Answered Windows 7 Security and .Net Framework

  • Monday, July 05, 2010 4:21 PM
     
     

    Hello

     

    I'm developing an application using .Net Framework 2.0...

    In my application, I need to create a file in the C:\Windows folder and need to store some settings in the registry (both read and write registry operations).

     

    I'm an administrator user, but I still don't have rights to create a folder from the application. The application throws an "Access Denied" exception while creating a file or writing data to the registry. I only have rights to read files and read registry data.

    My application works perfectly when I run that application as an administrator.

     

    But the end user can't run my application as an administrator every time.

    So my problem is:

    Is there a problem with Windows 7, or does the .NET Framework have a feature to bypass this security check and allow my application to create files and write data to the registry?

     

    I searched the internet a lot... but I didn't find a proper solution...

     

    This is my permission dialog for the HKEY_LOCAL_MACHINE folder


     

    You can see the administrator has full permission... but I don't...

     

    This is the permission dialog of the Software folder inside HKEY_LOCAL_MACHINE


     

    You can see in the above image that I had given Full Control permission to myself manually.

     

    The end user can't do this, maybe due to security reasons...

     

    Please help me with what to do... I'm stuck on this issue...

     

    Any help will be greatly appreciated...

     

    Thanks in advance

All Replies

  • Monday, July 05, 2010 6:21 PM
     
     

    Windows 7 contains a feature called UAC (User Account Control), which doesn't allow the user to change the registry or make changes in special folders like the Windows folder, the Program Files folder, etc. To allow an application to make changes in these folders and the registry, you have to run the application in administrator mode (right-click and click 'Run as Administrator'). The following link contains more details about UAC settings:

    http://msdn.microsoft.com/en-us/library/aa511445.aspx

    One way is to set your application to always run in administrator mode, for which the following link can help you.

    http://www.developerfusion.com/code/7987/making-a-net-app-run-on-vista-with-administrator-priviledges/

     


    Gaurav Khanna
  • Tuesday, July 06, 2010 5:17 AM
     
     

    Hello Krish, I fully agree with Mr. Khanna. That is the only option; if you go into the details of how UAC works, you will get a clear idea.

    According to UAC, even though you are an administrator, when you start any application the OS will give you the token of a normal/restricted user. It will not grant you an admin/unrestricted token unless you request it.

    This is the design/architecture of the operating system, which is the system software that is ultimately going to run your application, so it will not allow your application to cross its boundary.

    You often see general users complain that Windows is not as secure an OS as Linux; I think this is the only reason why Microsoft has taken such an initiative.

    I think Mr. Khanna's suggested options work well, and by doing this you are not opening any security hole in your client's machine, as UAC again applies the same policy to other applications.

    Your client has to trust your application, that is it; in the Java world this happens very often.

    I have given this answer based on my understanding and knowledge. Hope it will help you.

     

    Thanks.

  • Tuesday, July 06, 2010 9:45 AM
     
     

    You could also decide to go through the route that every Windows developer should. Place the file not in the c:\windows directory, but in the user's profile directory. Place the data not in the HKLM registry tree, but in the HKCU registry tree.

    Microsoft has pretty well defined rules on how applications should be built; these are at the very basis of the security rules.

    So, you should either revisit your requirements to write to these locations, or you should choose to run this from an administrative account, or you should implement your functionality in a Windows service and configure that to use the correct permissions.

    What you should not do is disable UAC, lower the restrictions on your protected folders, or give users more permissions. This will weaken your system and make it easier for viruses and other malware to wreak havoc on your system.

  • Tuesday, July 06, 2010 11:52 AM
     

    Hello Gaurav, Harshdeep & Jesse

     

    Thanks for your reply...

     

    I did everything according to the link Gaurav had given...

    But the problem is still as it was...

     

    This is the code of my manifest file, named "RegistryTest.exe.manifest":

    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="RegistryTest" type="win32"/>
     <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
      <security>
       <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- UAC Manifest Options
          If you want to change the Windows User Account Control level replace the 
          requestedExecutionLevel node with one of the following.
    
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
        <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
    
          If you want to utilize File and Registry Virtualization for backward 
          compatibility then delete the requestedExecutionLevel node.
        -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
       </requestedPrivileges>
      </security>
     </trustInfo>
    </asmv1:assembly>
    

     

    I have created a project named "RegistryTest"

    I have added one form named "Form1", and I have also added one button. The button click event code is as follows...

     

    using System;
    using System.IO;
    using System.Text;
    using System.Windows.Forms;
    using Microsoft.Win32;

    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            string path = "C:\\Windows\\abc.txt";
            // It will not create the file, and it will not even throw an Access Denied exception for the "txt" extension.
            // But if I change the extension of this file from "txt" to "dll" then it gives an Access Denied error. Don't know why.
            using (FileStream fs = File.Create(path))
            {
                string data = "This is a temporary file";

                byte[] info = new UTF8Encoding(true).GetBytes(data);
                fs.Write(info, 0, info.Length);
            } // the stream is closed here even if Write throws

            // Same error here
            RegistryKey rootKey = Registry.LocalMachine;

            RegistryKey subKey = rootKey.CreateSubKey("abc");
            subKey.Close(); // release the registry handle
        }
    }

     

    This is my Solution Explorer image, to show whether the manifest file is in the wrong folder or not. Do I have to set any properties for the manifest file?

     


     

    It is not working on my side... Please help me if I have done something wrong in the manifest file.

     

    Thanks to all for replying me....

  • Tuesday, July 06, 2010 12:02 PM
     
     

    Hello Jesse,

    Thanks for your reply.

    I can change my requirement...

    But can you tell me whether there is any secure place in the Windows operating system... where I can store the application's sensitive data?

    And only the application can change, delete & store information... no other user should be allowed to change that information... not even the PC administrator...

     

    If this kind of secure place exists then my problem is solved...

     

    Thanks again for your reply...

  • Tuesday, July 06, 2010 5:33 PM
     

    You could use the user's Application Data folder to save data from your application. You don't need Administrator rights to save data in this folder.

    ' Works in any .NET language
    Dim appDataPath As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)

    ' Alternative, in VB.NET only (My namespace)
    Dim appDataPathVb As String = My.Computer.FileSystem.SpecialDirectories.CurrentUserApplicationData

     

    But an administrator can access any file on the system, so an administrator can access this data. Other users cannot access it.


    Gaurav Khanna
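
An added example (not code from any poster in this thread) of the approach suggested in the replies above: the file goes under the user's Application Data folder and the settings under HKCU, so neither write needs an elevated token. `ExampleCompany` and the `PerUserSettings` class are assumed names; only .NET Framework 2.0 APIs are used.

```csharp
using System;
using System.IO;
using System.Text;
using Microsoft.Win32;

static class PerUserSettings
{
    const string Company = "ExampleCompany";   // assumption, not from the thread
    const string Product = "RegistryTest";     // project name used in the thread
    const string KeyPath = @"Software\" + Company + @"\" + Product;

    // %APPDATA%\ExampleCompany\RegistryTest: writable with a standard-user token.
    public static string DataDirectory
    {
        get
        {
            string root = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
            string dir = Path.Combine(Path.Combine(root, Company), Product);
            Directory.CreateDirectory(dir);    // no-op when it already exists
            return dir;
        }
    }

    public static string SaveFile(string name, string text)
    {
        // GetFileName drops any directory part, so writes stay inside DataDirectory.
        string path = Path.Combine(DataDirectory, Path.GetFileName(name));
        File.WriteAllText(path, text, new UTF8Encoding(false));
        return path;
    }

    public static void SaveValue(string name, string value)
    {
        // HKCU is owned by the current user; the HKLM write in the thread needs elevation.
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            key.SetValue(name, value, RegistryValueKind.String);
        }
    }

    public static string LoadValue(string name, string fallback)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            // A missing key, a missing value or a non-string value all yield the fallback.
            string stored = (key == null) ? null : key.GetValue(name) as string;
            return stored ?? fallback;
        }
    }
}
```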
  • Wednesday, July 07, 2010 5:29 AM
     
     

    Hello Gaurav,

    Thanks for your reply.

    You are right that an administrator can access any file.

    The path you suggested for saving the application's data is my last option.

    But my question is: I followed everything from the link you gave, so why can't my app still run as an administrator every time?

    I gave you my manifest file code. Is there any problem in that file?

     

    Do you have any sample project which is running perfectly as an administrator?

    If you have, then can you mail me that project on my email id : krish.kapadia9676@gmail.com

     

    Thank you.

  • Wednesday, July 07, 2010 5:59 AM
     
     Answered

    Try the following code in your manifest file:

    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
     <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
      <security>
       <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- UAC Manifest Options
          If you want to change the Windows User Account Control level replace the 
          requestedExecutionLevel node with one of the following.
    
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
        <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
    
          Specifying requestedExecutionLevel node will disable file and registry virtualization.
          If you want to utilize File and Registry Virtualization for backward 
          compatibility then delete the requestedExecutionLevel node.
        -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
       </requestedPrivileges>
      </security>
     </trustInfo>
     
     <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
      <application>
       <!-- A list of all Windows versions that this application is designed to work with. Windows will automatically select the most compatible environment.-->
    
       <!-- If your application is designed to work with Windows 7, uncomment the following supportedOS node-->
       <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>-->
       
      </application>
     </compatibility>
     
     <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
     <!-- <dependency>
      <dependentAssembly>
       <assemblyIdentity
         type="win32"
         name="Microsoft.Windows.Common-Controls"
         version="6.0.0.0"
         processorArchitecture="*"
         publicKeyToken="6595b64144ccf1df"
         language="*"
        />
      </dependentAssembly>
     </dependency>-->
    
    </asmv1:assembly>
    

    To run the application in administrator mode, the following line should not be commented out.

    <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />


    Gaurav Khanna
  • Wednesday, July 07, 2010 9:28 AM
     
     

    Hello Gaurav,

     

    Thanks for your reply.

    Actually I got the solution for making exes always run as an administrator, but I tried your manifest code also.

    I added your code but it is still as it was.

    I have 3 questions.

    - After adding your manifest file code, do I have to set its BuildAction property to Embedded Resource, or should it stay as it is, or something else?

    - What care needs to be taken before and after adding the manifest file, and what settings do I have to make for that?

    - Suppose it starts working fine: when I run the project from Visual Studio, will it run as an administrator, or do I have to run it from the debug/release folder?

     

    My problem is solved using "Microsoft Application Compatibility Toolkit 5.6". I added my application exe in this toolkit and did some settings, and now my app is running by default as an administrator. But it asks every time the user opens my app whether to open as an administrator or not. But I have no problem with that.

     

    Thanks to all and specially you...

    • Edited by Krish Kapadia Wednesday, July 07, 2010 9:30 AM forgot
  • Friday, July 09, 2010 7:59 AM
    Moderator
     
     Answered

    You may simply create a console project, in the Solution Explorer window, right click project and select ‘Add’ -> ‘New Item’ -> ‘Application Manifest File’ and click Add button.

     You just open the app.manifest and modify

    <requestedExecutionLevel level="asInvoker" uiAccess="false" />

    To

    <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

    Then, build and run your application.

     

    ----- app.manifest Properties: ----

        Build Action : None

        Copy to Output Directory : Do not copy

     


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked As Answer by Krish Kapadia Saturday, September 25, 2010 4:58 AM
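
An added example, not from the thread: a check the application can run before touching HKLM, to confirm that the `requireAdministrator` manifest actually took effect instead of failing later with "Access Denied". The `MachineSettings` class and the `ExampleCompany` key path are assumptions; only .NET Framework 2.0 APIs are used.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

static class MachineSettings
{
    // Hypothetical key path; the thread's test code wrote directly under HKLM.
    const string KeyPath = @"Software\ExampleCompany\RegistryTest";

    // False for an administrator running with the filtered (unelevated) UAC token,
    // because the Administrators group is not enabled in that token.
    public static bool IsElevated()
    {
        WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Writes one value under HKLM. Returns false and fills 'reason' when the
    // process is not elevated or the write is refused.
    public static bool TryWrite(string name, string value, out string reason)
    {
        if (!IsElevated())
        {
            reason = "Process is not elevated; the requireAdministrator manifest was not applied.";
            return false;
        }
        try
        {
            using (RegistryKey key = Registry.LocalMachine.CreateSubKey(KeyPath))
            {
                key.SetValue(name, value, RegistryValueKind.String);
            }
            reason = null;
            return true;
        }
        catch (UnauthorizedAccessException ex) { reason = ex.Message; return false; }
        catch (SecurityException ex) { reason = ex.Message; return false; }
    }
}
```

If `IsElevated()` returns false in a build that is supposed to carry the manifest, the manifest was not embedded in the executable that is actually running.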
  • Wednesday, July 14, 2010 2:12 AM
    Moderator
     
     

    Hi Krish,

    How are things going? Please feel free to let us know if you have any concerns about this issue.


    Sincerely,
    Eric
  • Saturday, September 25, 2010 4:58 AM
     
     

    Hello Gaurav,

     

    Thanks for your code...

     

    It's working fine in the new project I have created... don't know why it did not work well in the old project...

     

    and Thanks again to everyone for replying....

    • Edited by Krish Kapadia Saturday, September 25, 2010 4:58 AM spell mistake
  • Saturday, September 25, 2010 5:00 AM
     
     

    Hi eryang,

     

    The code you suggested is working fine in the new project, but I don't know why it did not work in the old project...

    sorry for my late reply...

    and thanks for replying...

  • Thursday, March 29, 2012 8:17 PM
     
     

    Thank you for posting this info. I was also having a problem with the .NET Framework security when running my office software on a new Windows 7 laptop as the server for a Microsoft SQL database. This solved my issue and the program is functioning fine now!

    Thanks again,

    Rich Story