Execute an application with admin rights on system without UAC

3
votes

I have an application that must be executed with admin rights. There is everything fine, if UAC is on. But, if UAC is turned off, there is no prompt on start (even for standard user) and application starts with restricted rights.

Start process with verb "runas" does not work.

Is there any way to show the standard UAC login dialog for and execute an application with admin rights even if UAC if turned off?

Update: Manifest is included:

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <assemblyIdentity version="1.1.6.0" processorArchitecture="X86" name="setup" type="win32"/>
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
            <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
                <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
            </requestedPrivileges>
        </security>
    </trustInfo>
</asmv1:assembly>

and everithing is OK, when UAC is active. But it does not work if UAC is OFF.

Update 2:: This behavior is documented by MSDN Step 6: Create and Embed an Application Manifest (UAC) (see table "Application launch behavior for a standard user account" last row). So i can't solve this problem with any manifest. Is there any other solution?

1
c#uac
is this what you want to do? stackoverflow.com/questions/2818179/…Arie
The "UAC is turned off" angle is a murky one. Sounds like the admin of that machine does not want to permit programs that require elevation to run at all. You therefore cannot run your program on that machine. This doesn't get better until either you make do without elevation or the admin relents. We can't help you get there.Hans Passant
@HansPassant is correct. If your app requires admin rights, and the machine will not permit elevated apps to run, then you cannot run your app, sorry. (Why does your app require admin rights?)Bill_Stewart
If the computer's security settings prevent you from running an app that requires admin rights, and your app requires admin rights, then you cannot run your app on the computer.Bill_Stewart
If it's an installer, why not use an approved install method, such as Windows Installer or InstallShield? Trying to do it yourself is only going to bring you headaches, and it's by (good) design that you're not allowed to do these things in your own code.dodexahedron

1 Answers

2
votes

I had a very similar problem, and I don't think the comments so far addressed your actual issue. I believe they are mistaking the intent of your question. While my answer will not show the actual UAC dialog as you first asked, it will show a workaround.

UAC being off does NOT preclude an application from being run as Administrator (assuming you have an administrator password, as it seems you do), just makes it harder. As you rightfully pointed out, with UAC disabled and requireAdministrator set in the manifest, right-clicking and selecting Run as administrator does not actually elevate the process, as Microsoft indicates: "Application might launch but will fail later"

Two Steps:

1) Hold Shift while Right-clicking on the application and select Run as a different user. Then simply use your Administrator user name and password to authenticate, and your application should run as Administrator. It worked for me.

screenshot

2) Build a small executable that runs asInvoker and checks for Administrative privileges. When it is run without them, warn the user and tell them to Shift-Right Click, then Run as a different user. If your small program has administrator access, then use ShellExecute to invoke your primary requireAdministrator application. See Figure 9 here for a flow diagram.

Here is a small code sample in C++ from somewhere on StackOverflow that checks for administrator access:

BOOL IsUserAdmin(VOID)
{
   BOOL b;
   SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
   PSID AdministratorsGroup; 
   b = AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup); 
   if(true==b) 
   {
      if (!CheckTokenMembership( NULL, AdministratorsGroup, &b)) 
      {
         b = FALSE;
      } 
      FreeSid(AdministratorsGroup); 
   }
   return(b);
}