  • Status: Solved
  • Priority: Medium
  • Security: Public

Embedding a manifest in a Delphi 7 app. to elevate Vista privileges

Hi,
  I have been trying to embed a manifest into a Delphi 7 application which elevates the privileges to "administrator" without the user having to right click and 'Run As Administrator' on Windows Vista. The program has to have access to particular folders and the registry to operate correctly ( as do most :).
The manifest is :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="1.0.0.0"
    processorArchitecture="*"
    name="UACAwareApplication"
    type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

My .RC file for this is simply :

1 24 "UAC.manifest"

... and the whole basis of this is the excellent article by Aleksander Oven at :

http://developersoven.blogspot.com/2007/02/leveraging-vistas-uac-with-delphi-part_27.html

Unfortunately it fails to elevate. Can anybody help me with a reason why ? Perhaps I have to use RT_MANIFEST instead of "24" ? Maybe the manifest is incorrect ? (should 'UACAwareApplication' be replaced by the name of the application executable) ... don't think so but ...

thanks and best wishes

RR
0
 
Johnjces Commented:
How exactly is it failing to activate? When a user runs the app does it ask for Admin credentials?

John
0
 
RetroRocker Author Commented:
Johnjces : OK, this app. on running requires that it can write a configuration file to the user's appdata folder which is restricted by Vista unless the app. is 'run as administrator'. In actual fact the file in question is none other than pdoxusrs.net (the BDE network config file). The program implements this location because ordinarily this file would be in C: root which is Vista restricted (OK in that case maybe I could just let it write to C: root in any case but that's another story ;-). There is also access required to the HKLM registry branch, another Vista restriction.
  Simply starting the app. in an admin account does not allow any of these requirements so an exception is thrown. If 'Run As Administrator' is used, then all is well and it runs fine. Using RAA is a bit like a sledgehammer to crack a nut in this case but for now it has to suffice.
  My contention was that embedding the manifest as above would 'emulate' the RunAsAdministrator option as I concluded (perhaps incorrectly ?) from Aleks Oven's article.
  Embedding the manifest and not using RAA throws the exceptions, then using RAA results in the app. again running fine - it's as though the embedded manifest has no effect.
  I am embedding the manifest in the app's main form immediately after the {$R *.DFM} directive which is logical to me and the resource is definitely being linked ... but does not work as expected.
  Any ideas as to why this is will be genuinely appreciated ... thanks
RR
0
 
RetroRocker Author Commented:
I should probably add, to make it absolutely clear, that when the app. is not RAA the app. throws the exception because it is not being allowed to write. There is not a UAC window in this case. When RAA is used then I get one of the 'aggressive' style UAC prompts 'an unidentified program requires access ...' and the app. has to be allowed. The app. is currently not digitally code signed, hence the aggressive prompt, but it will be soon which will improve the UAC prompting to be a little more pleasant. I don't think that not being signed though affects the core issue of 'Run As Administrator' in this case ... unless of course anyone knows better ...
RR
0
 
Johnjces Commented:
Sorry to have abandoned you there but was out of town.

Sounds like you are doing things right. Vista still nags users for permissions no matter how you set up the manifest. But, there are two things that may help. A good manifest, and a good installation program that sets file and folder permissions.

Just in case, here is a manifest that works well for me.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
        <dependency>
                <dependentAssembly>
                        <assemblyIdentity
                                type="win32"
                                name="Microsoft.Windows.Common-Controls"
                                version="6.0.0.0"
                                processorArchitecture="X86"
                                publicKeyToken="6595b64144ccf1df"
                                language="*"
                        />
                </dependentAssembly>
        </dependency>
        <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
                <security>
                        <requestedPrivileges>
                                <requestedExecutionLevel
                                       level="requireAdministrator"
                                       uiAccess="false"/>
                        </requestedPrivileges>
                </security>
        </trustInfo>
</assembly>

In the same directory, add a file named "administrator.rc" containing a single line:
1 24 "administrator.manifest"

Use the Delphi resource compiler to build the file administrator.res:
brcc32 administrator.rc

Finally in your Delphi project, (dpr), add this line to include the resource:
{$R 'administrator.res' 'administrator.rc'}

That should do it.

More info, which you probably have...

The Windows Vista application manifest has been enhanced with attributes that permit developers to mark their applications with a requested execution level. The following is the format for this.

<requestedExecutionLevel
   level="asInvoker|highestAvailable|requireAdministrator"
   uiAccess="true|false"/>

level

    * asInvoker: The application runs with the same token as the parent process.

          Important note: For Windows Vista Beta-1, the term used for this level is leastPrivilege. Developers wishing to mark their code for this level on Windows Vista Beta-1 should use leastPrivilege. Developers will need to update their manifest to use the term asInvoker in subsequent versions of Windows.

    * highestAvailable: The application runs with the highest privileges the current user can obtain.
    * requireAdministrator: The application runs only for administrators and requires that the application be launched with the full token of an administrator.

uiAccess

    * false: The application does not need to drive input to the UI of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true.
    * true: The application is allowed to bypass UI protection levels to drive input to higher privilege windows on the desktop. This setting should only be used for UI Accessibility applications.

Lastly, Vista gives higher privileges automatically to setup programs or those programs that have install or setup in their name. I use Inno and I ensure that my apps have basic user permissions assigned to files and to ALL the folders. I have found that in order to write to the Program Files directory under my app, I needed to create/change permissions on that directory and ensure the file I create programmatically also is assigned user read/write permissions.

I do not know if this helps in your app, but let us know and I hope I helped somehow.

John

You might also try this, which would be for Vista only. (The above manifest is OK for XP)....

<?xml version="1.0" encoding="utf-8"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

0
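
A way to confirm that a linked EXE actually carries the manifest and which execution level it declares, as an added example (not code from either poster): a Python check that scans the build for the embedded manifest text and reports requestedExecutionLevel, whichever trustInfo namespace (asm.v2 or asm.v3) is used. It assumes an unpacked EXE with a UTF-8/ANSI manifest; SAMPLE_EXE and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Values the thread lists for the level attribute.
VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed stand-in for a linked EXE: filler bytes around the manifest
# text, which a type 24 (RT_MANIFEST) resource stores uncompressed.
SAMPLE_EXE = (
    b"MZ" + b"\x00" * 62
    + b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security>'
    b'<requestedPrivileges><requestedExecutionLevel'
    b' level="requireAdministrator" uiAccess="false"/></requestedPrivileges>'
    b'</security></trustInfo></assembly>' + b"\x00" * 16
)

def extract_manifest(data):
    """Heuristic scan for the first <assembly>...</assembly> run in raw bytes.
    Assumption: unpacked EXE, UTF-8/ANSI manifest. Not a PE resource parser."""
    m = re.search(rb"<assembly\b.*?</assembly>", data, re.DOTALL)
    return m.group(0) if m else None

def requested_level(manifest):
    """Return the requestedExecutionLevel settings, or None if not declared."""
    try:
        root = ET.fromstring(manifest)
    except ET.ParseError:
        return None
    for el in root.iter():
        ns, _, name = el.tag.rpartition("}")  # split "{namespace}localname"
        if name == "requestedExecutionLevel":
            return {"level": el.get("level"), "uiAccess": el.get("uiAccess"),
                    "namespace": ns.lstrip("{")}
    return None

def audit_exe(data):
    """One-line verdict for a build: what the embedded manifest requests."""
    manifest = extract_manifest(data)
    if manifest is None:
        return "no manifest found"
    info = requested_level(manifest)
    if info is None:
        return "manifest present, no requestedExecutionLevel"
    if info["level"] not in VALID_LEVELS:
        return "unknown level %r" % info["level"]
    return "%s (uiAccess=%s, %s)" % (
        info["level"], info["uiAccess"] or "not set", info["namespace"])

if __name__ == "__main__":
    print(audit_exe(SAMPLE_EXE))
```

For a real build, pass the file contents, for example `audit_exe(open("app.exe", "rb").read())`, where `app.exe` is a placeholder name.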
 
RetroRocker Author Commented:
Johnjces : I definitely do not feel abandoned, quite the opposite in fact, your detailed response is certain testimony to this ! Understandably I have been working on this while you were away and I came up with an exact same set of solutions. I researched the privilege levels and indeed as you typed my app. was already deployed (BTW I use InstallAware) with the combined XP/Elevation manifest embedded because I needed both. To be honest, but I can assure you in no way disrespectfully, your reply at this point has not imparted anything new to me. However,  a bare few days ago it would have been virtually all I needed to know, so for that reason it is accepted as the solution.
  I say virtually, for this reason : This original app. committed (in Vista terms at least) a 'sin' in that it tried to write to HKLM during startup. As we know this is a no no, so the program throws an exception. That situation is for 'normal' ops. ie. admin account but NO RAA. RAA allows the HKLM write to happen. My contention is that a manifest containing "requireAdministrator" would be the same as RAA selected by the user but this does not appear to be the case and I have not unearthed why this is. Bottom line here is that I removed the HKLM dependency from the program (it was something of a legacy item which really didn't ought to be there anyhow) and of course the problem ceased. Now, I know the manifest works because the XP portion is visibly functional but I'm not over confident that the UAC/elevation is operational as well ... but there is not really a problem now so I'm going to leave the issue. It's just that academically a "requireAdministrator" manifest, IMHO should have taken care of the HKLM issue mentioned above, just like RAA does, but it never did ...
  Thanks for all the time and effort, genuinely appreciated !
0
 
Johnjces Commented:
No problem! Sorry it was late!

John
0
