
I have been dabbling with working nicely with UAC for a while and I found out about a few things:

  1. With UAC enabled, a program in the Startup folder, that requires to be run as admin (say by an embedded manifest), cannot be run according to this Stack Overflow thread.
  2. Another method of running a program at startup is by creating a key containing the path to that application in: `HKLM` or `HKCU` `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, or `HKLM` or `HKCU` `\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` on 64-bit machines.
  3. Yet another method is using the Task Scheduler, setting the "Run with highest privileges" option. This is the only method that bypasses the problem stated in point 1.

Coming from a Linux background, I had no clue about all these admin rights related problems. If someone can list out scenarios which absolutely need administrator privileges, it would be of great help!

I'm asking this because when I'm developing some application, I keep encountering several problems during implementation mostly because my application required admin rights when it shouldn't.

If I know, at design time, all possible scenarios that require admin rights, I could possibly design a common service for all my applications that takes care of all the administrator tasks (I think services are the Windows way of doing things like this).

Anish Ramaswamy

1 Answer


There really isn't a list of scenarios or API function calls that require elevation. Your best option will probably be to focus on what API calls require elevation. The reason for this is that it may be required only if certain values are passed to the function. For instance, `CreateFile` can create a file in your home directory without elevation but requires it for creating a file in `C:\Windows`. If the directory is provided through user input, the only way you can know if elevation is required is to check the error code when the call fails. If elevation is required, the function will set the error status to `ERROR_ACCESS_DENIED` and return a value indicating failure.

Captain Obvlious
  • So that's an example of one scenario. Also, if there isn't a list, don't you think it will be extremely helpful for all Windows programmers if we made one in this thread? It would definitely help people while designing applications. – Anish Ramaswamy Apr 25 '13 at 07:35
  • It _might_ be helpful but it would be nearly impossible to maintain and isn't a good fit for SO. The list would include hundreds if not thousands of API calls each with several variations to cover all possibilities. You should assume that all Windows API calls can return `ERROR_ACCESS_DENIED` and handle it appropriately. – Captain Obvlious Apr 25 '13 at 07:46
  • No no. I'm talking about _scenarios_ not API calls. In your own answer, you mentioned that `CreateFile(something in C:\Windows)` requires elevation. That is a scenario. I'm sure there will not be an outrageous number of scenarios. – Anish Ramaswamy Apr 25 '13 at 07:53
  • @AnishRam: In that case, the list of scenarios is trivial: whenever you'd change things that affect other users. – MSalters Apr 25 '13 at 08:03
  • @AnishRam Every call that can require elevation would need to be documented for every combination of parameter values. You would end up with scenarios for a considerable amount of API calls and the same headaches would crop up. Given the size and maintainability issues it's just not a good fit for SO. – Captain Obvlious Apr 25 '13 at 08:13
  • If you believe a list like that would be beneficial, take this discussion over to [meta](http://meta.stackoverflow.com) because that's where it belongs. – Captain Obvlious Apr 25 '13 at 08:15
  • @MSalters, Hmm okay. So in that case, next time, if I need to do something, I could just find out if it would affect other users. If it does, try and avoid it. If I can't, require admin privileges? – Anish Ramaswamy Apr 25 '13 at 08:25
  • @AnishRam: Yup. Often, the "avoid it" is easy, because many system-wide settings have per-user equivalents. `HKLM` has `HKCU`, the start menu merges system-wide and per-user entries, etc. – MSalters Apr 25 '13 at 08:28
  • @CaptainObvlious, That is partly true though. Do you, by any chance, happen to have any good resources detailing the use of the registry? – Anish Ramaswamy Apr 25 '13 at 08:29
  • @AnishRam See the section on registry functions on [MSDN](http://msdn.microsoft.com/en-us/library/windows/desktop/ms724875(v=vs.85).aspx) – Captain Obvlious Apr 25 '13 at 08:32
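
The pattern from the answer and from MSalters' comments, as an added example that is not part of the original thread: attempt the write without elevation, treat only an access-denied failure as a privilege problem, and fall back to a per-user location instead of demanding admin rights. It uses Python's `OSError` rather than calling `CreateFile` directly; `save_setting`, `is_access_denied`, the `opener` parameter and the directory arguments are hypothetical names chosen for the illustration.

```python
import errno
import os

ERROR_ACCESS_DENIED = 5  # Win32 error code named in the answer


def is_access_denied(exc):
    """True when an OSError means 'caller lacks rights', not 'path is wrong'."""
    # Some calls on Windows attach the Win32 code as `winerror`;
    # when it is absent or None, fall back to the C errno value.
    winerror = getattr(exc, "winerror", None)
    if winerror is not None:
        return winerror == ERROR_ACCESS_DENIED
    return exc.errno in (errno.EACCES, errno.EPERM)


def save_setting(name, data, system_dir, user_dir, opener=open):
    """Try the system-wide location first, then the per-user equivalent.

    Returns (path_written, scope), scope being 'system' or 'user'.
    Any error other than access-denied propagates, so a bad path is
    never mistaken for a missing privilege.
    """
    target = os.path.join(system_dir, name)
    try:
        with opener(target, "w", encoding="utf-8") as fh:
            fh.write(data)
        return target, "system"
    except OSError as exc:
        if not is_access_denied(exc):
            raise
    # Access denied: stay unelevated and write the per-user copy instead.
    os.makedirs(user_dir, exist_ok=True)
    target = os.path.join(user_dir, name)
    with opener(target, "w", encoding="utf-8") as fh:
        fh.write(data)
    return target, "user"
```

The `opener` argument exists only so the access-denied branch can be exercised without a protected directory; production callers leave it at the default.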