How to implement custom UAC privilege UI? - windows-7

When deleting a file in Windows Explorer (Windows 7), if admin privileges are required to delete the file, this dialog is displayed:
Is there a way to achieve this kind of effect in my app?
Currently I am launching a process 'as administrator' to perform the same sort of action (replacing a file rather than deleting it), so the user is shown the generic UAC dialog, asking:
"Do you want to allow the following program to make changes to this computer?"
Is the kind of helpful UI shown by Explorer (as opposed to the generic UAC dialog) possible in a 3rd party app?
I'm guessing no, since it would allow 3rd parties to elevate privileges in a sneaky way.

Use Button_SetElevationRequiredState to add the shield to the button. When the user pushes the button, use the COM elevation moniker to create the helper object.

The default setting on Windows 7 is for most system components to not show the UAC dialog.
If you change your setting to always prompt, you will see that clicking Continue in the Explorer dialog would create the normal UAC prompt.
As a non-system binary, your code would always prompt except at the most lenient UAC setting (never prompt.)

Related

is there any option in windows registry that i can always run a program as admin without UAC and admin password

i am developing a desktop application.
how can i make it to always run as admin for non-admin user without UAC and admin password by making change in windows registry.
windows change registry option would be preferred but if there is any other option please tell.
any help will be appreciated
thanks
There is no such feature. The point of UAC is to ensure the user is aware that the program being started will have access to admin privileges. If there were a way to turn that off, then malware would do it.
The user can disable the UAC prompts via a control panel setting, but not for a particular program.
If your program always requires admin privileges to do what it needs to do, you should have an entry in its manifest. Modern versions of Visual Studio have options in the project settings for the executable for setting common items like this in the manifest automatically.

Is there a way to install software that prompts for privilege escalation(UAC) programmatically?

Basically I either need to Click the UAC button with my program(which i don't believe is possible) or somehow make it so I don't need to click the button to install the software. I will also need to click buttons during the install with my program but I know how to do that. I am only concerned with the UAC things.
One way or the other, the user is going to have to click that button to give you permission to proceed. That's the whole point of UAC, if there were a way to work around it, it would serve absolutely no purpose.
You can either ask for permission sooner (at the beginning of your installation) or later (at the point in the installation when the privileges are first actually required), but you have to do it one of those times.
The standard course of action is to embed a manifest in your application that indicates you require administrative privileges. The applicable line looks like this:
<requestedExecutionLevel level="requireAdministrator" />
Alternatively, you could choose to rely on UAC's "Installer Detection" functionality:
The first application compatibility technology that is part of UAC is called Installer Detection. Because most installers write binaries to the Program Files directory, they overwhelmingly need administrator privileges. Installer Detection is designed to scan the name and the resources of the EXE to determine whether an application is an installer. For example, an executable would be marked as an installer if the executable name or description contained the strings "install" or "setup". So an application named setup.exe, without an application manifest, would trigger a UAC elevation if launched by a token without administrator privileges.
Clicking buttons during your install isn't a very good idea, either. If this is an installer that you're writing, code in some "silent install" flags that you can specify when executing the installer app. If this is a third-party installer that you're using, check the documentation; chances are such flags already exist. The point of these flags is that interactive UI is not displayed at all during setup, meaning that no one has to bother clicking any buttons (which is very hard to get right).
you can install your program in the user's home directory or any other directories which is writable without administrator privilege.
if you're writing an installer wrapper, you can ask for UAC on the wrapper and the wrapper can start the real installer(s) with administrator privilege. Most installers also provides command line options for unattended installations, so you might want to check those instead of scripting button clicks.
You can't click button on UAC consent dialog.
Your other options depend on what you really try to achieve. So give us more details on the your task: there could be better design choices than clicking installer buttons from an application.
To avoid UAC, you can install a service which will start the installation. But user has to consent when you install the service.

