Vista - Vista UAC interfering with operation of program

Hi,

The company I work for is developing a product that will auto launch a small
application (necessary for the usage of the product) when plugged into a USB
port. The application (an .exe file) resides on the device itself, and
Windows recognizes the device as a USB Mass Storage Device / CD-ROM.
Unfortunately, the way the product was developed, you have to be a local
administrator on the machine in order for it to work, at least for Windows
2000 and XP. When it comes to Vista, it seems being a local administrator
isn't enough, because for some reason the program still doesn't run with
administrative privileges and the end user receives an error. A work-around
I've discovered is to browse to the application .exe file and right click on
it and choose "run as administrator" (I'm then prompted with the UAC
allow/deny - but at least when I choose allow it work) but its annoying to
ask the end users to do this each and every time. Additionally, because its
set to auto-run, the program launches of the device each time its plugged in
and gives the user the administrative rights error. I've tried setting the
application .exe file on the device to always run as an administrator, but
for some reason when I do this and then next plug the device in, I get stuck
in a UAC allow/deny loop. If I copy the application .exe file to the
computer and set it to always run as an administrator, it works with only one
UAC allow/deny prompt, so I'm not sure why its looping when its set to always
run as administrator on the device itself. I'm looking for some sort of
work-around that doesn't require the end user to disable UAC and will
hopefully allow the end user to either go through one set of steps initially
and have it always work after that, or at least get a way to have it so that
initially the program doesn't launch in standard mode when plugged in and
give the user the administrative error. Any help is greatly appreciated. If
you have any questions, please feel free to ask. Thanks.

- Marc

"Marc" <Marc@discussions.microsoft.com> wrote in message
news:E1A839E1-047F-44A0-B0DA-0413B56BAEB0@microsoft.com...
> Hi,
>
> The company I work for is developing a product that will auto launch a
> small
> application (necessary for the usage of the product) when plugged into a
> USB
> port. The application (an .exe file) resides on the device itself, and
> Windows recognizes the device as a USB Mass Storage Device / CD-ROM.
> Unfortunately, the way the product was developed, you have to be a local
> administrator on the machine in order for it to work, at least for Windows
> 2000 and XP. When it comes to Vista, it seems being a local administrator
> isn't enough, because for some reason the program still doesn't run with
> administrative privileges and the end user receives an error. A
> work-around
> I've discovered is to browse to the application .exe file and right click
> on
> it and choose "run as administrator" (I'm then prompted with the UAC
> allow/deny - but at least when I choose allow it work) but its annoying to
> ask the end users to do this each and every time. Additionally, because
> its
> set to auto-run, the program launches of the device each time its plugged
> in
> and gives the user the administrative rights error. I've tried setting
> the
> application .exe file on the device to always run as an administrator, but
> for some reason when I do this and then next plug the device in, I get
> stuck
> in a UAC allow/deny loop. If I copy the application .exe file to the
> computer and set it to always run as an administrator, it works with only
> one
> UAC allow/deny prompt, so I'm not sure why its looping when its set to
> always
> run as administrator on the device itself. I'm looking for some sort of
> work-around that doesn't require the end user to disable UAC and will
> hopefully allow the end user to either go through one set of steps
> initially
> and have it always work after that, or at least get a way to have it so
> that
> initially the program doesn't launch in standard mode when plugged in and
> give the user the administrative error. Any help is greatly appreciated.
> If
> you have any questions, please feel free to ask. Thanks.

With UAC enabled even the administrator account has a "filtered" user token.
The effect of this filtering is that all but five user rights are unavailble
unless the user "elevates" the process in some manner to enable the full
privileges of the account. In your case, you right-clicked on the file and
chose "Run as Administrator" and you were then presented with the UAC
elevation prompt. This allowed the application to run underneath the full
credentials of the Administrator.

