I have a c# project, and I have to save some critical files in the Application directory in the C:\
then I need to use these files while my APP is running.
When I made the Setup project, I couldn't run my app unless I run it as administrator privilege.
So how can I solve this problem I don't need each time of run a message like this appear.
any idea?
If your app needs admin privilege to run, then it will need elevation to admin privilege at some point. The normal way to do this is embed an elevation manifest, your build tool probably has (in the linker) a UAC setting for requireAdministrator. This is the way everything works - elevation to administrator privilege requires user consent, and elevation dialogs are normal when an app starts. The alternative is to save files in some other location that doesn't require admin privilege. If you need to do that saving of files rarely, then do it an another program that you start and it will ask for elevation, then your app isn't asking every time it runs.
I wouldn't make the C drive available to limited users - that allows access of limited users to everything.
Related
I am developing a windows application in .Net C#. The application is using some third party drivers which requires admin rights for it's execution. I know we can use app manifest and provide the required privilege there, but it prompts UAC everytime when user runs the application which is annoying for the user. So, Is there any other way so that we can run the application without prompting the user or it only prompts once and when user runs the application next time it should run with admin rights.
Thanks
This task can be delegated to a shortcut to an executable file in the properties of which the "Run as Administrator" flag is set.
Learn more about programmatic process privilege elevation here.
P. S. Applications that can run themselves as admin without asking administrator rights exists and are called rootkits, backdoors or trojans. Such programs are malicious. Writing them is a tricky and sometimes illegal.
I have a C# application that is used to capture users screen, this application will be installed using an installer that requires administrator permissions. the application itself needs an active user session but doesn't display any UI elements of its own. My question how to make sure that the application is running whenever a user logs in? and how to make sure that no user (with no admin permission) can close the application?
The application should run on windows XP, 7, 8.
You can install the application so that it starts with every start of windows. You can use the registry for that or the (default user) startup folder.
An user without admin rights will not be able to kill an application that is not his, so if you start the application using i.e. the local system account, he won't be able to kill it. He will not even be able to see it, because the function "show processes from all users" in task manager is limited to users with admin permissions.
Disclaimer: Be aware that under certain legislations, it might be illegal to install such an application in a company network without the users knowing about it.
Use the Task Scheduler. It can launch apps at user logon with elevated privileges. Otherwise if it does not have to be a foreground App use a Windows service.
How does Chromeframe install without admin privileges?
If I wanted to create a BHO in C#, would it be possible to follow the same process?
If I understand correctly, I need to save the DLL on the client, I then also have to add a registry key to register the DLL as a BHO. How does chrome-frame do this in a restricted environment?
Chrome Frame is writing to the current user (HKCU) registry hive (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions), not the local machine (HKLM). You do not need administrative permissions to write to the current user hive.
Secondly, Google puts the DLL somewhere in %APPDATA% (like the Chrome Browser itself), not Program Files, which also does not require Administrative permissions.
The sum it up, Chrome Frame is just being installed into places that do not require elevated permissions to access, and yes, you can do it too.
As Serge pointed out in the comment below, this also means that the BHO must be installed for every user that wants to use it, which to me, is a good thing.
I am trying to create a program similar to Folder Lock which prevents users from accessing a particular folder. I tried using DirectorySecurity class and AccessRules to change the AccessControl for folders.
However, the settings which i assign can easily be changed by going to "Security Tab" and changing the permissions.
Is there any secure way of preventing access to directories ?
I think my answer to this question: "How could I prevent a folder from being created using a windows service?" is probably what you'd need to do to achieve what you want:
Unfortunately I don't know anywhere
near enough about the how to help you,
but I'm fairly sure that you'll need
to either write or obtain a File
System Filter Driver that can
communicate with your windows service
to tell it that someone has attempted
to create a directory/file so that
your service can make a decision for
it. This way when someone/something
attempts to create a file or folder
that's not allowed they could be
returned "Access Denied" or another
Win32 error of your choice.
If you did go down the route of using
a driver, I'd guess it'd still be best
to do the heavy lifting of deciding if
the creation/modification in the
service, i.e. outside of Kernel mode.
As long as a user is the owner of directories or files, he can change the permissions. You'd have to change the ownership of the directories in order to really secure the directories (and making this change of ownership requires administrative rights).
But a user with administrator right can always take the ownership back.
If you are in an enterprise and people are not admins of their machines, you could write a Windows service that runs as domain admin and makes the needed changes. In a home environment, there's no way.
There are 2 things which can overrule the rights of a local administrator.
The domain policy (but your pc has to be a member of a domain)
A process running under SYSTEM privileges (drivers for example), this is the way virus scanners and rootkits work, they analyse your file system request before the results reached the user, and intercept it if deemed necessary.
But the second option you can't do with c#, and the first option is more a Active Directory configuration solution.
No, you can't prevent the computers administrator account from accessing or taking ownership of any folder.
You can prevent restricted accounts (as you have described), but the administrator will always be able to change the security settings.
I have what the UAC Development Guides refer to as a "Administrative Choice Application." If you're familiar with what this is skip to the next section.
Background:
I want to let a "Standard" user have the ability to select/deselect a Run On Startup option in the preferences for my application.
Since my application is per machine (not per user), what needs to happen is it will either need to Delete or Copy a shortcut file into the Start Menu/Programs/Startup folder which will require administrative access to perform this operation.
So, what i'd like is for the "User Account Control credential prompt" to appear and that way if the user has an admin account also they can put in the credentials. This is apparently how applications are supposed to be designed to keep the user from having to switch to another account each time they need to do something administrative.
Excerpt from MSDN documentation:
An Administrative Choice Application
An Elevated Process or COM Object
The initial application launches without requiring elevation. Those items in the user interface that would require an administrative access token are decorated with a shield icon as identification. This decoration indicates to the user that using that feature will require administrator approval. When the application detects that one of these buttons has been selected, it has the following two choices.
The application launches a second program using ShellExecute() to perform the administrative task. This second program would be marked with a requestedExecutionLevel of requireAdministrator, thus causing the user to be prompted for approval. This second program would be running with a full administrative access token and would be able to perform the desired task.
-OR-
The application launches a COM object using CreateElevatedComObject(). This API would launch the COM object with a full administrative access token following approval and this COM object would be able to perform the desired task.
I just need to copy a file... seems excessive to fork a new process using ShellExecute() and I don't know enough about COM to know if I could use it to copy a file. I am hoping someone can post some code which provides a way to copy the file and ideally also explain how to decorate a MenuItem with the "sheild decorator".
Notes:
I have looked at the UAC Demo provided by microsoft which is referenced in several StackOverflow posts such as (Request Windows Vista UAC elevation if path is protected?) on topics related to permissions. The code only has an example of the calling a separate process.
Though it still appears to involve at least restarting or spawning a process, you can find some help here:
UAC Shield for Elevation at CodeProject.com
I ended up going in a different direction. I had my installer create a startup shortcut in the All Users/Startup folder that passes an argument to the application "startup".
When the application started I would check for the existence of the arg[0].equals("startup") and then check if Settings1.Default.RunOnStartup == true.
If both conditions were true I'd exit the application immediately. When the application is started without that argument (ie the Start Menu Program Group), the application loaded normally.
The RunOnStartup setting is a user scoped setting so each user can change without effecting others.