I want to execute ExecWait in NSIS with admin privileges, I was unable to find any documentation on this issue.
Generally I would recommend that the whole installer should run elevated in a case like this, it makes it clear to the user up-front that elevation is required.
If you cannot do this then you should make sure that the program you want to run requests administrator rights. For this to work you need to launch the program with ExecShell.
If that program does not requests administrator rights you basically have two options:
Use ExecShell with the "runas" verb and hope for the best (Fails if the user is not a member of the administrators group, UAC is off or on < Vista)
Write a small launcher application that requests administrator rights and then launches the real program.
Related
I currently have a huge number of VBS Scripts which are, when doubleclicked in Windows Explorer, run by wscript.exe. These scripts need to be run in UAC elevated mode, i.e. doubleclicking by default will not work.
One solution for this would be to alter all the scripts, and make the scripts run themselves elevated, this solution can be found on many places, but Altering all the scripts is a tedious work.
So I am currently thinking of another solution to alter the default Shell Extension behaviour in Windows 10, so that wscript.exe will always be started elevated wenn a vbs script is doubleclicked in Windows Explorer. The problem is that I currently cannot find any commandline option that I can pass to wscript.exe to run it elevated.
Is there any solution available to call wscript.exe always in elevated mode? The scenario that should work is that a user can doubleclick the .vbs-file in Windows Explorer, and then automatically be prompted with the UAC-elevation dialog (if configured in Windows)
You can use Task Scheduler to run your script as an administrator without having to go through User Account Control (UAC) every time.
You can run scripts as administrator with the runas verb, but the user must have admin rights on the machine to do so.
You could store admin credentials in the script, but it would be plain text and not secure.
Run elevated commands only work on machines where you have local admin privileges. Other non admins can't use the script.
Firstly I want to emphasize that I'm not trying to do anything "nasty" or "hackerish", nor am I trying to hide anything from user here.
During installations (using InstallShield LE) of my application user is prompted by Windows UAC to allow it to run in Administrator mode; If user accepts it - installation continues (standard behavior) and user again can check the option to add this program to autorun list (by adding a registry key to HKLM/../Run). All is fine and normal. But after every Windows restart, when this application starts, UAC kicks in and asks for user permission. Question is, how to avoid it, since it's a bit annoying (yet my app needs Administrator privileges to run)?
I mean user already granted such permissions on installation, so I cannot see a reason why it needs to be prompted on every startup? Moreover, I believe most antivirus software and such, also require elevated permissions to operate, but UAC doesn't prompt for it at Windows Startup.
Thank you for any advises, information, comments or solutions.
Does your application really need to start elevated? Or will it need to elevated access later when the user uses it to perform an action? If you can, drop the later admin task into a separate exe, allowing the main exe to start with no elevation - when you shellexecute the worker process later it will UAC on demand.
At install time, as you have noted, you have elevated the installer. If you want to run elevated code on subsequent runs, automatically, this is the point to install a service - which is what all those other apps you mentioned do.
You can't get around UAC for a process started in an interactive session. You could use a service running as a privileged user but you would be far better off finding a way to do whatever you do without requiring admin rights.
It's not possible for a program to run elevated without prompting. What you want to do is factor those portions of your application that need elevation into a windows service that runs as system. Then your autostarting application can make remoting calls to the service to delgate those activities that the user can't do without elevating.
Not done it but I found this article Selectively disable UAC for your trusted Vista applications that says use 'Application Compatibility Toolkit' from microsoft.
The Compatibility Administrator allows you to create a database of
compatibility fixes that will allow you to run certain applications
without an accompanying UAC.
Run the Compatibility Administrator as admin
select a new database template
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard ... enter details about your app
Select a Compatibility Level
Select RunAsInvoker as the fix
It seems that the last one
Selecting the RunAsInvoker option will allow the application to launch
without requiring the UAC prompt.
Should do what you want provided that the invoker is admin and I think you can do this at start up using the scheduler : Create Administrator Mode Shortcuts Without UAC Prompts in Windows 7 or Vista
As you can see it runs your app in the compatibility mode which may or may not be acceptable for you.
I have written a WPF application.
When it is installed on client machines, they are prompted for a username and password so that they have administrator privileges to use the application.
I need administrator privileges because my application opens ports and writes files to the file system.
Is it possible to allow any user to run the application without being prompted for an administrator username and password and to elevate the application to run with administrator privleges?
