8

Why does a simple console app require administrative privileges?

program LTUpdate;

{$APPTYPE CONSOLE}

begin
  WriteLn('Hello World');
end.
  • If I run this program from a command prompt nothing happens.
  • If I run the command prompt with administrative rights and then this program it outputs:

    Hello World

Is there somewhere a checkbox in the project which sets the app to require administrative rights?

(The final program will connect to a database, get some fields and update it elsewhere, now I could do it via VCL... but I thought I'd try a simple console app this time.)

AmigoJack
  • 5,234
  • 1
  • 15
  • 31
user1937012
  • 1,031
  • 11
  • 20
  • 7
    Because the word UPDATE is in your apps name. Windows is ...uhm... smart that way, as soon as it sees some keywords it automatically demands elevation. – Sherlock70 Apr 22 '22 at 08:59
  • 1
    I had to try it because I could not believe it, but it's true... Sad but True – GuidoG Apr 22 '22 at 09:33
  • 1
    Just name it `UPD8` or use a localized name. – AmigoJack Apr 22 '22 at 09:49
  • 1
    Can also include a manifest that tells Windows the execution level for the executable. Project Options -> Application -> Manifest, Auto Generate and leave Execution Level : As Invoker. This question might benefit from being re-opened so it gets a Delphi specific answer on how to fix. – Brian Apr 22 '22 at 11:53
  • 1
    @GuidoG it is true. It is UAC's "Installer Detection" feature, when a UAC `requestedExecutionLevel` manifest is not present – Remy Lebeau Apr 22 '22 at 14:49

1 Answers1

11

Your app is being compiled as 32bit, and lacks a UAC manifest containing a requestedExecutionLevel value, so UAC's "Installer Detection" feature kicks in, which is why your app requires elevation:

https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works

Installer detection technology

Installation programs are apps designed to deploy software. Most installation programs write to system directories and registry keys. These protected system locations are typically writeable only by an administrator in Installer detection technology, which means that standard users do not have sufficient access to install programs. Windows 10 and Windows 11 heuristically detect installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows 10 and Windows 11 also heuristically detect updates and programs that uninstall applications. One of the design goals of UAC is to prevent installations from being run without the user's knowledge and consent because installation programs write to protected areas of the file system and registry.

Installer detection only applies to:

  • 32-bit executable files.
  • Applications without a requested execution level attribute.
  • Interactive processes running as a standard user with UAC enabled.

Before a 32-bit process is created, the following attributes are checked to determine whether it is an installer:

  • The file name includes keywords such as "install," "setup," or "update.
  • "Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
  • Keywords in the side-by-side manifest are embedded in the executable file.
  • Keywords in specific StringTable entries are linked in the executable file.
  • Key attributes in the resource script data are linked in the executable file.
  • There are targeted sequences of bytes within the executable file.

The simplest way to fix this is to add a UAC manifest to your app to specify an execution level:

  • Go to "Project Options | Application | Manifest"
  • Enable "Auto Generate"
  • Set "Execution Level" as needed (in this case, "As Invoker" will suffice).

Otherwise, you would have to either recompile your app as 64bit, or change its name and version resource to avoid the designated keywords.

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770