I have 2 applications written in Delphi. The first exe (with a user interface) calls another using ShellExecuteEx(), which runs as a background process.

When the first exe invokes the second, one of these two things happens:

  1. When I log in as an admin, a UAC dialog comes up with the Allow/Cancel prompts. Selecting Allow continues the execution.

  2. If I log in as non-admin, an admin credentials dialog box is displayed, and I need to enter the admin username/password to continue.

On both occasions, I want the second exe to run without any user intervention. How can I make it possible?

And yes, I tried applying the ElevateCreateProcess mitigation as suggested by SUA tool, but it doesn't seem to work - the behaviour is as before.

Thanks for your help.

+1  A: 

The first EXE needs to be launched with elevated privileges to invoke the second without a UAC prompt. Or...you can use a manifest for the second EXE telling Vista that it's not an admin tool and to just run as the current user.

Saved as Second.exe.manifest

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<!-- Vista UAC Support -->
<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
  <ms_asmv2:security>
 <ms_asmv2:requestedPrivileges>
   <ms_asmv2:requestedExecutionLevel level="asInvoker" />
 </ms_asmv2:requestedPrivileges>
  </ms_asmv2:security>
</ms_asmv2:trustInfo>
</assembly>
Paul Alexander
Sorry, could you please tell me how I should do the first - to launch with elevated privileges? As for the second, I tried using a manifest, but it didn't seem to make any difference. Probably I was using the wrong values. I'll check that. Thanks for the quick response!
I didn't know that particular namespace (ms_asmv2) was required; I can build without it
Jason Watts
To launch the first exe elevated, save the script as First.exe.manifest and change the level="asInvoker" to level="requireAdministrator"
Paul Alexander
Thanks Paul. But when I say requireAdministrator, wouldn't that actually require the user to be an admin or, in case of a non-admin user, prompt for admin credentials? That seems to be what I'm trying to avoid. Should I have the execution level as requireAdministrator or as Jason suggests below, highestAvailable?
It depends on what you're actually trying to accomplish. If you're trying to perform admin actions (write to common files, change registry, etc.) the requireAdmin is the right thing. If you're not doing admin stuff and just touching areas of the computer that the user already has rights to then asInvoker is the correct method. highestAvailable never really works well - you should be explicit either user or admin rights.
Paul Alexander
A: 

Yes, you'll need an application manifest that looks similar to this

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- root element of every application manifest -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UacTest" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Take note of the "requestedExecutionLevel" tag

Jason Watts
Bear with me a little more. I understand the solutions suggested. But what puzzles me is if the CreateProcess API was flagged by SUA because it didn't have enough privileges, will a non-Admin user with "highestAvailable" execution level be able to execute the call without any elevation?
+1  A: 

What is the file name of your second file?

Vista assumes administrator privileges are needed for certain file names - most notably files with the name "setup" or "install" in them.

Also: If what you want is to be able to run a program with administrator privileges without having Vista throw a UAC prompt up, then you're out of luck. That would be a serious breach of security if that was possible.

Does your second program need administrator privileges?

What happens when you try to execute the second program directly from Explorer? A UAC prompt? If so, then Vista is trying to run it as Administrator, either because of the file name of the file, or because a manifest (internal or external) requests it.

HeartWare
Note that it is true only if it is a GUI program. If such program is a console app (e.g. to register a service) the UAC prompt will fail miserably.
Marco van de Voort
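The decision logic the answers above describe (Paul's point that only an already-elevated caller avoids the prompt, the three requestedExecutionLevel values, and HeartWare's file-name heuristic) can be written out as a small predictor. The following is an added example, not code from this thread or from Windows: it parses an external .manifest file like the ones posted above and predicts which UAC dialog a non-elevated launch would produce. The function names (execution_level, predict_launch) and the constructed manifests are my own; the "update" keyword is added to the "setup"/"install" names the answer mentions because Microsoft documents it as part of the same installer-detection heuristic. It is a model of the documented rules, not a call into the operating system, so local UAC policy settings can still change the real outcome.

```python
from typing import Optional
import xml.etree.ElementTree as ET

# Namespaces in which requestedExecutionLevel appears in the manifests posted
# in this thread (asm.v2 in the first answer, asm.v3 in the second).
_MANIFEST_NS = (
    "urn:schemas-microsoft-com:asm.v2",
    "urn:schemas-microsoft-com:asm.v3",
)

# File-name keywords that trigger installer detection for un-manifested
# executables ("setup"/"install" from the answer; "update" from Microsoft's docs).
_INSTALLER_KEYWORDS = ("setup", "install", "update")

# Constructed sample manifests (assumed, not taken from a real project).
ASINVOKER_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security><ms_asmv2:requestedPrivileges>
      <ms_asmv2:requestedExecutionLevel level="asInvoker"/>
    </ms_asmv2:requestedPrivileges></ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>"""

REQUIRE_ADMIN_MANIFEST = ASINVOKER_MANIFEST.replace("asInvoker", "requireAdministrator")

HIGHEST_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="highestAvailable"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""


def execution_level(manifest_xml: str) -> Optional[str]:
    """Return the requestedExecutionLevel value from a manifest, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for ns in _MANIFEST_NS:
        node = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if node is not None:
            return node.get("level")
    return None


def predict_launch(exe_name: str, manifest_xml: Optional[str],
                   caller_is_admin: bool, caller_elevated: bool = False) -> str:
    """Predict the UAC dialog shown when the caller starts exe_name.

    caller_is_admin: the interactive user is in Administrators (filtered token).
    caller_elevated: the calling process already runs with the full admin token.
    Returns 'no prompt', 'consent prompt' (Allow/Cancel) or 'credential prompt'.
    """
    level = execution_level(manifest_xml) if manifest_xml else None
    if level is None:
        # No manifest: Windows falls back to the installer-detection heuristic.
        wants_admin = any(k in exe_name.lower() for k in _INSTALLER_KEYWORDS)
    elif level == "asInvoker":
        wants_admin = False
    elif level == "requireAdministrator":
        wants_admin = True
    elif level == "highestAvailable":
        # Elevates only when there is an admin token to elevate to.
        wants_admin = caller_is_admin
    else:
        raise ValueError(f"unknown requestedExecutionLevel: {level!r}")

    if not wants_admin or caller_elevated:
        # An already-elevated parent passes its token on; no dialog appears.
        return "no prompt"
    return "consent prompt" if caller_is_admin else "credential prompt"


if __name__ == "__main__":
    for name, manifest in (("Second.exe", ASINVOKER_MANIFEST),
                           ("Second.exe", REQUIRE_ADMIN_MANIFEST),
                           ("setup.exe", None)):
        for admin in (True, False):
            print(name, "admin" if admin else "standard user",
                  "->", predict_launch(name, manifest, admin))
```

Run against the asker's situation: an asInvoker manifest on the second exe predicts "no prompt" for both account types, which is Paul's second option; a requireAdministrator manifest predicts the consent and credential dialogs the question describes unless the first exe is itself elevated (caller_elevated=True), which is Paul's first option.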