Selectively disabling UAC for specific programs on Windows Programatically
There are dozens of posts questions/answers on stack and other forums about disabling/bypassing/suppressing UAC. There are solutions as well. But progmatically perhaps not.
-
If you want to bypass the protections that you gain by running as a standard user, then the better solution is to change permissions on the folder and registry key so that all users are allowed to modify your application's folder.
GrantAllUsersFullControlToFileOrFolder("C:\Program Files\Grobtastic");with a pseudocode implementation of:
void GrantAllUsersFullControlToFileOrFolder(String path) { PACL oldDACL; PACL newDACL; PSECURITY_DESCRIPTOR sd; //Get the current DALC (Discretionary Access Control List) and Security Descriptor GetNamedSecurityInfo(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, ref oldDACL, nil, ref sd); //Create an SID for the "Users" group PSID usersSid = StringToSid("S-1-5-32-545"); // Initialize an EXPLICIT_ACCESS structure for the new Access Control Entry (ACE) EXPLICIT_ACCESS ea; ZeroMemory(@ea, SizeOf(EXPLICIT_ACCESS)); ea.grfAccessPermissions = GENERIC_ALL; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP; ea.Trustee.ptstrName = PChar(usersSID); // Create a new ACL that merges the new ACE into the existing ACL. // SetEntriesInAcl takes care of adding the ACE in the correct order in the list SetEntriesInAcl(1, @ea, oldDACL, ref newDACL); //use LocalFree to free returned newDACL //Attach the new ACL as the object's new DACL SetNamedSecurityInfo(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, newDACL, nil); LocalFree(HLOCAL(sd)); LocalFree(HLOCAL(newDACL)); FreeSid(usersSID); }This works even with UAC disabled (i.e. the user is a standard user and there is no convenient way for them to elevate). It also works on Windows XP, where there was no UAC convenience feature and you had to fast-user switch to run something as an administrator.
You then manifest your executable to run asInvoker, since you do not need administrative permissions.
Ask yourself:
What would I have done on Windows XP?
What would I have done on Windows 7 with UAC disabled?If they're a standard user, does your program fall over dead?
讨论(0) -
The proper methodology wouldn't be to ignore the User Access Control (UAC) but rather test within those parameters. That way you don't disrupt security, you instead work within it's confines.
By disabling security, you run the risk of exploits. According to Secuna which provide several security test have noticed that small companies, lazy developer applications, and blatantly disregard for security are applications that have been focused on.
Which means your application may become a victim at some point.
The approach I would take, is test within UAC. Ensure the proper permissions exists to carry out your task, that way it isn't constantly running with Elevated Permission. An example may be:
class Elevated_Rights { // Token Bool: private bool _level = false; #region Constructor: protected Elevated_Rights() { // Invoke Method On Creation: Elevate(); } #endregion public void Elevate() { // Get Identity: WindowsIdentity user = WindowsIdentity.GetCurrent(); // Set Principal WindowsPrincipal role = new WindowsPrincipal(user); #region Test Operating System for UAC: if (Environment.OSVersion.Platform != PlatformID.Win32NT || Environment.OSVersion.Version.Major < 6) { // False: _level = false; } #endregion else { #region Test Identity Not Null: if (user == null) { // False: _level = false; } #endregion else { #region Ensure Security Role: if (!(role.IsInRole(WindowsBuiltInRole.Administrator))) { // False: _level = false; } else { // True: _level = true; } #endregion } } }Something along those lines would allow you to test against the UAC, then perform a task. I'm not quite sure why you would like to disable the UAC, but that would be my approach.
Hopefully that helps.
讨论(0) -
Quick description: Make a new console/window application to run any application bypassing UAC choosing the path of your target application in this application as guided below, compile this program once, and run anytime
Step by step
- Download Microsoft.Win32.TaskScheduler.dll from This Codeplex link
- Make a c# application (Windows or Console) and add reference to the above dll
- Add New Item (Application Manifest File) to your project (this application)
- Change
<requestedExecutionLevel level="asInvoker" uiAccess="false" />to<requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> - Write following code in your program.cs file
using System; using Microsoft.Win32.TaskScheduler; class Program { static void Main(string[] args) { TaskService ts = new TaskService(); TaskDefinition td = ts.NewTask(); td.Principal.RunLevel = TaskRunLevel.Highest; //td.Triggers.AddNew(TaskTriggerType.Logon); td.Triggers.AddNew(TaskTriggerType.Once); // string program_path = @"c:\wamp\wampmanager.exe"; // you can have it dynamic //even of user choice giving an interface in win-form or wpf application td.Actions.Add(new ExecAction(program_path, null)); ts.RootFolder.RegisterTaskDefinition("anyNamefortask", td); } }6.Now compile and run your Application(this app)
Now your application (e.g WAMP) will run without prompting any UAC dialog on your desired schedule (every time your log on windows in my case)
Sources
Initiated from : Can you turn off UAC for a single app? and Selectively disabling UAC for specific programs on Windows 7
Basic Idea from : Make Vista launch UAC restricted programs at startup with Task Scheduler
Basic Implementation from Creating Scheduled Tasks
讨论(0)
加载中...
- 热议问题