How does one run a program at startup that requires UAC elevation? - admin

I have a program that monitors malicious files and deletes them. However it needs administrator rights to run. This program runs at startup, however the UAC popup is annoying for end users, especially if it appears every time the user logs in. Anyway, I am wondering if there is a way to run the program with administrator rights at startup without nagging the user with the UAC popup.
P.S: Disabling UAC is not a good idea because of security issues for the users.

You cannot. Windows Vista (thankfully) blocked applications on startup that tried to elevate. Windows 7 removed the block; causing applications to try to do it.
Your best choice is to:
add a Scheduled Task to run your application "At system startup", and have it run "With highest privileges available"
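
The scheduled-task approach from the answer above, as an added PowerShell example that is not part of the original answer. It registers the task to run at system startup with highest privileges, but first refuses if the executable or its folder is writable by anyone other than SYSTEM, Administrators or TrustedInstaller, because an elevated task that points at a user-writable binary is a privilege-escalation path. The path, the task name and the choice of the SYSTEM account are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. $exe and $taskName are assumed placeholder values.
$exe      = 'C:\Program Files\ExampleMonitor\monitor.exe'
$taskName = 'ExampleMonitor-Startup'

# SYSTEM, BUILTIN\Administrators, TrustedInstaller (well-known SIDs, locale independent).
$trustedSids = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Specific rights that let a principal replace or tamper with the file.
# ACEs that carry only generic (unmapped) rights are not decoded here.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UntrustedWriters {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for the rules with SIDs instead of localized account names.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0 -and
            $_.IdentityReference.Value -notin $trustedSids
        }
}

# Check the binary and the folder it lives in.
$findings = @($exe, (Split-Path -Parent $exe)) | ForEach-Object {
    $p = $_
    Get-UntrustedWriters -Path $p | ForEach-Object {
        '{0}: {1} has {2}' -f $p, $_.IdentityReference.Value, $_.FileSystemRights
    }
}
if ($findings) {
    throw "Refusing to register task; non-admin write access found:`n$($findings -join "`n")"
}

# "At system startup" + "With highest privileges", as described in the answer.
$action    = New-ScheduledTaskAction -Execute $exe
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal
```

Registering the task needs one elevated run, for example from the installer; after that the program starts without a UAC prompt. A task started at boot under SYSTEM runs in session 0 and cannot show a window on the user's desktop.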

Related

C++ Ask for administrative privileges if on Windows 8

Simple Question: Is there a way to only ask for administrative privileges if you run the application on Windows 8?
The only method I saw so far is calling an external program to kill and reopen it with admin privileges, if it is on Windows 8. By external program I mean a vb script for example.
But this method is really unsafe and kind of dirty.
I'm asking because on Windows 8 there are a lot of little things that you can't do anymore without admin rights. Like write/delete files in the program files folders and accessing/manipulating other processes that have admin rights.
To the best of my knowledge, there is no way for a process running without an elevated token to become elevated. It can launch a new process elevated using ShellExecute with the "runas" verb (see http://blogs.msdn.com/b/vistacompatteam/archive/2006/09/25/771232.aspx). Of course a UAC prompt will show. If you really want to detect Windows 8 and only have the UAC prompt come up there and not on Windows 7, you can write a wrapper over your main application which launches your main application with UAC prompt on Win8.

Invoking the application as system user (Windows)

We have a native GUI application which runs on a windows machine, and recently we have found out that the application terminates unexpectedly. After days I have found that this is happening because the application is run by explorer.exe and it gets killed unexpectedly, random somehow, so it causes termination of all child processes including our application.
Is there a way to invoke/call our app as system process (not with explorer.exe)?
Also assume that application/user has administrator access too.
Thanks in advance.
Killing explorer does not in general kill other processes. This is very easy to verify yourself by killing explorer from the task manager. Notice that other processes stay alive when you kill explorer. Something else is killing your process.
If killing explorer leads to your process dying, then the obvious explanation is that something in your process is leading to its death. In other words the problem is most likely in your code, and you need to work out what that problem is.
Also note that explorer isn't really a special "system process" as such. It's just a normal process that runs under the logged on user's token.
You may need to get some help from an OS service: run the service as admin (run at system boot), then start the application from the service. This will ensure the app is started as admin and without explorer.exe (as child).

Activating Administrator via C++ when users are already administrator [Run as administrator]

Well I noticed that on Windows 7, sometimes even when you are an administrator, you can't do a lot of things, probably it's some sort of bug. In my application I check if a user is an administrator before starting the program, because my program creates files in folders that are protected by default like the root folder (C:), and if you aren't an administrator on Windows 7, you can only create folders there.
So if I right click in my application and go "Run as Administrator", it just works fine.
Is there a way to make my application run as administrator automatically? I would like to be able to make a line of code like: ActivateAdministrator(); and be available for the code completely, because I change attributes, create files with ifstream.
You could add a manifest to your executable - http://msdn.microsoft.com/en-us/library/bb756929.aspx
If the user is running on a system with the UAC switched on, and is not an administrator, a manifest which contains requestedExecutionLevel level="requireAdministrator" will produce a prompt for the Administrator password before your application can run with administrative privileges. (Requiring administrator privileges means that an incorrect password or no password will stop it from running altogether.)
If they are an administrator with the UAC switched on, then that same manifest will cause a Yes/No prompt to ask whether your application should be granted administrative privileges.
Of course, the real issue is that whatever your application is doing which requires administrative privileges needs to be examined.
Most of the time the privilege is simply not required for normal user-level applications. This is an application design issue really - what is your application doing which requires admin privileges? Is it really necessary? E.g. if you're modifying files, then why are those files in a protected area on the file system instead of in the user's profile space?
You might find the Windows Dev Center article on Privileges helpful, specifically Enabling and Disabling Privileges in C++.
Although this is in C#, it might be easier for you, I don't know. What I did was to Detect if running as Administrator with or without elevated privileges?, and if not rerun the current process while requesting administrative access (which if the UAC is enabled, would do a popup to the current user and ask if it is ok for the program to run with administrative privileges).
Then some simple (but C# code) looks like:
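// UAC is a class from the previous link on SO.
// Needs: using System.Diagnostics; using System.Reflection;
// Relaunch only when the current process is NOT already elevated.
if (!UAC.IsCurrentProcessElevated())
{
    string currentProcess = Assembly.GetEntryAssembly().Location;
    string arguments = string.Join(" ", this._Args.ToArray());
    ProcessStartInfo startInfo = new ProcessStartInfo(currentProcess, arguments);
    startInfo.UseShellExecute = true;  // the "runas" verb only works through the shell
    startInfo.Verb = "runas";          // request elevation (shows the UAC prompt)
    Process.Start(startInfo);
}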
The un-elevated process would quit, with a new one started that requested administrative privileges.

Windows 7 UAC elevation

I have a single thread that I'd like to run as an administrator in my application. The rest of the application I can happily run as the default user level (asInvoker). Is this possible? I notice there is an "ImpersonateLoggedOnUser" function. Can I somehow use this to log the administrator on and then get the thread to impersonate that person?
It seems as though this ought to be something pretty trivial to do ... but there doesn't appear to be any obvious way to do it. Can anyone help me out?
Edit: So if I have to fire off a separate process, is there any way I can CreateProcess a new process and have it launch from a specific entry point? I can, of course, use command line processing to do it, but I'd really rather I could stop the user from entering the command line and starting an unclosable process!
No, elevation is per process, not thread.
If the rest of the application has to run non-elevated, you could run yourself elevated with some parameter (myapp.exe /uac "ipcparamhere") and use some sort of Inter-process communication to communicate back to the "main instance" of your app. (If the elevated process only performs a simple operation, you could probably check for success by using the exit code of the process)
This is not possible. You'll need to gain admin privileges by including a manifest in the app. Google "requireAdministrator" to find the manifest you'll need. Your user will probably quickly tire of doing this over and over again, your best bet is to spin-off the task that requires these privileges into a separate process. A service for example.
You can launch a separate exe and have a manifest on it saying it requires administrator. Then be sure to launch it with shell execute, which uses manifests, and you're all set. As a thoughtful touch, put a UAC shield on the button that kicks off that thread. (Send it a BCM_SETSHIELD message if you're doing this all by hand.)
You can decide whether you want a visible window or not on the separate process. Meanwhile the user can still drag and drop into the main app.

WNetAddConnection2 in Windows 7 with Impersonation and no Error Code

I'm doing some crazy impersonation stuff to get around UAC dialogs in Windows 7 so the user does not have to interact with the UI (I have the admin creds of course).
I have a process running as the Administrator and elevated past UAC. The issue that I'm facing is that when I make a call to WNetAddConnection2, within this process, I am not getting a new mapped net drive. The function returns ERROR_SUCCESS but no net drive is visible. We have another method of adding network drives using 'subst' but this, again, returns successfully but does not add a net drive. I have tried to use the default user (which is the Administrator because of the process's security context) and I have tried using specific user credentials. I can map the drive just fine through Explorer.
Of course the same functionality works fine in XP/2003. I haven't got around to testing on Vista because of issues with impersonation that are limiting my ability to spin up the process. Are there unique Windows 7 limits on this function? MSDN does not glean any that I can find.
Any help would be greatly appreciated!
The issue was that the process was running as Administrator. Impersonation will not work because WNetAddConnection2 evaluates on the process's user. You must start a separate process to accomplish this.