Start elevated application on OS startup, without UAC prompt

2
votes

I am developing a program for Windows which consists of two components:

  1. A kernel driver (signed with an EV certificate)
  2. A user-level GUI component, the .exe file (written in Delphi).

The .exe requires to be run elevated, in order to start the driver and perform other elevated tasks.

How can such a program be automatically run on Windows startup without displaying UAC prompt?

I saw that many similar applications, such as Anti-Malware programs, are able to startup elevated, without UAC prompt.

I am considering the following options, and would be grateful if you can point to the right direction:

1. Set driver startup as automatic, launch .exe from kernel service

However, my research indicates that there is no documented way to start a user-level process from the kernel.

2. Create a separate user-level service which will start the .exe

I read that user-level services are exempt from UAC.

A possible approach would be to create an automatic startup user-level service, which just runs the .exe process (using CreateProcessAsUser()) and then terminates itself.

3. Convert the .exe program from a Delphi GUI application to a user-level service

Similar to option 2, but instead of creating a separate .exe for the service, we are converting the current GUI application to work also as a service. I found some documentation about this on this StackOverflow thread. However, this approach seems more complicated then creating a separate dedicated service.

4. Does an EV certificate provide some advantage to allow this task?

5. Is there any better way other then the above mentioned ones?

1
windowsdelphistartupuacelevated-privileges
Keep it simple, have a GUI part and a service part that runs under System account and establish IPC between those 2. If the gui part would need to do elevated actions, it can instruct the service the carry those out (assuming you don't need GUI interaction on the elevated part) - whosrdaddy
Another way to perform the elevated tasks without writing a separate service is to have the .exe spawn an elevated copy of itself, where the copy just performs a task and then exits. But that would require prompting the user for elevation each time a task is spawned, but at least the main process does not need to be started elevated, and this doesn't require making separate executables. - Remy Lebeau
What about if I create a simple service which just launches the main process, elevated? I suppose that would be more convenient (in this case), then having to split the code between service and GUI. When it comes to Delphi applications, GUI code is often mixed with logic. - Flavio
Task scheduler can do this if you store sufficient credentials. - Sertac Akyuz

1 Answers

1
votes

As it was pointed out by Sertac Akyuz in his comment you should use windows Task Schedluer for this.

With Task Scheduler you can create a task that will run at user logon and run your EXE with highest privileges available.

And when I say highest privilege available I mean the highest privilege of current user when you specify a group of users in When running the task, use the following user account field provided that current user is a member of that group. So if current user does not have sufficient right to execute programs with elevated privileges the task will execute your application with standard privileges.

But as field name suggest you can also specify that this task will always run your application using a specific user account meaning that it will use that account privilege levels instead of of the current user account.

Any way using task scheduler to execute GUI application that comes with some drivers is quite popular. For instance ASUS uses such approach to launch their AI Suite program that allows monitoring and tweaking various settings of their motherboards. Here is how such task is configured on my computer.

ASUS AI Suite II task properties - General ASUS AI Suite II task properties - Triggers ASUS AI Suite II task properties - Actions ASUS AI Suite II task properties - Settings

PS: I have purposely chose to show you task properties for ASUS AI Suite as it is actually made with Delphi