How to launch an application with admin rights in c++? - c++

I need to do some registry operations & other system operations for that i need admin permission. currently user have to start my application as "Run as administrator".
so How could i launch my application with admin rights?

CreateProcessAsUser or CreateProcessWithLogonW is the main thing you need. For CreateProcessAsUser, you'll need to use a few other things to make it do its tricks though (e.g., AdjustTokenPrivileges to enable the privileges it uses, and LogonUser to get a user's token).

You can also use ShellExecuteEx() for this purpose. This routine expects a SHELLEXECUTEINFO structure to be passed to it. The relevant attribute of this structure is "lpverb" which has to be set to a value "runas". This will ensure that the task that is run with elevated priveleges.

The answers deal with starting it programatically, but if the program's entire purpose is to run as admin to make these changes, you can add an appropriate manifest to make Windows elevate for you.

If just part of your application needs admin access, look at COM elevation.

Related

Fail-safe code in c++ after access is denied

I am very new to programming. I want to run a program with C++ which will prompt administrative permission to the user in windows. Is there any way to run another bunch of code if the permission is not granted??
system("setup.exe");//This will prompt administrative permission to the user. If permission is denied then I want to execute some other codes, for example, printif("Give administrative permission next time");
It is impossible to do for the already executing process. You can only start one more process (even if this is the same application). Another approach is to add appropriate application manifest which would force the runtime system to request the user for UAC elevation confirmation from the very beginning.
For the first approach, please see: CreateProcessAsUser function (Windows).
For the second (manifest) approach, please see, for example, this answer: C++ — How to run application with Admin privileges using Manifest file in Visual Studio 2005?.
Note that it is impossible to elevate the privileges without explicit user's consent. If it was possible, it would defeat the purpose of UAC. Please see: User Account Control — Wikipedia, the free encyclopedia.
As I told I am very new to programming. So U was trying different codes without knowing what actually they are supposed to do. So finally a simple code servrd my purpose though I dont know what actually happening there. The code is
if(system("setup.exe")){printf("Give administrative permission next time");}

How can I view whether my application requires elevated privileges or not?

I'm developing an application in C++ which needs to be as portable as possible and be able to run without elevated privileges, so a regular user can run it.
But I'm not sure how can I check it because in my system it runs without any popup like UAC or asking for privileges. Is there a way to check required privileges by an application?
There are two ways how an application can cause windows to display the UAC prompt to aquire higher privileges:
Heuristic
Windows includes a heuristic-based detection mechanism that tries to detect whether your application should be classified as an "installer" and should thus require elevated privileges. This is done automatically and can cause problems if it has a false-alarm and this causes your program to require elevated privileges.
Explicit
If you do not want to rely on the automatic detection system to correctly classify your application, you can explicitely state what elevation level your application needs by modifiying your application's manifest.
Quoting this MSDN article:
asInvoker requesting no additional permissions. This level requires no additional trust prompts.
This is what you should use in your case if you want to guarantuee that your application will not be categorized wrongly.
If you will not mark it explicitly in app manifest it should not require elevated privileges, however you need to ensure all functionalities would work.

Can AdjustTokenPrivileges elevate the privilege as Administrator?

