0

I have a command line utility for some purpose. I start this utility from a COM DLL using the ShellExecuteEx function. When calling ShellExecuteEx, I specify the lpVerb parameter as "runas" so that the utility is started elevated. I call the COM interface function from an exe client on its startup. So when I start the client exe, the utility is also started. My problem is that since the utility is started elevated, it always asks for the UAC confirmation prompt. I can't stand this because there will be no manual intervention during this process. So I need the utility to be started without showing the UAC prompt, but still elevated when I start the client exe. Is there any way to achieve this? I would prefer some changes done within the utility itself, like changing the manifest file, rather than some system settings changes. Any help will be appreciated.

Partha

1 Answer

1

This is not possible the way you describe (manifest change) because this would defeat the purpose of UAC.

You can, however, use a scheduled task. This way, elevation with user interaction is required only once (when the task is created).

Take a look at the answer I've given here: https://stackoverflow.com/a/36838171/1871033

You can do the same, but without a logon trigger. So you will have a scheduled task which doesn't run on its own, but it exists. You can then use `schtasks.exe /run /tn YourTaskName` without elevation to run the task with elevated privileges.

CherryDT
  • But I start the application from a COM DLL using ShellExecuteEx. It is a command line utility that takes some arguments too. I pass these arguments in ShellExecuteEx. Is the same mechanism possible if I add a scheduled task? I mean instead of calling ShellExecuteEx I should be able to trigger the task from my COM DLL. That too by specifying the command line arguments. Then wait for the application to exit (task to be finished) and then proceed. Is it possible programmatically? If so, can you please provide some information regarding this. – Partha May 04 '16 at 09:56
  • Oh, I see... If you need to pass command line arguments at runtime, this won't work out of the box. You would need to write a special tool as a wrapper which for example accepts input through a named pipe, or reads it from a text file at a defined place - could then even be a batch script you call through `cmd /c` in the scheduled task (in both cases you would have to be careful to sanitize the input to make sure you are not introducing any privilege-escalation vulnerabilities), or look into writing a service. But it's not straight-forward either way. – CherryDT May 04 '16 at 10:05
  • I especially need to disable UAC notification because my utility application is supposed to start on a server, where there won't be any user interaction. But still I need admin privileges. I wonder if there is no such scenario in Windows where an application has to be started in a dumb (non-interactive) server with admin privileges? In such a scenario what will be the mechanism used there? I really hope there may be a solution because the above mentioned scenario can be a requirement for many people – Partha May 04 '16 at 10:33
  • You would usually use a service for that then. – CherryDT May 04 '16 at 10:34
  • What if I try to start the command line application in session 0. Is it possible? If so, will there be a UAC prompt? – Partha May 04 '16 at 10:39
  • It is possible, again through a service, and if you use a service which can be controlled by your application and starts the command line tool then there won't be a UAC prompt because the service already has the necessary rights. I don't know what's the programming language of your choice, but here would be a [tutorial for .NET languages](https://msdn.microsoft.com/en-us/library/d56de412(v=vs.110).aspx) by Microsoft for example. – CherryDT May 04 '16 at 10:43
  • The language I use is Visual C++. Is it possible to start a command line application in session 0 without using a service? I mean using some APIs like ShellExecuteEx. – Partha May 04 '16 at 10:53
  • I'm not sure if it's possible to access session 0 like this but even if it was, you would still have to get elevated rights first. So there is nothing you would have gained from that. – CherryDT May 04 '16 at 10:59
  • Yes, I refer to some solutions like calling ShellExecuteEx with the "runas" parameter and explicitly specifying the session as 0... something like this – Partha May 04 '16 at 11:15
  • As I just said, it isn't working like this and won't solve your UAC issue even if you would succeed in running something in session 0, because you would need to get elevated through UAC to access session 0 and run something with higher rights there in the first place. – CherryDT May 04 '16 at 11:20
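
The input check that the comment about a wrapper calls for, as an added example that is not part of the original posts: an elevated wrapper started by the scheduled task validates a request from the unelevated client against an allowlist before using it as arguments. The option names, patterns and `validate_request` are assumptions made for illustration.

```cpp
// Added example: request validation inside an elevated wrapper (names are hypothetical).
#include <iostream>
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Allowlist (constructed): option name -> pattern the whole value must match.
static const std::map<std::string, std::regex> kAllowed = {
    {"--mode",  std::regex("backup|verify")},
    {"--job",   std::regex("[A-Za-z0-9_-]{1,32}")},
    {"--level", std::regex("[0-9]")},
};

// Validates a request written by the unelevated client, one "--opt=value" per line.
// On success fills `args` and returns true; any unexpected line rejects the whole request.
bool validate_request(const std::string& request, std::vector<std::string>& args) {
    args.clear();
    std::map<std::string, bool> seen;
    std::istringstream in(request);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // accept CRLF
        if (line.empty()) continue;
        std::string::size_type eq = line.find('=');
        if (eq == std::string::npos) { args.clear(); return false; }
        const std::string name = line.substr(0, eq), value = line.substr(eq + 1);
        auto it = kAllowed.find(name);
        if (it == kAllowed.end() || seen[name] ||
            !std::regex_match(value, it->second)) { args.clear(); return false; }
        seen[name] = true;
        args.push_back(name + "=" + value);
    }
    return !args.empty();  // an empty request is not a valid job
}

int main() {
    std::vector<std::string> args;
    // Constructed sample requests: the second tries to smuggle a second command.
    const char* samples[] = {"--mode=backup\r\n--job=nightly_01\r\n",
                             "--mode=backup\n--job=x & other.exe\n"};
    for (const char* s : samples)
        std::cout << (validate_request(s, args) ? "accepted" : "rejected") << "\n";
    return 0;
}
```

Passing the validated arguments to the utility directly, rather than through `cmd /c`, keeps shell metacharacter parsing out of the elevated path.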