I need to develop an application that will run on clients. The main focus is to let the application update another -specific- application and be able to monitor own defined states for clients. I'm considering something like a console application with TopShelf because it makes debug a lot easier. However... to install or update this specific application I must use a MSI. But if for example I create a process that executes msiexec the client/end user will be prompt with UAC. This is a big issue because clients should be updated unattended. And UAC must stay the way it is : highest level.
I've read a lot of questions/answer concerning UAC prompt... and to be honest I'm starting to doubt my own approach. I was not able to find any question that I could relate to.. so I would appreciate it if someone could give me some good advise, tips, references etc on a possible way to approach this issue.
Thanks in advance
Create a Task Scheduler job with the "Run with highest privileges" option checked.
You can easily create this job programatically, even using a XML configuration file.
This way the user is prompted to allow UAC only once (when first clicking an exe for example).
Related
I have developed an application which will run at system startup.
And it is working fine at system startup,i could see the application in System Configuration -> Startup.
All the applications shown at Startup can be enabled / disabled.
But my question : is it possible to make an application which cannot be disabled
at Startup ?
How are Startup properties controlled in registry?
The image shows an application which cannot be disabled at startup.
On Apply it gets enabled again.
This question seriously screwed-up my machine. I'll write it up as a cautionary tale so nobody will do the same stupid thing I did.
I didn't think the OP's claim that these checkboxes could be disabled was very credible. Never heard of anything like that, surely it would be widely abused if it were possible. Only way it could work is when he's logged-in as a regular user, that's trite, or by removing the modify permission on the registry value for the Admin group. So I decided to just try it, what could possibly go wrong?
Ran Regedit.exe, picked an entry I didn't care about anyway (Intel shovel-ware). Edit + Permissions, broke the inheritance chain first so I could control the permissions on each individual value. Unticked the Full Control option so only Read access remained.
That worked. Went to restore the permissions. And discovered something I didn't know before. These permissions do not apply to the values, they apply to the key. Obvious only in hind-sight, Regedit however does nothing to make this obvious. And I didn't just remove the modify right, I also removed the right to change the permissions again. On all the values.
Oh, horror. I have to fix this damage, somehow, it is going to bomb installers in the future. The only account that still has modify permission is the System account. I'll have to do something frightful at boot time, maybe write a service.
This is a bad, bad idea. If you have any idea how I can easily repair this then please post a comment.
EDIT: I got it back, of sorts, managed to regain control by changing the owner of the key from System to Administrators.
The Simple answer. You cannot.
However, you can hide your startup program from the user (MSConfig) and make it more difficult to disable. Take a look at activex startup method for more info
You can create/delete/list startup programs with wmic on the command line. For example if you wanted to get a list of all startup programs in html format you could run wmic startup list /format:htable > startup.html at the command prompt and then open the resulting file in a web browser. You can also get the table in CSV (wmic startup list /format:csv > startup.csv) or a variety of other formats. There are also the Create and Delete options for use. I'm sure you can use System.Diagnostics.Process.Start in VB.NET or C# with the appropriate arguments to accomplish your goal. Good Luck!
We are currently looking at modifying the update process for our application, there are many possible ways to do this however I will give a little background first. We are currently running a MVVM WPF / Silverlight application, which has a SQL Server 2008 R2 database running locally and online. We currently have an update process which checks online for an update and then launches an updater program to elevate the permissions ahead of running the MSI or MSP patch files to apply the update.
Unfortunately due to the setup of most of our clients we find that most users struggle with access rights as their local administrators aren't always available. This has led us to looking at alternative approaches.
Our ideal situation would be to have a process run silently in the background under a system user account, which would check the server periodically for updates. When an update was deemed to be available the current user should be informed that an update is available and asked if they wish to download it (There is also discussion of a silent download with a user clicking to run the update when ready). The process could then run a UI to show the downloads in progress, it would again be ideal if this was displayed in the notification area of the Toolbar. At the end of this process it should then run the MSI file under raised permissions to allow the user to update the software without Administrator privileges.
The initial install of the software would be performed by an administrator who would be made aware of this full automated update process.
So my question is:
What is the best practice approach to performing this kind of process?
What suggestions would you have for coding this, for example should we have an application or run the process off Tasks or Services?
Is there software specifically designed to solve this problem?
Is there a specific Windows account which is designed for such as purpose?
Any examples and Pros and Cons of different practices.
I realise this is a very vague question but I would prefer to follow a recommended approach as opposed to reinventing the wheel.
Thanks.
I might be off track here but why not make your application a Click Once application. That way every time your app starts it can check if there is a newer version and prompt the end user to install the updated version.
If there did happen to be a problem with a new version then the end user would be able to roll back to a previous version.
We have used this approach with several WPF applications to great effect.
We tend to publish to a folder on the development machine and then ftp to the public server.
i've created an setup project for a .net-application which works fine. The problem is, that the application begins to write log-files after startup and this requires administrative rights on windows vista and windows 7. I know there are some folders which i could use to write into without administrative rights. When i start the application as administrator, everything works fine.
I asked myself, if it's possible to change the setup project in visual studio in a way that the installed application automatically owns administrative rights on the target system?
Thanks for every help in advance!
Alex
You don't want to do this. If it needs rights to a particular directory, then create an account that has them (or modify the subdirectory's rights so that anyone can access it). But don't run as admin just for one feature. Also, look into whether there's another directory you could be writing to, which you already have rights to.
To answer your direct question, yes you can setup a launch condition for the setup project to require administrator, I believe this will take care of the proper escalation for you.
here is a thread with detailed instructions.
Now, to expand, I agree with Steven that you SHOULDN'T do this, at least not just to be able to write a log file.....
You could technically do this with a bad hack: The idea is to have the Setup program which runs elevated create a scheduled task that runs the program as admin.
