Geek Answers Handbook

Can we get a UAC invitation only once?

Is there a way for the application to present the user with a UAC prompt only once at first launch. After that, no further clues.

In other words, I understand that our application requires user-specific UAC permission to perform certain tasks. And that is wonderful. But we do not want him to keep asking every time he starts. Can a user give permission to our application at all times? Or does what I ask violate the basics of UAC? A.

We work with .NET and Windows 7

+5
source share
8 answers

The answer to your question: No, you cannot do this.

Microsoft specifically prohibits this behavior. If applications can add themselves to the exclusion list, we are back in the mess we had before.

What you need to do is make your program not requiring administrative access.

Ask yourself: What did you do in Windows XP?

  • Am I not allowed to run your software?
  • Does your software crash when I'm a standard user?
  • Does your software have no meaning and absolutely no functionality when launched by a standard user?

Windows XP lacks confidence in UAC. The only way for a user to run your program as an administrator is to log in with another user. And this is much worse than clicking the Continue button.

If you do not want to write software that is standard for the user, then you are part of the problem. UAC is not a problem; UAC is a belief. I can disable UAC, work as a standard user full time, and your software will not work yet .

Microsoft reviewed

  • white sheets
  • Remember my preferences
  • Do not ask me again.

If you have a white list, then each program will simply add itself to such a list during installation.

If such a whitelist exists, your application will become a target for malware. He would like to modify the binary to accomplish what he wants; as he knows that the program will be quietly raised.

Malicious programs would like to refer to your application using SendMessage, trying to pass invalid data or structures, trying to force your, administrative application to execute the code that it wants.

If the user had the opportunity to disable future tooltips for the programs, they just do it, and each program will work as an administrator, and we will return to how it was.

All these ideas do not solve the problem: almost no program requires administrative access .

It's time to get developers to come to terms with this fact.

Whitelists cannot work

Some people want to come up with ways to work with whitelists.

  • You have a checkbox where the user can say: "Don't ask me for this file anymore"
    If you save this file name, other programs with the same name will quietly work as administrators.

  • Well, then we write the full path or use the hash of the file as a whitelist. If there is a white list, then other programs will add themselves to this list when they are installed and will have programs with administrative access that the user did not want.

  • What to do if only signed applications are allowed and we know that they are safe. Applications are not safe because they are signed. The application does not have to be malware so that it can be abused by doing bad things. (for example, buffer overflow in flash, firefox, i.e. chrome, safari, opera, word, photoshop, Yahoo image upload tool).

You need to keep the list of valid code signatures in somehwere list. And no matter how you cut it, the presence of any whitelist means that applications will simply add themselves to this list.

  • Well, then do not allow them access to the list. Even administrators cannot add items to the list. If even administrators cannot add items to the list, how can a user add items to the list in the first place? You cannot add items to the white list if you are not allowed to add items to the white list!

And how do you manage the whitelist? Suppose a user changes his mind, or dad changes his mind, or IT changes his mind, or a corporation changes his mind, or a software publisher changes his mind: how do you remove items from a list — especially when no one is allowed to change the list.

Summary: Whitelists cannot work .

+13
source

Update: Oh, I initially read the question incorrectly and interpreted it as “only once, the first time I start”, and not “only once, every time it starts” (edited accordingly below).

You cannot grant application administrator rights for the whole time, which really contradicts the UAC design.

However, one way to solve this problem is to create a service with which your application interacts, which can run in the background and perform tasks with increased permissions, while the main application does not require elevated permissions.

The service will request only once when it is installed.

If this seems like too much work, you can take a look at the package with the SkipUAC utility, which uses this approach to allow users to run applications without asking for UAC every time they start.

My original answer:

If the executable file has a manifest with the requireAdministrator parameter set, it should call the UAC prompt only at each initial start, but not after that (i.e., all operations, including other applications launched by the initial process, will inherit elevated permissions, but if you exit from the application and run it again, the invitation will appear again).

You can configure the manifest for the EXE via the IDE in Visual Studio 2008/2010 or using the command line utility that comes with the latest service pack for VS 2005 (it can be integrated into the build step to automate the process, but this is a bit of a fiction in 2005) .

I would search the Internet for “UAC” and “manifest” for more information, it’s quite well documented in the MSDN online documentation (I will once find out what to look for).

This works the same on Windows 7 and Windows Vista.

+3
source

The only way is to install yourself as a service or device driver.

+3
source

If this is possible (I don’t think he thinks he says How to configure Visual Studio not to give a UAC prompt for every run? ), I am sure this should be done on the user side (for example, to disable the prompt first), and not on the application side.

0
source

Developers need a hit in the back of the head, right?

I created 2 backup programs.

Both require admin rights to run ... why? Thus, the user can back up files there, wherever they are, of course.

Can I run this as a service in the background? mabye? Probably not.

It is for this reason that all AV software, for example, has services in the background. Thus, a graphical interface is just a graphical interface that ... does not have functionality other than transferring the command / information back to the service, at that moment commands, etc. Start up.

Wether or will not use whitelists, it depends on the users ... I know users who actually just click "ALLOW" all the time ... they don’t even read. Since the UAC protects them, notices that they are stupid, etc. Do not help. They do this because the UAC asks them every time they do something.

Backup programs, application launch, compilers, generators. All these things, for example, need administrator rights.

Quite frankly, a service is not always the answer, since it takes a lot of time to implement, and you cannot be sure that it will be deleted / restarted (auto-update) when necessary.

0
source

DxO Optics Pro 11 Elite Whole Crack Free Download 100%

DxO Optics Pro 11 Crack is truly an image-enhancing application that is a demosuction to improve the quality of raw data. Discover the fantastic performance of DxO Optics Pro Crack. Whether in automatic or manual mode, quite a few smart tools can help you improve your visual effects. This is an ultra-accurate assessment of almost every combination of camera and lens. The entire DxO Optics Pro model mechanically corrects optical defects in your images with an incomparable level of quality.

0
source

The user should be able to right-click on the executable file and go to properties → compatibility → “run this program as administrator”

-2
source

More articles:


All Articles