none
C#, Windows 7 , UAC and autostart

    Question

  • Hello,

    I have  a .NET 2.0 application 'Manager.exe' written in C# and compiled with VS2010 SP1.

    This application is registered for autostart.

    On Windows 7 with enabled UAC 'Manager.exe' doesn't start automatically and if started manually there's a popup asking

    whether you allow changes made by this program.

     

    I use this manifest

     

    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" 
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
          </requestedPrivileges>
          <applicationRequestMinimum>
            <defaultAssemblyRequest permissionSetReference="Custom" />
            <PermissionSet class="System.Security.PermissionSet" version="1" ID="Custom" SameSite="site" Unrestricted="true" />
          </applicationRequestMinimum>
        </security>
      </trustInfo>
      <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
        <application>
          <!-- A list of all Windows versions that this application is designed to work with.
     Windows will automatically select the most compatible environment.-->
          <!-- If your application is designed to work with Windows 7,
     uncomment the following supportedOS node-->
          <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
        </application>
      </compatibility>
      <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
      <!-- <dependency>
        <dependentAssembly>
          <assemblyIdentity
              type="win32"
              name="Microsoft.Windows.Common-Controls"
              version="6.0.0.0"
              processorArchitecture="*"
              publicKeyToken="6595b64144ccf1df"
              language="*"
            />
        </dependentAssembly>
      </dependency>-->
    </asmv1:assembly>


    Any hints, tips or ideas ?

     

    with best regards

      Hendrik Schmieder

     



    Tuesday, December 13, 2011 10:26 AM

All replies

  • You shouldn't play around with the manifest if you're not sure what you're doing.

    As tip; create a new project and check that manifest, it has a bit of lines explaining how the UAC system works.


    Regards, MusicDemon
    Tuesday, December 13, 2011 10:32 AM
  • Are you trying to get a GUI to show for a standard user, running on their desktop, that runs with administrative privledges, and not prompt for UAC?
    Tuesday, December 13, 2011 5:19 PM
  • Hi Hendrik,

    You can disable UAC in manifest to make the application be able to autostart.

    Disable UAC

    There are several ways to do that, I suggest two ways for you:

    1.      Modify the registry to disable UAC.

    You can set the disableUAC  Value in the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System)  to be 0 to disable and to 1 to enable.

    2.      Disable UAC in manifest.

    You can follow the solution from this thread.

     

    Much further information:

    UAC: All Information Developers need about the User Account Control (UAC)

    /MANIFESTUAC

    How to embed a manifest in an assembly


    Paul Zhou [MSFT]
    MSDN Community Support | Feedback to us
    Thursday, December 15, 2011 4:44 AM
  • I thought I have disabled UAC via Manifest (solution 2), see my manifest in my original post.

    Maybe I should say something to the C# program 'manager.exe'.

    After start it stays in the systray.

    Is supplies a button with wich the user can start / stop several specific services in the correct order with one click on this button.

     

     

    Thursday, December 15, 2011 1:19 PM
  • If you want to start/stop services then you should install the manager assembly as service, or run it each time you really need it.
    Regards, MusicDemon
    Thursday, December 15, 2011 9:02 PM
  • UAC systems don't let admin privilege programs just automatically run, that's all there is to it.  I'm not sure why you think your program should run without the normal dialog asking for elevation just because it's set to autostart/autorun. 

     


    Phil Wilson
    • Proposed as answer by Dave_Anderson Saturday, February 04, 2012 1:12 AM
    • Unproposed as answer by h_schmieder Monday, February 06, 2012 9:09 AM
    Thursday, December 15, 2011 9:12 PM
  • Installing it as a service wouldn't do what he wants because services can't interact with the desktop.
    Thursday, December 15, 2011 9:43 PM
  • Installing it as a service wouldn't do what he wants because services can't interact with the desktop.

    Forgotten that, thanks.

