Hello,

I need one of my .exe files to always run as administrator without a UAC prompt. My program will be installed by a setup, which will have admin rights one time, and I need the setup to perform some step so that my exe will always be executed as admin without a UAC prompt.

I've found 2 solutions so far:

1. Use custom service, which will elevate the program for me.

2. Use Task Scheduler.

Is there any other solution? Some manifest probably?

Thanks.

+18  A: 

If it were possible to do this, then UAC would be completely ineffective. The inability of applications to elevate themselves without user consent is the fundamental principle behind UAC.

Aside from already having an elevated process that launches it (i.e. service or task scheduler), the answer is no, it can't be done.

Aaronaught
Sounds like someone wants to write a virus.
Karl
+1 Just as @Aaronaught wrote, a design goal of UAC is to **not** provide a way for applications to circumvent the prompts.
andras
@Karl: I don't presume to know his motivation - lots of legitimate software products try to do similarly obnoxious things that Windows explicitly prohibits, like steal focus or install shortcuts in the Quick Launch. Of course, such programs usually crash and burn when there's anything "non-standard" about the installation like directory structure or language.
Aaronaught
No, I don't want to write a virus :-D I need an elevated application since I'm writing an automation application which will send clicks to apps, and I need admin rights if I want to click in elevated processes. But I don't want to bother the user with prompts. I've solved it using the service, which gets installed with the setup; however, I would like some more elegant solution not requiring a service, because a service adds additional complexity to the program.
Paja
@Aaronaught: Well I don't want the app to elevate itself or break any UAC rules, I just need the setup to perform such steps, that the app will get always elevated. The setup will be elevated, so it CAN perform such steps, as installing the service or using task scheduler. I'm just looking for other solutions...
Paja
The only other solution is to turn off UAC but DO NOT go that way.
ZippyV
I would never want to turn off the UAC. If there is no other way, then the service or task scheduler will be good.
Paja
@Paja: That's fair, as I said, I'm not questioning your motives. Nevertheless, UAC has just one main "rule", which is that a request for elevation always brings up a protected UAC prompt. If applications could selectively turn this off for themselves during their installations, then (a) every application would do it, thus rendering UAC ineffectual, and (b) it would constitute a serious security hole, as hostile programs could take advantage of programs on the safe list. That is why it's simply not allowed; the only workaround is to already be elevated when you launch the program.
Aaronaught
@Aaronaught: But every application installed by elevated setup CAN turn UAC off for that application, by using custom service, which will automatically elevate the program.
Paja
@Paja: As you must have realized if you already went with that approach, it's not nearly as simple as that. Designing a service to do this that is both secure and reliable is not simple, and even when done correctly, the entire system will break if the user disables the service (which can be done at any time). I personally would be loath to install any application that did this, but in a corporate environment it might be OK.
Aaronaught
So you would be loath to install pretty much any modern AV product? As they almost certainly have an update service which can gain elevated privileges to run certain things, which has been shown in a number of cases to contain bugs which actually weaken the machine (oh the irony :P)
tyranid
@tyranid: I dislike A/V products intensely, and not for only that reason, but I think we're getting a little off-topic here. When you install an A/V product, you expect it to run as a service with local system privileges; however, you don't expect an application to sneak a service onto your system in order to bypass the UAC prompt when running with elevated privileges. That's distinctly malware-like behaviour, which again, might make sense in a locked-down corporate environment but would almost certainly be unacceptable for a retail application.
Aaronaught
+4  A: 

Of course what you are supposed to do if you want to just drive UI is to use the UI access flag in your manifest (see http://msdn.microsoft.com/en-us/library/ms742884.aspx). If you install your application in a trusted location (e.g. system32) and it is signed (bleh!) then when you run your application it will be elevated to high (for an admin account).

The signing requirement makes it slightly annoying but at least it reduces slightly the attack surface as your code gets run with high integrity but not with an administrator token.

tyranid
Thank you very much. This looks very interesting. I would sign my app anyway in the future. And if I would get higher integrity level without admin token, that's exactly what I need.
Paja
BTW I've found very cheap COMODO certificates here: https://secure.ksoftware.net/code_signing.html
Paja
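The manifest setting tyranid's answer refers to, as an added example that is not part of the original posts: the process keeps the launching user's token (`asInvoker`) and only requests UI access, which Windows grants when the binary is signed and installed in a trusted location, as the answer describes. The `assemblyIdentity` name and version are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Placeholder identity; replace with the application's own name and version. -->
  <assemblyIdentity version="1.0.0.0" name="Example.AutomationTool" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          level="asInvoker": no elevation request, so no UAC consent prompt
          and no administrator token for the process.
          uiAccess="true": allows the process to drive the UI of
          higher-integrity windows. Windows honours it only for a signed
          binary installed in a trusted location; otherwise the launch fails
          rather than silently falling back.
        -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

As shown, `uiAccess="false"` is the default an unsigned development build can run with; change it to `uiAccess="true"` in the signed release build that the setup installs to the trusted location.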