Setting Admin privileges for an Application - windows

I have created a win32 application in Visual Studio 2010. the application is sort of installer, it copies an exe to system32 folder.
The exe which is copied by installer is executed every time the windows is restarted. i have created an entry for it in the registry, now the problem i am having is i want to run that exe as administrator every time it is executed.
I can change the properties of the exe to run as administrator, but it works only for the specific system, i have mentioned my application is an installer, so it is quite hectic to change the privileges at every system.
Kindly guide me how can i solve this problem

First of all, please note that privileges and rights are specified for users rather than executables.
In order to have an executable run elevated, you typically need to add an application manifest to your executable that specifies the requireAdministrator execution level. Such an application will fail to run if the user is not an administrator, or cannot find an administrator to perform over-the-shoulder elevation.
Now, this probably won't help you much. If you want elevation to happen at logon (assuming your registry setting is HKLM\Software\Microsoft\Windows\CurrentVersion\Run) then this will lead to the user being presented with a UAC elevation dialog every time the program starts. I cannot imagine that behaviour is desirable.
Perhaps the cleanest way to avoid all of this would be to convert your application to run as a service. Services run in session 0 and are not subject to UAC. Simply run the service under a user account that has sufficient rights.
One final point, that I cannot stress enough. You should not be copying files to system32. That is the system folder and it belongs to the system.

Related

Windows asks for administrator password when starting my application in a non-administrator account

There is something my application is doing that is causing Windows to ask for an administrator password when starting my application in a non-administrator account.
At first I thought it was because I was writing some data in the run time folder in Program Files. I took care of that but still have the problem.
Do you have any idea how I can track down the problem ?
Harry Johnston's comment is correct.
If you don't have a manifest that specifies the level, then Windows assumes this is an "old" program written before manifests were common. In that case, it'll use heuristics to guess whether the program might require administrator privileges. In particular, if the name of the executable has "install" or "setup" in it, Windows might assume that it's an installer and that it will require administrator privileges.
If you provide a manifest that specifies a level (like asInvoker), then Windows won't guess, regardless of the name of your program.

How to update a program (exe) from internet using win32

I've written a Win32 program that at regular intervals retrieves content from a dedicated server on the internet.
Sometimes the Win32 program itself needs to be updated. What I do is exit the said program and run a download-program which replaces the main exe I need to uopdate. This works for users running in Administrator mode but not other mode that has sufficent rights for most tasks. The program runs on it own directory which is not under "c:\Windows\program files\".
I've set a manifest file to no avail.
Is there a workable workaround solution for this (any)?
For security reasons you cannot place files in Program Files without admin rights. If you would be able to this you could in theory change Windows files and place malware as well.
Same goes for Linux and OSX systems.
However you could prompt the user for an Administrator password and gain the admin rights in that way.
You need your updater program to have admin rights. You achieve that by adding the requireAdministrator option in the requestedExecutionLevel section of the application manifest. You said that you have tried this to no avail. Well, you must have got something wrong because this is the solution. You just need to persevere until you get the manifest correct.
I presume that when you say that the [program is not under the Program Files directory you refer to the updater. If the program being updated is not under the Program Files directory then there would seem to be no obvious reason that the updater needs admin rights. If that is so then you need to investigate further.

Handling admin rights in mixed user/admin windows app

My MFC app usually runs with admin rights, however, there is one operation which needs admin privileges (activation of the software where the status must be saved to HKLM).
For now, I created two .exe files: The ordinary app and "Activation.exe" which must run as admin and has requestedExecutionLevel=requireAdministrator in the Manifest. The activation is started with a button which makes ShellExecute(Activation.exe).
However, both applications share lots of code so I would like to merge the two exe into one exe. But how do I make sure then that specific parts of the code are executed with admin privileges? This method should/must be compatible down to NT4.
One idea is to integrate the functionality of Activation.exe in the main exe using a switch (e.g. "myapp.exe -activate"). A small bootstrapper makes sure that it can only run as admin (requireAdministrator in Manifest) and does nothing more than ShellExec(myapp.exe -activate). But is this really the best way?
I don't know if it's the best way (no-one answered) but I did that now :) The bootstrapper has just requireAdministrator in the Manifest and does a ShellExecute to the main executeable with switch "/Activate" ...
I would typically use a call to ShellExecuteEx with a verb of runas to launch any executable as administrator, even if it's manifested asInvoker.
Note that on systems where UAC has been disabled, the resulting launch may not receive administrator privileges; I believe this caveat also applies to the approach of launching an exe manifested requireAdministrator.

