.NET UAC privilege elevation summary


[Digression]

Starting with Vista, because of the addition of UAC (User Account Control), an administrator user does not normally run with full administrator permissions, so a program has to elevate its privileges before it can call many important functions. Programs sometimes need to request elevated privileges, and this falls roughly into two cases: elevating before the program runs and elevating after it is running. Both are described below.


[The index]

  1. Elevating permissions before the program runs
  2. Elevating permissions after the program is running
  3. Checking the program's current permissions

[One, elevating permissions before the program runs]

If the application needs administrator rights from the start (even the content shown on the main interface needs administrator permissions), you can have the program elevate to administrator privileges as soon as it is run, as most setup programs do. Elevating at launch is usually configured in the manifest file: add an "application manifest file" to the project, which generates a file as shown below. Alternatively, open the project properties, go to the "Security" tab and select "Enable ClickOnce security settings", which also creates an app.manifest file in the project's "Properties" directory.

The comments in that file state clearly which part to modify if the program needs higher privileges, but, curiously, they do not say which value it should be changed to.

A search turned up the differences, which are as follows:

Possible requested execution level values

| Value | Description | Comment |
|---|---|---|
| asInvoker | The application runs with the same access token as the parent process. | Recommended for standard user applications. Do refactoring with internal elevation points, as per the guidance provided earlier in this document. |
| highestAvailable | The application runs with the highest privileges the current user can obtain. | Recommended for mixed-mode applications. Plan to refactor the application in a future release. |
| requireAdministrator | The application runs only for administrators and requires that the application be launched with the full access token of an administrator. | Recommended for administrator only applications. Internal elevation points are not needed. The application is already running elevated. |

The difference is that highestAvailable runs with the highest permissions the current account can obtain, whereas requireAdministrator runs only with an administrator's full permissions. If the current account is an administrator account, both can obtain administrator permissions through elevation; if the current account is Guest, highestAvailable gives up on elevation and runs directly, while requireAdministrator lets the user enter the password of another administrator account to elevate.

App1 uses highestAvailable and App2 uses requireAdministrator. As can be seen, under an Administrator user both need to elevate in order to run, and when UAC is turned off neither needs to elevate. Under Guest, for example, highestAvailable gives up on elevating privileges, but with requireAdministrator a dialog box similar to this one prompts for the password of another administrator account:

So, if a program must have administrator privileges to run or to do anything meaningful (for example, the information on the main interface needs administrator privileges to display), so that elevation to administrator is needed even when logged in as Guest, set it to requireAdministrator; otherwise it can be set to highestAvailable.


[Two, elevating permissions after the program is running]

If most of the program's functions run without special permissions and only individual functions need administrator privileges, the program can start normally and, when the user invokes a function that requires elevation, rerun itself elevated. Permissions belong to the process, so to elevate the whole process the only option is to create a new process with administrator privileges and end the current one; alternatively, run another program with administrator privileges, or run the same program with different parameters to perform different functions. Running a program with administrator permissions is actually very simple: just set the Verb property of the ProcessStartInfo object to "runas". For example, the following code restarts the program with administrator permissions.

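    // Requires: using System.Diagnostics; using System.Windows.Forms;
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = Application.ExecutablePath;
    psi.Verb = "runas";   // ask the shell to start the process elevated (shows the UAC prompt)

    try
    {
        Process.Start(psi);
        Application.Exit();   // end the unelevated instance once the elevated one has started
    }
    catch (Exception eee)
    {
        // Also reached when the user cancels the UAC prompt
        MessageBox.Show(eee.Message);
    }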

Of course, running other programs works the same way.
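The "same program, different parameters" approach described above, as an added example that is not code from the original post: the unelevated instance keeps running and starts an elevated copy that performs only the one administrative task. The switch name `--admin-task` and the `DoAdminTask` placeholder are hypothetical, and the example assumes the program is a normal .exe whose path is returned by `MainModule.FileName`.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

static class ElevatedTaskExample
{
    const string AdminTaskArg = "--admin-task"; // hypothetical switch for this example
    const int ERROR_CANCELLED = 1223;           // Win32 code: user dismissed the UAC prompt

    static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Starts an elevated copy for the task; false if the user declines or the task fails.
    static bool RunAdminTaskElevated()
    {
        var psi = new ProcessStartInfo
        {
            FileName = Process.GetCurrentProcess().MainModule.FileName,
            Arguments = AdminTaskArg,   // fixed string, never built from user input
            Verb = "runas",
            UseShellExecute = true      // Verb is ignored unless ShellExecute is used
        };
        try
        {
            using (Process child = Process.Start(psi))
            {
                if (child == null) return false;
                child.WaitForExit();
                return child.ExitCode == 0;
            }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ERROR_CANCELLED)
        {
            return false;               // stay unelevated and keep running
        }
    }

    static int Main(string[] args)
    {
        if (args.Length == 1 && args[0] == AdminTaskArg)
            return IsElevated() ? DoAdminTask() : 1;   // never do the work without the token
        Console.WriteLine(RunAdminTaskElevated() ? "task completed" : "declined or failed");
        return 0;
    }
    static int DoAdminTask() { Console.WriteLine("administrative operation"); return 0; }
}
```

Setting `UseShellExecute` explicitly matters on .NET Core and later, where it defaults to false; on .NET Framework it defaults to true.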

In addition, a UAC shield icon should be drawn on the button or menu item; the system provides a method for this.

    // Requires: using System; using System.Runtime.InteropServices;
    // wParam and the return value are pointer-sized, so IntPtr is correct on both x86 and x64
    [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);

    // BCM_FIRST (0x1600) + 0x000C
    public const UInt32 BCM_SETSHIELD = 0x160C;

To call it, set the button's FlatStyle to System and then use the following code. Setting the last argument to 0 removes the UAC shield icon.

    SendMessage(button1.Handle, BCM_SETSHIELD, IntPtr.Zero, (IntPtr)1);

This does not work for drawing the UAC shield icon on a menu or a WPF Button, but the icon can be obtained from the system. If you do not mind, you can use the one that comes with .NET, System.Drawing.SystemIcons.Shield; in fact a lot of software uses this original icon, shown below (32×32):

Of course, you can also get the system's built-in icon through DllImport; the UAC shield icon ID is 77, and the code is as follows.

    // Requires: using System; using System.Runtime.InteropServices;
    // Returns an HRESULT (0 = S_OK)
    [DllImport("shell32.dll", SetLastError = false)]
    public static extern Int32 SHGetStockIconInfo(SHSTOCKICONID siid, SHGSI uFlags, ref SHSTOCKICONINFO psii);

    public enum SHSTOCKICONID : uint
    {
        SIID_SHIELD = 77   // the UAC shield
    }

    [Flags]
    public enum SHGSI : uint
    {
        SHGSI_ICON = 0x000000100,      // fill in hIcon
        SHGSI_SMALLICON = 0x000000001  // request the small version of the icon
    }

    [StructLayoutAttribute(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SHSTOCKICONINFO
    {
        public UInt32 cbSize;          // must be set to the size of the struct before the call
        public IntPtr hIcon;
        public Int32 iSysIconIndex;
        public Int32 iIcon;

        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]   // MAX_PATH
        public string szPath;
    }

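Then the following call sets the UAC shield icon on the menu:

    // Needs using System.Drawing; and, for the cleanup call, this extra declaration:
    // [DllImport("user32.dll", SetLastError = true)] static extern bool DestroyIcon(IntPtr hIcon);
    SHSTOCKICONINFO iconInfo = new SHSTOCKICONINFO();
    iconInfo.cbSize = (UInt32)System.Runtime.InteropServices.Marshal.SizeOf(iconInfo);
    // 0 (S_OK) means hIcon is valid
    if (SHGetStockIconInfo(SHSTOCKICONID.SIID_SHIELD, SHGSI.SHGSI_ICON | SHGSI.SHGSI_SMALLICON, ref iconInfo) == 0)
    {
        using (Icon icon = Icon.FromHandle(iconInfo.hIcon))
            menu.Image = icon.ToBitmap();   // ToBitmap copies the pixels
        DestroyIcon(iconInfo.hIcon);        // FromHandle does not take ownership of the handle
    }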

In the figure, menu1 uses System.Drawing.SystemIcons.Shield, menu2 uses the icon obtained from shell32.dll, and button1 displays the UAC icon directly through SendMessage.

Of course, you should check the system version to make sure it is Vista or later; on earlier versions there is no need to elevate. To determine whether the system is Vista or later, just check that the major version number is greater than or equal to 6, as in the following code.

    // True on Vista and later (major version 6 or higher)
    Boolean afterVista = (Environment.OSVersion.Platform == PlatformID.Win32NT && Environment.OSVersion.Version.Major >= 6);

[Three, checking the program's current permissions]

To determine whether the program is currently running as administrator, just reference the "System.Security.Principal" namespace and use the following code.

    // Requires: using System; using System.Security.Principal;
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    WindowsPrincipal principal = new WindowsPrincipal(identity);
    // True only when the current token has the Administrators group enabled
    Boolean isRunasAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);

Besides checking whether the program is currently running as administrator, you can also use DllImport to find out whether the current user is an administrator, whether the current process is elevated (Vista and later only), and so on; for details, see the code in the related links.
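One way to make the DllImport check mentioned above, as an added example that is not taken from the original post or the linked samples: it reads the elevation type of the current process token with GetTokenInformation, which separates an unelevated process that could elevate from one that has no linked administrator token. The class and enum names are chosen for this example; the numeric values are the Windows SDK ones.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenElevationExample
{
    const int TokenElevationTypeClass = 18;   // TOKEN_INFORMATION_CLASS.TokenElevationType

    // TOKEN_ELEVATION_TYPE values from winnt.h
    public enum ElevationType { Default = 1, Full = 2, Limited = 3 }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int infoClass,
        out int info, int infoLength, out int returnLength);

    public static ElevationType GetElevationType()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            int value, returned;
            // Fails on systems older than Vista, where this information class does not exist
            if (!GetTokenInformation(identity.Token, TokenElevationTypeClass,
                                     out value, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return (ElevationType)value;
        }
    }

    static void Main()
    {
        switch (GetElevationType())
        {
            case ElevationType.Full:
                Console.WriteLine("Elevated: running with the linked full token.");
                break;
            case ElevationType.Limited:
                Console.WriteLine("Filtered token: a linked full token exists, elevation is available.");
                break;
            default:
                Console.WriteLine("No split token: standard user, built-in Administrator, or UAC disabled.");
                break;
        }
    }
}
```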


[Related links]

  1. Write C# program to run in the Win7 with administrator privileges:
  2. UAC self-elevation (CSUACSelfElevation):
  3. How to add an uac shield icon to a MenuItem

Posted by Shirley at November 17, 2013 - 7:59 PM