    Regards, MusicDemon
    Thursday, December 15, 2011 9:44 PM
  • I am hesitant to suggest this (users shouldn't be mucking with services), but I think there's a solution to your problem. You can write a WCF service which listens to a named pipe, and configure the service to run on startup and as System. This process with muck with the services in the way you want. Then, when a user logs in you can have another process kick off which creates a WCF client to your service. This is your GUI process, which runs as the user and can interact with the desktop.
    • Marked as answer by Paul Zhou Wednesday, December 21, 2011 8:28 AM
    • Unmarked as answer by h_schmieder Wednesday, December 21, 2011 11:29 AM
    Thursday, December 15, 2011 9:49 PM
  • Hello Mr. Schmieder

    I would try an entry in the Task Scheduler (which is not subject to UAC), tick the checkbox "[X] Run with highest privileges", create a trigger "at log on" (and maybe also "on connection to user session", not sure) and I cross the fingers for you that it works. In theory it should.

    Best regards

    Chris

    Tuesday, January 03, 2012 3:21 PM
  • This is not fully correct. You can install a service with the option to interact with the desktop, see below:

    And this service is able to display a try-icon. Many services do, that' s why this try usually is that clustered!

    But I agree with jader3rd, it's probably better practice to have a service and a controller-app that interacts with that service.

    Best regards
    Chris

    Tuesday, January 03, 2012 3:43 PM
  • Sorry for the delay.

    Allow service to interact with desktop doesn't change anything.

    And  the programm manager.exe is just a controller-app which starts and stops an specific bundle of service in a specific order.

    When executed manually on an english Windows 7 with enabled UAC, you will get a popup with the message:

    Do you want to allow the following program from an unknown publisher to make changes to this computer.

     

    The strange thing is that it worked in February 2011 using the manifest described in my original post.

     

    with best regards

      Hendrik

     

     

     

     

    Thursday, February 02, 2012 8:55 AM
  • If the problem you're trying to solve is making sure that some services start before others, you can configure them as dependent services and service manager will make sure that they start and stop in the correct order.
    Thursday, February 02, 2012 3:08 PM
  • manager.exe if for the convenience of the user, so that they needn't go to to the service panel.

    With manager.exe they just need two clicks to start/stop the services .

    With the first click a form with a button shows up (to be correctly there are more buttons) and with the second click on this button

    the services are either started or stopped.

     

    Friday, February 03, 2012 10:04 AM
  • Hi h_schmeider,
    PhillWilson already provided the correct answer to your question. I don't know why others here are suggested what is very, very bad practice.

    The user account control is doing exactly what it is designed to do. And that is to prevent unknown software from gaining administrative access to the computer. It doesn't matter how safe your software is, the user doesn't know that. This is explicitly why UAC has been put in place, and is a very, very good design.

    If your application requires administrative rights to run, then it should be blocked by UAC until given those rights by a real administrator. Otherwise, you should design your application to work under a standard user account, and only request elevataion when an adminstrative task is necessary.

    If all of this is simply void to your application design, and you are positive that you want User Account Control out of the way, then you can disable it completely in the control panel. This is not recommended.

    As for your application manifest.

     

    <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
    </requestedPrivileges>
    
    

    You are telling the caller (in this case Windows), that your application requires administrative access. All your doing by specifying false for uiAccess is telling UAC that your application does not need to drive input into other application windows. Which is the recommended value for applications that do not provide any form of accessibility anyway.

     

    Also, if you really must, an alternative to having your application run as administrator without the UAC prompt is to provide Windows credentials to a process object and start it that way. (eg. runas + provide administrator credentials).

    Process.Start(string fileName, string username, SecureString password, string domain);


    Currently developing FaultTrack. I occassionally blog about C# and .NET.
    Hoping to become a MVP by 2013. Email: danderson [at] dcomproductions [dot] com
    Saturday, February 04, 2012 1:35 AM
  • I used the solution described here

    http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/dd400cb9-d5fc-41b2-ad9d-6b91ce88c766

    and it did work.

    But it looks like some Microsoft fixes broke this solution.

    The message about 'unknown publisher' leads me to another idea.

    Our assembly is signed , but the file used for signing isn't comming from Microsoft.

    Maybe we must now used a sign file from Microsoft to get rid of the 'unknown publisher' message.

     

    with best regards

      Hendrik

     

     

     

    Monday, February 06, 2012 10:17 AM
  • You need a code signing certificate from a place like GlobalSign or Verisign for that

    Currently developing FaultTrack. I occassionally blog about C# and .NET.
    Hoping to become a MVP by 2013. Email: danderson [at] dcomproductions [dot] com

    Monday, March 05, 2012 11:25 AM