tags:

views:

281

answers:

2
+2  Q: 

Understanding UAC on windows vista / 7

I don't really understand windows UAC...

I need for my program to be able to update and add files to a specific directory belonging to a program. This directory may be a subdirectory of an application in Program Files, for example c:\Program Files\MyApp\Data or it may be installed elsewhere.

I believe that if it's under Program Files then my program will be prevented from writting there unless it is running as an administrator AND has elevated it's access rights. Is that correct?

I need to be able to update files in that directory preferable without invoking elevated privileges and with the main application still "protected", just allow access to that one directory. I can't move the Data folder elsewhere as this as it's a 3rd party application I need to interface with.

How is it determined that UAC is needed for folders in Program Files? Is Program Files special in some way or is just permissions? If I were to adjust the permissions on that Data subdirectory so that the user account running the program had write access would that allow my application to update files in that directory without special privileges?

Or is there a better way to achieve this that I'm not thinking of? My update program needs to be in java so getting elevated privileges is a pain. I imagine I'll need to write a C++ wrapper to run the java VM so that i can give that wrapper an appropriate manifest. Not impossible but I don't really want to have to do this.

+2  A: 

Try changing your application's directory security settings on-install to allow "Authenticated Users" write permissions.

DxCK  2009-11-28 09:20:25
And this will work? That was really my question, is "bypassing" UAC for one directory as simple as changing the permissions on that directory?
John Burton  2009-11-28 09:35:15
yes, adding write permission to "Authenticated Users" should work, at least it worked for me.
DxCK  2009-11-28 19:21:16
Thanks, it gives me options. I do feel uncomfortable about changing the permissions though even though I'm only going to change them to what they would be if the folder was in the correct location.
John Burton  2009-12-01 12:13:16
+1  A: 

Usually, when you need both protected and unprotected UAC modes you do the following.

  1. Create two executable (one should be the main one and not require privileges for any operation, the second one should be able to perform privileges operations).
  2. Start the first (main) one using limited privileges.
  3. When you need to perform an privileged operation, create a new process with administrative rights (will pop the UAC window) and start the second application in it.
  4. When done with the second application close it and you'll be back to limited mode.

This is how VMWare Workstation does when you change global settings.

Edit: Changing the permissions on a folder is not a good approach. Is just a dirty hack because anybody can write to that folder and this will just invalidate the role of UAC - after all this is the role of UAC: to prevent unprivileged changes in special folders.

Victor Hurdugaci  2009-11-28 09:53:29
I don't feel in this case it's a dirty hack particularly. The application should have been designed to put the Data directory in the user's documents area, not under it's own program files so by granting write access to it there I'm not giving any permissions that a *good* design wouldn't have given - it's just not a good thing to encourage... At least that's my understanding.The problem I have with 2 executables is that this program needs to be in java so it's not a simple thing to do.The points are good though so +1, just not quite sure I can easily do that
John Burton  2009-12-01 12:12:09
Accepted this as it's the correct answer I suppose even if it's not the answer I wanted :)
John Burton  2009-12-04 08:18:38

related questions

How to get the actual path of a file in Vista with UAC ?
MAPI, UAC & .NET
Why does my application allow me to save files to the Windows and System32 folders in Vista?
VS2008, IIS7 web project, non-admin. When?
UAC/VS/W2K8: Why does VS not launch with admin privleges when I am in the Administrators group?
What is the best way to specify whether InstallPrivileges is limited or elevated at the command line in WIX?
Mark MSI so it has to be run as elevated Administrator account
Application will not behave under UAC even though it requires no privileges
TortoiseSvn and Windows Server 2008 user account control.
Where can I write data to on Windows Vista using any account and be viewable from all other accounts?
Running as admin some times.
Preserve mapped drive letter information during UAC elevation
Vbscript detect whether UAC-elevated
UAC need for console application
Using SSPI (NTLM) Api's With Windows AccessCheck() On Vista With UAC
How to run NOT elevated in Vista (.NET)
Request UAC elevation from within a Python script?
When developing, do you turn off UAC in Vista?
How to UAC elevate a COM component with .NET
Can't attach to w3wp under Vista with UAC turned on
How can I detect if my process is running UAC-elevated or not?
How to detect whether Vista UAC is enabled?
Vista UAC, Access Elevation and .Net
How can I make a shortcut start in a different directory when running it as an administrator on Windows Vista?
Request Windows Vista UAC elevation if path is protected?