Simple Question: Is there a way to only ask for administrative privileges if you run the application on Windows 8?
The only method I saw so far is calling an external program to kill and reopen it with admin privileges, if it is on Windows 8. By external program I mean a vb script for example.
But this method is really unsafe and kind of dirty.
I'm asking because on Windows 8 there are a lot of little things that you can't do anymore without admin rights. Like write/delete files in the program files folders and accessing/manipulating other processes that have admin rights.
To the best of my knowledge, there is no way for a process running without an elevated token to become elevated. It can launch a new process elevated using ShellExecute with the "runas" verb (see http://blogs.msdn.com/b/vistacompatteam/archive/2006/09/25/771232.aspx). Of course a UAC prompt will show. If you really want to detect Windows 8 and only have the UAC prompt come up there and not on Windows 7, you can write a wrapper over your main application which launches your main application with UAC prompt on Win8.
Related
I have a program that monitors malicious files and deletes them. However it needs administrator rights to run. This program runs at startup, however the UAC popup is annoying for end users, especially if it appears every time the user logs in. Anyway, I am wondering if there is a way to run the program with administrator rights at startup without nagging the user with the UAC popup.
P.S: Disabling UAC is not a good idea because of security issues for the users.
You cannot. Windows Vista (thankfully) blocked applications on startup that tried to elevate. Windows 7 removed the block, causing applications to try to do it.
Your best choice is to:
add a Scheduled Task to run your application "At system startup", and have it run "With highest privileges available"
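The scheduled-task approach from the answer above, as an added example that is not part of the original post. The task name, the executable path and the choice to run as SYSTEM are assumptions. It first checks that only trusted accounts can modify the binary or its folder, because a task that runs elevated from a user-writable path hands that user the task's rights. Run it from an elevated PowerShell on Windows 8 / Server 2012 or later, where the ScheduledTasks cmdlets exist.

```powershell
# Added example. Task name and path are constructed placeholders.
$ErrorActionPreference = 'Stop'   # fail closed if an ACL cannot be read
$TaskName = 'MalwareMonitor'
$ExePath  = 'C:\Program Files\MalwareMonitor\monitor.exe'

# Accounts allowed to modify the binary: SYSTEM, Administrators, TrustedInstaller.
$Trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Rights that let a principal replace or re-permission a file or its folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')

function Get-UntrustedWriter {
    param([string]$Path)
    # Emits accounts outside $Trusted that hold an effective Allow ACE with write-type rights.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ("$($ace.PropagationFlags)" -match 'InheritOnly') { continue }  # not effective here
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($Trusted -notcontains $sid) { $ace.IdentityReference.Value }
    }
}

# Check the executable and its parent folder before trusting them with elevation.
$writers = @($ExePath, (Split-Path -Parent $ExePath)) |
    ForEach-Object { Get-UntrustedWriter -Path $_ }
if ($writers) {
    throw "Not registering '$TaskName': writable by $($writers -join ', ')"
}

# "At system startup" with "highest privileges"; running as SYSTEM is an assumption.
$action    = New-ScheduledTaskAction -Execute "`"$ExePath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger $trigger -Principal $principal
```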
I wrote an application using Qt under Windows 7. The application starts up with normal user privileges, but I want to gain the Administrator privileges because I want to modify the registry to auto-start the application.
How could I do this?
Take a look at the MSDN sample: UAC self-elevation (CSUACSelfElevation)
Also, Wikipedia actually has a pretty good reference including information on the ShellExecuteEx() "runas" verb and application manifest for elevation requests.
You should embed the correct manifest in your exe:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb756929.aspx.
I know, you said using win32 API, but consider this standard and recommended way.
You do not need administrator privileges to autostart your application.
Simply write the appropriate keys to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
which does not require administrator privileges (unlike the same path under HKEY_LOCAL_MACHINE).
To auto-startup the application, you don't need admin rights! Instead of adding the registry key under HKLM (where you need admin rights), use HKCU and you're fine.
Note that privileges cannot be changed while the program is running. It has to be killed and restarted with the correct privileges.
To make an application auto start in HKLM, the administrative privilege is needed. But the privilege of an application could not change while running.
So I made a new small application whose only task is to write the registry to make the main application auto start.
The main application could call this application with ShellExecuteEx to require administrative privilege.
Well, I noticed that on Windows 7, sometimes even when you are an administrator, you can't do a lot of things. Probably it's some sort of bug. In my application I check if a user is an administrator before starting the program, because my program creates files in folders that are protected by default, like the root folder (C:), and if you aren't an administrator on Windows 7, you can only create folders there.
So if I right click in my application and go "Run as Administrator", it just works fine.
Is there a way to make my application run as administrator automatically? I would like to be able to make a line of code like: ActivateAdministrator(); and be available for the code completely, because I change attributes, create files with ifstream.
You could add a manifest to your executable - http://msdn.microsoft.com/en-us/library/bb756929.aspx
If the user is running on a system with the UAC switched on, and is not an administrator, a manifest which contains requestedExecutionLevel level="requireAdministrator" will produce a prompt for the Administrator password before your application can run with administrative privileges. (Requiring administrator privileges means that an incorrect password or no password will stop it from running altogether.)
If they are an administrator with the UAC switched on, then that same manifest will cause a Yes/No prompt to ask whether your application should be granted administrative privileges.
Of course, the real issue is that whatever your application is doing which requires administrative privileges needs to be examined.
Most of the time the privilege is simply not required for normal user-level applications. This is an application design issue really - what is your application doing which requires admin privileges? Is it really necessary? E.g. if you're modifying files, then why are those files in a protected area on the file system instead of in the user's profile space?
You might find the Windows Dev Center article on Privileges helpful, specifically Enabling and Disabling Privileges in C++.
Although this is in C#, it might be easier for you, I don't know. What I did was to Detect if running as Administrator with or without elevated privileges?, and if not, rerun the current process while requesting administrative access (which, if the UAC is enabled, would do a popup to the current user and ask if it is ok for the program to run with administrative privileges).
Then some simple (but C# code) looks like:
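// UAC is a class from the previous link on SO
// Requires: using System.Diagnostics; using System.Reflection;
if (!UAC.IsCurrentProcessElevated())
{
    // Not elevated: relaunch this executable and request elevation through UAC
    string currentProcess = Assembly.GetEntryAssembly().Location;
    // Note: a plain join does not re-quote arguments that contain spaces
    string arguments = string.Join(" ", this._Args.ToArray());
    ProcessStartInfo startInfo = new ProcessStartInfo(currentProcess, arguments);
    startInfo.UseShellExecute = true; // the "runas" verb is only honoured via ShellExecute
    startInfo.Verb = "runas";
    Process.Start(startInfo);
}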
The un-elevated process would quit, with a new one started that requested administrative privileges.
I need the ability in C++ code to log off the console user when called from an administrator process or if it is called by that user and maybe a Windows service in the future. The issue I am running into is that ExitWindowsEx will only log off the user that calls it. If an administrator process calls a logoff the console user is unaffected. The only application that I know of that can do this is psShutdown.exe, except that psShutdown can only be run by the administrator. Does anyone know in C++ how to identify the console user and then do a logoff against that user? What is the magic inside psShutdown? I'm looking for something that works in Windows XP and up. Also I cannot use WMI because some machines are running Windows Embedded and do not have WMI.
(The reason psShutdown.exe must be run as administrator is because it installs a service and a normal user does not have the rights to do this.)
Use WTSGetActiveConsoleSessionId to identify the console session, but to go further you are going to need some permissions, you would have to call WTSQueryUserToken (You need to run as SYSTEM to do this) to get a token handle and then CreateProcessAsUser or impersonate and call ExitWindowsEx, or if you are not in a service, call WTSLogoffSession. (I tried calling WTSLogoffSession on my XP box and it did not work, probably because the terminal server service is not running on this system)
I have never actually done this, but it seems like it should be possible with the combination of WTSGetActiveConsoleSessionId() and WTSLogoffSession()
I'm doing some crazy impersonation stuff to get around UAC dialogs in Windows 7 so the user does not have to interact with the UI (I have the admin creds of course).
I have a process running as the Administrator and elevated past UAC. The issue that I'm facing is that when I make a call to WNetAddConnection2, within this process, I am not getting a new mapped net drive. The function returns ERROR_SUCCESS but no net drive is visible. We have another method of adding network drives using 'subst' but this, again, returns successful but does not add a net drive. I have tried to use the default user (which is the Administrator because of the process's security context) and I have tried using specific user credentials. I can map the drive just fine through Explorer.
Of course the same functionality works fine in XP/2003. I haven't got around to testing on Vista because of issues with impersonation that are limiting my ability to spin up the process. Are there unique Windows 7 limits on this function? MSDN does not glean any that I can find.
Any help would be greatly appreciated!
The issue was that the process was running as Administrator. Impersonation will not work because WNetAddConnection2 evaluates on the process's user. You must start a separate process to accomplish this.