Thanks
When your app is installed, it will prompt for admin rights if the installation program has been marked for admin execution. This is normally only required if you want to install to a location available to multiple users, such as within the Program Files folder hierarchy. An MSI will raise a UAC prompt by default, but it's easy to make an MSI with WIX that doesn't raise a UAC prompt.
When your app is run (by a user without admin rights), it will ask for admin rights if the app itself has been marked for admin execution. This is partly under your control, but can overridden by users on the client machine.
An app that writes to file system folders doesn't require admin rights as long as the user running the app has permission to those folders. Generally you can make this work by writing to a location that's accessible to each user.
However, I believe that opening a port does need admin rights if the app is doing anything more than querying statistical information.
If your app does need admin rights to run, and you don't want your non-admin users to see a UAC prompt during program execution, then I suggest you divide your app into 2 parts.
The first part is a Windows service that runs under a privileged user such as LocalSystem and is configured to interact with desktop programs. This service does all of the admin-related tasks, and will need to be setup by an installer that requests admin rights.
The second part is the WPF program that doesn't do anything privileged. If you mark this WPF program as not needing elevation, your end-users will never see a UAC prompt when running it, because all the privileged work is being done by a service that's always running.
Goal:
It sounds a little bit odd, but I have to prevent that a software starts with administrative rights.
Problem:
I have a setup tool that installs the software very well. After completion the setup starts the software itself. Because the setup tool runs with administrative rights, the software that will be startet automatically after the setup does the same.
But all Settings that the program need, won't be written/read correctly that time, because due to the UAC virtualization, the config directory is different to the config directory the user would have without administrative rights.
Question:
Is there any way to downgrade from admnistrative rights to user rights, if the parent process owns administrative rights. App.config? StartParameter? or something else
Info: I'm using the INNOSETUP to build the setup tool.
Thx for your help
Just set runasoriginaluser flag for running application.
Yes, you can start a process non-elevated, however I'm not sure how this integrates with InnoSetup. The instructions are How do I start a program as the desktop user from an elevated app.
Consider marking your application with appropriate manifest to suppress UAC virtualization, it will then use the same directories in both cases: non-elevated and elevated. And better use directories in user's profile without relying on virtualization.
I have an app that normal users need to be able to run, but requires administrator privileges to actually function.
I tried to make the shortcut that my users run it with "Run as administrator" but this just causes a UAC prompt whenever they try to run the app.
Is there any way to elevate privileges programatically, without my users needing to go through a UAC prompt and/or knowing an administrator password? From a security standpoint, I understand that most applications shouldn't be allowed to do this, so I'm hoping there is some way to do it if I can provide a valid username/password pair, or something.
The app is written in C#, so a fully managed solution would be preferred, but p/Invoke Black Magic (or even writing an MC++ Wrapper Which We Do Not Speak About) would be more acceptable than disabling UAC entirely.
Generally this problem solved by installing a Windows Service which runs as SYSTEM or an admin account. Then your application can request the privileged action from this service.
Obviously to not pose a security threat ensure that your service can't run arbitrary code or something which might leave the all users vulnerable to privilege escalation attacks.
Winpcap and most of the other sniffing applications use a similar design to give sniffing access to unprivileged users.
Actually, why don't you just create a Task Schedule which runs the app with elevated privileges? As long as you setup the Task under elevation, it will not prompts you for a UAC when it is auto-run during reboot or whatever your trigger is.
Just make sure you set level=requireElevation in your manifest file, and task scheduler will run your app with admin rights without prompting your user for admin rights, as this had already been established when you setup the task with admin privileges.
It's not possible. You cannot decide to suppress UAC prompt.
You have to ask yourself:
What would happen on Windows XP?
The user is a standard user on Windows XP, and the application "needs" to run as an administrator. Are you:
going to refuse to run?
going to crash on startup?
going to show the user access denied error messages?
If the user is simply not allowed to run the application as a standard user on Windows XP, then UAC is your friend: it tells the user that they have to be an administrator.
And it even offers to let them (temporarily) gain administrative privileges.
But you have to ask yourself:
What would happen on Windows Vista?
In order to elevate, the user will need someone from IT to walk from three buildings over, so they can type in their credentials "over the shoulder". Perhaps you can make the user's life easier. Let 99.9% of the application run, and split off that 0.01% to an "administrative" module.