tags:

views:

846

answers:

3
+2  Q: 

Vista: Can an EXE bypass user confirmation while invoking another EXE?

I have 2 applications written in Delphi. The first exe (with a user interface) calls another using ShellExecuteEx(), which runs as a background process.

When the first exe invokes the second, one of these two things happen:

  1. When I log in as an admin, a UAC dialog comes up with the Allow/Cancel prompts. Selecting Allow continues the execution.

  2. If I log in as non-admin, an admin credentials dialog box is displayed, and I need to enter the admin username/password to continue.

On both occasions, I want the second exe to run without any user intervention. How can I make it possible?

And yes, I tried applying the ElevateCreateProcess mitigation as suggested by SUA tool, but it doesn't seem to work - the behaviour is as before.

Thanks for your help.

+1  A: 

The first EXE needs to be launched with elevated privileges to invoke the second without a UAC prompt. Or...you can use a manifest for the second EXE telling Vista that it's not an admin tool and to just run as the current user.

Saved as Second.exe.manifest

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<!-- Vista UAC Support -->
<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
  <ms_asmv2:security>
 <ms_asmv2:requestedPrivileges>
   <ms_asmv2:requestedExecutionLevel level="asInvoker" />
 </ms_asmv2:requestedPrivileges>
  </ms_asmv2:security>
</ms_asmv2:trustInfo>
</assembly>
Paul Alexander  2009-06-18 17:33:01
Sorry, could you please tell me how I should do the first - to launch with elevated privileges?As for the second, I tried using a manifest, but it didn't seem to make any difference. Probably I was using the wrong values. I'll check that.Thanks for the quick response!
 2009-06-18 17:39:12
I didn't know that particular namespace (ms_asmv2) was required; I can build without it
Jason Watts  2009-06-18 17:39:20
To launch the first exe elevated, save the script as First.exe.manifest and change the level="asInvoker" to level="requireAdministrator"
Paul Alexander  2009-06-18 18:15:23
Thanks Paul. But when I say requireAdministrator, wouldn't that actually require the user to be an admin or, in case of a non-admin user, prompt for admin credentials? That seems to be what I'm trying to avoid. Should I have the execution level as requireAdministrator or as Jason suggests below, highestAvailable?
 2009-06-18 18:50:50
It depends on what you're actually trying to accomplish. If you're trying to perform admin actions (write to common files, change registy, etc.) the requireAdmin is the right thing. If you're not doing admin stuff and just touching areas of the computer that the user already has rights to then asInvoker is the correct method. highestAvailable never really works well - you should be explicit either user or admin rights.
Paul Alexander  2009-06-18 20:25:49
A: 

Yes, you'll need an application manifest that looks similar to this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>


    <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UacTest"   type="win32"/>   
       <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">   
       <security>  
          <requestedPrivileges>  
             <requestedExecutionLevel level="highestAvailable"/>    
          </requestedPrivileges>  
       </security>  
    </trustInfo>  
  </assembly>

Take note of the "requestedExecutionLevel" tag

Jason Watts  2009-06-18 17:33:46
Bear with me a little more. I understand the solutions suggested. But what puzzles me is if the CreateProcess API was flagged by SUA because it didn't have enough privileges, will a non-Admin user with "highestAvailable" execution level be able to execute the call without any elevation?
 2009-06-18 18:16:29
+1  A: 

What is the file name of your second file?

Vista assumes administrator privileges are needed for certain file names - most notably files with the name "setup" or "install" in them.

Also: If what you want is to be able to run a program with administrator privileges without having Vista throw a UAC prompt up, then you're out of luck. That would be a serious breach of security if that was possible.

Does your second program need administrator privileges?

What happens when you try to execute the second program directly from Explorer? A UAC prompt? If so, then Vista is trying to run it as Administrator, either because of the file name of the file, or because a manifest (internal or external) requests is.

HeartWare  2009-06-18 20:19:31
Note that it is true only if it is a GUI program. If such program is a console app (e.g. to register a service) the UAC prompt will fail miserably.
Marco van de Voort  2009-06-20 12:23:44

related questions

How do you implement Levenshtein distance in Delphi?
Reintroducing functions in Delphi
Does Delphi call inherited on overridden procedures if there is no explicit call
HelpInsight documentation in Delphi 2007
Is it possible to deploy a native Delphi application with ClickOnce
In Delphi 7, why can I assign a value to a const?
Best way to sort an array in delphi
What's the best Delphi book for a newbie?
Visual Studio equivalent to Delphi bookmarks
What's the idiomatic way to do async socket programming in Delphi?
64bit Memory allocation
Documenting Delphi
How to implement Type-safe COM enumerations in Delphi ?
TClientDataSet Aggregates specification aren't added automatically when creating an Aggregate field.
Multiple form Delphi applications and dialogs
Unit testing in Delphi - how are you doing it ?
How to keep track of the references to an object?
Delphi and COM: TLB and maintenance issues
Changing CURRENT save/default directory in Delphi 2007 without using Save-As
What is the best way to make a Delphi Application completely full screen ?
Are there any "mind mapping" components for Delphi? (native VCL preferably)
Delphi resources for existing .NET developer.
What is needed to get Delphi back on top?
Delphi MDI Application and the titlebar of the MDI Children
Can a windows dll retrieve its own filename?