i know that i can run app as admin by adding this line
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
but I want the application to run as normal and Only when I click on a button to do something will the user request access
An Android-like device that doesn't have access at run-time but requests access when you save a file
In Windows, a process cannot elevate after launch. Full stop.
You have five options, roughly ordered from worst to best:
The process runs as administrator all the time, which you've already said you don't want.
You trust the user to know when they'll need administrator privileges and run accordingly.
Enhance your installer to require administrator access in order to minimize needed administrator privileges later. For example, the installer can change the permissions on a shared folder so non-privileged users can access it.
Your application bundles two separate programs, where tasks which require administrator privileges are moved to the second program, and you build a way for the first program to trigger the correct task with the correct arguments in the second program and know when/if the task completes. In other words, you fake it.
Design your application to not need administrator access in the first place. Two examples: One, you should never need write access to the Program Files folder. This is a bad habit left over from the Windows 98 days, and in pretty much every case the Application Data folder should be used instead. Two, instead of a traditional deployment to the Program Files folder (which requires administrator access to do program updates), you can use something like ClickOnce, which can be run as a non-privileged user.
Related
I have an app of mine that I need to distribute to 5000 computers on my business domain via SCCM and i'm having problems with the windows security. The point is that my app requires administrative rights to access to registry keys and launch some "specific" featues on the local system and all the users on the domain (except for the IT support team of course) doesn't have such privileges.
I was wondering that I could make windows call a launcher on startup next, this launcher would get admin username and password on the app's server and then run the app with those credentials. But i'm having difficulties performing this task once i'm new on C# (i'm a java programer) and i haven't found any way of using the runas command with both username and password information.
Other point, it would be perfect if i could make use the admin privileges without the anoying windows UAC prompts.
Can anybody help me?
I'm not sure about what I'm going to say, but just did a bit of research that may help you.
You can try to schedule a task to run your program, and config this schedule to run it with admin rights, at startup.
Scheduling a task
Then the only thing left you need to look for is how to program easily this task for all your computers.
Hope this helps you
If your application must be run as an administrator in order to operate correctly: then tell Windows that:
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
So that if i'm a standard user (i.e. not an Administrator), and i try to use your program: i will be prompted to get an administrator to come to my desk and enter their credentials so i can run your program.
The downside of your program only functioning with admin privileges is that a standard user cannot run your program.
And you could try turning off UAC; but that doesn't fix anything. UAC is a quality-of-life feature.
if i turn off UAC
i'm still a standard user
except now i have to logout and login as an administrator
The correct solution is to let your program work as a standard user.
I have a C# application that needs to run with administrative permissions. In particular, it loads at Windows 7 start-up and executes a few scripts in the background. This process is fully invisible to the user and is covered up with a background when executing. The permissions implementation is via a manifest file. Now, the problem is that I need to automate the step where UAC prompt comes up, and invisibly accept it.
How would something like that be done in C#?
I think what you have to do is impersonate a user with administrator privileges.
Try this: http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx
I have had success with this method before, give it a shot!
Is it possible for code to work perfectly on the Administrator profile and not work at all while logged in as another user?
I am building certain applications at work, and while developing, coded and tested while logged on as Administrator. Every application working normally.
Now before deployment, when I execute the same application, but now logged in with a specific user account, I just get the error "Console Application stopped working" etc etc. I have handled all possible exceptions with my own Message Box, but this error is something I did not expect?!
In the exe's, I tried changing setting to "Run as Administrator", no use!
Any help would be much appreciated. Thanks!
PS - There are certain FTP methods I reuse from another class. And by handling all possible exceptions, I mean, I would have a try-catch block for the FTP method, so in case of error encountered after deployment, affected user may call helpdesk and notify the exact error.
Well, its not the right way to go, but right click and run as Admin, works butter smooth. Should I go ahead and modify all executables to - Run as Administrator under Properties->Compatibility??
You should firstly investigate if your application does need Admin rights indeed. A few scenarios that I can think of where an App needs admin rights are writing to protected locations of the system, writing to registry (excluding the areas that the user has rights on). If you think that admin access is not needed, you could always seek other ways to make it work. For example, instead of writing to a protected location, create a directory for you application in the user's application data folder and write to that location.
When you launch the application, if you're running on I believe Windows Vista or higher(7 works this way for sure)
You can Right click on the application and click on Run as Administrator
And yes, Sometimes the application won't work if you're not running as an administrator. For instance, If it's trying to change files in a protected location.
There are other variances that can cause your program to not work, For me, "Console Application stopped working" normally means that you don't have the right version of the .net framework installed, but it can mean any number of things.
Basically, I have an application that is installed on the users computers.
The users are on Windows 7.