Programs under windows need administrator privilege must get user's permission when they start. And they can also run with administrator privilege by right click the EXE and select "Run as Administrator". But, before the EXE start, a message box will show up. It's really disgusting.
Now I want my application to run as the Administrator, and I don't want the popup message box when user click the EXE file.
Now I wonder whether the AdjustTokenPrivileges function can help me achieve this.
Any one can help me?
You're getting confused between rights and privileges. At least from the viewpoint of the Windows API, the two are entirely different (though they're otherwise treated as synonymous a great deal of the time, at least when dealing with "what you can do on Windows").
What you're really looking for is the ability to elevate rights. Short of some defect in the security model of the system, you shouldn't be able to do this. To get administrative rights, the intent is that the code should have to run under an administrative account -- either by the user initially logging in as an administrator, or else by them entering the credentials at run time as you've seen.
Privileges (which are what AdjustTokenPrivileges actually manipulates) are things you have the right to do, but still aren't allowed to do without specifically enabling that privilege. For example, let's assume you start out logged in as an administrator. That gives you the right to adjust the system clock -- but adjusting the system clock is something normal programs almost never have a reason to do, so they added an extra step, before you can do it -- you need to enable the SE_SYSTEMTIME privilege before you can make use of that right.
If you're logged in under an account that doesn't have the right to change the system time, you simply can't do it. If you're logged into an account that can change it, you have to enable the privilege first before you can do it.
Bottom line: AdjustTokenPrivileges won't accomplish what you're trying to do.
Actually there is a way, which allows you to change security credentials for the thread by calling LogonUser API function. It returns handle to a token which could be used in ImpersonateLoggedOnUser and CreateProcessAsUser calls. This technique is called impersonalization.
Howewer, I think you are trying to achieve a different thing - to run a process with elevated administrative rights without UAC user notification. You could either disable UAC completely in msconfig utility, which is a pretty bad solution, or leave your program as it is, because to be quite frank, user has a right to know, when your program is running with superuser privileges, and disabling this notifications should be his decision.

Is it possible for the executable to ask for Administrator rights? (Windows 7)

I am developing a partition disk program, and for me to read the \\\\.\\PhysicalDrive0 I need admin rights.
I am wondering if it is possible, in the run time, for the program to gain admin rights? Is there any win api for that?
I want to do that because I want the program to execute with admin rights only when it is reading/writing the disk. For security reasons, I don't want the program to execute all the time with admin rights, because someone could find a bug (stack or heap overflow for example) in some module and execute arbitrary commands as adm.
You cannot acquire elevated privileges after the process has started. Your options are:
Put the part of your application that requires elevated privileges into a separate process and manifest that with requireAdministrator.
Run the part of your application that requires elevated privileges as an out-of-proc COM object.
I have never seen a way to transition rights once a process has begun executing. The only way I know of is for the process to be created as privileged.
I look forward to other answers in case there is another way.
(update)
The article Teach Your Apps To Play Nicely With Windows Vista User Account Control (about halfway down) confirms that admin rights can be granted only at process creation time.
You need to embed manifest with requireAdministrator flag
http://msdn.microsoft.com/en-us/library/bb756929.aspx
Project's Propeties (Alt + Enter) -> Linker -> Manifest File
-> UAC Execution level (in VS2015, in 2010 it's similar)
-> requireAdministrator or highestAvailable
Edit: Also, if it's updating program, simply make your program's name starting with Update and Windows will automatically recognize it.

How to Disable UAC for my application

Well , when ever I am trying to run my application as administrator I am getting the following
error, and whether to allow or not.
If I am running the app directly and not as an administrator then this seems to work. Is there Some thing I need to do to get rid of the UAC , no I dont want user to manually change the UAC settings.
Do I need to tweak registry settings only for my programe or any certificate I need to sign with.
In general, you can't disable UAC. The goal of UAC is to provide a defense in depth against malware. It would be counterproductive if an Tojan could just disable UAC.
What you can do is accept that UAC exists, and roll with it. You shouldn't usually run as Administrator, so it's perfectly fine to get a UAC dialog when you do. For instance, Auto Start can be handled as a per-user setting, which means you don't need to be an admin to change that.
As a workaround on your machine, you can create a scheduled task that launches your application and tick the "run with highest privileges" in the general settings. Then you create a link to the sheduled task with schtasks /run /tn "TASKNAMEINQUOTES" as the link text. This will call the task that will run the application with elvated privileges without the UAC prompt.
More on this here: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/
In
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
there is such item as ConsentPromptBehaviorAdmin. Change it.
Configure an application to always run elevated:
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx#BKMK_S2
I had a program (Notepad2)suddenly require admin rights on a win-7 system. Seems that this can be changed easily.
Right-click the applicaiton, select properties, go to the compatibility tab, at the bottom is
Privilege level: Run this program as an administrator.
Unclick it and OK your way out. Worked for me.
Your process needs to elevate its privileges. There are couple of articles about this in CodeProject but have a look at this one first.