Is there a way to avoid UAC for autorun app in Program Files?

Firstly I want to emphasize that I'm not trying to do anything "nasty" or "hackerish", nor am I trying to hide anything from user here.
During installations (using InstallShield LE) of my application user is prompted by Windows UAC to allow it to run in Administrator mode; If user accepts it - installation continues (standard behavior) and user again can check the option to add this program to autorun list (by adding a registry key to HKLM/../Run). All is fine and normal. But after every Windows restart, when this application starts, UAC kicks in and asks for user permission. Question is, how to avoid it, since it's a bit annoying (yet my app needs Administrator privileges to run)?
I mean user already granted such permissions on installation, so I cannot see a reason why it needs to be prompted on every startup? Moreover, I believe most antivirus software and such, also require elevated permissions to operate, but UAC doesn't prompt for it at Windows Startup.
Thank you for any advises, information, comments or solutions.
Does your application really need to start elevated? Or will it need to elevated access later when the user uses it to perform an action? If you can, drop the later admin task into a separate exe, allowing the main exe to start with no elevation - when you shellexecute the worker process later it will UAC on demand.
At install time, as you have noted, you have elevated the installer. If you want to run elevated code on subsequent runs, automatically, this is the point to install a service - which is what all those other apps you mentioned do.
You can't get around UAC for a process started in an interactive session. You could use a service running as a privileged user but you would be far better off finding a way to do whatever you do without requiring admin rights.
It's not possible for a program to run elevated without prompting. What you want to do is factor those portions of your application that need elevation into a windows service that runs as system. Then your autostarting application can make remoting calls to the service to delgate those activities that the user can't do without elevating.
Not done it but I found this article Selectively disable UAC for your trusted Vista applications that says use 'Application Compatibility Toolkit' from microsoft.
The Compatibility Administrator allows you to create a database of
compatibility fixes that will allow you to run certain applications
without an accompanying UAC.
Run the Compatibility Administrator as admin
select a new database template
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard ... enter details about your app
Select a Compatibility Level
Select RunAsInvoker as the fix
It seems that the last one
Selecting the RunAsInvoker option will allow the application to launch
without requiring the UAC prompt.
Should do what you want provided that the invoker is admin and I think you can do this at start up using the scheduler : Create Administrator Mode Shortcuts Without UAC Prompts in Windows 7 or Vista
As you can see it runs your app in the compatibility mode which may or may not be acceptable for you.

Running application with administrator privilege

I have made an application that copy the vb components to the system32 folder of the windows and register those components with “regsvr32”. It works well in Window XP, but in Windows Vista and Windows7 it can’t perform its task without right clicking the application .exe file and selecting “Run as administrator”. Is there any code in vb that automatically allows the application .exe file to run as administrator?
To do precisely what you ask you can add an application manifest that specifies an execution level of "requireAdministrator" within it. However this means the application will always run elevated, and the user will also have to provide admin credentials or approve elevated execution for every run (UAC prompt).
Please just do things the right way.
I'm going to second Bob's excellent comment above and suggest that you use a tool like Inno Setup http://www.jrsoftware.org (it's free) to build a proper installer. One of the benefits of using a proper setup tool is that the setup application can request to the OS to run with administrative privileges without using external files and manifests to make that happen. The setup.exe that you build will have the necessary code built in to ask the OS for elevated privilege.
In windows 7, we can go to the properties of the file or an application exe file and then "Compatibility" tab. Then check the "Run this program as an administrator".
It will force the application to be executed under the administrator privilege.
I used this and my problem was solved.

Resources