Problem with manifest and uiAccess set to true...

    Question

  • Hi,

    I've got a (big) problem with the attribute uiAccess of the manifest file.

    Just to be sure I'm doing things right, I've tried with notepad.exe.
    When I add a manifest+sign with "requireAdministrator" but without the uiAccess attribute (or with uiAccess set to false), I get the prompt, ... and notepad works well.
    BUT, if I add a manifest+sign with "requireAdministrator" AND uiAccess set to "true", I always receive "A referral was returned from the server". No prompt for admin rights, only the error box "A referral was returned from the server".
    I've tried to change the policy "Only elevate UIAccess applications....", but it had no effect.

    Please, could someone help?
    Where are the Microsoft Vista gurus?!?

    Thx
    Friday, December 15, 2006 8:38 AM

All replies

  •  

    Hello,

    If your application does not have a digital signature and has uiAccess=true in its manifest, it will fail with "A referral was returned from the server."

    (No, notepad does not have a digital signature :)

    Applications that request uiAccess=true must have a valid, trusted digital signature to execute.

    Also, applications by default must reside in a trusted location on the hard drive (such as windows or program files) to receive the uiAccess privilege. They will still run if they are not in one of these locations, but they will not receive the privilege. You can disable this security feature through the local security policy mmc snap-in.

    If you want to create a trusted "test" certificate to sign your application with so that you can use your application on your current machine, here's how:

    NOTE: These instructions assume you have Visual Studio installed and are using a command prompt that has all the environment variables set to find SDK utilities such as makecert and signtool. If not, you will need to find these tools on your hard drive before running them.

    ***

    1) Open an elevated command prompt

    - Click start
    - Find Cmd Shell or command prompt
    - Right-click, click Run As Administrator

    2) Create a trusted root certificate

    - Browse to the folder that you wish to contain a copy of the certificate
    - In the command shell, execute the following commands:

        makecert -r -pe -n "CN=Test Certificate - For Internal Use Only" -ss PrivateCertStore testcert.cer

        certmgr.exe -add testcert.cer -s -r localMachine root

    3) Sign your file

    - In the command shell, browse to the location of your exe
    - In the command shell, type:

        SignTool sign /v /s PrivateCertStore /n "Test Certificate - For Internal Use Only" /t http://timestamp.verisign.com/scripts/timestamp.dll APP.exe

    Where APP.exe is your application.

    ***

    - JB
      Microsoft MVP - Windows Shell

    Monday, January 15, 2007 3:22 PM
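
The reply above names two conditions for uiAccess: a valid, trusted signature and a trusted install location. The following PowerShell preflight check is an added example, not part of the original post. It assumes the trusted locations are the Program Files folders and Windows\System32, and that the "Only elevate UIAccess applications..." policy is stored in the `EnableSecureUIAPaths` registry value; the `$Path` parameter and the output property names are hypothetical.

```powershell
# Added example: checks a signed executable against the uiAccess conditions
# described in the reply (valid trusted signature, trusted install location).
param(
    [Parameter(Mandatory)] [string] $Path   # hypothetical parameter: exe to check
)

$exe = (Resolve-Path -LiteralPath $Path).ProviderPath

# 1) Signature: 'Valid' means the file is signed, unmodified, and the signer
#    chains to a root this machine trusts (e.g. the test root added with certmgr).
$sig    = Get-AuthenticodeSignature -FilePath $exe
$signed = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

# 2) Location: assumed list of trusted folders (see lead-in).
$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:windir 'System32')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$inTrusted = [bool]($trustedRoots | Where-Object {
    $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
})

# 3) Policy: 0 means the location check is disabled; an unset value is
#    treated here as enforced (assumption).
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$value = (Get-ItemProperty -Path $key -Name EnableSecureUIAPaths `
            -ErrorAction SilentlyContinue).EnableSecureUIAPaths
$locationEnforced = $value -ne 0

# Outcome wording follows the reply: a bad signature blocks the launch,
# a bad location only withholds the privilege.
$outcome = if (-not $signed) {
    'Launch fails: "A referral was returned from the server"'
} elseif ($locationEnforced -and -not $inTrusted) {
    'Runs, but without the uiAccess privilege'
} else {
    'Signature and location conditions are met'
}

[pscustomobject]@{
    File             = $exe
    SignatureStatus  = $sig.Status
    Signer           = $sig.SignerCertificate.Subject
    InTrustedFolder  = $inTrusted
    LocationEnforced = $locationEnforced
    Outcome          = $outcome
}
```

Leaving the location policy enabled and installing the test build under Program Files keeps the machine in its default UAC configuration while testing.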
  • Hi guys,

    I have done everything that Jimmy Brush mentioned in his answer: made a test certificate, added it to the local machine's Trusted Root Certification Authorities certificate store and the Trusted Publishers certificate store, used this test certificate to sign my application, and added uiAccess set to true in the manifest, but I cannot use SendInput to simulate a mouse click event, even though I run my application with High IL.

    I asked a question: http://social.msdn.microsoft.com/Forums/en-US/b68a77e7-cd00-48d0-90a6-d6a4a46a95aa/sendinput-fail-beause-interface-privilege-isolation-uipi-and-integrity

    Can anyone help?

    Thanks.

    Wednesday, July 17, 2013 2:01 PM
  • Thank you very much, you helped me solve a big problem!! Love you~~~
    Thursday, October 17, 2013 2:11 PM