Well , when ever I am trying to run my application as administrator I am getting the following
error, and whether to allow or not.
If I am running the app directly and not as an administrator then this seems to work. Is there Some thing I need to do to get rid of the UAC , no I dont want user to manually change the UAC settings.
Do I need to tweak registry settings only for my programe or any certificate I need to sign with.
In general, you can't disable UAC. The goal of UAC is to provide a defense in depth against malware. It would be counterproductive if an Tojan could just disable UAC.
What you can do is accept that UAC exists, and roll with it. You shouldn't usually run as Administrator, so it's perfectly fine to get a UAC dialog when you do. For instance, Auto Start can be handled as a per-user setting, which means you don't need to be an admin to change that.
As a workaround on your machine, you can create a scheduled task that launches your application and tick the "run with highest privileges" in the general settings. Then you create a link to the sheduled task with schtasks /run /tn "TASKNAMEINQUOTES" as the link text. This will call the task that will run the application with elvated privileges without the UAC prompt.
More on this here: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/
In
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
there is such item as ConsentPromptBehaviorAdmin. Change it.
Configure an application to always run elevated:
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx#BKMK_S2
I had a program (Notepad2)suddenly require admin rights on a win-7 system. Seems that this can be changed easily.
Right-click the applicaiton, select properties, go to the compatibility tab, at the bottom is
Privilege level: Run this program as an administrator.
Unclick it and OK your way out. Worked for me.
Your process needs to elevate its privileges. There are couple of articles about this in CodeProject but have a look at this one first.
Related
We have an exe which actually checks the contents of a folder and then kicks off a windows service to do some processing on the files in that folder.
So, we made this exe as part of System start up program so it runs everytime the system reboots/starts.
Now the user is very annoyed as he gets pop up for UAC everytime he restarts. But we need to have admin rights for this exe as it kicks off a windows service. Therefore I researched and found a couple of solns for this prob.
This and This
But couldn't decide which is better and less vulnerable for security implications.
Another potential solution can be in the code of .exe itself detect the system start up and if we have any content in the target folder then only ask for UAC from user and kick off the windows service . Else just don't run the exe. I am not sure how to do this in C++. Any pointers would be helpful. If there is any better solution, always welcome.
You probably want to use Task Scheduler here.
Just create a task as part of the install process, with "When the computer starts" as the trigger, and set the "Run with highest privileges" security option.
The problem is that you're mixing up the system and user sessions.
If the processing of those files is done on behalf of a user, it probably should not be done by a service. What if two users wanted their files processed? What security context should the service use for that? And obviously you shouldn't need Administrator right to process some user files.
If the service is performing some system-level task, it shouldn't depend on a user. And in fact running at startup suggests you want this mode. (User applets start at login, not after reboot). The main problem in your design therefore seems to be that you try to run an app (with UI) at the wrong moment which requires far too many permissions (causing UAC). Redesign the service so that it does all the tasks which require admin permissions, and when installing the service set it to start automatically. This still requires UAC at installation, but that is when UAC is expected.
i'm writing a security program for vista and 7 (Right now my main os i'm using is 08 server which i'm testing it on as well) and I would like to block the fast user switching option from within windows. The problems is that I can't edit the registry under a normal user as its under the HKLM and I need to be able to edit the key to block it or find another way to accomplish this.
I tried running it as admin and that hasn't worked. With wxDev C++ I tried the manifest option and I still can't get it to work. If the program runs under an admin account though it does.
Would anyway happen to know how to do this? I've been looking on Google all day today now and all I keep finding out is how to edit the reg or group policy to turn it off but I need a way to do it though c++.
Again thank you
The registry key that controls fast user switching is in key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
it is a DWORD value named AllowMultipleTSSessions.
Set it to 0 to disable fast user switching. Windows uses terminal services to implement multiple desktops.
To write to the HKEY_LOCAL_MACHINE hive, the process must be running with administrator privileges.
The manifest needed to make your process automatically prompt for administrator privileges is:
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
Am working on a vc++ background application which installs in the program files folder. It works fine when it was manually started, it creates xml file in the same folder. But however the application is not creating the file when it was configured to startup.
Even when I provide the requireAdministrator privilege it is not creating the file at the startup.
This is same as the issue with Granting administrator privileges to an application launched at startup without UAC prompt?
but when program runs as Administrator it doesn't start at startup, this is my problem
But am working for a solution in vc++.
Please help am working on this more than a week
Did you add a proper manifest to your project?
In VC++ you must add one(http://msdn.microsoft.com/en-us/library/windows/desktop/bb756929.aspx)
Move the XML file to ProgramData (CSIDL_APPDATA).
I assume you have UAC enabled (i.e. UAC prompt appears). If that so, you would see it always when you start from Explorer, and will not see from Admin mode Visual Studio (since VS is elevated), and hence your process would be elevated.
