Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverFlow original: http://stackoverflow.com/questions/8134195/

Time: 2020-09-15 18:28:10  Source: igfitidea

Which events are triggered on a UAC prompt?

Tags: windows, events, directshow, uac

Asked by House Sparrow

Are there any windows events triggered when a UAC elevation prompt is shown? I've looked at SwitchDesktop, but can't see any mention of how to receive notifications.

My DirectShow app is behaving badly, and I'd like to be able to pause the graph when the prompt is displayed, resuming when dismissed.

I'm using C++ with MFC, VS2008, targeting XP, Vista and 7.

Many thanks

Answered by Alexey Ivanov

I'm not sure there are any events sent when UAC prompt displays. Basically it makes a screenshot of the desktop, and switches to another session where UAC prompt window is displayed.

Answered by Geraint Davies

When the UAC switches desktops, your graph will receive a device-lost event raised by the renderer (EC_DEVICE_LOST or something like that). You can override the default handling for this, but if you don't, the default handling will stop, disconnect and reconnect the renderer (so it can reacquire the device) and then seek to the previous position and restart. You could also put the renderer in a separate graph using a bridge, so that your capture is not interrupted.

G

Answered by YoniXw

This was answered in another thread here (superuser). The solution name is: UAC Auditing.

Source: https://superuser.com/questions/273236/reason-for-user-account-control-dialog

Edit for essential part: (Summary of the URL above)

UAC Auditing is done by changing Windows policy (Local\Group). The policy of interest is found at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit Privilege Use will give you information about elevated usage using the UAC consent.exe dialog box in the System Event log. The Event IDs created by this: 4648 and 4624.

Audit Process Tracking will give you information about processes and their creation/termination. Event ID created by this: 4688.

Also, look at event ID 4696 to see when a new token (user-logon handle) was assigned to a process. Using all these events, you can get a clear picture of the timeline for every process that requested elevated rights with the UAC dialog.

Here is a site containing a short summary for every Event ID in the System Event log:

Description of security events in Windows 7 and in Windows Server 2008 R2: http://support.microsoft.com/kb/977519

Edit 2: Not all Windows versions have a Policy editor included (like Windows 7 Home Premium). However, Local Audit Policy editor (not Group Policy) is accessible in Windows 7 Home Premium with Auditpol.exe and on Windows XP SP2 with Auditusr.exe

For more information about using Auditpol.exe see here: http://technet.microsoft.com/en-us/library/a02cfb9d-732f-4e77-aeba-f18265daa3af
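
One way to apply the audit settings and read back the event IDs listed in the answer above, as an added example that is not part of the original answers. It assumes an elevated PowerShell session on an English-locale system, that the events are read from the Security log, and that the Logon subcategory and the TokenElevationType value %%1937 behave as Microsoft documents them; variable and property names are illustrative.

```powershell
# Added example, not from the original answers. Run in an elevated PowerShell session.
# Category/subcategory names are the English-locale names auditpol.exe accepts.
auditpol /set /category:"Detailed Tracking" /success:enable   # "Audit Process Tracking": 4688, 4696
auditpol /set /category:"Privilege Use" /success:enable       # "Audit Privilege Use" from the answer
auditpol /set /subcategory:"Logon" /success:enable            # assumption: 4624/4648 are documented under Logon

# Read the four event IDs from the Security log for the last hour.
$filter = @{ LogName = 'Security'; Id = 4624, 4648, 4688, 4696; StartTime = (Get-Date).AddHours(-1) }
# With no matching events Get-WinEvent raises an error; suppress it and get $null instead.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$timeline = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Each event type names the process of interest in a different field.
    switch ($e.Id) {
        4688    { $procId = $data['NewProcessId'];    $image = $data['NewProcessName'] }
        4696    { $procId = $data['TargetProcessId']; $image = $data['TargetProcessName'] }
        default { $procId = $data['ProcessId'];       $image = $data['ProcessName'] }
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        ProcessId = $procId          # hex string as logged
        Image     = $image
        # %%1937 = TokenElevationTypeFull: the process received the elevated token (4688 only).
        Elevated  = ($data['TokenElevationType'] -eq '%%1937')
        # consent.exe is the UAC dialog process; its 4688 marks when a prompt was shown.
        UacPrompt = ($e.Id -eq 4688 -and $image -like '*\consent.exe')
    }
}

# Chronological view; sort by ProcessId, Time instead to follow a single process.
$timeline | Sort-Object Time | Format-Table -AutoSize
```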