> Why the help viewer does anything as NT AUTHORITY\SYSTEM is beyond me.
I don't get it either. From poking around in Process Explorer, the help viewer window isn't its own process; it's still part of "7zFM.exe", which is running at medium integrity (not admin). Don't know where the high integrity context is coming from.
I wonder if it's silent elevation, in which case just putting UAC on "always ask" is good enough (and what I do anyway).
The PoC video showed that the current user isn't in the "Administrator" group (though there is another user "zeroday" in there), which makes it look like not a simple UAC bypass. Or perhaps I misunderstood something.
Pretty much every other CHM viewer than the original one has multiple issues displaying CHM files properly or at all.
Even Free Pascal and Lazarus that use their own tools to both produce and view CHM files (Lazarus has its own cross-platform CHM implementation) have their own CHM files working better with the Microsoft CHM viewer than their own viewer.