Solved

UAC prompting on startup program with “asInvoker” on the “requestedExecutionLevel”

Posted on 2014-04-09
4
1,881 Views
Last Modified: 2014-04-11
I am developing a very simple C# Windows Application (it only displays a message box saying "UACtest") that I want it to run at startup without prompting UAC.

For that I created a registry key for it under HKCU, and in the machine that I compiled it (Windows 8 64-bit using Visual Studio 2013) it runs at startup without promping UAC, as expected.

However, if I run the executable on a Windows 7 machine and do exactly the same thing, a UAC prompt is shown at startup.

Please note that the manifest of the executable has "asInvoker" on the "requestedExecutionLevel", the whole manifest is this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
   <security>
     <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
     </requestedPrivileges>
   </security>
 </trustInfo>
</assembly

Also when I directly double click the executable, it never prompts UAC neither on Windows 7 32-bit or in the Windows 8 64-bit, the UAC prompting problem is only at startup.

I also tried to compile the executable on the Windows 7 32-bit machine (to maybe bypass some compatibility issues) and a strange thing happened, in that machine now UAC is not prompted at startup as expected, however, when I make the test on another machine (Windows 7 64-bit under Virtual Box) it prompted UAC at startup.

This has now really puzzled me, can someone please tell me a way to compile it so that it never prompts UAC at startup on all versions of Windows?

The project properties I used on Visual Studio 2013 are the default ones, except: *Target framework: 2.0 *Platform target: x86

And the UAC settings on all machines where the default one: "Notify me only when applications try to make changes on my computer (default)"

Also the name of the executable does not contain words like "install" or "update" to not trigger UAC installer heuristics.
0
Comment
Question by:miguelanjelo
  • 2
  • 2
4 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39991862
I was suspecting  you can't access the HKCR (or HKLM) hives in Vista and newer versions of Windows unless you have administrative privileges. Therefore, you'll either need to be logged in as an Administrator before you run your utility, give it a manifest that says it requires Administrator level (which will prompt the user for Admin login info), or quit changing things in places that non-Administrators shouldn't be playing.

Also from http://www.codeproject.com/Articles/66259/Requesting-Admin-Approval-at-Application-Start

Why do I need administrator privileges? Means, what are the resources that are protected? The answer is very simple. Most operations that may affect the system or other users on the machine are access protected. For example, writing a file on the system drive requires admin approval, reading from the registry requires admin approval, and changing file association requires admin approval.
0
 

Author Comment

by:miguelanjelo
ID: 39992124
But I am writing my key to HKCU to not trigger UAC. And actually it doesn't, when a client downloads my program and double-clicks it, it copies itself to the user's %appdata% folder and adds itself to HKCU, all without triggering UAC.

The problem is when my clients restarts their machines, UAC is prompted at startup asking them if they want to run my application (which can be run as a standard user as it never tries to access restricted areas like %programfiles% or HKLM, and should be run as a standard user because in its manifest it requests to be run "asInvoker".

Maybe there is some problem with the "zone identifier"? I.e. Windows thinks that the program was downloaded from a dangerous place in the internet? How could I make Windows to run my program at startup without never prompting UAC? Because it could be very annoying to my clients :(
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39993367
I was thinking if this past tool can help in troubleshooting with log generated or event viewer surface any useful log to aid isolation of issue for this symptom

http://blogs.msdn.com/b/aaron_margosis/archive/2006/08/07/luabuglight.aspx
http://technet.microsoft.com/en-us/library/cc838034(v=ws.10).aspx

This is a good article on UAC - the integrity level also impact UAC trigger, maybe we can find out the IL on the registry - rightfully as you say should not matter. I also do not see ZoneID should impact it


Windows assigns every process an IL that it places in the process’s token alongside the SIDs of the groups to which the user running the process belongs. Figure 16 lists examples of processes assigned to different ILs. Processes usually inherit the IL of their parent, but a process can also launch a process at a different IL, as AIS does when it launches an elevated process. You can view process integrity levels with the built-in Whoami utility by specifying the /all option, or with Sysinternals Process Explorer or AccessChk. Process Explorer can display process ILs with the addition of the Integrity Level column.

Every securable object has an IL that’s either explicit or implicit. Process, thread, and token objects always have an explicitly assigned IL that’s usually the same as the IL stored in the corresponding process token. Most objects have no explicit IL and so default to an IL of Medium. The only objects created with an IL other than Medium are the objects created by a process running at Low IL, which therefore have a Low IL. You can use the built-in iCacls tool (%SystemRoot%\System32\iCacls.exe) to view the ILs of files and the Sysinternals AccessChk utility to view the ILs of files, registry keys, services and processes.
0
 

Author Comment

by:miguelanjelo
ID: 39994949
Yes the problem was the zone identifier, I just downloaded http://jameskovacs.com/2005/04/11/zonestripper-updated/ and deleted it.
 
Now it startups without prompting UAC :D

Thanks a lot !!!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now