There are several methods that you can use to require the user to elevate a
process. Perhaps the easiest in your case would be to include a manifest
file with a trustInfo node and a requestedExecutionLevel equal to
requireAdministrator. This would automatically show the elevation prompt
when the program is started if running under UAC.

For more information, see:
http://weblogs.asp.net/kennykerr/arc...t-Control.aspx

Ultimately, you need to determine exactly whay and what privileges your
application is requesting and determine whether it truly needs them or not.
If not, you will need to modify your code so that you can remove the
elevation requirement from your product.

-Pete

Pete,

Thanks for the reply. I'm going to forward your suggestion to our
developers (regarding including a manifest file with a trustInfo node and a
requestedExecutionLevel equal to requireAdministrator). So basically if this
was done, everytime the program was started it would automatically be
elevated to administrative privileges and the UAC prompt would pop up?

Also, if this was done to the program, would it lose its backwards
compatibility to WinXP and Win2000?

Thanks again!

- Marc

"Pete Delgado" wrote:

>
> "Marc" <Marc@discussions.microsoft.com> wrote in message
> news:E1A839E1-047F-44A0-B0DA-0413B56BAEB0@microsoft.com...
> > Hi,
> >
> > The company I work for is developing a product that will auto launch a
> > small
> > application (necessary for the usage of the product) when plugged into a
> > USB
> > port. The application (an .exe file) resides on the device itself, and
> > Windows recognizes the device as a USB Mass Storage Device / CD-ROM.
> > Unfortunately, the way the product was developed, you have to be a local
> > administrator on the machine in order for it to work, at least for Windows
> > 2000 and XP. When it comes to Vista, it seems being a local administrator
> > isn't enough, because for some reason the program still doesn't run with
> > administrative privileges and the end user receives an error. A
> > work-around
> > I've discovered is to browse to the application .exe file and right click
> > on
> > it and choose "run as administrator" (I'm then prompted with the UAC
> > allow/deny - but at least when I choose allow it work) but its annoying to
> > ask the end users to do this each and every time. Additionally, because
> > its
> > set to auto-run, the program launches of the device each time its plugged
> > in
> > and gives the user the administrative rights error. I've tried setting
> > the
> > application .exe file on the device to always run as an administrator, but
> > for some reason when I do this and then next plug the device in, I get
> > stuck
> > in a UAC allow/deny loop. If I copy the application .exe file to the
> > computer and set it to always run as an administrator, it works with only
> > one
> > UAC allow/deny prompt, so I'm not sure why its looping when its set to
> > always
> > run as administrator on the device itself. I'm looking for some sort of
> > work-around that doesn't require the end user to disable UAC and will
> > hopefully allow the end user to either go through one set of steps
> > initially
> > and have it always work after that, or at least get a way to have it so
> > that
> > initially the program doesn't launch in standard mode when plugged in and
> > give the user the administrative error. Any help is greatly appreciated.
> > If
> > you have any questions, please feel free to ask. Thanks.
>
> With UAC enabled even the administrator account has a "filtered" user token.
> The effect of this filtering is that all but five user rights are unavailble
> unless the user "elevates" the process in some manner to enable the full
> privileges of the account. In your case, you right-clicked on the file and
> chose "Run as Administrator" and you were then presented with the UAC
> elevation prompt. This allowed the application to run underneath the full
> credentials of the Administrator.
>
> There are several methods that you can use to require the user to elevate a
> process. Perhaps the easiest in your case would be to include a manifest
> file with a trustInfo node and a requestedExecutionLevel equal to
> requireAdministrator. This would automatically show the elevation prompt
> when the program is started if running under UAC.
>
> For more information, see:
> http://weblogs.asp.net/kennykerr/arc...t-Control.aspx
>
> Ultimately, you need to determine exactly whay and what privileges your
> application is requesting and determine whether it truly needs them or not.
> If not, you will need to modify your code so that you can remove the
> elevation requirement from your product.
>
> -Pete
>
>
>

"Marc" <Marc@discussions.microsoft.com> wrote in message
news:1B8E0098-5F04-4AFD-B8EC-64EDC9C124B4@microsoft.com...
> Pete,
>
> Thanks for the reply. I'm going to forward your suggestion to our
> developers (regarding including a manifest file with a trustInfo node and
> a
> requestedExecutionLevel equal to requireAdministrator). So basically if
> this
> was done, everytime the program was started it would automatically be
> elevated to administrative privileges and the UAC prompt would pop up?