Stop CMD from always opening with administrator privileges

No matter how I open it, cmd.exe always opens with admin privileges. How can I open it without? Is there some registry setting missing? Even if I open it directly from the run dialog or by double clicking in the system32 folder it still opens with admin privs.
Thanks.
Found out I was missing a registry key. In HKEY_CLASSES_ROOT\Directory\shell\cmd I was missing the String Value "Extended". Added this back in and restarted the machine got rid of the defaulting to admin privileges.
EDIT: I had UAC turned off for my profile (to stop incessant "are you sure you want to open this .exe" warnings), and turning that back on has stopped cmd always running with greater privileges.
After some unclear actions (switch UAC on/off ?) I ended up in the same situation as described above:
Cmd.exe always starts in Adminstration mode.
Linking in VS failed with the message:
Project : error PRJ0003 : Error spawning 'C:\windows\system32\cmd.exe'.
The Properties | Compatibility tab is greyed out, so switching this off seems impossible (Compatibility modes cannot be set on this program because it is part of this version of Windows).
To recover from this situation you have to edit the registry to remove the RUNASADMIN preferences that is associated with cmd.exe.
The 'RUNASADMIN' preference is stored in these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Delete the values named c:\windows\system32\cmd.exe and you are back in business !
Kees
Right click on the cmd.exe, select properties and check the compatibility tab. Is the Run this program as an administrator checkbox checked?
This is only happening because you're logged in as a user with administrative privileges.
Since doing so defeats the entire Windows security model, you shouldn't be doing that in the first place. Create a standard user account and log in with that, instead. The command prompt should then not open with administrative privileges since you don't have administrative privileges.
If, as a standard user, you need to open a command prompt with administrative privileges, you'll need to right-click on the shortcut and select the "Run as Administrator" option (just look for the UAC shield). You'll need to provide sufficient credentials to authenticate yourself as an administrator, and then you'll have the authority to wreak whatever havoc you wish.
Found a way to run as a specific user even when UAC is turned off from http://www.sevenforums.com/general-discussion/235987-run-cmd-exe-given-user-administrator-command-line.html
This is the way to start cmd.exe as any user. Replace "username" with the correct one:
cmd.exe> runas /user:username "cmd.exe"
Right click on the cmd shortcut, navigate to properties, select advanced options and uncheck the 'Run as admin' option.
Check this video for better understanding - https://www.youtube.com/watch?v=3Mxh5TNSIl8&list=PLg8CURsOKswrzPs9fMhnmdy9TP7AkOOX1&index=1

Sharing data between users with the Windows 7 registry

I have a program that was written on XP. What I've found out is that it doesn't work properly on Win7 because HLKM is no longer writable by non-admins.
Essentially, when you register the program, the licensing information is supposed to go into the registry. That information is valid for everyone on the computer, not just the one user, so I don't want to put it in HKCU. But any copy of the program needs to be able to edit that registry (even if it's a non-admin running it), because there are certain situations when it's going to go get updated license information from my web server (for example, if the registry data is lost or damaged, or if your current license is expired and it needs to see if we've applied an extension).
It's not horrible if it goes out to the web server for every unique user who starts up the program, but it causes some annoying issues, so I'd rather it continue to work the way it did in XP. Is there a way to store data in the registry and still have it shared under Win7, or am I going to have to start looking at storing an INI file on the drive?
Here is how I would architect it: your setup runs elevated and sets up the key. Then if their licensing gets corrupted or whatnot, you enable a button or menu item that has text like "fix license" or "update license". You put a shield on that button or menu item. When they click it, you launch a separate exe using ShellExecute. That exe has a manifest that requires elevation. It can then write to the protected area of the registry. The rest of the app can have a manifest with asInvoker.
If you want it to be completely invisible, either the whole app must always run elevated (annoying) or sometimes the app will just launch another exe that asks for elevation without warning - in which case the smart users will say no. A little less invisibility is a good thing imo.
Could you get the installer to make your particular area of the registry to be writeable by everyone? The installer will need to be run with elevated privileges anyway, I'd expect - so this would seem an ideal approach.

Install Shield 2009 - Shortcuts creation

Is it possible to create shortcuts in Install Shield 2009 based on user input?
In essnes, a shortcut will be created (on the desktop) only if the user (who runs the installation) wants to do so
We have a screen that prompts the user to create desktop and quicklaunch shortcuts.
The shortcuts are then each in individual components with a condition set to only install if the checkbox was selected.
You also should store this response in the registry somewhere, and read it back during a reconfigure, upgrade, repair, etc. Otherwise if the checkboxes were on by default and that screen does not display to the user, the condition will evaluate to true (because the default property is true) and although the shortcut was not initially installed, it will be created during the repair if the components condition is reevaluated.
I do something similar to Sacha, but I'm lazier. ;-)
I create a component for each desktop shortcut (I hate software that assumes it's allowed to dump shortcuts on my desktop); no file in the component. Then I assign each of these components to its own feature. Then I can use standard feature selection dialogs (which is built in automatically and used when the user selects a Custom installation) to let the user select the desktop shortcut features.
I don't see a lot of software installers offering to install optional shortcuts in the feature selection dialog, but it strikes me as a natural place to do it. More technical users may see this as mixing metaphors.
FWIW, I originally did this in an InstallScript/MSI project, and I've just done the exact same thing in a straight MSI project, and the technique works fine in both.
It's been a while since I've used installshield, my company is currently using WISE as an installer; however, it should be possible to do what you are asking.
In general installer terms you need to do the following:
Make a screen for your installer that presents the option to create the shortcut, this screen should have the prompt text and a checkbox.
There should be a mechanism for storing the response of the checkbox in an Installshield property.
During the execution phase, use the reponse to trigger the creation of the shortcut.
I don't know about the capabilities of Installshield 2009 for whether this can be done without editing the script itself.
I hope this helps.

Resources