?
Solved

UAC prompting on startup program with “asInvoker” on the “requestedExecutionLevel”

Posted on 2014-04-09
4
Medium Priority
?
2,280 Views
Last Modified: 2014-04-11
I am developing a very simple C# Windows Application (it only displays a message box saying "UACtest") that I want it to run at startup without prompting UAC.

For that I created a registry key for it under HKCU, and in the machine that I compiled it (Windows 8 64-bit using Visual Studio 2013) it runs at startup without promping UAC, as expected.

However, if I run the executable on a Windows 7 machine and do exactly the same thing, a UAC prompt is shown at startup.

Please note that the manifest of the executable has "asInvoker" on the "requestedExecutionLevel", the whole manifest is this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
   <security>
     <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
     </requestedPrivileges>
   </security>
 </trustInfo>
</assembly

Also when I directly double click the executable, it never prompts UAC neither on Windows 7 32-bit or in the Windows 8 64-bit, the UAC prompting problem is only at startup.

I also tried to compile the executable on the Windows 7 32-bit machine (to maybe bypass some compatibility issues) and a strange thing happened, in that machine now UAC is not prompted at startup as expected, however, when I make the test on another machine (Windows 7 64-bit under Virtual Box) it prompted UAC at startup.

This has now really puzzled me, can someone please tell me a way to compile it so that it never prompts UAC at startup on all versions of Windows?

The project properties I used on Visual Studio 2013 are the default ones, except: *Target framework: 2.0 *Platform target: x86

And the UAC settings on all machines where the default one: "Notify me only when applications try to make changes on my computer (default)"

Also the name of the executable does not contain words like "install" or "update" to not trigger UAC installer heuristics.
0
Comment
Question by:miguelanjelo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 65

Expert Comment

by:btan
ID: 39991862
I was suspecting  you can't access the HKCR (or HKLM) hives in Vista and newer versions of Windows unless you have administrative privileges. Therefore, you'll either need to be logged in as an Administrator before you run your utility, give it a manifest that says it requires Administrator level (which will prompt the user for Admin login info), or quit changing things in places that non-Administrators shouldn't be playing.

Also from http://www.codeproject.com/Articles/66259/Requesting-Admin-Approval-at-Application-Start

Why do I need administrator privileges? Means, what are the resources that are protected? The answer is very simple. Most operations that may affect the system or other users on the machine are access protected. For example, writing a file on the system drive requires admin approval, reading from the registry requires admin approval, and changing file association requires admin approval.
0
 

Author Comment

by:miguelanjelo
ID: 39992124
But I am writing my key to HKCU to not trigger UAC. And actually it doesn't, when a client downloads my program and double-clicks it, it copies itself to the user's %appdata% folder and adds itself to HKCU, all without triggering UAC.

The problem is when my clients restarts their machines, UAC is prompted at startup asking them if they want to run my application (which can be run as a standard user as it never tries to access restricted areas like %programfiles% or HKLM, and should be run as a standard user because in its manifest it requests to be run "asInvoker".

Maybe there is some problem with the "zone identifier"? I.e. Windows thinks that the program was downloaded from a dangerous place in the internet? How could I make Windows to run my program at startup without never prompting UAC? Because it could be very annoying to my clients :(
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39993367
I was thinking if this past tool can help in troubleshooting with log generated or event viewer surface any useful log to aid isolation of issue for this symptom

http://blogs.msdn.com/b/aaron_margosis/archive/2006/08/07/luabuglight.aspx
http://technet.microsoft.com/en-us/library/cc838034(v=ws.10).aspx

This is a good article on UAC - the integrity level also impact UAC trigger, maybe we can find out the IL on the registry - rightfully as you say should not matter. I also do not see ZoneID should impact it


Windows assigns every process an IL that it places in the process’s token alongside the SIDs of the groups to which the user running the process belongs. Figure 16 lists examples of processes assigned to different ILs. Processes usually inherit the IL of their parent, but a process can also launch a process at a different IL, as AIS does when it launches an elevated process. You can view process integrity levels with the built-in Whoami utility by specifying the /all option, or with Sysinternals Process Explorer or AccessChk. Process Explorer can display process ILs with the addition of the Integrity Level column.

Every securable object has an IL that’s either explicit or implicit. Process, thread, and token objects always have an explicitly assigned IL that’s usually the same as the IL stored in the corresponding process token. Most objects have no explicit IL and so default to an IL of Medium. The only objects created with an IL other than Medium are the objects created by a process running at Low IL, which therefore have a Low IL. You can use the built-in iCacls tool (%SystemRoot%\System32\iCacls.exe) to view the ILs of files and the Sysinternals AccessChk utility to view the ILs of files, registry keys, services and processes.
0
 

Author Comment

by:miguelanjelo
ID: 39994949
Yes the problem was the zone identifier, I just downloaded http://jameskovacs.com/2005/04/11/zonestripper-updated/ and deleted it.
 
Now it startups without prompting UAC :D

Thanks a lot !!!
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question