Yes. However, depending upon your situation you may also wish to sign your
executable.

>
> Also, if this was done to the program, would it lose its backwards
> compatibility to WinXP and Win2000?

No. The trustInfo section of the manifest is ignored by previous operating
systems except for the following case:

http://support.microsoft.com/Default.aspx?kbid=921337

>
> Thanks again!

No problem.

-Pete

Thanks again for all the help. Is there any way we can avoid changing the
software, but rather make a setting change, etc. to Windows Vista (aside from
disabling UAC altogether) that would allow the software to run correctly when
it is first plugged in and auto-launched via auto-play. I've tried checking
the box under the properties for the .exe application to "always run this
program as an administrator" but this just creates a UAC elevation prompt
loop. Any help is greatly appreciated. Thanks.

"Pete Delgado" wrote:

>
> "Marc" <Marc@discussions.microsoft.com> wrote in message
> news:1B8E0098-5F04-4AFD-B8EC-64EDC9C124B4@microsoft.com...
> > Pete,
> >
> > Thanks for the reply. I'm going to forward your suggestion to our
> > developers (regarding including a manifest file with a trustInfo node and
> > a
> > requestedExecutionLevel equal to requireAdministrator). So basically if
> > this
> > was done, everytime the program was started it would automatically be
> > elevated to administrative privileges and the UAC prompt would pop up?
>
> Yes. However, depending upon your situation you may also wish to sign your
> executable.
>
> >
> > Also, if this was done to the program, would it lose its backwards
> > compatibility to WinXP and Win2000?
>
> No. The trustInfo section of the manifest is ignored by previous operating
> systems except for the following case:
>
> http://support.microsoft.com/Default.aspx?kbid=921337
>
> >
> > Thanks again!
>
> No problem.
>
> -Pete
>
>
>
>

"Marc" <Marc@discussions.microsoft.com> wrote in message
news:5AA3E27F-274E-4B3A-918E-D7E1A76F34BC@microsoft.com...
> Thanks again for all the help. Is there any way we can avoid changing the
> software, but rather make a setting change, etc. to Windows Vista (aside
> from
> disabling UAC altogether) that would allow the software to run correctly
> when
> it is first plugged in and auto-launched via auto-play. I've tried
> checking
> the box under the properties for the .exe application to "always run this
> program as an administrator" but this just creates a UAC elevation prompt
> loop. Any help is greatly appreciated. Thanks.


You might look into making a custom "shim" to act as a wrapper around your
app.

But the proper answer is to modify the app to be Vista compliant.

"Marc" <Marc@discussions.microsoft.com> wrote in message
news:5AA3E27F-274E-4B3A-918E-D7E1A76F34BC@microsoft.com...
> Thanks again for all the help. Is there any way we can avoid changing the
> software, but rather make a setting change, etc. to Windows Vista (aside
> from
> disabling UAC altogether) that would allow the software to run correctly
> when
> it is first plugged in and auto-launched via auto-play. I've tried
> checking
> the box under the properties for the .exe application to "always run this
> program as an administrator" but this just creates a UAC elevation prompt
> loop. Any help is greatly appreciated. Thanks.

I don't *think* so. There are a variety of things that you may be able to
try programmatically, but ultimately it will come down to the fact that it
would be a huge security risk to allow an arbitrary program to run from a
removable disk on connection. If you recall, this is how many viruses were
transmitted via floppy drive.

-Pete