Strange UAC prompts led me to search the web and I landed on the Wix Toolset. Looking for information.

[rmscode]

Hey there. I work in IT and a user for two weeks in a row was prompted by UAC for elevated credentials. Same day of the week and approximate time btw. I'll have to look in the task scheduler.

Before nuking the machine and reinstalling Windows, I'm trying to figure out what this is. The contents of the UAC prompt can be seen below:

Verified publisher: .NET

File origin: Hard drive on this computer

Program location: "C:\Users\USER~1\AppData\Local\Temp\{0959F622-867D-48DD-8441-550208B3C33A}\.be\windowsdesktop-runtime-8.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{5C23EC4F-0942-44A8-A95D-89AC9A333E5C} {4C9FD60A-8137-42C4-8E0A-971482057F3E} 19976

Searching for BurnPipe had actually led me to a sourceforge thread first...thats what prompted me to start looking into the "WiX Toolset". I'm not a programmer but I have noticed that WiX is backed by the .NET foundation which was a little relieving. However, being that it is a "toolset", I guess it could be used in the development of any .NET/windows installer project...even nefarious ones.

Should I be worried or is this part of some regular update process to the .NET framework?

---

Update: Appears to be related to a scheduled task for "Microsoft Compatibility Appraiser" among other things like OneDrive. My colleague and I have the same scheduled tasks on our machines. Feeling less paranoid now, but now I wonder why this user is getting UAC prompts while we are not.

[wmanning]

Appears .net runtime uses the wixtoolset (burn/bundle in particular). Should talk to them.
https://dotnet.microsoft.com/en-us/download/dotnet/8.0

Basically Wixtoolset can be used to create two things: MSI packages or bundles (executables that can install one or more packages (MSI, MSU, other EXEs, ...).

The burnpipe is how bundles communicate with each other securely. Don't know much details though. Sometimes a bundle might upgrade another bundle (like an MSI does) or a bundle contains child bundles to install.

[rmscode]

Thanks for that info.