet added bug Something isn't working enhancement New feature or request investigating labels Dec 15, 2021
@valinet valinet changed the title Do not automatically install on systems without UAC Do not automatically update on systems without UAC Dec 15, 2021
@valinet valinet changed the title Do not automatically update on systems without UAC Do not automatically update on systems where UAC is disabled Dec 15, 2021
@valinet
Owner Author

valinet commented Dec 15, 2021

Implemented.

In addition to CheckElevationEnabled, the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin also indicates that a UAC prompt won't be displayed when an application would be elevated.

@valinet valinet added the fixed label Dec 15, 2021
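The two checks discussed in this thread, the CheckElevationEnabled call proposed in the opening post and the ConsentPromptBehaviorAdmin policy value noted in the follow-up, combined into one probe that answers the question the updater cares about: will a runas elevation actually show a UAC prompt on this machine? This is an added example, not ExplorerPatcher's own code. It assumes the documented policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA and ConsentPromptBehaviorAdmin) and an assumed P/Invoke signature for the undocumented kernel32 export, DWORD CheckElevationEnabled(BOOL*), which is tried and ignored if it fails to bind. The Get-UacPolicy, Test-UacWillPrompt and Test-CheckElevationEnabled function names are the example's own.

```powershell
# Added example (not ExplorerPatcher's code): decide whether a runas request
# will show a UAC prompt, using the policy registry values plus the
# undocumented CheckElevationEnabled export.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Read the two policy values; fall back to the Windows defaults when a
    # value is absent (EnableLUA=1, ConsentPromptBehaviorAdmin=5).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $consent   = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    [pscustomobject]@{
        # 0 = UAC switched off entirely (a change here needs a reboot to apply)
        EnableLUA                  = $enableLua
        # Admin Approval Mode behaviour for administrators:
        # 0 = elevate without prompting, 1/3 = prompt for credentials,
        # 2/4 = prompt for consent, 5 = prompt for consent for non-Windows binaries (default)
        ConsentPromptBehaviorAdmin = $consent
    }
}

function Test-UacWillPrompt {
    param([pscustomobject]$Policy = (Get-UacPolicy))
    # UAC disabled: runas elevates silently, no prompt can carry the download URL.
    if ($Policy.EnableLUA -eq 0) { return $false }
    # "Elevate without prompting": UAC is on, but admins are never asked.
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) { return $false }
    return $true
}

function Test-CheckElevationEnabled {
    # ASSUMPTION: undocumented kernel32!CheckElevationEnabled(BOOL *pResult)
    # returning a Win32 error code (0 on success). Returns $null if the
    # binding fails so the registry-based check remains authoritative.
    try {
        $sig = '[DllImport("kernel32.dll")] public static extern uint CheckElevationEnabled(out int pResult);'
        $k32 = Add-Type -MemberDefinition $sig -Name 'Uac' -Namespace 'ProbeExample' -PassThru
        $r = 0
        if ($k32::CheckElevationEnabled([ref]$r) -eq 0) { return [bool]$r }
    } catch { }
    return $null
}

# Usage: warn when an elevated launch would run with no user confirmation.
$policy = Get-UacPolicy
$api    = Test-CheckElevationEnabled
if (-not (Test-UacWillPrompt $policy) -or $api -eq $false) {
    Write-Warning ("runas will elevate without a UAC prompt " +
        "(EnableLUA=$($policy.EnableLUA), ConsentPromptBehaviorAdmin=$($policy.ConsentPromptBehaviorAdmin), " +
        "CheckElevationEnabled=$api); an updater must show the download URL and ask for confirmation itself.")
} else {
    "UAC will prompt before elevation; the prompt can carry the download URL for the user to verify."
}
```

Two caveats a practitioner should keep in mind: ConsentPromptBehaviorAdmin governs administrators in Admin Approval Mode only, so for a standard user account the relevant value is ConsentPromptBehaviorUser and the runas verb produces a credential prompt instead; and the registry reflects configured policy, whereas an EnableLUA change only takes effect after a reboot, so a pure registry read can disagree with the live state of the session that is about to launch the update.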