3

I have an app of mine that I need to distribute to 5000 computers on my business domain via SCCM and i'm having problems with the windows security. The point is that my app requires administrative rights to access to registry keys and launch some "specific" featues on the local system and all the users on the domain (except for the IT support team of course) doesn't have such privileges.

I was wondering that I could make windows call a launcher on startup next, this launcher would get admin username and password on the app's server and then run the app with those credentials. But i'm having difficulties performing this task once i'm new on C# (i'm a java programer) and i haven't found any way of using the runas command with both username and password information.

Other point, it would be perfect if i could make use the admin privileges without the anoying windows UAC prompts.

Can anybody help me?

Paulo
  • 29
  • 2
  • what version of windows are you deploying to? – DeanOC Apr 18 '15 at 21:37
  • 1
    You want to utilize impersonation, this will take a domain user with such permission, then attempt to impersonate said user to perform task. An example can be found here. https://msdn.microsoft.com/en-us/library/w070t6ka%28v=vs.110%29.aspx – Greg Apr 18 '15 at 21:41
  • 1
    The following is off topic because it doesn't demonstrate any actual code or information. – Greg Apr 18 '15 at 21:46
  • In one of my apps I built and run a service in the background that handles all of the privileged calls. The beauty of it is that user level rights can start / stop the service so it only runs when its needed. May not be your solution but a suggestion all the same... – RussDunn Apr 18 '15 at 21:49
  • 2
    If you need to set up registry values, use a Setup program (MSI preferred). Admins can deploy that. Such tasks are typical use cases for Setup programs. A Windows Service may work as well, but this sounds overkill for your use case and imposes potential security risks when not implemented properly. – JensG Apr 18 '15 at 21:57
  • Just found a solution, http://stackoverflow.com/questions/6413900/launch-a-process-under-another-users-credentials . But anyway thank you all for your help. – Paulo Apr 19 '15 at 17:15

2 Answers2

0

I'm not sure about what I'm going to say, but just did a bit of research that may help you.

You can try to schedule a task to run your program, and config this schedule to run it with admin rights, at startup.

Scheduling a task

Then the only thing left you need to look for is how to program easily this task for all your computers.

Hope this helps you

Btc Sources
  • 1,912
  • 2
  • 30
  • 58
0

If your application must be run as an administrator in order to operate correctly: then tell Windows that:

<requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />

So that if i'm a standard user (i.e. not an Administrator), and i try to use your program: i will be prompted to get an administrator to come to my desk and enter their credentials so i can run your program.

The downside of your program only functioning with admin privileges is that a standard user cannot run your program.

And you could try turning off UAC; but that doesn't fix anything. UAC is a quality-of-life feature.

  • if i turn off UAC
  • i'm still a standard user
  • except now i have to logout and login as an administrator

The correct solution is to let your program work as a standard user.

Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219