#70
I may have missed the lead up to your question.
If the program is an actual install program then you will get prompted (that "setup" information is contained in the program's manifest, not in its name). The list of names that are auto-identified as installers is in the registry somewhere. Just search for the string "setup.exe" and you'll find one or more settings.
Also, anything ".msi" will initiate and execute the "installer services" (there are two of them), which can elevate a lowly installer exe to "Act As System" (TCB) access.
That, by the way, can be disabled by removing all permissions from a file called WUDFHost.exe (Windows Universal Device Foundation Host I think, but I can't look at it right now).
Many programs take advantage of WUDFHost, through a component-based setup scheme called "ComSysApp" (Component As System Application) that allows user mode programs to install device drivers on the fly. Microsoft does it all the time.
And some not-so-trustworthy installers have copied Microsoft's example to give themselves NT AUTHORITY SYSTEM access during the setup phase. All you need to do is say "yes" at the UAC prompt. The Freemake company is one example I know of that does that and installs for itself eternal system-level access via components for use when needed.
- Alan