views:

217

answers:

2

Hi,

We want to restrict files being saved to the virtual store in Vista/Windows 7 if the user tries to save files from our application to a protected folder such as "Program files" - we want an "Access Denied" message displayed if the user tries to do this. Is there a way to do this from our Delphi 2009 app similarly to what MS Word etc. do?.

Thanks very much,

Paul

A: 

For example, if you use a TSaveDialog component to allow your user to navigate to their chosen save location, you could check the filename returned for whether it contains the string 'Program Files' and popup your desired message.

var ValidPath: boolean;
begin
  ValidPath := False;
  repeat
    SaveDialog1.Execute;
    if (Pos('Program Files', SaveDialog.Filename) = 0) then
      ValidPath := True
    else
      ShowMessage('Access Denied. Please choose alternative location.');
  until ValidPath;

  YourObjectName.SaveTo(SaveDialog.Filename);
end;
Sam
to me, code like this is why a lot of the UAC issues caught out programmers.'Program Files' might not always be called 'Program Files'
Christopher Chase
People upgrade Windows because they have to, not because they're convinced MS is producing better products. MS has their developer community by the balls, continually relearning the reinvented wheel, every 6 months or so. In this world, MS is forever trying to tell us how we have to do things their way, in order that they can skim a little off the top of each keystroke and mouse click. Windows is just another app that either facilitates or hinders your productivity. M$ will submit to the market, in due season :-)
Sam
+ This solution could work, but you'll have to use the environment variables to determine the system paths.
Chris
What? Is it bad to read manual for BMW's mechanics before messing with engine? Sam, you have some serios problems with MS hate.
Alexander
with this poor function, it will show a Access Denied message if the path is: 'c:\users\yourname\screenshots\program files\yourapp\mainform.png', WTF!
jachguate
Yes, it's not perfect, it should be Pos('PROGRAM FILES', UpperCase(SaveDialog1.Filename)... big deal... still works. It's not like MS writes perfect code first time, and that's totally besides the user's question. The other answer you people seem to be so fond of doesn't even bother to provide any code, which illustrates that the code itself is not the answer. The point is to not save until you're happy with the save location chosen by the user. WTF!
Sam
@Alexander, I don't want to buy eggs today, so I don't put eggs into my shopping basket. Do I also have to check my basket for eggs intermitently just incase they were put there while I wasn't looking? Program Files = Program Files, otherwise it's not Program Files we're talking about. Bloody MS logic is gonna be the end of logic altogether!
Sam
@jachguate, the code above is intended to illustrate that you don't have to save until you're happy with the save location chosen by the user. It works for that purpose. Windows is supposed to do what its users want it to do. It doesn't work. I blame God for my imperfections and I don't feel guilty at all. Perhaps it's a philosophical difference. :-)
Sam
@Sam, Microsoft has been telling Win32 programmers not to write to \Program Files since 1999. For Win2000, they said it will still work but not for much longer. For WinXP, they introduced the "Power User" security group to make it easier for poorly written applications to work in WinXP without giving the user full access rights. With Vista/Win7, they implemented file virtualization to make it easier for poorly written applications to work.
Jon Robertson
@Sam, If everyone started following the published guidelines in 1999, UAC would have been a non-issue. Everyone likes to complain about how poor the security is in Windows. Yet Microsoft has to maintain certain security holes in the name of application compatibility because some programmers don't follow the published guidelines. If you want to write programs for Windows, follow the guidelines and best practices. Or don't complain when your app is broken in the new version of Windows because your code didn't follow said guidelines.
Jon Robertson
@Jon, I've heard you can add a manifest file to your app and force it to run with elevated privileges! Seems like a lot of people could care less about those MS guidelines. Who's MS to be issuing guidelines. We have IEEE among others. I heard a judge issued guidelines to MS and they didn't exactly like it either. If I wanted to make money, I wouldn't be issuing guidlines to my customers. I'd give them a product that did its best to please them and had a magic emergency button to correct the inevitable stuff-ups customers are entitled to make. "Access denied" on my own PC is audaciously rude.
Sam
That's exactly the point. The OS is a facilitator for applications, not an app worth enjoying in itself. It's job is to serve the apps. From that perspective, why expose Program Files to the user if you don't want them to write to it? Next they'll tell us we can't install our own applications unless they have digitally signed certificates or something! Somebody's forgetting who's the customer in all this. I'm not complaining, I can always learn how to circumvent the next MS invention on stack-overflow.
Sam
@Sam, if you don't know, Microsoft is the creator of the operating system and the API calls that allow programmers to write software that runs on Windows. I'd say they not only have every right to issue guidelines to software developers, they have a responsibility to do so if non-Microsoft developers want to write software that works well on the OS. Note I was not referring to guidelines on how you, the computer owner, should use Windows. Also, some programs require elevated rights and are simply useless without those rights. That's the purpose of forcing an app to only run elevated.
Jon Robertson
@Sam, I suppose you'd prefer the users have the ability to modify kernel32.dll and user32.dll as well. What exactly is the point of circumventing Microsoft? I hope you haven't written anything installed on my machines.
Jon Robertson
Do you remember the term "IBM-compatible"? That means an "open-system". It's fair enough for them to protect the integrity of their operating system (eg. by trying to prevent write access to certain locations), but why couldn't they do that without interfering with other applications' RIGHT to run unhindered. Applications should not require the OS's approval. That's anti-competitive practices. I can't build "the next great app" if I keep having to relearn simple things like saving a file to Program Files. They're trying to keep us stuck in a hampster wheel. The judges saw throught it. :-)
Sam
+10  A: 

If you make your application "UAC aware", Windows will disable registry and file virtualization for your application. The OS will then return errors if your application tries to write to a protected area and the process does not have elevated admin rights.

You can do this by adding a manifest that requests a requestedExecutionLevel. There are numerous articles online that describe this process. Here are a couple of good ones:

Making Your Application UAC Aware http://www.codeproject.com/KB/vista-security/MakingAppsUACAware.aspx

UAC Virtualization – Allowing standard users to update a system protected area http://blogs.technet.com/b/mrsnrub/archive/2010/08/11/uac-virtualization-allowing-standard-users-to-update-a-system-protected-area.aspx

Jon Robertson
+1 for the code project link - I will keep this in mind for future development
Gerry
Thanks very much for that - I was looking for a non coding solution for this given our app. runs on XP, Vista and Windows7 and XP does not have the virtualization features or restrictions that the others do.
PJP