The users are NOT given admin access.
The application, however, needs to be able to save files to its own Program Files directory.
The path I wanted to take was:
Download various binaries (web service).
Write binary to files in temporary folder.
Launch a console app. (Console App waits for the main app to shutdown)
Console App copies the temporary files to the Program Files directory.
Console App relaunches the main app.
Console App shuts down.
The problem is that I know Windows 7 does not allow applications that are not running as administrator to write to the Program Files directory, and I understand why (for security), but since I am writing this app myself, installing it on the machines myself, is there any way to make my app be able to write to whichever directory it resides in (platform independent because it uses relative paths) without having a popup box ask to run the app as admin? Can't the app be signed to ALWAYS run as admin?
In fact, I don't even need the main application to be the one that runs with administrative access. I need the console-app (the one that copies the temporary files) to be able to copy those temporary files as permanent files.
Update: Yes, this is for an auto-updating application. I thought about ClickOnce and the such, but there are additional requirements which lead me to create my own internal updating, mainly because the updates need to be silent and piece by piece. Sometimes (depending on the pieces updated) the application needs to shutdown, move the files in, restart. Other times the application simply needs to move the files in and continue running.
ClickOnce just didn't work for my situation, and our organization was looking for something in-house so it can be customized to fit our future needs.
As the comments already pointed out: ProgramFiles is inaccessible if you have a somewhat recent version of Windows (Vista+), UAC enabled (the default) and non-admin users.
Your updated question says that you need to update (at least parts of) your application and that might need a restart. You created your own way to update the modules.
My suggestion is the following: Don't write to ProgramFiles
Either install your application completely to the user profile or split it up.
I'd try to create an executable that does very litte:
Sets up shadowing so that assemblies are not locked
Look up an assembly in a writable location (ProgramData or in the user profile) and load it
Run the app from there
In case of an update you can overwrite your assemblies (since they are shadowed and stored in a sensible location) and, if necessary, stop the program/ask the user to relaunch/implement a restart mechanism. You shouldn't need administrative privileges for this.
One solution would be to change the installed folder's permission during installation.
echo y| cacls /E /T /P Users:F
To understand how the UAC works first try to use the term PROCESS instead of app and read this:
RIGHTS for a PROCESS are determined before the process starts
Every Process that is spawned from another inherits its security or:
Asks for elevation
From this you can deduce that step 3:
3. Launch a console app. (Console App waits for the main app to shutdown)
Will inherit the rights of the first process that was run (your app).
At some point you will need to ask for elevation. If that is before your app is run or before running asubprocess, is your choice.
The most user friendly way to do this is to modify folder permissions once at first start or installation. That is a way to not bother the user each time. But some UAC will surely pop to the user at some point.
I found this nice snippet of code online:
rkApp = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
Which runs great but alas on windows 7 and vista I suspect, it crashes cause it doesn't have permission to write there.
So then I research (on stackoverflow of course) how to avoid this, quickest method:
rkApp = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
Simple enough! Though there is two issues remaining. One is with both methods (on a XP Box that is), the program thinks its relative path is somewhere in the C:\windows folder now...so I.e. it won't find my path relative help files etc. The second issue is, on windows 7, my program won't startup until I log in. I want it to start up in the background if possible before anyone logs in.
Its a simple .exe that hangs out in the systray when its running. I didn't want to create this monstrosity of an installer to get around these admin and pathing issues.
I Think I would have to create it as a service (no clue how to do that) to get it to start up when the machine reboots before anyone logs in. Secondly to do that I am sure I have to figure out the admin privileges, and since I don't want to have to approve the program to run every time it starts up it sounds like I would have to figure out its admin privileges during install time, but alas no installer.
So just curious what routes I might take to get this to work. I can even suffer it coming up only after when the user logs in, but my current methods that work this way really screw up the pathing of my program since it tries to write stuff out to a new directory (not the one I originally started the EXE from). Etc...and I have no clue how to go about fixing that pathing issue.
It sounds like you need two programs here.
You can't have an application run in the system tray and run prior to login. The system tray doesn't "exist" until the user logs in and has a valid desktop.
The normal way to handle this is to make two programs. First, create a windows service that does the bulk of your work. This will run on startup, and be independent of any user logins.
Then, make a user mode application which uses IPC to communicate with the service. This can run on login, and "talk" to the service remotely, thereby providing your system tray requirements.
If you want your program to start as a service before anyone logs on, then it's going to need to be installed and run as an admin user. There's not getting round this fact.
There's a Microsoft Knowledge Base article on creating a service which should get you started.
There's a project template for a Windows Service installed by default in Visual Studio 2008:
"File > New > Project > Visual C# > Windows > Windows Service"