Windows Vista: Specifying the Privilege Elevation for Legacy Applications

One of the interesting things about Windows Vista is User Account Control (UAC) and the elevation it requires when executing activities that require administrative privileges.  By default, Windows Vista runs users as a Standard User, so when an administrative task is attempted, it prompts you to verify the permission.  If you are running your applications on Windows Vista for the first time, you may be a little amused by this operation, but it shows the security model that has been at the core of Windows Vista.

We just did a Developer Tour on Windows Vista and Office 2007, and during my security session an interesting question that was asked was how to make legacy applications request the required privilege elevation.

One of the ways in which you can specify that admin privileges are required for the legacy application to run is through the application's manifest file.

To do that, all you need to do is add a text file to your project and rename it as ApplicationName.exe.manifest (for example, UACDemo.exe.manifest).  Once that file is created, add the following XML configuration setting into the UACDemo.exe.manifest file and save it.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UacDemo" type="win32" />
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
      <security>
         <requestedPrivileges>
            <!-- requireAdministrator: the EXE asks for elevation when it is launched -->
            <requestedExecutionLevel level="requireAdministrator" />
         </requestedPrivileges>
      </security>
   </trustInfo>
</assembly>

Once we do the above, we need to attach the manifest to the EXE of the application.

If you are using Visual Studio 2005, switch to the Project's Properties and open the "Build Events" tab.  In the "Post-build event command line" textbox, paste the following:-

"$(DevEnvDir)..\..\VC\bin\mt.exe" -manifest "<Path to the Manifest file>" -outputresource:"$(TargetDir)$(TargetFileName)";#1

In my case the path to the manifest file was <DriveName>:\Samples\UACDemo\UACDemo.exe.manifest.

Build the project and run the application.  You should now receive a "User Account Control" alert which warns you against the operation.  This can help you in making your legacy applications run on Windows Vista and still perform Administrative Tasks.
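To confirm from a script that the post-build step really embedded the manifest, the following added example (not part of the original post) searches an EXE's bytes for the manifest and reports the requested execution level. The function names, the status strings and the constructed sample bytes are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# RT_MANIFEST resources are stored as plain text, so a byte search finds them.
# Heuristic only: it does not walk the PE resource directory.
_MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

def extract_manifest(data: bytes):
    """Return the first <assembly>...</assembly> span in the file bytes, or None."""
    m = _MANIFEST_RE.search(data)
    return m.group(0).decode("utf-8", errors="replace") if m else None

def requested_level(manifest_xml: str):
    """Return the requestedExecutionLevel 'level' attribute, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # Compare local names only, so any trustInfo namespace is accepted.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None

def audit(data: bytes):
    """Return (status, level) for one EXE image."""
    xml = extract_manifest(data)
    if xml is None:
        return ("no-manifest", None)
    try:
        level = requested_level(xml)
    except ET.ParseError:
        return ("malformed-manifest", None)
    return ("ok", level) if level else ("no-execution-level", None)

# Constructed sample: the manifest from this post wrapped in padding bytes.
# It stands in for a built EXE and is not a real PE file.
MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UacDemo" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""
SAMPLE_EXE = b"MZ" + b"\x00" * 64 + MANIFEST + b"\x00" * 16

if __name__ == "__main__":
    print(audit(SAMPLE_EXE))
```

For a real build output, pass the file's contents, for example audit(open(path, "rb").read()); a "malformed-manifest" result usually points to a typo such as an unclosed tag in the .manifest file.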

More references and step-by-step instructions can be found at the following resources:-

http://msdn.microsoft.com/msdnmag/issues/07/01/UAC/default.aspx

http://www.frameworkx.com/frameworkx/contentblogdetail.aspx?blog=56&id=530

http://community.bartdesmet.net/blogs/bart/archive/2006/10/28/Windows-Vista-_2D00_-Demand-UAC-elevation-for-an-application-by-adding-a-manifest-using-mt.exe.aspx

Cheers !!!

P.S.

1. The application manifest marking is only relevant to EXEs, not DLLs. This is because UAC does not inspect DLLs during the creation of the process.

2. If you are running Visual Studio 2005 as an Administrator, the security popup won't come up when debugging / running from within Visual Studio 2005.  However, it pops up when you run the application by directly invoking the EXE.

3. If you have correctly associated the manifest with the EXE, you will find a security shield overlaid on the EXE icon.

4. If you disable the UAC via control panel for your login, the elevation request popup won't occur when you run the application (outside of VS also) or for any other application for that matter. This is also indicated by a regular icon for the application and the security shield is no longer visible. 

Posted on Wednesday, February 28, 2007 1:14 PM
