How to prevent UAC from automatically elevating an application

  • Question

  • On Windows Server 2008 Standard x86-64 SP2, whenever UAC determines an application to require elevation, it raises a UAC prompt for it. Is there a way to configure Windows so that it never prompts for elevation but only ever runs applications with limited privileges unless specifically requested otherwise (run as administrator, etc)?
    Wednesday, August 19, 2009 5:39 AM

Answers

  • Hi - I think my information can help.

    Below: Manifest xml config code.
    -----------------------------------------------
    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
            <requestedExecutionLevel level="asInvoker" uiAccess="false" />
          </requestedPrivileges>
          <applicationRequestMinimum>
            <PermissionSet class="System.Security.PermissionSet" version="1" Unrestricted="true" ID="Custom" SameSite="site" />
            <defaultAssemblyRequest permissionSetReference="Custom" />
          </applicationRequestMinimum>
        </security>
      </trustInfo>
    </asmv1:assembly>
    -----------------------------------------------
       Change to:   <requestedExecutionLevel level="asInvoker" uiAccess="false" />
    -----------------------------------------------

    If you have made the applications, then just modify the XML config manifest.
    You can also do this by using the WindowsIdentity class and WindowsPrincipal class.
    ----------------------------------------------

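            using System.Security.Principal;

            // True if the current Windows identity is in the built-in Administrators role.
            bool IsAdmin()
            {
                WindowsIdentity id = WindowsIdentity.GetCurrent();
                WindowsPrincipal principal = new WindowsPrincipal(id);
                return principal.IsInRole(WindowsBuiltInRole.Administrator);
            }

            // True if the current Windows identity is in the built-in Users role.
            bool IsUser()
            {
                WindowsIdentity id = WindowsIdentity.GetCurrent();
                WindowsPrincipal principal = new WindowsPrincipal(id);
                return principal.IsInRole(WindowsBuiltInRole.User);
            }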

    --------------------------------------------------
    You can implement the above function in "if-and-elseif" or using a "switch()"-statement.

    Have a nice day...

    Best regards,
    Fisnik


    Coder24.com
    Thursday, August 20, 2009 4:17 PM
  • The appropriate runlevel for an exe is determined before the process starts, and is determined (in applications designed for Vista+) by the requestedExecutionLevel on the application's embedded manifest.

    For older exes, the OS has to make a guess.

    Generally speaking, the experience for an admin / non-admin is the same under UAC - things that require administrative access will generate a prompt for elevation, and things that don't, won't. (The exception to this is things marked with requestedExecutionLevel 'highestAvailable', which should generally not be used).

    If you want things to work the way you describe, you can turn off UAC and make sure all your users are standard users. I don't believe there's a policy for 'ignore requestedExecutionLevel manifests', which is what would be required.

    Wednesday, August 19, 2009 5:30 PM
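
Since the run level is fixed by the manifest before the process starts, one way to see in advance which applications will ask for elevation is to read requestedExecutionLevel from each manifest. The following is an added example, not code from either poster; it assumes the manifests have already been extracted as XML text, and the file names, sample manifests and result labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# What each requestedExecutionLevel value means for UAC at process start.
OUTCOME = {
    "asInvoker": "inherits-caller-token",        # no prompt, runs as launched
    "highestAvailable": "elevates-for-admins",   # differs for admin and non-admin
    "requireAdministrator": "always-elevates",   # elevation needed for everyone
}

def requested_level(manifest_xml):
    """Return the level attribute of requestedExecutionLevel, or None if absent."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # Match on the local name only: manifests declare this element under
        # asm.v2 or asm.v3 (the manifest quoted above uses asm.v3).
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None

def classify(manifest_xml):
    level = requested_level(manifest_xml)
    if level is None:
        return "legacy-heuristics"   # no declared level: the OS has to guess
    return OUTCOME.get(level, "unknown-level")

def needs_review(manifests):
    """Names of apps whose manifest does not pin them to asInvoker."""
    return sorted(name for name, xml in manifests.items()
                  if classify(xml) != "inherits-caller-token")

def _manifest(level_xml):
    # Constructed sample manifest wrapper (not from a real application).
    return ('<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">'
            '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security>'
            '<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">'
            + level_xml + '</requestedPrivileges></security></trustInfo></assembly>')

SAMPLES = {  # constructed inputs
    "editor.exe": _manifest('<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'),
    "setup.exe": _manifest('<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'),
    "console.exe": _manifest('<requestedExecutionLevel level="highestAvailable" uiAccess="false"/>'),
    "legacy.exe": '<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"/>',
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:12} {classify(xml)}")
    print("review:", needs_review(SAMPLES))
```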

All replies

  • Hello - John S. Savage:

    I'm wondering how the situation is on your side?
    Is this issue solved or not?

    Please tell me...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Friday, October 2, 2009 6:51 PM
  • Hello - John S. Savage:

    I'm wondering how the situation is on your side?
    Is this issue solved or not?

    Please tell me...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Tuesday, October 13, 2009 6:10 AM