How can I create a process in Windows with administrator rights from another software in C++ but without being dependent on that software? - createprocess

Imagine that some software in your Windows PC needs to be run at a given time and it was supposed that its user would start it, but he forgot to do it. And that software was supposed to run as administrator (i.e. with administrator rights). So, in order to guarantee that the given software will be open at that time, you put a watchdog that can perform what the user should have done.
This is not exactly my situation, but that's what I need. It must work in C++ and I'm using Qt (though I think that will not make much difference).
I searched almost all files in MSDN about CreateProcess() and similar functions and saw some dozens of examples in the net, but till now I wasn't able to do what I want (in fact, I wasn't even capable of running the software, much less with the details).
It's important to notice that the watchdog is supposed to just open the software as administrator and immediately "forget it"; it should have no control and the opened software must not be in any way dependent on the watchdog (e.g. if the watchdog is closed, the opened software continues to run normally).
I'd be glad if somebody helps.
Momergil

Typically, if a program requires Administrator Rights to run, then a user with Administrator Rights is required to install it.
This gives Administrator Rights to the program.
Update: Based on your comment about trying to get another process to run another application with Admin Rights, you should look into the following code:
    using System;
    using System.Diagnostics;
    using System.Security.Principal;

    public static void ProcessStart(string fileName, string arguments) {
        ProcessStartInfo startInfo = new ProcessStartInfo(fileName, arguments);
    #if !PocketPC
        try {
            // Start the process only if the current identity is in the Administrator role.
            WindowsIdentity id = WindowsIdentity.GetCurrent();
            WindowsPrincipal pal = new WindowsPrincipal(id);
            if (pal.IsInRole(WindowsBuiltInRole.Administrator)) {
                Process.Start(startInfo);
            }
        } catch (Exception e) {
            Console.WriteLine(e.Message);
        }
    #else
        // PocketPC builds skip the role check.
        Process.Start(startInfo);
    #endif
    }
This code excludes Microsoft PocketPC devices and only executes if the person running the program is in the Administrator group.
What you would need to do is initiate a WindowsIdentity for an account (on the PC you want to run your application on) that has Administrator rights and Impersonate that account to run your application.
There is a working example of how to do this on CodeProject entitled User Impersonation in .NET that can give you a lot more information.

Related

Rights elevation with UAC

I've just developed a .NET program which has the ability to patch itself.
I've noticed that the patching process only runs if I choose "run as administrator".
It seems I need to "create and embed an Application Manifest", according to this:
https://msdn.microsoft.com/en-us/library/bb756929.aspx
So my question:
Is it normal for applications like mine (which can patch themselves) to require Admin rights, and is this the route I should be going?
Thanks
If your application does not normally require elevation then I don't recommend that you request it in your manifest because it will be very annoying for your users. Firefox uses an NT service to get around the UAC dialog but I can't really recommend that either unless your updates are very frequent.
I would suggest that you write a little updater application that does the patching. It can request elevation in its manifest and this way the user only has to elevate when there is something to patch. If you don't want another .exe in your bundle, you can execute yourself again with the runas verb when you need to patch.
Edited the NSIS script to include this line:
    AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-32-545)" "FullAccess"
This gave the User account full access to the application folder within Program Files, meaning my patcher could write to it without any problems.
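The answer's suggestion to execute yourself again with the runas verb, sketched in C# as an added example (not code from the original posts). The class name, the `--patch` switch and the marker file standing in for the real patch step are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;

static class SelfElevatingPatcher          // hypothetical name
{
    const int ERROR_CANCELLED = 1223;      // Win32 error when the UAC prompt is declined
    const string PatchSwitch = "--patch";  // hypothetical command-line switch

    static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Start a second copy of this executable through ShellExecute with the
    // "runas" verb, which is what triggers the UAC consent prompt.
    static bool RunPatchElevated()
    {
        var psi = new ProcessStartInfo(Process.GetCurrentProcess().MainModule.FileName, PatchSwitch);
        psi.UseShellExecute = true;        // the verb is only applied via ShellExecute
        psi.Verb = "runas";
        try
        {
            using (Process child = Process.Start(psi))
            {
                if (child == null) return false;
                child.WaitForExit();
                return child.ExitCode == 0;
            }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ERROR_CANCELLED)
        {
            return false;                  // user declined elevation; keep running unpatched
        }
    }

    static int Main(string[] args)
    {
        if (args.Length == 1 && args[0] == PatchSwitch)
        {
            if (!IsElevated()) return 1;   // refuse to patch without an elevated token
            // Stand-in for the real patch step: write into the install directory.
            string marker = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "patched.marker");
            File.WriteAllText(marker, DateTime.UtcNow.ToString("o"));
            return 0;
        }
        Console.WriteLine(RunPatchElevated() ? "Patch applied." : "Patch declined or failed.");
        return 0;
    }
}
```

Because only the patch step is elevated, the install directory can keep its default ACL; granting S-1-5-32-545 (BUILTIN\Users) FullAccess instead lets any local user replace the application's files.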

Custom Action exe with elevated privilege for InstallShield Limited edition

I am using the Limited edition and in my installer I have a custom action where I open a cmd.exe and pass a batch file to execute.
The cmd is executing but it's not running with elevated permission. I need to execute this with elevated permission since my batch file has operations which need admin privilege.
I tried many options and the screenshots attached describe what I have done.
Let me know if this is possible with Limited Edition. I am installing on a Windows 10 machine.
The whole "Elevated privilege" thing changed a lot during the last years.
If I were you, I'd put the schema to version 500 (the last one).
You might want to double-check that your batch file is correctly found, as properties in system context can be unavailable. (Use /k so the cmd prompt will not close and you'll be able to see the result of your batch file.)
Also, if UAC is disabled on the client machine, the user won't have the right to elevate your installer, so setting the Require Administrative privilege won't change anything.
In order to be sure, you might want to use an install condition validating the Privileged property.

CreateSubKey always causes exception: "Cannot write to the registry key"

The code is really quite simple:
var key = Registry.LocalMachine.OpenSubKey("Software").CreateSubKey("somekey", RegistryKeyPermissionCheck.ReadWriteSubTree);
...but I keep getting the exception "Cannot write to the registry key", even when I run VS2010 (or the compiled code) as Administrator.
What am I doing wrong?
Running .Net Framework 4 Client Profile.
You are trying to write to HKEY_LOCAL_MACHINE. Access to HKEY_LOCAL_MACHINE is restricted by UAC. Your user may well be an administrator, but unless the process is started with elevated rights, UAC will prevent write access.
In order to write to HKEY_LOCAL_MACHINE you will need to ensure that the Registry access is performed in code that is running with elevated rights. To do that, you will need to either:
Add a UAC manifest to your application to force it to execute with elevated rights. However, this means that the user will have to deal with the UAC elevation prompt every time the application is run.
If you do not want to elevate your application, you will need to separate the parts of code that need elevation into a separate process, or into a COM object instantiated via the COM Elevation Moniker, whenever your application needs to perform an elevated operation.
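An added example (not from the original posts) of the write the question attempts, run from an elevated process as the answer describes. It also opens the parent key writable: `OpenSubKey(name)` returns a read-only key, and `CreateSubKey` on a read-only key fails regardless of elevation. The class name and the value name are assumptions.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

static class HklmWriter                    // hypothetical name
{
    static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    static int Main()
    {
        if (!IsElevated())
        {
            Console.Error.WriteLine("Not elevated: writes under HKLM\\Software will be denied.");
            return 1;
        }
        try
        {
            // The second argument (writable: true) requests write access on the
            // parent key; the single-argument overload opens it read-only.
            using (RegistryKey software = Registry.LocalMachine.OpenSubKey("Software", true))
            using (RegistryKey key = software.CreateSubKey("somekey", RegistryKeyPermissionCheck.ReadWriteSubTree))
            {
                key.SetValue("ExampleValue", 1, RegistryValueKind.DWord); // hypothetical value
                Console.WriteLine("Wrote " + key.Name);
            }
            return 0;
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.Error.WriteLine("Access denied: " + ex.Message);
            return 2;
        }
        catch (SecurityException ex)
        {
            Console.Error.WriteLine("Denied by the key's ACL or policy: " + ex.Message);
            return 2;
        }
    }
}
```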

Windows Server 2008 won't let me create a log source, telling me it already exists (it does not)

I have a small winforms app that creates a new event log source.
I run it as administrator for the elevated privileges.
The code checks to ensure the specified event log does not exist and then creates the source. This worked fine on my Windows 7 machine, but when I run the app on Windows Server 2008 R2 SP1 it tells me the source already exists. I know it doesn't because a) this is a fresh install of Windows Server 2008 R2, and b) I added code to return a list of all the log sources and my new one was not in the list.
I know about the "first 8 characters" being the significant ones and I made sure my source name was completely unique.
Here's the super-easy code (of course I have try/catches around this):
    if (!EventLog.SourceExists(sourceName))
    {
        EventLog.CreateEventSource(sourceName, logName);
    }
Can anyone tell me why Windows Server 2008 is lying to me?
Local (or domain) administrators are not the most powerful accounts on a Windows box.
There are other accounts that have higher (though also more limited) access.
SourceExists() will return false if it exists but you don't have access rights to know about it, and it's perfectly possible for an administrator to be denied access to something.
Also, there are reserved names for things in odd places that can trip you up. Creating folders with the names CON, COM or LPT used to cause odd issues on Server 2003.
So there also are a whole bunch of reasons why CreateEventSource() can fail - dig into the inner exception(s) as well, often those provide critical detail.
Which event log source name was failing for you?
Would you post the exception stack?

Windows installer security/credential question

Folks,
I've got a strange issue at the moment with a Visual Studio 2010-built MSI...
When I run the msi, it performs a few tasks, then executes a tool we built - this tool then carries out some more advanced work we couldn't do within a custom task.
The issue here is that when the msi starts my custom built tool, it doesn't execute it with the same credentials as I start the MSI with (i.e. my administrative login).
Is there a parameter I can pass to an MSI to enforce this? Or perhaps I can pass the credentials to the process when I start it?
My process is started using Process process = Process.Start(procInfo) nothing fancy. I've also noted the ability to pass in a parameterised username/password/domain, but this will vary depending on the user who is installing - can this be extracted from the installer somehow?
Any help (or questions) welcomed.
Dave
EDIT: for clarity... I'm running the MSI under my domain account, and I want my custom process to run under that 'context'. At present, it starts (regardless of whether I start as administrator or not) under the SYSTEM account (rather than mydomain\me). I'm using Windows Server DataCenter edition if that helps...
I should also add, I think this is a policy issue, but I've no idea what to check/where to check...
By default Windows Installer runs custom actions as the current user. If the MSI is elevated, custom actions will run as the elevated user.
Please note that if you are running the MSI as an Administrator, it doesn't mean your custom actions will have full Administrator privileges. On Vista or higher any user can gain Administrator privileges through elevation.
So if your custom actions need Administrator privileges, make sure they use the msidbCustomActionTypeNoImpersonate flag so they run under the local system account.
If this is not the problem and you just need access to the current user data, can you please give me more details?