Instead of directly creating a shortcut to your application, the setup creates an shortcut to execute this scheduled task.
See this as reference on how to do that manually: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/
You just need to find a way to create the task programatically from your setup.
On the other hand, I totally agree with Steven too. Try to do it the 'right' way and don't trick the Windows security. It's a good thing and working around it makes the system potentially unsecure, and you don't want to be the one compromising tht Security of others computers.
Okay I've spent the afternoon researching and haven't had much luck finding the answer to this. I am trying to prevent an application from launching via some sort of dll or background application. It is to be used in monitoring application usage and licenses at my institution. I have found leads here regarding WqlEventQuery and also FileSystemWatcher. Neither of these solutions appear to work for me because:
With WqlEventQuery I was only able to handle an event after the process was created. Using notepad as a test, notepad was visible and accessible to me before my logic closed it. I attempted to Suspend/Resume the thread (I know this is unsafe but I was testing/playing) but this just hung the window until my logic finished.
With FileSystemWatcher I was not able to get any events from launching a .exe, only creating, renaming and deleting files.
The goal here is to not let the application launch at all unless my logic allows it to launch. Is this possible? The next best solution I came up with was forcing some type of modal dialog which does not allow the user to interact with anything, once the dialog is closed the application is killed. My concern here is killing the application nicely and handling applications with high overhead when they load such as Photoshop or something. This would also interfere with a feature I was hoping to have where the user could enter a queue until a license is available. Is this my best route? Any other suggestions?
Thanks
edit: To clarify this is not a virus or anything malicious. It's not about preventing access to a blacklist or allowing access through a whitelist. The idea is to check a database on a case by case basis for certain applications and see if there is a license available for use. If there is, let the app launch, if not display a dialog letting the user know. We also will use this for monitoring and keeping track if we have enough licenses to meet demand, etc. An example of one of these apps is SPSS which have very expensive licenses but a very limited pool of people using it.
Could you use
System.Diagnostics.Process.GetProcessesByName
in a loop to look for the process?
It might work if you don't use too aggressive a polling rate.
You are indeed close, take a look at the WMI Management Events. http://msdn.microsoft.com/en-us/library/ms186151%28VS.80%29.aspx
Sample code from Microsoft: http://msdn.microsoft.com/en-us/library/ms257355(VS.80).aspx
Subscribing to the appropriate event will provide your application with the appropriate information to perform what you described.
Not sure if this is a GOOD solution but you could do something like pass a key into main so that if the key is not present or valid the application shuts down. Then when you open the application in your code, just pass the key in. Someone would then have to know the key in order to start the application.
This is assuming you have access to the application in question's source code, which upon reading your question again, I'm not so sure of.
I assume you don't have source for the application you want to prevent from loading...
Have you considered using a system policy? That would be the best-supported way to prevent a user from launching a program.
You could have a service running that force-kills any app that isn't "whitelisted", but I can't say how well that would work.
I wonder if you are taking the wrong approach. Back in the day there was a Mac app that would prevent access to the desktop and had buttons to launch a set list of applications.
IDEA
What if you had a wrapper for the approved apps then only allow your wrapper to run on the computer?
I would expect there is some way of hooking an application launch, but can't help directly on that front.
You may be able to improve your current approach by detecting the application's window opening and hiding it (move it offscreen) so that the user can't attempt to interact with it while you are trying to shut it down.
However, another approach that may be possible (depending on your circumstances) would be to write an application launcher. This simply is a replacement for the shortcut to the application that checks your licencing conditions, and then does a Process.Start to launch the real .exe at that point. This would work well for any application. (I used a system like this for starting up applications with specialised environment settings and it works beautifully)
You could combine this with your current approach as a fall-back for "clever" users who manage to circumvent your launcher.
If my understanding is right you want to create an application what will prevent the computer user to start any other process except ones for a white-list.
If this is the case, monitor the process list of processes (in a while loop) using System.Diagnostics.Process (the GetProcesses method gives the list of all running ones)
Just kill the process when it starts.
Or if your machines have Windows 7 (Windows 2008??) you can use AppLocker. http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#applocker Just let Windows prevent the startup.
You might want to look at this product: http://www.sassafras.com/licensing.html Personally I can't stand it, but that's because it does what you describe. Might save you some coding.
You could actually edit the registry so when you click a psd, your launcher gets called instead of photoshop. Your launcher then checks for licenses and if there is one starts photoshop with the path of the file.
This is a long shot but you may find it helpful.
Perceived Types and Application Registration
http://msdn.microsoft.com/en-us/library/cc144150(VS.85).aspx
I need my winform program to run as another user (it will run under task scheduler) and not the logged on user. I suspect the trouble is my app is gui based and not command line based (does this make a difference) so the gui needs to load do its thing and then close. Is this possibly under XP or Vista?
Thanks
Scheduled Tasks can be 'run as' a specified user, which can be different to the logged-in user.
You can specify this user when creating the task, or by editing the properties of an existing task.
If your app needs to run as a sheduled task then it can't really have a UI. As a bare minimum it should really be capable of being run via the command line.
The best approach would be to separate the UI from the actual processing so that the you can still run it interactively if required. This would also make testing your app a whole lot easier.
EDIT: Edited for typing and sense
I'd vote for the first option, or to provide an extra possibility: Use Impersonation in your code. Although it might be overkill/not fit your needs here.
Another way you could execute the program is to Programmatically change the user based on a config file or even a DB connection. One sample project is on Code Project:
http://www.codeproject.com/KB/cs/runas.aspx
Hope this helps.
You're looking for the Process.Start method. One of the overloads accepts a user name / password pair. The process will be created using those user credentials.
var app = Process.Start(#"c:\path\to\some\app.exe", userName, password, domainOrEmptyString);