UAC in Metro style app (VS 2012) - styles

I want my app always run as administrator. I already created new manifest file (via New Items -> Manifest file), put requestedExecutionLevel as "requireAdministrator", but it doesn't ask for credentials at all, even when i try it on another non-administrator account (instal via appackages). Any ideas?

Windows store applications cannot be run as 'elevated'. They are run inside an app container, which restricts the permissions even further than a normal user.

Related

How do I get my application to run with administrator rights automatically?

I've made a console application that is supposed to update some registry entries so that I can access 32 bit COM components from a 64 bit application. If I have admin rights, it works great, but I can't seem to get the application run with admin rights out of the box.
This is what I've done.
Create a Windows Console Application.
Add my code.
Right click on my project and select Properties.
Navigate to Configuration Properties > Linker > Manifest File > UAC Execution Level and set to requireAdministrator (/level='requireAdministrator').
It took a lot to figure out this because all of the info on the web is for Visual Studio 2010 or earlier which required manually creating an XML manifest file and conflicts with the auto generated one that this creates.
However, this doesn't seem to be enough to get it to run as an admin. It is a real PITA that this information isn't made easily findable. Is there some other step that I am missing? Something like a signing process?
Turns out it is how this mini application is run.
From my main programme, using ShellExecute() or ShellExecuteEx() with the "runas" verb will allow running of this executable with administrator privileges without popping up a UAC dialog.
Running this from the command line however, will result in this mini app being executed in the user's security context, which is what I was doing.

IIS - AddDataProtection PersistKeysToFileSystem not creating

I've developing an asp.net core application to tun on a web far, and I'm using "AddDataProtection" to protect for key encryption at rest like, the documentation recommends, but when I deploy my application and run directly from IIS with AppPool identity, the key is never created and I get errors on the DpapiNG windows logs.
My code is the following:
services.AddDataProtection(opt => opt.ApplicationDiscriminator = ApplicationConfig.dataProtectionApplicationDiscriminator)
.PersistKeysToFileSystem(new DirectoryInfo(encKeyPath))
.ProtectKeysWithDpapiNG(string.Format("CERTIFICATE=HashId:{0}", ApplicationConfig.dataProtectionCertThumbprint),
flags: DpapiNGProtectionDescriptorFlags.None);
Debugging from visual studio, everything runs fine, but I'm running VS under administrator rights, so permission is not an issue here.
I've tried adding permissions to the AppPool App user to the private key it self directly from MMC, but it did not worked, and even gave permission on the full path to the location were the keys should be created like stated here https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview (check first comment) but also it did not worked.
I was only able to make it work by setting the AppPool to run with the identity of an Administrator, but clearly this is a no go, I just wanted to make sure this was a permission issue somewhere.
Is anybody facing the same issue that is able to help?
Regards,
André
Most likely your issue is you are trying to store your keys somewhere in a folder path that you are cobbling together (or even by using the default path that AddDataProtection provides) that uses an environment path such as %LOCALAPPDATA%. Example: "%LOCALAPPDATA%\ASP.NET\DataProtection-Keys".
Usually, by default IIS DOES NOT set up your app pool accounts with environment path variables such as %LOCALAPPDATA%. The value ends up being blank and your app then tries to write keys to the wrong folder (such as \ASP.NET\DataProtection-Keys instead of %LOCALAPPDATA%\ASP.NET\DataProtection-Keys).
Fix: Within %WINDIR%\System32\inetsrv\config\applicationHost.config set setProfileEnvironment=true. I think you have to restart IIS as well.

What permissions are required to run VS with IIS

When working on a project that uses IIS (not IIS Express) for local development, what permissions are actually required under window 8? I don't want to run as admin all the time...the first error message I get when running using the Local User Account (LUA) was about Metabase (probably a misnomer, as changing the permissions on that gave the same error message until the config files in inetsrv/config were also available). Now it builds, but then gives an error message "Unable to start debugging on web server. IIS does not list a web site that matches the launched URL".
The blog https://blogs.msdn.microsoft.com/jaredpar/2005/02/04/myth-creating-web-applications-with-visual-studio-requires-admin-privileges/ while old, at least hints that it should be possible to manually give myself (or a group that I create) the right permissions. Just need to figure out what those permissions are...
To run VS against IIS you need to run VS elevated (the process needs admin permissions).
From a non-admin account you could run VS "As Administrator", you will also need to do this with the tools necessary to configure IIS.
However I've never tried that, rather I run with a non-elevated admin account so any file changes from within an elevated VS are fully accessible to non-elevated processes.
Additional: note, VS really only needs the Debug Any Process privilege, but giving that one privilege gives the ability to gain all others (with some effort) going through the work to limit the VS process to just that one difference seems pointless.

How to run exe under command line by the web service deployed on IIS 8?

I have deployed a web service on IIS 8, the web service need to run some .exe utility tools by using command line console. It works perfectly on localhost, but it does not work when I use web browser to access it remotely. the exe did not get call at all. I did some research on internet, someone mentioned it is IIS user permission problem which I created a new account with full control permission, someone mentioned that is because application pool has different permission with the web service(which I checked it is not the case).Someone said it might because the exe file is 32 bit application so I enabled the 32 bit application run in application pool. However, none of above fixed my problem. I was wondering if I missed anything?Thanks for any help.
some updates, I have also changed the handler mapping on IIS to enable the Execute exe(under edit feature permission). The exe file I need to call is from a third party company. Now I can run system method like "dir .", "ping xx.xx.xx.xx" with now problem, but not this exe file.

Start exe after msi install but using current user privileges

I am using Visual Studio 2008 to build an MSI install package. Within the install I have numerous custom actions. Within the OnAfterInstall custom action I attempt to start an exe which is deployed by the install. The exe starts ok, but runs within a security context of NT AUTHORITY\SYSTEM (i.e. under the elevated privileges granted to the Windows Installer process). I actually need the exe to run in the security context of the currently logged-on user who started the install in the first place. Does anyone know how to start the exe so it runs in this 'reduced' context. I really want to avoid having to ask the user for their login credentials if possible.
You need to use Remote Desktop Services API: http://msdn.microsoft.com/en-us/library/aa383464%28v=VS.85%29.aspx . It is available starting from WinXP.
This API allows you to run your application in context of any logged in user account. You need to be running as a SYSTEM to be able to use it. And you are.
For instance you may enumerate sessions using WTSEnumerateSessions, then take user token by WTSQueryUserToken and run application using this token.

Resources