Solved

UAC prompting on startup program with “asInvoker” on the “requestedExecutionLevel”

Posted on 2014-04-09
4
2,082 Views
Last Modified: 2014-04-11
I am developing a very simple C# Windows Application (it only displays a message box saying "UACtest") that I want it to run at startup without prompting UAC.

For that I created a registry key for it under HKCU, and in the machine that I compiled it (Windows 8 64-bit using Visual Studio 2013) it runs at startup without promping UAC, as expected.

However, if I run the executable on a Windows 7 machine and do exactly the same thing, a UAC prompt is shown at startup.

Please note that the manifest of the executable has "asInvoker" on the "requestedExecutionLevel", the whole manifest is this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
   <security>
     <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
     </requestedPrivileges>
   </security>
 </trustInfo>
</assembly

Also when I directly double click the executable, it never prompts UAC neither on Windows 7 32-bit or in the Windows 8 64-bit, the UAC prompting problem is only at startup.

I also tried to compile the executable on the Windows 7 32-bit machine (to maybe bypass some compatibility issues) and a strange thing happened, in that machine now UAC is not prompted at startup as expected, however, when I make the test on another machine (Windows 7 64-bit under Virtual Box) it prompted UAC at startup.

This has now really puzzled me, can someone please tell me a way to compile it so that it never prompts UAC at startup on all versions of Windows?

The project properties I used on Visual Studio 2013 are the default ones, except: *Target framework: 2.0 *Platform target: x86

And the UAC settings on all machines where the default one: "Notify me only when applications try to make changes on my computer (default)"

Also the name of the executable does not contain words like "install" or "update" to not trigger UAC installer heuristics.
0
Comment
Question by:miguelanjelo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 64

Expert Comment

by:btan
ID: 39991862
I was suspecting  you can't access the HKCR (or HKLM) hives in Vista and newer versions of Windows unless you have administrative privileges. Therefore, you'll either need to be logged in as an Administrator before you run your utility, give it a manifest that says it requires Administrator level (which will prompt the user for Admin login info), or quit changing things in places that non-Administrators shouldn't be playing.

Also from http://www.codeproject.com/Articles/66259/Requesting-Admin-Approval-at-Application-Start

Why do I need administrator privileges? Means, what are the resources that are protected? The answer is very simple. Most operations that may affect the system or other users on the machine are access protected. For example, writing a file on the system drive requires admin approval, reading from the registry requires admin approval, and changing file association requires admin approval.
0
 

Author Comment

by:miguelanjelo
ID: 39992124
But I am writing my key to HKCU to not trigger UAC. And actually it doesn't, when a client downloads my program and double-clicks it, it copies itself to the user's %appdata% folder and adds itself to HKCU, all without triggering UAC.

The problem is when my clients restarts their machines, UAC is prompted at startup asking them if they want to run my application (which can be run as a standard user as it never tries to access restricted areas like %programfiles% or HKLM, and should be run as a standard user because in its manifest it requests to be run "asInvoker".

Maybe there is some problem with the "zone identifier"? I.e. Windows thinks that the program was downloaded from a dangerous place in the internet? How could I make Windows to run my program at startup without never prompting UAC? Because it could be very annoying to my clients :(
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39993367
I was thinking if this past tool can help in troubleshooting with log generated or event viewer surface any useful log to aid isolation of issue for this symptom

http://blogs.msdn.com/b/aaron_margosis/archive/2006/08/07/luabuglight.aspx
http://technet.microsoft.com/en-us/library/cc838034(v=ws.10).aspx

This is a good article on UAC - the integrity level also impact UAC trigger, maybe we can find out the IL on the registry - rightfully as you say should not matter. I also do not see ZoneID should impact it


Windows assigns every process an IL that it places in the process’s token alongside the SIDs of the groups to which the user running the process belongs. Figure 16 lists examples of processes assigned to different ILs. Processes usually inherit the IL of their parent, but a process can also launch a process at a different IL, as AIS does when it launches an elevated process. You can view process integrity levels with the built-in Whoami utility by specifying the /all option, or with Sysinternals Process Explorer or AccessChk. Process Explorer can display process ILs with the addition of the Integrity Level column.

Every securable object has an IL that’s either explicit or implicit. Process, thread, and token objects always have an explicitly assigned IL that’s usually the same as the IL stored in the corresponding process token. Most objects have no explicit IL and so default to an IL of Medium. The only objects created with an IL other than Medium are the objects created by a process running at Low IL, which therefore have a Low IL. You can use the built-in iCacls tool (%SystemRoot%\System32\iCacls.exe) to view the ILs of files and the Sysinternals AccessChk utility to view the ILs of files, registry keys, services and processes.
0
 

Author Comment

by:miguelanjelo
ID: 39994949
Yes the problem was the zone identifier, I just downloaded http://jameskovacs.com/2005/04/11/zonestripper-updated/ and deleted it.
 
Now it startups without prompting UAC :D

Thanks a lot !!!
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question