How does the UAC know the application is going to need elevated privileges?

7
votes

I have a C# .NET application with about 20 supporting assemblies that I am maintaining.

When it starts, windows shows a UAC dialog that says:
Do you want to allow the following program to make changes to this computer.

If I disable the 'Run as administrator' checkbox on the file's properties dialog, I get a dialog of:
Unable to run [Application Name]. The user account '[Me]' does not have sufficient privileges to write to
C:\ProgramData[Company][Application Name]

This application will try to write to the ProgramData directory which is causing the UAC to ask the user for permission.

How does the UAC know the application is going to write to ProgramData?
What can I change so that the UAC does not complain?

2
c#.netuac
there are several SO questions that cover this particular topic. has any of them fixed your issue? As far as UAC not complaining - you have 2 options - 1. you are required to click past it, or 2. you need to disable UAC. UAC is there for a User's protection (no matter the annoyance :\ )ddavison
Have you tried not to write C:\ProgramData[Company][Application Name]?Dennis
The application stores numerous files to ProgramData that are shared with all the users. Maybe there's a better place to put shared data.Robert
@sircapsalot - I want to know what I am doing to cause Windows to get worried that my application is doing something potentially dangerous. The goal is to allow the user to run UAC correctly and let the application run correctly.Robert
There is no mechanism in Windows to express this requirement, this must have been programmed into the app. One way to find that code is to use a debugger and use Debug + Break All when the dialog is displayed. Look at the Call Stack for the main thread.Hans Passant

2 Answers

4
votes

  1. How does UAC know the application is going to write to ProgramData

    • ProgramData MIGHT be under the list of "Protected Directories" during the virtualization process of the UAC Architecture. (source needed) enter image description here

  2. What can I change so that the UAC does not complain?

    • Couple options here -
      1. It appears that you are trying to write to C:\ProgramData[Company][Product]
        To me, this looks like a path separation issue. you are trying to create [or use] a directory named C:\ProgramDataAdobePhotoshop if your application is not seperating these directories, then i'd assume that this is causing your UAC issue. try adding your path seperators. C:\ProgramData\Adobe\Photoshop [as an example]
      2. Disable UAC? The UAC is there to prevent unauthorized activity, and if you look at the flowchart above, any application that has a signature of writing to a "restricted directory" or any "elevated actions", it will fall under, and spark a UAC prompt. Your user would click through it, and all is well.
      3. Use the Application Data folder, instead of the ProgramData folder. That folder seems to be hidden for a reason.

My recommendation - For any application that needs to story data - use the users Application Data rather than the ProgramData folder. You will not get any UAC prompts if you use this directory. (this question could help with that)

0
votes

It is possible that the application has a manifest file such as this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
            <requestedPrivileges>
                <requestedExecutionLevel level="requireAdministator" uiAccess="false"/>
            </requestedPrivileges>
        </security>
    </trustInfo>
</assembly>

If it has, the requestedExecutionLevel level="requireAdministator will cause it to show the UAC dialog.

The manifest file would normally be called app.manifest