I need to use the systemRoot feature of the Preferences API, but it fails due to lack of permissions on Windows if UAC is on. I'm trying to find the technical details of popping the UAC prompt and elevating my permissions to allow the systemRoot updates to succeed.
Asked
Active
Viewed 1.5k times
14
-
possible duplicate of [UAC and Java](http://stackoverflow.com/questions/1076794/uac-and-java) – Stephen C Jan 11 '11 at 21:03
-
Sort of. However, that particular question is sorely lacking in the technical details required to make it work. I'm looking for *practical* information, not the theory that we all already know. :-) – Brian Knoblauch Jan 12 '11 at 13:18
-
1There's a "won't fix" bug in the java bug database: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6790382 – Jonathas Carrijo Nov 03 '14 at 16:50
3 Answers
6
According the accepted answer to this SO question, you cannot change the UAC permissions of a running process.
According to the answers to this SO question, possible ways to launch a process with elevated permissions are:
- create a wrapper to launch the JVM (with the appropriate arguments!) with a windows manifest that requests raised privileges, or
- use the application linked to the 2nd answer to run the JVM with raised privileges.
-
The problem I'm having is that I can't get the JVM to launch with raised privileges for some reason. – Brian Knoblauch Jan 12 '11 at 13:07
-
@brian - I think you are going to need to provide some code of how you are trying to launch elevated – Kevin Day Jan 16 '11 at 04:05
-
I've given up on the Preferences API, going to just do config files stored in the all users data directory instead. Don't need to do UAC escalation for that. – Brian Knoblauch Jan 17 '11 at 13:14
2
In addition to the manifest Using JNI to call ShellExecute with verb = runas will also do this - but specifying things with a manifest is a more robust way of doing it. Getting a manifest embedded in an exe can be a bit tricky, and there were a lot of problems with manifest handling in earlier versions of Visual C++, but most of them are worked out now.
That said, I'd encourage you to think hard about why you need to access the system root - is it to store settings for all users? If so, you may want to consider having a separate application for managing those settings (with it's own manifest). You can't just pop open a UAC elevation dialog - you actually have to launch a new process (if you look at task manager with apps that appear to work this way, you'll see that a second instance of the app actually gets launched - look at the UAC Virtualization column in task manager to see the differences).
Another possibility is to adjust the security settings in the area of the registry that you absolutely must configure from your non-elevated process - but this goes against the design of UAC, and it'll almost always cause more trouble than it's worth. Probably better to drink the M$ kool-aid and design your app properly for UAC. (Believe me, I feel your pain on this - been through it a number of times).
As I was experiencing this pain myself, I found the following MSDN article quite helpful to understand the Microsoft design intent with UAC:
http://msdn.microsoft.com/en-us/library/aa511445.aspx
Hope this helps...
Kevin Day
- 16,067
- 8
- 44
- 68
-
Unfortunately, there doesn't seem to be any way around it. I have data that any user needs to be able to update for all users for our app. We used to have dependency files in Program Files, but that doesn't work in the NWO. Preferences API seems to be the way to go, but I'm running into Windows platform specific problems (our app is also used on OS X and *nix). A separate updater app would be fine. I've been trying to just launch another copy of my app, but with command line options to select an alternate code path to do the update (keeps the packaging simpler than bundling another app). – Brian Knoblauch Jan 12 '11 at 13:12
-
yes - elevating to set those specific settings is the right thing to do (you could also adjust the folder permissions during install - sometimes that's appropriate, other times not). – Kevin Day Jan 16 '11 at 04:05
2
You can use run-as-root library: https://github.com/dyorgio/run-as-root
// Specify JVM options (optional)
RootExecutor rootExecutor = new RootExecutor("-Xmx64m");
// Execute privileged action
rootExecutor.run(() -> System.out.println("Call your admin code here."));
P.S.: I'm the author.
Dyorgio
- 1,114
- 13
- 23