-3

I have a C# app that requires admin privileges for some components, so I figured out the application manifest way with level="requireAdministrator" and such. That works, but UAC asks every time the app is started now, which is really annoying for our customers. Is there a way to have this popup only on first launch or something? Or on install? Or get some token to use? Or a different way altogether? Hopefully this is code-related enough. Thanks

user2864740
user3112658
  • 1
    That might be annoying, but silently running stuff as admin is not really a good idea. – Brian Rasmussen Jun 17 '14 at 21:56
  • As far as I am aware, this is a "feature" of UAC. It is not something that you can circumvent unless you disable user account control. – dub stylee Jun 17 '14 at 21:56
  • 2
    It's SUPPOSED to be this way. Consider what'd happen to system security if you granted `cmd.exe` superuser rights once - anyone could use it later to re-assume those rights without ever getting prompted for an admin password. – Marc B Jun 17 '14 at 21:57
  • You also can't elevate on demand: [How to elevate privileges only when required?](http://stackoverflow.com/questions/573086/how-to-elevate-privileges-only-when-required). – CodeCaster Jun 17 '14 at 22:00
  • I thought there might be a way to do it with only one UAC popup (first launch or install). How is that a security risk? – user3112658 Jun 17 '14 at 22:00
  • Elevation is not something your process does, it's something the operating system does when starting a process (i.e. before your code even starts executing). Every process running with admin privileges is a security risk as it is allowed to do pretty much everything. – n0rd Jun 17 '14 at 23:17

1 Answer

1

No. All you can do is write the app to not need admin privileges (what are you doing anyway?). Often, this can be accomplished by using the correct place to store your data (hint: it's not your Program Files folder), by changing permissions on a few files as the final task of your installer, or by installing a companion app that runs as a service (under appropriate credentials), where your main app instructs the service to make the changes.

The closest I've come to this is to install the app with a scheduled task. You set the scheduled task to run as admin, run as a specific user that does have the needed privileges, and give rights to run the task to non-privileged users. Then you can give them a shortcut to start the task that will not require a UAC prompt.

Joel Coehoorn
  • Thanks for sharing this. This is a very clever way to accomplish running tasks that require administrator privileges, without having to physically be present to enter the credentials. – dub stylee Jun 17 '14 at 21:59
  • I'm modifying network adapter settings with Win32_NetworkAdapterConfiguration through the WMI framework. The only way for the changes to take effect is to run the app as admin. – user3112658 Jun 17 '14 at 22:02
  • You can create a separate executable that performs the configuring and launch that as an elevated process. – CodeCaster Jun 17 '14 at 22:04
  • That would still require the user to click a UAC prompt when that process is launched, which is every time – user3112658 Jun 17 '14 at 22:05
  • @user3112658 it sounds like you're solving something at the wrong level. What exactly is your code doing every time your application starts? Can't it be set system- or domain-wide, for example through group policies? – CodeCaster Jun 17 '14 at 22:33
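
The scheduled-task approach from the answer, as an added example (not code from the answer's author or anyone in the thread): an installer-time script that registers an on-demand task and first checks that the binary it launches cannot be modified by standard users. The task name, the helper path, the choice of SYSTEM as the run-as account and the split of the admin-only work into a UI-less helper are all assumptions.

```powershell
# Added example: run once from an elevated installer. Names and paths are assumptions.
$taskName = 'ContosoNetConfig'                              # hypothetical task name
$exePath  = 'C:\Program Files\Contoso\NetConfigHelper.exe'  # hypothetical helper binary

# Anyone allowed to start the task runs this file as SYSTEM, so refuse to register
# it if an account other than SYSTEM, Administrators or TrustedInstaller can modify it.
# This checks the file's own ACL only; the containing folder needs the same protection.
$trusted = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$rules = (Get-Acl -LiteralPath $exePath).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$unsafe = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $writeMask) -ne 0
})
if ($unsafe.Count -gt 0) {
    $unsafe | Format-Table IdentityReference, FileSystemRights
    throw "Refusing to register '$taskName': $exePath is writable by non-administrators."
}

# On-demand task (no trigger) that runs the helper as SYSTEM with a fixed command line,
# so the caller cannot pass arguments into the elevated process.
$action    = New-ScheduledTaskAction -Execute $exePath
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                 -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null

# Let standard users read and start the task, nothing more (BU = BUILTIN\Users).
# Assumes the returned SDDL string ends with its DACL, so the appended ACE lands there.
$service = New-Object -ComObject 'Schedule.Service'
$service.Connect()
$task = $service.GetFolder('\').GetTask($taskName)
$sddl = $task.GetSecurityDescriptor(0xF)   # owner, group, DACL, SACL
$task.SetSecurityDescriptor($sddl + '(A;;GRGX;;;BU)', 0)

# The unprivileged app (or a shortcut) then starts it without a UAC prompt:
#   schtasks.exe /Run /TN ContosoNetConfig
```

Because every user who can start the task gets the helper's full privileges, the helper should perform one fixed operation and treat any file or setting it reads from a user-writable location as untrusted input.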