-1

I am looking for a method to use as an alternative to disabling UAC to keep application persistence throughout the lifetime of the system.

My application runs every time the system starts up, and it requires elevated privileges, so when UAC is enabled it asks the user whether or not to run my application, every time the system is rebooted. This is very tedious and can become annoying if it happens every time. If UAC is disabled this warning no longer appears but of course that is very harmful to the user as it could lead to threats on their computer.

My question is; In C++ how can I programmatically allow file/application persistence throughout any event on the users' PC just for my application without getting the UAC warnings each time!

I am looking for ANY possible method, an exploit, a bypass method, anything, I'm really desperate at the moment as I've been stuck with this program for several days now and I'm just 99.9% done my project. I really need to get this through. THANK YOU SO MUCH FOR ANY ADVICE you may offer me!

Harry Johnston
  • 35,639
  • 6
  • 68
  • 158
sysenter
  • 75
  • 1
  • 9
  • 6
    You can install a service to perform the necessary admin functions. There's no way for an application to elevate without asking the user in a system with UAC enabled. – Jonathan Potter Oct 24 '14 at 20:10
  • 1
    "Run my application on reboot" is pretty bizarre, that's not how UAC works. Do make sure you are actually talking about UAC :) – Hans Passant Oct 24 '14 at 21:07
  • Consider the possibility that it might be easier to change the app in such a way so that elevation is not required, than it is to try to bypass UAC prompt. – Dialecticus Oct 24 '14 at 23:59
  • If you could launch an app that requires admin privileges without prompting the user, it would be a pretty major security hole that would render UAC useless. Stop trying to bypass it and concentrate instead on fixing your application; if it requires admin privileges without user intervention, make it a service that can be configured to run under an account that has those privileges instead. This is really clear: Stop trying to fight UAC and learn to properly cooperate with it. – Ken White Oct 25 '14 at 00:35
  • How would your application react if UAC were disabled? The user is a standard user, they have no way to run your application as an administrator, what does your application do? Does it crash on startup? Does it detect that the user is not an administrator is throw a warning? What did your application do on Windows XP? – Ian Boyd Sep 26 '18 at 14:54

1 Answers1

3

The first step is to determine whether your program really needs admin privilege at all. Sometimes a program only runs with admin privilege, but for trivial reasons: a log file is being generated in the wrong place, for example, or a file that should be being opened for read-only access is being opened for full access. If that's the case you can fix the problem and avoid any further structural changes.

Secondly, ask whether your program needs admin privilege all the time, or only when the user performs certain actions. In the latter case, you should probably only elevate when it becomes necessary to do so; as well as meaning that the user does not need to approve the program launch on every reboot, it also helps protect the user from making an administrative change without intending to. This is particularly relevant if UAC is configured to require a password each time.

Thirdly, ask whether your program really needs a user interface. If not, then it should be a system service.

If your program really does need admin privilege all the time, and really does need a user interface, then you need to separate it into two parts, one containing the user interface and one containing the functionality that requires elevated privilege.

The user interface part should be a program that runs whenever a user logs in, just as your program does now. The elevated privilege part should be a system service.

The primary logic might belong in either part, or might also need to be split into two; it depends entirely on the context. (The system service does need to contain enough logic to ensure that the the privileged operations it is performing are safe and appropriate. It can't simply do anything the user interface part tells it to.)

These two parts can interact using whatever form of inter-process communication and/or synchronization is most convenient. You do need to be aware that they will be in different Remote Desktop sessions; for example, if you create an event object for synchronization the name must start with the Global\ prefix.

You will need to consider that more than one user may be logged in at the same time, either via Switch User or because the machine is a Remote Desktop server. This may mean that the service component needs to support multiple simultaneous clients, which affects your choice and implementation of IPC. Alternatively, the user interface component needs to detect that another instance is already running, and wait until that instance goes away before attempting to connect.

You will also need to consider how the program should react when the logged-in user does not have administrative privilege. At the moment such a user can't run your program at all, probably making the prompts even more annoying than they are to an admin user! If it is OK for the program to work as normal for a non-admin user then you don't need to do anything special. If the program should not work for a non-admin user, or if some of the functionality should be restricted, then (a) the GUI component needs to behave accordingly, by, e.g., exiting silently; and (b) the service component needs to check the context in which the GUI component is running. It is not enough for the GUI component to do the check, because the user can trick it if he or she wishes to; the service component must check too.

The easiest way to do that is probably to use GetTokenInformation with the TokenElevationType option; if the token type is TokenElevationTypeLimited or TokenElevationTypeFull, the user has administrator privilege. If the token type is TokenElevationTypeDefault, there is no split token; either the user is not an administrator, is the local Administrator account, or UAC is turned off; in this case, use CheckTokenMembership to check whether the user is in the Administrators group or not.

In some cases, it might also be sensible for certain tasks to require UAC approval, even if other tasks do not. Such tasks need not involve the service component; the GUI component can elevate itself, with the user's consent, to perform them.

Harry Johnston
  • 35,639
  • 6
  • 68
  • 158
  • 1
    +1 for a very thorough analysis of the problem, guidance on how to solve several relevant scenarios, and pointing out some hidden obstacles. You might want to include that installing a system service requires elevation as well, as a one-time confirmation, typically at install time. – IInspectable Oct 25 '14 at 10:01