I need to be able to programatically (from an installer program) install and run a windows service so that it will have elevated admin rights (the installer app has already elevated by this point), and also that it will restart at system startup with elevated rights. Is this possible?
You need to read up on OpenSCManager(), CreateService() and similar functions. Here's some sample code in C# that might get you started.
Cheers !
Related
I need to programmatically create a new Windows account for running a Windows service I recently developed.
Due to lack of sufficient privileges I cannot use any of the existing service accounts (LocalService, NetworkService and LocalSystem), so I have to create my own account during installation of my service.
Unfortunately, I have no idea on how to accomplish this from code (C#). However, I know that the steps I have to go through include:
Create the account
Deny account log on via console
Grant log on as a service.
Add the account to the local administrators group on the PC
My service must install and run on all Windows PC operating systems ranging from Windows XP SP3 and up.
Question: Which command line tools are available for this purpose (I can very well call those command line tools from code)?
Further, any relevant links, code snippets or scripts will be very much appreciated!
If you just want a single command you can probably do:
net user /ADD "newuser" "Pass phrase" /passwordchg:no
However I looked into 'grant logon as a service' in the past, and had to download an additional .exe from a Windows Server Resource Pack to do this. That may be a pain as you'll need to redistribute the .exe.
Unless someone suggests a better way which uses only built in .exes I'd try and do this with one of:
Powershell
VBscript
Firstly I want to emphasize that I'm not trying to do anything "nasty" or "hackerish", nor am I trying to hide anything from user here.
During installations (using InstallShield LE) of my application user is prompted by Windows UAC to allow it to run in Administrator mode; If user accepts it - installation continues (standard behavior) and user again can check the option to add this program to autorun list (by adding a registry key to HKLM/../Run). All is fine and normal. But after every Windows restart, when this application starts, UAC kicks in and asks for user permission. Question is, how to avoid it, since it's a bit annoying (yet my app needs Administrator privileges to run)?
I mean user already granted such permissions on installation, so I cannot see a reason why it needs to be prompted on every startup? Moreover, I believe most antivirus software and such, also require elevated permissions to operate, but UAC doesn't prompt for it at Windows Startup.
Thank you for any advises, information, comments or solutions.
Does your application really need to start elevated? Or will it need to elevated access later when the user uses it to perform an action? If you can, drop the later admin task into a separate exe, allowing the main exe to start with no elevation - when you shellexecute the worker process later it will UAC on demand.
At install time, as you have noted, you have elevated the installer. If you want to run elevated code on subsequent runs, automatically, this is the point to install a service - which is what all those other apps you mentioned do.
You can't get around UAC for a process started in an interactive session. You could use a service running as a privileged user but you would be far better off finding a way to do whatever you do without requiring admin rights.
It's not possible for a program to run elevated without prompting. What you want to do is factor those portions of your application that need elevation into a windows service that runs as system. Then your autostarting application can make remoting calls to the service to delgate those activities that the user can't do without elevating.
Not done it but I found this article Selectively disable UAC for your trusted Vista applications that says use 'Application Compatibility Toolkit' from microsoft.
The Compatibility Administrator allows you to create a database of
compatibility fixes that will allow you to run certain applications
without an accompanying UAC.
Run the Compatibility Administrator as admin
select a new database template
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard ... enter details about your app
Select a Compatibility Level
Select RunAsInvoker as the fix
It seems that the last one
Selecting the RunAsInvoker option will allow the application to launch
without requiring the UAC prompt.
Should do what you want provided that the invoker is admin and I think you can do this at start up using the scheduler : Create Administrator Mode Shortcuts Without UAC Prompts in Windows 7 or Vista
As you can see it runs your app in the compatibility mode which may or may not be acceptable for you.
I have written a WPF application.
When it is installed on client machines, they are prompted for a username and password so that they have administrator privileges to use the application.
I need administrator privileges because my application opens ports and writes files to the file system.
Is it possible to allow any user to run the application without being prompted for an administrator username and password and to elevate the application to run with administrator privleges?
Thanks
When your app is installed, it will prompt for admin rights if the installation program has been marked for admin execution. This is normally only required if you want to install to a location available to multiple users, such as within the Program Files folder hierarchy. An MSI will raise a UAC prompt by default, but it's easy to make an MSI with WIX that doesn't raise a UAC prompt.
When your app is run (by a user without admin rights), it will ask for admin rights if the app itself has been marked for admin execution. This is partly under your control, but can overridden by users on the client machine.
An app that writes to file system folders doesn't require admin rights as long as the user running the app has permission to those folders. Generally you can make this work by writing to a location that's accessible to each user.
However, I believe that opening a port does need admin rights if the app is doing anything more than querying statistical information.
If your app does need admin rights to run, and you don't want your non-admin users to see a UAC prompt during program execution, then I suggest you divide your app into 2 parts.
The first part is a Windows service that runs under a privileged user such as LocalSystem and is configured to interact with desktop programs. This service does all of the admin-related tasks, and will need to be setup by an installer that requests admin rights.
The second part is the WPF program that doesn't do anything privileged. If you mark this WPF program as not needing elevation, your end-users will never see a UAC prompt when running it, because all the privileged work is being done by a service that's always running.
Goal:
It sounds a little bit odd, but I have to prevent that a software starts with administrative rights.
Problem:
I have a setup tool that installs the software very well. After completion the setup starts the software itself. Because the setup tool runs with administrative rights, the software that will be startet automatically after the setup does the same.
But all Settings that the program need, won't be written/read correctly that time, because due to the UAC virtualization, the config directory is different to the config directory the user would have without administrative rights.
Question:
Is there any way to downgrade from admnistrative rights to user rights, if the parent process owns administrative rights. App.config? StartParameter? or something else
Info: I'm using the INNOSETUP to build the setup tool.
Thx for your help
Just set runasoriginaluser flag for running application.
Yes, you can start a process non-elevated, however I'm not sure how this integrates with InnoSetup. The instructions are How do I start a program as the desktop user from an elevated app.
Consider marking your application with appropriate manifest to suppress UAC virtualization, it will then use the same directories in both cases: non-elevated and elevated. And better use directories in user's profile without relying on virtualization.
i was making an installer for my app its working fine on xp but on vista the UAC is giving problem unless i do a run as administrator the Unexpected error appears when i run my app afters installation, any idea?
i am installing the application in C:\xfolder\x
There is nothing you can do. You MUST run the installer as administrator.
As for the application, you will also need to run it as administrator with elevated priviledges but thre are options to make it ask automatically for elevation via application manifest. You can do a search on stackoverflow.com because there are more post related to this issue.
Here is a link to a post that might help.
Here are a couple more usefull link on app manifest and UAC:
App Manifest (1)
App Manifest (2)
UAC technology.
They are in C# but then again translating to VB.net is like a walk in the park.
You can make a windows service. And put all operations that require elevated rights into that service. You install the service as SYSTEM account and you communicate with the client via .net remoting or any other way for vb6.
if your app exe is an active x exe then you will need to register all the ocx file using regsvr command and then register your exe with regsvr32 command, for an active class to be used in win vista it first must be registered. make a batch to do these registration.