Is there an API call to request a user to boost UAC?

Question

Is there an API call to request a user to boost UAC?

My application needs to write a file to \ ProgramData that can be protected. This only happens once after installation.

Is there an API function that will receive ACL information and request user authorization for accessing the file? In other words, the application will prompt Windows to ask the user for confirmation and authorization. This should happen interactively and allow the application to resume execution after authorizing access to the file. The application works as a standard user, does not require administrator rights.

The file is opened using CreateFile ().

Edit: There is a subtle difference between my request and others that are said to be duplicates. I ask permission to access one specific object, a file. Others ask to elevate the privileges of the whole process. In any case, I am grateful for all the answers that include the solution.

+5

winapi uac

Pierre Aug 05 '15 at 23:43

source share

3 answers

Processes can only be launched with an increased token; they cannot receive it after the fact. Thus, you can either restart the application using the command line argument, telling him what to do (a simple solution), or implement a COM server outside the processor, which you can create over it and pass instructions to it (more complicated).

The third solution is to use the built-in UAC support of the IFileOperation interface, but this does not allow you to read / write, only copy. That way, you can make a copy of the file you need to modify, change the copy, and then use IFileOperation to copy the temporary over the original.

+4

Jonathan potter Aug 05 '15 at 23:50

source share

Thanks to @Remy for the ShellExecuteEx suggestion, here are the bad details. Pay attention to the use of "cmd" and the double command, so the user only needs to answer once. In addition, [1] must wait for the process to complete, otherwise you could create a file before deleting it, and [2] did not wait for the process if it did not work.

 // delete file with Admin privilege // 'file_name' is path of file to be deleted SHELLEXECUTEINFO shex; char param[512]; char *cmd = "/C \"attrib -H \"%s\" && del /F /Q \"%s\"\""; // double command _snprintf(param, sizeof(param), cmd, file_name, file_name); ZeroMemory(&shex, sizeof(shex)); shex.cbSize = sizeof(shex); shex.lpVerb = "runas"; // runas, open shex.lpFile = "cmd"; // not 'del' shex.lpParameters = param; shex.nShow = SW_HIDE; shex.fMask = SEE_MASK_NOCLOSEPROCESS; BOOL retshx = ShellExecuteEx(&shex); // wait otherwise could return before completed if(retshx) { time_t st = clock(); DWORD exitCode; do { if(!GetExitCodeProcess(shex.hProcess, &exitCode)) break; if(clock() - st > CLOCKS_PER_SEC * 5) // max 5 seconds break; } while(exitCode != STATUS_WAIT_0); // STILL_ACTIVE CloseHandle(shex.hProcess); }

+4

Pierre Aug 7 '15 at 11:41

source share

Remy lebeau · Accepted Answer · 2015-08-05T23:57:12+0000

If you do not want to raise your entire application, you have several options:

create a separate elevated process to access the file. Use ShellExecute/Ex() with the verb runas or CreateProcessElevated() to start a second copy of your application or other supporting application with command line parameters to tell you what to do. The main process can wait for the second process to complete, if necessary.
create a COM object to access the file, and then use COM Elevation Moniker to run the COM object in an elevated state.
offer the user credentials using CredUIPromptForCredentials() or CredUIPromptForWindowsCredentials() (see User request for credentials for more information), then log in to the specified account using LogonUser() to get token, impersonate this token using ImpersonateLoggedOnUser() , access the file as needed, and then stop impersonating the use of RevertToSelf() and close the token with CloseHandle() .

Is there an API call to request a user to boost UAC?

More articles: