Difference between revisions of "Windows UAC and Elevation"

From HashVB
Jump to: navigation, search
m (And another..)
m (Updates MSDN links)
 
(3 intermediate revisions by one user not shown)
Line 6: Line 6:
 
This can be set per executable/process by using a Vista aware manifest:
 
This can be set per executable/process by using a Vista aware manifest:
  
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+
<pre>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assemblyIdentity
+
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    version="1.0.0.0"
+
  <assemblyIdentity
    processorArchitecture="X86"
+
    version="1.0.0.0"
    name="Company.Product"
+
    processorArchitecture="X86"
    type="win32"
+
    name="company.product"
/>
+
    type="win32"
<description>Product Name</description>
+
  />
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
+
  <description>Product name</description>
  <security>
+
 
    <requestedPrivileges>
+
  <!-- Vista aware, Admin privileges needed -->
      <requestedExecutionLevel
+
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        level="requireAdministrator"
+
    <security>
        uiAccess="false"/>
+
      <requestedPrivileges>
      </requestedPrivileges>
+
        <requestedExecutionLevel
      </security>
+
          level="requireAdministrator"
</trustInfo>
+
          uiAccess="false"
</assembly>
+
        />
 +
      </requestedPrivileges>
 +
    </security>
 +
  </trustInfo>
 +
</assembly>
 +
</pre>
  
 
This method works were the entire application needs elevation from the very beginning.
 
This method works were the entire application needs elevation from the very beginning.
Line 38: Line 43:
 
In addition to this, you need to create an "Elevation" key containing the DWORD value "Enabled" set to 1.
 
In addition to this, you need to create an "Elevation" key containing the DWORD value "Enabled" set to 1.
  
Once the registry has been set as necassary, you can use this code in VB to create an instance of the object when needed:
+
Once the registry has been set as necessary, you can use this code in VB to create an instance of the object when needed:
  
 
  Set VarName = GetObject("Elevation:Administrator!new:LibraryName.ClassName")
 
  Set VarName = GetObject("Elevation:Administrator!new:LibraryName.ClassName")
  
Please not that this does NOT work on anything before Vista so you need to check the [[Windows version]] prior to calling this method. If running on 2K or XP, you can safely use just CreateObject()
+
Please note that this does NOT work on anything before Vista so you need to check the [[Windows version]] prior to calling this method. If running on 2K or XP, you can safely use just CreateObject()
  
 
==See also==
 
==See also==
* http://www.microsoft.com/downloads/details.aspx?FamilyID=ba73b169-a648-49af-bc5e-a2eebb74c16b - Windows Vista Application Development Requirements for User Account Control Compatibility
+
* http://msdn.microsoft.com/en-us/library/bb530410.aspx - Windows Vista Application Development Requirements for User Account Control Compatibility
* http://msdn2.microsoft.com/en-us/library/ms679687.aspx - The COM Elevation Moniker in MSDN
+
* http://msdn.microsoft.com/en-us/library/ms679687.aspx - The COM Elevation Moniker in MSDN
 
* http://msdn.microsoft.com/msdnmag/issues/07/01/UAC/ - Teach Your Apps To Play Nicely With Windows Vista User Account Control
 
* http://msdn.microsoft.com/msdnmag/issues/07/01/UAC/ - Teach Your Apps To Play Nicely With Windows Vista User Account Control

Latest revision as of 12:22, 5 June 2014

float
 This article is based on Visual Basic 6. Find other Visual Basic 6 articles.
 This article is currently work in progress. Please come back later.

Windows Vista now has a feature to stop regular "admin" users running with full access all the time. This is called User Account Control (UAC) and requires the user to confirm whether to allow an application to "elevate" to full admin access or not.

This can be set per executable/process by using a Vista aware manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="1.0.0.0"
    processorArchitecture="X86"
    name="company.product"
    type="win32"
  />
  <description>Product name</description>

  <!-- Vista aware, Admin privileges needed -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="requireAdministrator"
          uiAccess="false"
        />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

This method works were the entire application needs elevation from the very beginning. If you do NOT want to be elevated for the life of the process but require access at the users request, you will need to shell out to another process with the above manifest or use the COM Elevation moniker.

COM elevation

To do this in VB, you need to have an out of process COM object (ActiveX EXE) with the manifest as above. You then need find the objects Class ID in the registry under the HKCR hive. In here, you need to add the "LocalizedString" string value to the registry containing a dll/exename and string resource ID to load the name from of the format:

@modulename,-resourceid

In addition to this, you need to create an "Elevation" key containing the DWORD value "Enabled" set to 1.

Once the registry has been set as necessary, you can use this code in VB to create an instance of the object when needed:

Set VarName = GetObject("Elevation:Administrator!new:LibraryName.ClassName")

Please note that this does NOT work on anything before Vista so you need to check the Windows version prior to calling this method. If running on 2K or XP, you can safely use just CreateObject()

See also