Programs under Windows that need administrator privilege must get the user's permission when they start. They can also run with administrator privilege by right-clicking the EXE and selecting "Run as Administrator". But before the EXE starts, a message box will show up. It's really disgusting.
Now I want my application to run as the Administrator, and I don't want the popup message box when the user clicks the EXE file.
Now I wonder whether the AdjustTokenPrivileges function can help me achieve this.
Can anyone help me?
You're getting confused between rights and privileges. At least from the viewpoint of the Windows API, the two are entirely different (though they're otherwise treated as synonymous a great deal of the time, at least when dealing with "what you can do on Windows").
What you're really looking for is the ability to elevate rights. Short of some defect in the security model of the system, you shouldn't be able to do this. To get administrative rights, the intent is that the code should have to run under an administrative account -- either by the user initially logging in as an administrator, or else by them entering the credentials at run time as you've seen.
Privileges (which are what AdjustTokenPrivileges actually manipulates) are things you have the right to do, but still aren't allowed to do without specifically enabling that privilege. For example, let's assume you start out logged in as an administrator. That gives you the right to adjust the system clock -- but adjusting the system clock is something normal programs almost never have a reason to do, so they added an extra step, before you can do it -- you need to enable the SE_SYSTEMTIME privilege before you can make use of that right.
If you're logged in under an account that doesn't have the right to change the system time, you simply can't do it. If you're logged into an account that can change it, you have to enable the privilege first before you can do it.
Bottom line: AdjustTokenPrivileges won't accomplish what you're trying to do.
Actually there is a way, which allows you to change security credentials for the thread by calling the LogonUser API function. It returns a handle to a token which could be used in ImpersonateLoggedOnUser and CreateProcessAsUser calls. This technique is called impersonation.
However, I think you are trying to achieve a different thing - to run a process with elevated administrative rights without UAC user notification. You could either disable UAC completely in the msconfig utility, which is a pretty bad solution, or leave your program as it is, because to be quite frank, the user has a right to know when your program is running with superuser privileges, and disabling these notifications should be his decision.
I am very new to programming. I want to run a program with C++ which will prompt the user for administrative permission in Windows. Is there any way to run another bunch of code if the permission is not granted??
system("setup.exe");//This will prompt administrative permission to the user. If permission is denied then I want to execute some other code, for example, printf("Give administrative permission next time");
It is impossible to do for the already executing process. You can only start one more process (even if this is the same application). Another approach is to add appropriate application manifest which would force the runtime system to request the user for UAC elevation confirmation from the very beginning.
For the first approach, please see: CreateProcessAsUser function (Windows).
For the second (manifest) approach, please see, for example, this answer: C++ — How to run application with Admin privileges using Manifest file in Visual Studio 2005?.
Note that it is impossible to elevate the privileges without explicit user's consent. If it was possible, it would defeat the purpose of UAC. Please see: User Account Control — Wikipedia, the free encyclopedia.
As I said, I am very new to programming. So I was trying different code without knowing what it is actually supposed to do. Finally, a simple piece of code served my purpose, though I don't know what is actually happening there. The code is
if(system("setup.exe")){printf("Give administrative permission next time");}
I'm developing an application in C++ which needs to be as portable as possible and be able to run without elevated privileges, so a regular user can run it.
But I'm not sure how can I check it because in my system it runs without any popup like UAC or asking for privileges. Is there a way to check required privileges by an application?
There are two ways an application can cause Windows to display the UAC prompt to acquire higher privileges:
Heuristic
Windows includes a heuristic-based detection mechanism that tries to detect whether your application should be classified as an "installer" and should thus require elevated privileges. This is done automatically and can cause problems if it has a false-alarm and this causes your program to require elevated privileges.
Explicit
If you do not want to rely on the automatic detection system to correctly classify your application, you can explicitly state what elevation level your application needs by modifying your application's manifest.
Quoting this MSDN article:
asInvoker requesting no additional permissions. This level requires no additional trust prompts.
This is what you should use in your case if you want to guarantee that your application will not be categorized wrongly.
If you do not mark it explicitly in the app manifest, it should not require elevated privileges; however, you need to ensure all functionality works.
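The check asked about in this thread can be approximated offline. The Python below is an added example, not part of the original answers: it looks for an embedded requestedExecutionLevel and, when none is present, applies only the filename part of installer detection (the keywords install, setup and update, on 32-bit images). It assumes the manifest is stored as uncompressed text inside the file; uac_expectation, fake_pe and the sample bytes are names and data constructed for illustration.

```python
import re
import struct

# Filename keywords used by installer detection (filename check only; the
# version-resource and manifest keyword checks are not reproduced here).
INSTALLER_KEYWORDS = ("install", "setup", "update")
LEVEL_RE = re.compile(
    rb'<(?:\w+:)?requestedExecutionLevel\b[^>]*\blevel\s*=\s*["\'](\w+)["\']')
IMAGE_FILE_MACHINE_I386 = 0x014C


def is_32bit_pe(data: bytes) -> bool:
    """Follow e_lfanew (offset 0x3C) to the COFF header and read Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("not a PE image")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return machine == IMAGE_FILE_MACHINE_I386


def uac_expectation(filename: str, data: bytes) -> str:
    """Classify how UAC is expected to treat this executable."""
    match = LEVEL_RE.search(data)
    if match:
        # An explicit level switches the installer heuristic off.
        return "explicit:" + match.group(1).decode("ascii")
    name = filename.lower()
    if is_32bit_pe(data) and any(k in name for k in INSTALLER_KEYWORDS):
        # Unmarked 32-bit image with an installer-like name.
        return "heuristic:possible-installer"
    return "unmarked:runs-as-invoker"


def fake_pe(machine: int, manifest: bytes = b"") -> bytes:
    """Constructed sample: just enough PE header for the checks above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + manifest


MANIFEST = (b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
            b'<requestedPrivileges><requestedExecutionLevel level="asInvoker" '
            b'uiAccess="false"/></requestedPrivileges></security></trustInfo>')

if __name__ == "__main__":
    print(uac_expectation("report_tool.exe", fake_pe(0x014C, MANIFEST)))
    print(uac_expectation("setup.exe", fake_pe(0x014C)))
```

A packed or compressed binary hides the manifest text from this scan, so an "unmarked" result on such a file is inconclusive.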
We have an exe which actually checks the contents of a folder and then kicks off a windows service to do some processing on the files in that folder.
So, we made this exe part of the system start-up programs so it runs every time the system reboots/starts.
Now the user is very annoyed as he gets a pop-up for UAC every time he restarts. But we need to have admin rights for this exe as it kicks off a Windows service. Therefore I researched and found a couple of solutions for this problem.
This and This
But couldn't decide which is better and less vulnerable for security implications.
Another potential solution could be for the code of the .exe itself to detect the system start-up and, only if we have any content in the target folder, ask for UAC from the user and kick off the Windows service. Else just don't run the exe. I am not sure how to do this in C++. Any pointers would be helpful. If there is any better solution, it is always welcome.
You probably want to use Task Scheduler here.
Just create a task as part of the install process, with "When the computer starts" as the trigger, and set the "Run with highest privileges" security option.
The problem is that you're mixing up the system and user sessions.
If the processing of those files is done on behalf of a user, it probably should not be done by a service. What if two users wanted their files processed? What security context should the service use for that? And obviously you shouldn't need Administrator rights to process some user files.
If the service is performing some system-level task, it shouldn't depend on a user. And in fact running at startup suggests you want this mode. (User applets start at login, not after reboot). The main problem in your design therefore seems to be that you try to run an app (with UI) at the wrong moment which requires far too many permissions (causing UAC). Redesign the service so that it does all the tasks which require admin permissions, and when installing the service set it to start automatically. This still requires UAC at installation, but that is when UAC is expected.
I need to do some registry operations and other system operations; for that I need admin permission. Currently the user has to start my application with "Run as administrator".
So how could I launch my application with admin rights?
CreateProcessAsUser or CreateProcessWithLogonW is the main thing you need. For CreateProcessAsUser, you'll need to use a few other things to make it do its tricks though (e.g., AdjustTokenPrivileges to enable the privileges it uses, and LogonUser to get a user's token).
You can also use ShellExecuteEx() for this purpose. This routine expects a SHELLEXECUTEINFO structure to be passed to it. The relevant attribute of this structure is "lpVerb" which has to be set to a value "runas". This will ensure that the task is run with elevated privileges.
The answers deal with starting it programmatically, but if the program's entire purpose is to run as admin to make these changes, you can add an appropriate manifest to make Windows elevate for you.
If just part of your application needs admin access, look at COM elevation.
Well, whenever I am trying to run my application as administrator I am getting the following error, and whether to allow or not.
If I am running the app directly and not as an administrator then this seems to work. Is there something I need to do to get rid of the UAC? No, I don't want the user to manually change the UAC settings.
Do I need to tweak registry settings only for my program, or is there any certificate I need to sign with?
In general, you can't disable UAC. The goal of UAC is to provide a defense in depth against malware. It would be counterproductive if a Trojan could just disable UAC.
What you can do is accept that UAC exists, and roll with it. You shouldn't usually run as Administrator, so it's perfectly fine to get a UAC dialog when you do. For instance, Auto Start can be handled as a per-user setting, which means you don't need to be an admin to change that.
As a workaround on your machine, you can create a scheduled task that launches your application and tick the "run with highest privileges" in the general settings. Then you create a link to the scheduled task with schtasks /run /tn "TASKNAMEINQUOTES" as the link text. This will call the task that will run the application with elevated privileges without the UAC prompt.
More on this here: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/
In
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
there is an item named ConsentPromptBehaviorAdmin. Change it.
Configure an application to always run elevated:
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx#BKMK_S2
I had a program (Notepad2) suddenly require admin rights on a Win 7 system. It seems that this can be changed easily.
Right-click the application, select properties, go to the compatibility tab, at the bottom is
Privilege level: Run this program as an administrator.
Unclick it and OK your way out. Worked for me.
Your process needs to elevate its privileges. There are a couple of articles about this on CodeProject, but have a look at this one first.