How To: Use Vista's UAC Feature To Avoid Always Requiring Admin Rights

Windows Vista's UAC feature is designed to minimize security risks by running most applications under a standard user token, lessening the risk that an attacker could gain admin rights to the machine. This is a great step forward for users, but it may leave developers wondering what to do when their apps really do need admin rights to complete a task.

Ian Griffiths to the rescue, with another screencast showing how to structure an app to enable certain admin tasks to run in an elevated context.

Be sure to also check out the UAC team's blog.

Follow the Discussion

  • Details on CoCreateInstanceAsAdmin and how to use the elevate moniker are here.  It boils down to this:

    Elevation:Administrator!new:{guid}
  • Here's the snippet from the RGS files to register the COM component correctly for elevation:

    HKCR
    {
        NoRemove CLSID
        {
            ForceRemove {8E29BED3-2E02-49DC-A9B7-3A5984BCD95F} = s 'CanElevateWork Class'
            {
                ProgID = s 'CanElevate.CanElevateWork.1'
                VersionIndependentProgID = s 'CanElevate.CanElevateWork'
                ForceRemove 'Programmable'
                InprocServer32 = s '%MODULE%'
                {
                    val ThreadingModel = s 'Apartment'
                }
                val AppID = s '%APPID%'
                'TypeLib' = s '{25CA48AF-1D18-4A9F-9749-7354C41CDCEC}'
                Elevation
                {
                    val Enabled = d 1
                }
                val LocalizedString = s '@%MODULE%,-101'
            }
        }
    }

    HKCR
    {
        NoRemove AppID
        {
            '%APPID%' = s 'CanElevate'
            {
                val DllSurrogate = s ''
            }
            'CanElevate.DLL'
            {
                val AppID = s '%APPID%'
            }
        }
    }
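
Added example, not part of the original post or its comments: a read-only PowerShell inventory of the COM classes on a machine that carry the Elevation\Enabled = 1 marker written by the registration snippet above, together with the Authenticode status of each server binary. It assumes machine-wide registration under HKLM\SOFTWARE\Classes; the output column names are this example's own.

```powershell
# Added audit example; not code from the original page.
# Run on the machine being reviewed; it only reads the registry and file signatures.
$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'   # assumption: machine-wide registration
$appIdRoot = 'HKLM:\SOFTWARE\Classes\AppID'

$report = foreach ($key in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
    try {
        # Same marker the RGS snippet writes: Elevation { val Enabled = d 1 }
        $elev = $key.OpenSubKey('Elevation')
        if ($null -eq $elev -or $elev.GetValue('Enabled') -ne 1) { continue }

        # Server binary: default value of InprocServer32 or LocalServer32
        $server = $null
        foreach ($name in 'InprocServer32', 'LocalServer32') {
            $sub = $key.OpenSubKey($name)
            if ($sub) { $server = [string]$sub.GetValue(''); break }
        }
        # Best-effort path extraction: strip quotes and trailing arguments
        $path = $server
        if ($server -match '^"([^"]+)"') { $path = $Matches[1] }
        elseif ($server) { $path = $server -replace '(?i)(\.(exe|dll))\s.*$', '$1' }

        $sig = 'FileNotFound'
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }

        # DllSurrogate on the AppID is what lets an in-process DLL be hosted
        # out of process, as in the second HKCR block of the snippet.
        $appId = $key.GetValue('AppID')
        $hasSurrogate = $false
        if ($appId) {
            $appKey = Get-Item -LiteralPath (Join-Path $appIdRoot $appId) -ErrorAction SilentlyContinue
            if ($appKey) { $hasSurrogate = $appKey.GetValueNames() -contains 'DllSurrogate' }
        }

        [pscustomobject]@{
            CLSID           = $key.PSChildName
            Name            = $key.GetValue('')
            LocalizedString = $key.GetValue('LocalizedString')
            Server          = $path
            Signature       = $sig
            DllSurrogate    = $hasSurrogate
        }
    } catch {
        Write-Warning "Could not read $($key.Name): $($_.Exception.Message)"
    }
}
$report | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Rows whose Signature is anything other than Valid are the ones to review first, since that binary is what runs elevated once the prompt is accepted.
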
  • Hi jmazner,

    Can we have your sample code for reference?

    Thanks,
    Larry
  • Not directly related to the content, but I'm wondering how you made that recording? The video has footage of the UAC desktop -- isn't that meant to be secure and inaccessible to normal applications like screen grabbers -- did you point a camera at your monitor, or is there some other way for apps to "see" that they're at the UAC desktop?

    I know you can try things like OpenInputDesktop(0,FALSE,0) and watch for failure to know if the secure desktop is up, but that's the opposite, that's _failing_ to get the desktop, not capturing images of it.
  • Hi Guys,

    I'm having a really tough time trying to implement the elevated COM method under VB.NET. I'm not an API guru, but need to be able to migrate some of my VB.NET utils for my company to use UAC.

    I've managed to create my own custom control which implements the Shield icon via a SendMessage API call, but the actual UAC part, I'm really stuck on.

    I've segmented out my Admin functions into COM classes, but am having a lot of difficulty figuring out how to use CoCreateAdminAsInstance through VB.NET.

    There doesn't seem to be any sample code available for VB.NET so any help in explaining this to me, or assisting in any way would be greatly appreciated!

    Thanks in advance, Dan.
  • eakeak

    The computer may restart when you add a manifest that has the Windows Vista extension to an .exe file or to a .dll file in Windows XP Service Pack 2 (SP2)

    http://support.microsoft.com/Default.aspx?kbid=921337


    Resolution 
    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=463884&SiteID=1
  • Check out this managed wrapper:

    http://robgarrett.com/cs/blogs/software/archive/2007/02/12/net-wrapper-for-com-elevation.aspx

    Encapsulates all the hard stuff for non-C++ and non-COM developers.
  • Hi jmazner,

    Could I have your sample code for reference?

    Thank you,

    Vincent Kao
  • Hello,

    That is an excellent video.  Your help is very much appreciated.  I noticed you have a video showing how to include the manifest with managed applications...

    When I launch a "requireAdministrator" .NET app, it gives the ugly "Allow/Cancel" prompt instead of the nice "Continue/Cancel" prompt -- the consent prompt.  But when I sign the file with an authenticode signature, it uses the consent prompt.  However, I don't know how to specify the application name like you do in this COM elevation demo.  Basically what I'm asking is how do you set the application / assembly name in a Managed app.  I've tried the <assemblyIdentity> element in the uac.manifest, but it seems to have no effect.  Any help?  Thanks.
  • Hi jmazner,

    Can I have your sample code for reference?
     
    Jesper Lin
  • IanG
    "I'm wondering how you made that recording? The video has footage of the UAC desktop -- isn't that meant to be secure and inaccessible to normal applications like screen grabbers -- did you point a camera at your monitor,"

    A bit late to be replying, but better late than never I suppose...

    The video capture was done by a 2nd PC with a video capture card whose input was wired into the VGA output of my laptop.

    So it was slightly higher tech than pointing a camera at the laptop, but it sort of has the same effect: it lets you grab exactly what's on screen, without falling foul of internal security barriers in the machine.


    Ian Griffiths
