ansaurus

Question

Windows 7 - Displaying "Access denied" message when user tries to save file to a protected folder rather than save in virtual store

Answer 1

A:

For example, if you use a TSaveDialog component to allow your user to navigate to their chosen save location, you could check the filename returned for whether it contains the string 'Program Files' and popup your desired message.

var ValidPath: boolean;
begin
  ValidPath := False;
  repeat
    SaveDialog1.Execute;
    if (Pos('Program Files', SaveDialog.Filename) = 0) then
      ValidPath := True
    else
      ShowMessage('Access Denied. Please choose alternative location.');
  until ValidPath;

  YourObjectName.SaveTo(SaveDialog.Filename);
end;

Sam 2010-09-09 02:29:47

to me, code like this is why a lot of the UAC issues caught out programmers.'Program Files' might not always be called 'Program Files'

Christopher Chase 2010-09-09 04:18:55

People upgrade Windows because they have to, not because they're convinced MS is producing better products. MS has their developer community by the balls, continually relearning the reinvented wheel, every 6 months or so. In this world, MS is forever trying to tell us how we have to do things their way, in order that they can skim a little off the top of each keystroke and mouse click. Windows is just another app that either facilitates or hinders your productivity. M$ will submit to the market, in due season :-)

Sam 2010-09-09 06:22:42

+ This solution could work, but you'll have to use the environment variables to determine the system paths.

Chris 2010-09-09 06:33:09

What? Is it bad to read manual for BMW's mechanics before messing with engine? Sam, you have some serios problems with MS hate.

Alexander 2010-09-10 00:19:10

with this poor function, it will show a Access Denied message if the path is: 'c:\users\yourname\screenshots\program files\yourapp\mainform.png', WTF!

jachguate 2010-09-10 00:25:28

Yes, it's not perfect, it should be Pos('PROGRAM FILES', UpperCase(SaveDialog1.Filename)... big deal... still works. It's not like MS writes perfect code first time, and that's totally besides the user's question. The other answer you people seem to be so fond of doesn't even bother to provide any code, which illustrates that the code itself is not the answer. The point is to not save until you're happy with the save location chosen by the user. WTF!

Sam 2010-09-10 00:56:32

@Alexander, I don't want to buy eggs today, so I don't put eggs into my shopping basket. Do I also have to check my basket for eggs intermitently just incase they were put there while I wasn't looking? Program Files = Program Files, otherwise it's not Program Files we're talking about. Bloody MS logic is gonna be the end of logic altogether!

Sam 2010-09-10 01:41:57

@jachguate, the code above is intended to illustrate that you don't have to save until you're happy with the save location chosen by the user. It works for that purpose. Windows is supposed to do what its users want it to do. It doesn't work. I blame God for my imperfections and I don't feel guilty at all. Perhaps it's a philosophical difference. :-)

Sam 2010-09-10 01:55:23

@Sam, Microsoft has been telling Win32 programmers not to write to \Program Files since 1999. For Win2000, they said it will still work but not for much longer. For WinXP, they introduced the "Power User" security group to make it easier for poorly written applications to work in WinXP without giving the user full access rights. With Vista/Win7, they implemented file virtualization to make it easier for poorly written applications to work.

Jon Robertson 2010-09-13 06:16:49

@Sam, If everyone started following the published guidelines in 1999, UAC would have been a non-issue. Everyone likes to complain about how poor the security is in Windows. Yet Microsoft has to maintain certain security holes in the name of application compatibility because some programmers don't follow the published guidelines. If you want to write programs for Windows, follow the guidelines and best practices. Or don't complain when your app is broken in the new version of Windows because your code didn't follow said guidelines.

Jon Robertson 2010-09-13 06:20:33

@Jon, I've heard you can add a manifest file to your app and force it to run with elevated privileges! Seems like a lot of people could care less about those MS guidelines. Who's MS to be issuing guidelines. We have IEEE among others. I heard a judge issued guidelines to MS and they didn't exactly like it either. If I wanted to make money, I wouldn't be issuing guidlines to my customers. I'd give them a product that did its best to please them and had a magic emergency button to correct the inevitable stuff-ups customers are entitled to make. "Access denied" on my own PC is audaciously rude.

Sam 2010-09-13 06:58:41

That's exactly the point. The OS is a facilitator for applications, not an app worth enjoying in itself. It's job is to serve the apps. From that perspective, why expose Program Files to the user if you don't want them to write to it? Next they'll tell us we can't install our own applications unless they have digitally signed certificates or something! Somebody's forgetting who's the customer in all this. I'm not complaining, I can always learn how to circumvent the next MS invention on stack-overflow.

Sam 2010-09-13 07:10:46

@Sam, if you don't know, Microsoft is the creator of the operating system and the API calls that allow programmers to write software that runs on Windows. I'd say they not only have every right to issue guidelines to software developers, they have a responsibility to do so if non-Microsoft developers want to write software that works well on the OS. Note I was not referring to guidelines on how you, the computer owner, should use Windows. Also, some programs require elevated rights and are simply useless without those rights. That's the purpose of forcing an app to only run elevated.

Jon Robertson 2010-09-13 07:12:01

@Sam, I suppose you'd prefer the users have the ability to modify kernel32.dll and user32.dll as well. What exactly is the point of circumventing Microsoft? I hope you haven't written anything installed on my machines.

Jon Robertson 2010-09-13 07:19:33

Do you remember the term "IBM-compatible"? That means an "open-system". It's fair enough for them to protect the integrity of their operating system (eg. by trying to prevent write access to certain locations), but why couldn't they do that without interfering with other applications' RIGHT to run unhindered. Applications should not require the OS's approval. That's anti-competitive practices. I can't build "the next great app" if I keep having to relearn simple things like saving a file to Program Files. They're trying to keep us stuck in a hampster wheel. The judges saw throught it. :-)

Sam 2010-09-13 23:20:38

Answer 2

+10 A:

If you make your application "UAC aware", Windows will disable registry and file virtualization for your application. The OS will then return errors if your application tries to write to a protected area and the process does not have elevated admin rights.

You can do this by adding a manifest that requests a requestedExecutionLevel. There are numerous articles online that describe this process. Here are a couple of good ones:

Making Your Application UAC Aware http://www.codeproject.com/KB/vista-security/MakingAppsUACAware.aspx

UAC Virtualization – Allowing standard users to update a system protected area http://blogs.technet.com/b/mrsnrub/archive/2010/08/11/uac-virtualization-allowing-standard-users-to-update-a-system-protected-area.aspx

Jon Robertson 2010-09-09 03:39:18

+1 for the code project link - I will keep this in mind for future development

Gerry 2010-09-09 07:16:23

Thanks very much for that - I was looking for a non coding solution for this given our app. runs on XP, Vista and Windows7 and XP does not have the virtualization features or restrictions that the others do.

PJP 2010-09-10 11:43:48

ansaurus

tags:

views:

answers:

Windows 7 - Displaying "Access denied" message when user tries to save file to a protected folder rather than save in virtual store

related questions