Embed and run application with admin credentials

  • Question

  • I have a requirement to run my code/application using admin credentials, even though the current user does not have admin rights. Is there any way we can embed the admin credentials into the code and use them by default to run the application?

    As per my initial findings there is something called running the code with elevation, but if I do that the application prompts for the credentials. But that's not what we want to happen; the application should take the admin credentials available in the code and execute the program with admin privileges.

    Eagerly waiting for some solutions.

    Monday, August 31, 2015 3:07 PM

Answers

  • Here is how you do what you want to do for a simple locally run application that needs access to change certain things on the local PC.

    1) Your admin credentials will be passed one time, at installation.

    2) Your installation package will modify the rights of the operating system to allow users to make the changes or access the sections of the OS that you need them to.

    Can it be done?  Sure.  Run it with cached credentials using runas but doing it this way is wrong and time consuming.  

    • Proposed as answer by CountryStyle Monday, August 31, 2015 11:15 PM
    • Marked as answer by Kristin Xie Monday, September 7, 2015 8:48 AM
    Monday, August 31, 2015 11:15 PM
  • "As I am the owner of the program/code and know that it's trusted to be executed even by non admin users"

    You might feel that it is trustworthy but the OS doesn't.  What exact functionality are you trying to run as admin?  Is this an app that a normal user is expected to run or is it better handled through an automated process like a service or scheduled task?  These types of apps can run with elevated credentials if need be.

    • Marked as answer by Kristin Xie Monday, September 7, 2015 8:48 AM
    Tuesday, September 1, 2015 1:41 PM

All replies

  • Could you not use Impersonation and impersonate an admin user?
    Monday, August 31, 2015 3:20 PM
  • Running an app as an embedded admin is a really bad idea.  Anybody (guest or otherwise) could then do something that only an admin could do.  I would push back on this requirement.

    Running with elevation does not give a user admin privileges if they don't already have them. All it does is allow an admin who is currently using a standard token (because of UAC) to get elevated to admin level.  By adding a manifest you can force your app to request elevation before it can be run.  This allows an admin to run the app without having to right-click Run as Administrator.  A normal user would simply not be able to run the app.

    If you have a situation where a normal user runs the app but you want to provide admin functionality then you need to add an elevation icon (the shield) that notifies the user that clicking the button requires elevation. To elevate a process you have to restart it though so your app will need to be coded to allow a user to elevate and then perform the desired task.  You'll need to google on how to add the shield icon and how to elevate your process while it is running as the code isn't straightforward.

    Michael Taylor
    http://blogs.msmvps.com/p3net

    Monday, August 31, 2015 3:57 PM
  • It is possible to call Runas from a batch file/powershell and provide User Credentials. But even that kind of writing it down of rights is really, REALLY dangerous.
    I would rather elevate the batch file (or even a batch file running other batchfiles) manually*

    *Note that this might cause issues with relative paths as the elevated user has another working directory. Use this syntax to get around it:
    http://www.codeproject.com/Tips/119828/Running-a-bat-file-as-administrator-Correcting-cur

    Indeed I have done so while working as an administrator with great success.

    Without batch your best bet is to add a manifest and try to elevate via Process.Start(), or to already have a program running under admin rights* that starts your program, as elevation is inherited (indeed getting rid of it is not really possible).

    *Can't be a service if you need any form of UI. But some tray icon that is started under the same account as was used for installation of the program should work.

    Monday, August 31, 2015 4:30 PM
  • You may want to try a hack. To me, it is worth a shot. :)

    http://www.thewindowsclub.com/create-elevated-shortcut-run-programs-bypass-uac

    Tuesday, September 1, 2015 3:43 AM
  • To add on to the question.

    As I am the owner of the program/code and know that it's trusted to be executed even by non admin users, is there any way I can allow a non-admin user to execute the program with admin permissions without being prompted for the credentials?

    Tuesday, September 1, 2015 6:53 AM
  • I answered you above.  You can do it but if you do that you are absolutely doing the wrong thing.

    Use your install package to change permissions on the OS to give the user the rights to the areas that you need.

    If you must, use cached credentials under runas or do that thing where you run it as a task.

    What do you need the program to have admin credentials for anyways?


    • Edited by CountryStyle Tuesday, September 1, 2015 12:32 PM
    Tuesday, September 1, 2015 12:30 PM
  • You have to disable UAC, which I have seen companies do. If the machine is sitting on a corporate LAN, protected with a network firewall, and the Windows firewall is running on the machine too, it doesn't seem to be a problem. And they do it by disabling UAC. In working on a corporate network such as that with Vista or Win 7, UAC has never been enabled on the machine, not even on a laptop that was handed out for remote VPN connection.

    One surefire way to not get the UAC prompt is to have the exe executed at system startup using the Task Scheduler, so that the program can be run with admin rights at startup and not get the UAC prompt.  The solution has been around since Vista. You can minimize the program and have it sitting there waiting to go on the taskbar. The user has to know that if he or she exits out of the program, he or she will have to reboot the machine to have the program start up without being prompted by UAC.

    Tuesday, September 1, 2015 1:38 PM
  • "As I am the owner of the program/code and know that it's trusted to be executed even by non admin users"

    You might feel that it is trustworthy but the OS doesn't.  What exact functionality are you trying to run as admin?  Is this an app that a normal user is expected to run or is it better handled through an automated process like a service or scheduled task?  These types of apps can run with elevated credentials if need be.

    That is a good idea.  Depending on the response time required a service that performs actions based on a file with parameters can be started/stopped.  So could the task scheduler for that matter.  

    I have run across similar programs where users' rights are elevated in code; getting full root access on a permanent basis via hacks only took a matter of minutes because the programmer forgot to patch all of the holes and there were a lot of holes to patch.

    It is still puzzling why the OP doesn't just grant granular permissions so the user can do their things.


    Tuesday, September 1, 2015 3:59 PM
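
The approach recommended in the answers (use admin rights once, at installation, to grant standard users only the specific access the app needs, instead of embedding admin credentials) can look like the following. This is an added example, not code from any poster in the thread; the folder, the registry key and the choice of the BUILTIN\Users group are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run ONCE by the installer, elevated. The app itself then runs as a
# standard user. The folder, registry key and target group below are assumptions.

$AppDataDir = 'C:\ProgramData\ExampleApp'            # hypothetical data folder
$RegKeyPath = 'HKLM:\SOFTWARE\ExampleApp\Settings'   # hypothetical settings key
# Well-known SID for BUILTIN\Users (locale-independent, unlike the group name).
$Users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

# Create the resources only if missing (New-Item -Force would reset an existing key).
if (-not (Test-Path $AppDataDir)) { New-Item -ItemType Directory -Path $AppDataDir | Out-Null }
if (-not (Test-Path $RegKeyPath)) { New-Item -Path $RegKeyPath -Force | Out-Null }

# Folder: Modify (read/write/delete) for Users, inherited by children. Not FullControl,
# so users cannot change permissions or take ownership.
$fsArgs = $Users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fsArgs
$acl = Get-Acl -Path $AppDataDir
$acl.AddAccessRule($fsRule)
Set-Acl -Path $AppDataDir -AclObject $acl

# Registry key: read the key and set values only; no subkey creation or deletion.
$regArgs = $Users, 'ReadKey, SetValue', 'ContainerInherit', 'None', 'Allow'
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $regArgs
$regAcl = Get-Acl -Path $RegKeyPath
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKeyPath -AclObject $regAcl

# Check: list what Users hold on the folder (explicit and inherited ACEs) and fail
# the install if that includes the right to rewrite the ACL or take ownership.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -Path $AppDataDir).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $Users.Value -and
                   $_.AccessControlType -eq 'Allow' }
$granted | Format-Table FileSystemRights, IsInherited, InheritanceFlags

$tooBroad = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
if ($granted | Where-Object { $_.FileSystemRights -band $tooBroad }) {
    throw "Users hold permission-changing rights on $AppDataDir; review inherited ACEs."
}
```

Keep the user-writable folder data-only: executables, DLLs or scripts that any elevated process loads must stay in a location standard users cannot modify.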