How to refine UAC settings in order to support some sort of a "trusted applications list"?

    Question

  • Hello everyone,
    I have an application, which is supposed to be able to read from the registry's "HKEY_LOCAL_MACHINE" (since the application settings should be the same for all and any user account). As a result UAC comes in, and even though I built it with UAC execution level "requireAdministrator", UAC still demands the confirmation each and every time the application is started... extremely annoying! I can turn off UAC completely of course, which is exactly what I did on the development machine by now - but I would prefer to avoid this on the systems to be shipped if possible. "If possible" means to me a possibility to tell the system something like "let UAC do its job, but do not manage this application - I trust it".
    Is there any way of doing that?
    Thanks, everyone, in advance,
    Mike


    Mike Faynberg
    Wednesday, October 19, 2011 7:35 PM

Answers

  • There is no way to tell UAC not to manage specific apps.  The right thing to do would be to fix the app not to need elevation.  I believe there are app compat settings to redirect the registry calls to user-specific settings, but then you'll lose the common setting.  You might also be able to grant access to the necessary keys to other users.

    Does your application need to store this in the registry?  The standard recommendation would be to store it in CSIDL_COMMON_APPDATA.  When your app is installed create a subdirectory and grant write access to it so that all appropriate users have access.  See http://msdn.microsoft.com/en-us/library/ms995853.aspx for more discussion on where to store common data.

    This behavior is not new to Windows 8 (or even Vista).  Apps running as a non-admin would fail writes to HKLM on any version of Windows.

    Since it sounds like this is an app that you are writing, it would be better off in the development forums at http://social.msdn.microsoft.com/Forums/en-US/windowsgeneraldevelopmentissues/threads.

    • Marked as answer by mfaynberg Thursday, October 20, 2011 5:10 PM
    Thursday, October 20, 2011 2:01 AM
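
The two suggestions in this thread (open the HKLM key with only the access you need, and keep machine-wide writable settings in a subdirectory of the common application data folder) can be sketched as follows. This is an added example, not code from any poster; `ExampleVendor\ExampleApp` is a hypothetical placeholder for the application's own key and directory.

```powershell
# Added example. 'ExampleVendor\ExampleApp' is a hypothetical placeholder name.
$appKey  = 'SOFTWARE\ExampleVendor\ExampleApp'
$dataDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'ExampleVendor\ExampleApp'

function Test-HklmAccess {
    # Run as a standard (non-elevated) user to see which access level HKLM grants.
    param([string]$SubKey)
    foreach ($writable in $false, $true) {
        try {
            # Second argument $false = read-only handle, $true = read/write handle.
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $writable)
            if ($null -eq $key) {
                "writable=$writable : key does not exist"
            } else {
                "writable=$writable : opened"
                $key.Close()
            }
        }
        catch [System.Security.SecurityException] {
            # Raised when the requested access exceeds what the key's ACL allows.
            "writable=$writable : access denied"
        }
    }
}

function Initialize-SharedDataDir {
    # Run once from the elevated installer, not from the application itself.
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # S-1-5-32-545 is the well-known SID of BUILTIN\Users.
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    # Modify on this folder, inherited by the files and subfolders created in it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Test-HklmAccess -SubKey $appKey        # standard user: read succeeds, write is denied
# Initialize-SharedDataDir -Path $dataDir   # uncomment in the elevated install step
```

Grant the write permission only on the data subdirectory, never on the directory holding the executables, and have the application validate what it reads back, since any local user can now change those settings.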

All replies

  • You don't require elevation to read from the HKLM hive. If it's giving you access denied you are presumably opening the key asking for full permissions which will fail since users can't write to HKLM. Correctly define the permissions you require when opening the registry key and all will be fine.
    Wednesday, October 19, 2011 8:20 PM
  • Andy,

    thanks for your comment. You are correct - my mistake: in some cases I would like to have write permissions as well in order to save the settings.


    Mike Faynberg
    Wednesday, October 19, 2011 9:14 PM