UAC question
-
I've got this app -- that wants to run with elevated priv's. I've added to the manifest: <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="highestAvailable" uiAccess="false"> </requestedPrivileges> </security> </trustInfo> Is it possible to make the app auto-start with elevation? The app can run without elevation... but in order to make use of some API's I need more rights. The question -- is there a way to register the app so that it's pre-approved to run elevated? I'd like if the user can approve it once and never be asked again? The app needs to run at the startup of the user session. I find that it won't start itself at login with this manifest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com) -
I've got this app -- that wants to run with elevated priv's. I've added to the manifest: <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="highestAvailable" uiAccess="false"> </requestedPrivileges> </security> </trustInfo> Is it possible to make the app auto-start with elevation? The app can run without elevation... but in order to make use of some API's I need more rights. The question -- is there a way to register the app so that it's pre-approved to run elevated? I'd like if the user can approve it once and never be asked again? The app needs to run at the startup of the user session. I find that it won't start itself at login with this manifest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com)Peter Weyzen wrote:
Is it possible to make the app auto-start with elevation?
There is an autoElevate flag but it seems that it only works for certain executables signed by Microsoft. I do not know if Microsoft plans on supporting auto-elevation for signed third-party applications.
Peter Weyzen wrote:
The question -- is there a way to register the app so that it's pre-approved to run elevated? I'd like if the user can approve it once and never be asked again?
No thats not how UAC elevation is implemented. Best Wishes, -David Delaune
-
Peter Weyzen wrote:
Is it possible to make the app auto-start with elevation?
There is an autoElevate flag but it seems that it only works for certain executables signed by Microsoft. I do not know if Microsoft plans on supporting auto-elevation for signed third-party applications.
Peter Weyzen wrote:
The question -- is there a way to register the app so that it's pre-approved to run elevated? I'd like if the user can approve it once and never be asked again?
No thats not how UAC elevation is implemented. Best Wishes, -David Delaune
I looked at autoElevate -- Microsoft looks quite restrictive on that, as most of their own apps aren't allowed to use it. Is my only recourse here to tell the user they "can't have it" unless they elevate it or disable UAC? Are there any runtime API's which I can call to request elevation of the process? Or, is it the case that the security mode cannot change once the app has started?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com) -
I looked at autoElevate -- Microsoft looks quite restrictive on that, as most of their own apps aren't allowed to use it. Is my only recourse here to tell the user they "can't have it" unless they elevate it or disable UAC? Are there any runtime API's which I can call to request elevation of the process? Or, is it the case that the security mode cannot change once the app has started?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com)In vista there are 2 modes, one is with UAC enabled (in which u r currently working) and other is UAC disabled. In 2nd case the OS will be running as without security and it will be possible for you to run ur application with required priviledges. But to make UAC disabled you need to have Admin rights. The code that you have provided is for manifest file and using this file it will prompt user to provide admin priviledges while running any application.
SNI
-
In vista there are 2 modes, one is with UAC enabled (in which u r currently working) and other is UAC disabled. In 2nd case the OS will be running as without security and it will be possible for you to run ur application with required priviledges. But to make UAC disabled you need to have Admin rights. The code that you have provided is for manifest file and using this file it will prompt user to provide admin priviledges while running any application.
SNI
to go a little further -- how does the whole world of UAC apply to services? How would a service go about getting admin priveleges?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com) -
I looked at autoElevate -- Microsoft looks quite restrictive on that, as most of their own apps aren't allowed to use it. Is my only recourse here to tell the user they "can't have it" unless they elevate it or disable UAC? Are there any runtime API's which I can call to request elevation of the process? Or, is it the case that the security mode cannot change once the app has started?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com)Peter Weyzen wrote:
I looked at autoElevate -- Microsoft looks quite restrictive on that, as most of their own apps aren't allowed to use it.
As it should be. :)
Peter Weyzen wrote:
Is my only recourse here to tell the user they "can't have it" unless they elevate it or disable UAC?
Correct. In my opinion the UAC changes are just as much a cultural change as a functional change. In my opinion both Windows users and developers have really bad habits. I have never hear any Unix/Linux develpers complain because they don't automatically have root access.
Peter Weyzen wrote:
Are there any runtime API's which I can call to request elevation of the process? Or, is it the case that the security mode cannot change once the app has started?
A process with a restricted token cannot impersonate a higher access level. You will have to deal with the UAC prompts if you continue to use functions which require administrative access. You could however use an elevated DCOM component or an out-of-process COM server with broker functions. Some documentation: Redesign for UAC Compatibility[^] How Access Tokens Work[^] The COM Elevation Moniker[^] Best Wishes, -David Delaune
-
Peter Weyzen wrote:
I looked at autoElevate -- Microsoft looks quite restrictive on that, as most of their own apps aren't allowed to use it.
As it should be. :)
Peter Weyzen wrote:
Is my only recourse here to tell the user they "can't have it" unless they elevate it or disable UAC?
Correct. In my opinion the UAC changes are just as much a cultural change as a functional change. In my opinion both Windows users and developers have really bad habits. I have never hear any Unix/Linux develpers complain because they don't automatically have root access.
Peter Weyzen wrote:
Are there any runtime API's which I can call to request elevation of the process? Or, is it the case that the security mode cannot change once the app has started?
A process with a restricted token cannot impersonate a higher access level. You will have to deal with the UAC prompts if you continue to use functions which require administrative access. You could however use an elevated DCOM component or an out-of-process COM server with broker functions. Some documentation: Redesign for UAC Compatibility[^] How Access Tokens Work[^] The COM Elevation Moniker[^] Best Wishes, -David Delaune
UAC is a good thing -- I think process security is an important thing. But think about me. I write backup software, and I want to add "volume shadow copy" support to my stuff. When UAC is in place, I am denied access to it to the shadow services... Is there a way the user can get backup rights without getting into the UAC mess? (for me it's a mess)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Peter Weyzen Staff Engineer [SoonR Inc -- PC Power delivered to your phone](http://www.soonr.com)