tags:

views:

330

answers:

3
+1  Q: 

Application will not behave under UAC even though it requires no privileges

We have been having serious trouble getting an application we devlop running with UAC enabled for long.

Once installed (the installer fails almost immediately with UAC) it appears that UAC can be turned on and have the application work. However, after a while, it will stop working with strange errors about cannot find a file that it just created.

Just to get this straight: 

XP as admin:          Fine  
XP as limited user:   Fine
Vista no UAC admin:   Fine
Vista no UAC limited: Fine
Vista UAC admin:      FAIL
Vista UAC limited:    FAIL

The software contains no privilege checks anywhere. If I understand the documentation correctly, anything working as a limited user should work with UAC; however this is proving not to be the case.

EDIT: I must apologize for asking a problem much harder than it originally appeared. We have in fact found at least one bug in folder virtualization and think there are more out there. At this point, the only reasonable hope to get it running is to find an API call that can be executed as a limited user that disables folder virtualization for the calling process and any process it spawns (recursively). The reason we cannot just add a manifest is that the software calls into third-party software that actaully can vary per machine.

+1  A: 

Where is the application trying to write the file? If it is trying to write to it's install location under Program Files you may get strange errors since writing here is not allowed under Vista and any files created here are actually created in a virtual folder elsewhere - though to the application they (usually) appear to be where it expects them.

You may want to try running the application in XP compatibility mode.

 2008-11-04 04:01:12
You know, that's what I thought it was for the longest time, but it's not that by itself. The application does write to its own directory, but changes permissions on its directory so that it can.
Joshua  2008-11-04 19:01:55
+4  A: 

Look up virtualization of the filesystem and registry on Windows Vista. If your app uses certain parts of the filesystem and/or registry you will find that your app "works" - that is, the APIs succeed with no errors - but that data isn't stored where you expect. In particular, many areas that would have been shared between multiple users on one machine are now out-of-bounds, and the data actually goes into some storage that is specific to the current user. You'll only find out some time later that users aren't actually sharing the same data.

There is a way to stop this Virtualization from happening. Provide a manifest file for your application to say that it knows about UAC, as described here... http://msdn.microsoft.com/en-us/library/bb756929.aspx.

It doesn't matter specifically what level of privilege you ask for in the manifest file. The mere presence of it says that your app understands UAC and the OS won't try to be clever and virtualize access to "privileged" areas of the filesystem or registry. API calls will simply fail if you don't have the necessary privilege to access those things, and that will be a lot easier for you to debug.

Martin  2008-11-04 08:44:46
+1  A: 

After all this time I found a solution that works.

  1. Install somewhere else besides Program Files. This neatly sidesteps the filesystem virtualization that seems to be causing all the problems.

  2. Disable virtualization on the application's HLKM registry key. this fixes the one remaining glitch involving system updates.

Reference material: http://msdn.microsoft.com/en-us/library/aa965884%28VS.85%29.aspx

Joshua  2009-09-11 21:26:40

related questions

How to get the actual path of a file in Vista with UAC ?
MAPI, UAC & .NET
Why does my application allow me to save files to the Windows and System32 folders in Vista?
VS2008, IIS7 web project, non-admin. When?
UAC/VS/W2K8: Why does VS not launch with admin privleges when I am in the Administrators group?
What is the best way to specify whether InstallPrivileges is limited or elevated at the command line in WIX?
Mark MSI so it has to be run as elevated Administrator account
TortoiseSvn and Windows Server 2008 user account control.
Where can I write data to on Windows Vista using any account and be viewable from all other accounts?
Running as admin some times.
Preserve mapped drive letter information during UAC elevation
Vbscript detect whether UAC-elevated
UAC need for console application
Using SSPI (NTLM) Api's With Windows AccessCheck() On Vista With UAC
How to run NOT elevated in Vista (.NET)
Request UAC elevation from within a Python script?
When developing, do you turn off UAC in Vista?
How to UAC elevate a COM component with .NET
Can't attach to w3wp under Vista with UAC turned on
How can I detect if my process is running UAC-elevated or not?
How to detect whether Vista UAC is enabled?
Vista UAC, Access Elevation and .Net
How can I make a shortcut start in a different directory when running it as an administrator on Windows Vista?
Request Windows Vista UAC elevation if path is protected?