  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2331

UAC prompting on startup program with “asInvoker” on the “requestedExecutionLevel”

I am developing a very simple C# Windows Application (it only displays a message box saying "UACtest") that I want to run at startup without prompting UAC.

For that I created a registry key for it under HKCU, and on the machine where I compiled it (Windows 8 64-bit using Visual Studio 2013) it runs at startup without prompting UAC, as expected.

However, if I run the executable on a Windows 7 machine and do exactly the same thing, a UAC prompt is shown at startup.

Please note that the manifest of the executable has "asInvoker" on the "requestedExecutionLevel", the whole manifest is this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Also, when I directly double-click the executable, it never prompts UAC, either on Windows 7 32-bit or on Windows 8 64-bit; the UAC prompting problem is only at startup.

I also tried to compile the executable on the Windows 7 32-bit machine (to maybe bypass some compatibility issues) and a strange thing happened: on that machine UAC is now not prompted at startup, as expected. However, when I ran the test on another machine (Windows 7 64-bit under Virtual Box), it prompted UAC at startup.

This has now really puzzled me, can someone please tell me a way to compile it so that it never prompts UAC at startup on all versions of Windows?

The project properties I used on Visual Studio 2013 are the default ones, except:
  • Target framework: 2.0
  • Platform target: x86

And the UAC settings on all machines were the default one: "Notify me only when applications try to make changes on my computer (default)"

Also the name of the executable does not contain words like "install" or "update" to not trigger UAC installer heuristics.
0
miguelanjelo
Asked:
1 Solution
 
btan (Exec Consultant) Commented:
I was suspecting you can't access the HKCR (or HKLM) hives in Vista and newer versions of Windows unless you have administrative privileges. Therefore, you'll either need to be logged in as an Administrator before you run your utility, give it a manifest that says it requires Administrator level (which will prompt the user for Admin login info), or quit changing things in places that non-Administrators shouldn't be playing.

Also from http://www.codeproject.com/Articles/66259/Requesting-Admin-Approval-at-Application-Start

Why do I need administrator privileges? Means, what are the resources that are protected? The answer is very simple. Most operations that may affect the system or other users on the machine are access protected. For example, writing a file on the system drive requires admin approval, reading from the registry requires admin approval, and changing file association requires admin approval.
0
 
miguelanjelo (Author) Commented:
But I am writing my key to HKCU to not trigger UAC. And actually it doesn't: when a client downloads my program and double-clicks it, it copies itself to the user's %appdata% folder and adds itself to HKCU, all without triggering UAC.

The problem is when my clients restart their machines: UAC is prompted at startup asking them if they want to run my application (which can be run as a standard user as it never tries to access restricted areas like %programfiles% or HKLM, and should be run as a standard user because in its manifest it requests to be run "asInvoker").

Maybe there is some problem with the "zone identifier"? I.e. Windows thinks that the program was downloaded from a dangerous place on the internet? How could I make Windows run my program at startup without ever prompting UAC? Because it could be very annoying to my clients :(
0
 
btan (Exec Consultant) Commented:
I was wondering whether this older tool can help with troubleshooting through the log it generates, or whether Event Viewer surfaces any useful log to help isolate the issue behind this symptom.

http://blogs.msdn.com/b/aaron_margosis/archive/2006/08/07/luabuglight.aspx
http://technet.microsoft.com/en-us/library/cc838034(v=ws.10).aspx

This is a good article on UAC. The integrity level also impacts the UAC trigger; maybe we can find out the IL on the registry, though rightfully, as you say, it should not matter. I also do not see why ZoneID should impact it.


Windows assigns every process an IL that it places in the process’s token alongside the SIDs of the groups to which the user running the process belongs. Figure 16 lists examples of processes assigned to different ILs. Processes usually inherit the IL of their parent, but a process can also launch a process at a different IL, as AIS does when it launches an elevated process. You can view process integrity levels with the built-in Whoami utility by specifying the /all option, or with Sysinternals Process Explorer or AccessChk. Process Explorer can display process ILs with the addition of the Integrity Level column.

Every securable object has an IL that’s either explicit or implicit. Process, thread, and token objects always have an explicitly assigned IL that’s usually the same as the IL stored in the corresponding process token. Most objects have no explicit IL and so default to an IL of Medium. The only objects created with an IL other than Medium are the objects created by a process running at Low IL, which therefore have a Low IL. You can use the built-in iCacls tool (%SystemRoot%\System32\iCacls.exe) to view the ILs of files and the Sysinternals AccessChk utility to view the ILs of files, registry keys, services and processes.
0
 
miguelanjelo (Author) Commented:
Yes, the problem was the zone identifier. I just downloaded http://jameskovacs.com/2005/04/11/zonestripper-updated/ and deleted it.

Now it starts up without prompting UAC :D

Thanks a lot !!!
0
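
The thread ends with the asker tracing the startup prompt to the zone identifier on the downloaded executable. As an added example (not code from any participant in the thread), the PowerShell below lists the per-user autorun entries and reports which target files carry a Zone.Identifier alternate data stream and which zone it records; it only reads and changes nothing. The Run key path and the function names Get-ExecutableFromCommand and Get-ZoneId are assumptions of this example, since the thread says only "a registry key under HKCU".

```powershell
# Added example, not from the thread: report-only check of per-user autoruns
# for the Zone.Identifier alternate data stream. Nothing is modified.
# Assumption: the autorun entry lives under the standard per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$zoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

function Get-ExecutableFromCommand {
    # Extract the program path from a Run value such as
    #   "C:\Users\me\AppData\Roaming\app.exe" /silent
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }  # quoted path
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # unquoted, may contain spaces
    return ($cmd -split '\s+')[0]
}

function Get-ZoneId {
    # Returns the ZoneId recorded in the file's Zone.Identifier stream,
    # or $null when the stream is absent (file not marked as downloaded).
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $text) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $exe  = Get-ExecutableFromCommand ([string]$key.GetValue($name))
        $zone = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) { $zone = Get-ZoneId $exe }
        [pscustomobject]@{
            Entry  = $name
            Path   = $exe
            ZoneId = $zone
            Zone   = if ($null -ne $zone) { $zoneNames[$zone] } else { 'none (no Zone.Identifier)' }
        }
    }
}
```

An entry reported with ZoneId 3 points at a file that Windows still treats as downloaded from the Internet zone, which is the condition the asker found on the affected machines.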
