Hi All,



I've got an app I need to modifiy that's written in C# VS2005/.NET 2.0 which
is dsigned to ONLY run when the logged in user has administrator privileges.
At one point it needs to delete a HKLM\Software\... registry value if it
has, in fact, created it. So there is a method that deletes this registry
key. The method has the following RegistryPermission attributes....

[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\Software\My Company Name"]

[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Write=@"HKEY_LOCAL_MACHINE\Software\My Company Name"]

This all works just fine on WinXP, but throws an exception under WinVista
Build: 5384:

"Request for the permission of type
'System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0,
Culture=neutral, PublicKey Token=b77a5c561934e089' failed."

I'm fairly new to security stuff under .NET. Has something changed in
WinVista as compared to WinXPSP2 that would be expected to cause this or is
this a known issue WinVista? What can I do to work around it? I'm NOT
allowed to move the setting to HKCU\Software\My Company Name" since other
programs rely upon it being there while this app is running and they will
NOT necessarily be changing to run under
WinVista.

TIA,


--
John C. Bowman
Software Engineer
Thermo Electron Scientific Instruments Div.
<Remove this before reply> john.bowman@thermo.com

Try some links,

http://www.google.com/search?hl=en&q...on%2C+mscorlib

abc

"John Bowman john.bowman@thermo.com>" wrote:

> Hi All,
>
> I've got an app I need to modifiy that's written in C# VS2005/.NET 2.0 which
> is dsigned to ONLY run when the logged in user has administrator privileges.
> At one point it needs to delete a HKLM\Software\... registry value if it
> has, in fact, created it. So there is a method that deletes this registry
> key. The method has the following RegistryPermission attributes....
>
> [RegistryPermissionAttribute(SecurityAction.PermitOnly,
> Read=@"HKEY_LOCAL_MACHINE\Software\My Company Name"]
>
> [RegistryPermissionAttribute(SecurityAction.PermitOnly,
> Write=@"HKEY_LOCAL_MACHINE\Software\My Company Name"]
>
> This all works just fine on WinXP, but throws an exception under WinVista
> Build: 5384:
>
> "Request for the permission of type
> 'System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0,
> Culture=neutral, PublicKey Token=b77a5c561934e089' failed."
>
> I'm fairly new to security stuff under .NET. Has something changed in
> WinVista as compared to WinXPSP2 that would be expected to cause this or is
> this a known issue WinVista? What can I do to work around it? I'm NOT
> allowed to move the setting to HKCU\Software\My Company Name" since other
> programs rely upon it being there while this app is running and they will
> NOT necessarily be changing to run under
> WinVista.
>
> TIA,
>
>
> --
> John C. Bowman
> Software Engineer
> Thermo Electron Scientific Instruments Div.
> <Remove this before reply> john.bowman@thermo.com
>
>
>

Hello,

If you need to delete a registry key in HKLM, your program will have to be
running elevated. Remember, in Windows Vista, programs are only given normal
user access to the system unless your program asks the user to elevate it.

The solution is to create a vista-compatible manifest for your program that
tells Windows Vista that your program requires administrator permissions.
This will cause your program to prompt the user for permission every time it
is started.

However, this should only be done if your entire program always needs admin
power. If possible, your program should be designed to run as a standard
user. If there are just a few chunks of your program that need admin
permission, you should seperate those chunks out of your main program into
secondary programs that have the special manifest, and call these programs
from your main program when you need to do those admin tasks. This way, your
program will only prompt the user for admin permission when it is doing
those certain tasks that requires admin powers. This will make your program
more secure. This is similar to the way Windows Explorer works when it needs
to perform privileged operations on files/folders that require administrator
permission.

--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/

Jimmy,

Thanks for the additional info. Unfortunately this program happens to be a
program whose purpose in life is to manage and launch numerous other program
installers (all MSI based). There are times when the called MSI packages
that are not changing for quite a while) will need to read special settings
in the reg - which unfortunately they expect it in HKLM for historical
backward compatibility reasons - placed there by this calling program. When
all is complete this program needs to clean up after itself. So it needs
full admin while it's running.

That said, how do I create a "vista-compatible manifest"? Can you point me
to some doc's that describe how to go about this?

Thanks!

John

"Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
news:ACA6DB21-FD31-4F79-8A43-695A0FEA7C46@microsoft.com...
> Hello,
>
> If you need to delete a registry key in HKLM, your program will have to be
> running elevated. Remember, in Windows Vista, programs are only given
> normal user access to the system unless your program asks the user to
> elevate it.
>
> The solution is to create a vista-compatible manifest for your program
> that tells Windows Vista that your program requires administrator
> permissions. This will cause your program to prompt the user for
> permission every time it is started.
>
> However, this should only be done if your entire program always needs
> admin power. If possible, your program should be designed to run as a
> standard user. If there are just a few chunks of your program that need
> admin permission, you should seperate those chunks out of your main
> program into secondary programs that have the special manifest, and call
> these programs from your main program when you need to do those admin
> tasks. This way, your program will only prompt the user for admin
> permission when it is doing those certain tasks that requires admin
> powers. This will make your program more secure. This is similar to the
> way Windows Explorer works when it needs to perform privileged operations
> on files/folders that require administrator permission.
>
> --
> - JB
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/

<snip>
> That said, how do I create a "vista-compatible manifest"? Can you point me
> to some doc's that describe how to go about this?

http://msdn.microsoft.com/windowsvis...cProtVista.asp

This should give you more than enough info


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/

Hello Mr. Brush,

I have a similar situation, but in "native" windows...

You say:

"If there are just a few chunks of your program that need admin
permission, you should seperate those chunks out of your main program into
secondary programs that have the special manifest, and call these programs
from your main program when you need to do those admin tasks. "

In C++, that implies a COM component, how does one make such a component?
Available to perform secure tasks otherwise requiring higher permissions.

I know how to do this for IE7 (protected mode), but how to do it for another
application?

Is the component registered in a special way?

Is there a special registry location for such components?

Is there a .net manifest equivalent for C++ dev?

Other?


--
Thanks so much,

george

_________________________
George S. Lockwood
Lead Client Developer
peoplePC, an EarthLink company



"Jimmy Brush" wrote:

> Hello,
>
> If you need to delete a registry key in HKLM, your program will have to be
> running elevated. Remember, in Windows Vista, programs are only given normal
> user access to the system unless your program asks the user to elevate it.
>
> The solution is to create a vista-compatible manifest for your program that
> tells Windows Vista that your program requires administrator permissions.
> This will cause your program to prompt the user for permission every time it
> is started.
>
> However, this should only be done if your entire program always needs admin
> power. If possible, your program should be designed to run as a standard
> user. If there are just a few chunks of your program that need admin
> permission, you should seperate those chunks out of your main program into
> secondary programs that have the special manifest, and call these programs
> from your main program when you need to do those admin tasks. This way, your
> program will only prompt the user for admin permission when it is doing
> those certain tasks that requires admin powers. This will make your program
> more secure. This is similar to the way Windows Explorer works when it needs
> to perform privileged operations on files/folders that require administrator
> permission.
>
> --
> - JB
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/
>

Hello,

This MS blog post should help you out (note the code attachment they are
talking about is right above the comments section).

https://blogs.msdn.com/vistacompatte...ct-sample.aspx


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/