Impersonate vs. changing UAC

[WarrenW]

Hi Everyone,

I've read alot where users have disabled the UAC or tried to set the level higher in the manifest file. My application uses a control that requires admin user rights and I'm trying not to have it prompt the user each time. I read more about using the Impersonate another user in Windows for vb.net. Would using the impersonate user method not prompt for admin and give the user admin rights as long as it has the username and password? I hate to disable the UAC - not good at all!

Thanks

[mbutler755]

If the user runs the program as an administrator they will be fine. Most companies are getting around this by adding the domain user to the local administrators group on the computer itself.

[WarrenW]

I tried using the Impersonate class and it still prompts me saying my program is trying to access your computer. When i turn off UAC it does not do this. There are other programs that do not say this. Does anyone know what causes Windows to prompt for this?

Thanks

[weirddemon]

Why not just include the UAC access in the manifest like you mentioned? It will ask them when you open it. From there, it will continue to have UAC access until closed.

[.paul.]

Why not just include the UAC access in the manifest like you mentioned? It will ask them when you open it. From there, it will continue to have UAC access until closed.

as WarrenW said, he's:

trying not to have it prompt the user each time.

[chris128]

My application uses a control that requires admin user rights and I'm trying not to have it prompt the user each time

If your app needs admin permissions then you will be prompted by UAC unless you turn it off. If there was a way to prevent this then it would defeat the whole point of UAC...
Rather than looking at ways of getting round it, I would be questioning why your app needs admin permissions - are you sure there is no way you can get it to run without needing admin permissions? What exactly does it do?

[weirddemon]

as WarrenW said, he's:

If his post was 100% clear about that, I wouldn't have posted what I did.

There are a ton of apps that run normally and request elevation throughout various sections of the app when needed. From his post, it seemed like that was what was going on.

Otherwise, it's just one prompt. So who would care to click one prompt?

[.paul.]

There are a ton of apps that run normally and request elevation throughout various sections of the app when needed. From his post, it seemed like that was what was going on.?

so you DO understand the question, but you didn't answer it...

are you going to give me a negative rating every time i disagree with you?
that IS NOT what the rating system is for. next time i report you.

[TTn]

Yup, ofcourse try and create your program so that it need not admin permissions in the first place.
When this is simply not possible, and the app is an elaborate program then you can build the UAC, directly in.

In my signature there is an article for UAC permissions article , that can be used as a guide.
It describes an authorization program, but can be modified(i have done it)to to retrofit, and popup when your program loads for the first time.

Outline

There are four main elements to achieving this.

A kiosk-like desktop that's protected from input and execution.
Proper declaration and call of the CreatProcess API, so that processes can be launched on the new desktop. This was real tricky to get right while upgrading the old style declarations.
A declaration and proper call to the CreateProcessWithLogon API.
An encryption routine, to obscure your password, user name, and path to the executable shortcut.

EDIT: Vendors
Thus not defeating the point of the UAC, which was for vendors in the first place.

[weirddemon]

so you DO understand the question, but you didn't answer it...

are you going to give me a negative rating every time i disagree with you?
that IS NOT what the rating system is for. next time i report you.

I gave you a negative rating because you weren't contributing to the question and were just bashing me.

You can report me if you like because I am not abusing the system.

I didn't answer the question because I was asking a follow up one that the OP has not yet answered.

[.paul.]

I gave you a negative rating because you weren't contributing to the question and were just bashing me.

i was trying to clarify the question for other users, which does not deserve a negative rating.

[weirddemon]

i was trying to clarify the question for other users, which does not deserve a negative rating.

It didn't seem that way and unfortunately, perception is reality. With that being said, given my perception, I wasn't abusing the system.

But if you feel that the negative rating isn't just, you can always PM a moderator and request that it be removed.

But, back to the question at hand.

I agree with Chris. Disabling UAC or attempting to circumvent it makes the UAC pointless. If you tell us what specific action needs UAC elevation, we might be able to suggest an alternate method that does not require UAC elevation.

[TTn]

I guess he said a control required admin privs.

If it really does, and there is no other way around it, then my solution is appropriate, and there is a couple other ways to do it too.

It does not circumvent the UAC, but actually uses a UAC token behind the scenes of the API.
Acutally "running as different user" is unsafe from MS windows, so the article describes how secure desktop authorization is actually way safer.
In which case this is an upgrade to operating system functionality, not an inferior way to circumvent it. Indeed.

It's legally available, correctly used, and allows the user to authorize a program as normal, or on a semi-permanent basis. Maleware can't use your authorization directly by trying to open the said program, only the user can.

[weirddemon]

Hm... but I wonder why the control would need UAC access. If the OP is accessing a apart of the OS that is protected, then they're might be a non protected part that could be accessed.

I don't think we can give an informed recommendation until we know

[TTn]

I've seen references need it, but I can't think of any toolbox controls.

Perhaps there is a reference to a set of controls, yada, yada.