But, when your process starts, the UAC won't appear, and your application will fail to start. It is best bet not to make your application requiring Administrator rights (why do you need?). You can save the data in some other folder.
If you must, you may need to create a service, which would start your application in elevated-mode (yes, without any UAC prompt).
Do check the system event reporting for your application, since this cannot be easily debugged.
Programs under windows need administrator privilege must get user's permission when they start. And they can also run with administrator privilege by right click the EXE and select "Run as Administrator". But, before the EXE start, a message box will show up. It's really disgusting.
Now I want my application to run as the Administrator, and I don't want the popup message box when user click the EXE file.
Now I wonder whether the AdjustTokenPrivileges function can help me achieve this.
Any one can help me?
You're getting confused between rights and privileges. At least from the viewpoint of the Windows API, the two are entirely different (though they're otherwise treated as synonymous a great deal of the time, at least when dealing with "what you can do on Windows").
What you're really looking for is the ability to elevate rights. Short of some defect in the security model of the system, you shouldn't be able to do this. To get administrative rights, the intent is that the code should have to run under an administrative account -- either by the user initially logging in as an administrator, or else by them entering the credentials at run time as you've seen.
Privileges (which are what AdjustTokenPrivileges actually manipulates) are things you have the right to do, but still aren't allowed to do without specifically enabling that privilege. For example, let's assume you start out logged in as an administrator. That gives you the right to adjust the system clock -- but adjusting the system clock is something normal programs almost never have a reason to do, so they added an extra step, before you can do it -- you need to enable the SE_SYSTEMTIME privilege before you can make use of that right.
If you're logged in under an account that doesn't have the right to change the system time, you simply can't do it. If you're logged into an account that can change it, you have to enable the privilege first before you can do it.
Bottom line: AdjustTokenPrivileges won't accomplish what you're trying to do.
Actually there is a way, which allows you to change security credentials for the thread by calling LogonUser API function. It returns handle to a token which could be used in ImpersonateLoggedOnUser and CreateProcessAsUser calls. This technique is called impersonalization.
Howewer, I think you are trying to achieve a different thing - to run a process with elevated administrative rights without UAC user notification. You could either disable UAC completely in msconfig utility, which is a pretty bad solution, or leave your program as it is, because to be quite frank, user has a right to know, when your program is running with superuser privileges, and disabling this notifications should be his decision.
I have an MFC application developed in VS Studio 2008 which reads and writes to a JSON file in its installation folder. It works perfectly in vista(administrator) BUT ONLY when UAC is turned off. When UAC is ON, the application isn't able to write to its JSON file. I figured I had to create a manifest file but I haven't really tried creating one.
Questions:
reference: http://msdn.microsoft.com/en-us/library/bb384691.aspx.
It says here that you can simply set the linker options in the Visual Studio development environment.
What values do I need to select for:
a) Enable User Account Control (UAC)? [I tried NO].
b) UAC Execution Level? [I tried highestAvailable].
c) and UAC Bypass UI Protection? [I tried Yes].
Do I need to add the manifest file in the software package (exe, Dll's, etc.)?
Thanks...
The whole concept of UAC is that you can not bypass it. If you could, it would be useless.
The only solution (which is what you should do anyway, not just because of UAC) is to never ever write files in the install folder but in %APPDATA% where it belongs.
You should copy this file to AppData. Modifying a file in Program Files will always trigger a UAC prompt. This operation requires admin privileges and manifest won't help you with that.
Adding manifest file you can only declare that the application needs UAC permisison. This way the user will be prompted for UAC on application start.
If this is what you want here you can find description how to do it.
Other aprroach is to install a service which runs with LocalSystem account and is allowed to do (almost) anything without asking for UAC permission. For this to work you have to implement inter process communication between your UI applicaiton and the service. Kernel objects shared between processes have to be created from the service with appropriate security attributes in order to be accessed form not elevated programs.
The installation of the service will prompt the user for UAC ( as most other installations )
You mentioned you tried manifesting the executable as
UAC Execution Level: highestAvailable
It should be set to requireAdministrator.
The difference is that highestAvailable will only elevate if the user really is an administrator who's been (UAC) stripped of their admin privelages. If they really are a standard user then it won't elevate.
On the other hand requireAdministrator will require that they elevate. If the user is not an administrator, they will be presented with a prompt to enter a Username and Password of someone who is an administrator; they'll have to call someone to come down and type in their username and password.
If the user already was an administrator, then requireAdministrator will just ask them to Continue.
Set the EnableLUA DWORD value in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0 and reboot.
This will disable UAC without a problem, I would do it to all your users, with or without permission is up to you.
Works in Windows Vista and Windows 7 as well.