1

So we have a Java process that runs as a Windows service. It needs to execute a command with Runtime.getRuntime().exec(command). The command it executes requires UAC. This is on Windows Server 2008, and it sounds like you cannot disable UAC for a single executable, so is there any other way to make this work?

Andrew Thompson
vinnyjames
  • looks like applying a manifest to the executable may be an option https://sourceforge.net/tracker/index.php?func=detail&aid=2539794&group_id=9328&atid=109328# (have to expand comments) – vinnyjames Apr 12 '11 at 23:55
  • possible duplicate of [Java: run as administrator](http://stackoverflow.com/questions/1385866/java-run-as-administrator) - read the accepted answer ... – Stephen C Apr 13 '11 at 01:26
  • See [Requested for admin privileges for Java app on Windows Vista/7](http://stackoverflow.com/questions/258728/request-admin-privileges-for-java-app-on-windows-vista) – eee Apr 13 '11 at 06:38

1 Answer

5

If your Java application runs as a Windows service, it most likely runs under one of the system accounts: SYSTEM (most probable), LOCAL SERVICE, or NETWORK SERVICE. Thus, if the service runs under the SYSTEM account, everything you start from the service will inherit the account. Anyway, your service must be allowed to interact with the Desktop.

To summarize, if your process runs elevated, then processes started from it will also run elevated.


To elevate, you have to use the ShellExecute or ShellExecuteEx functions of the Windows API. If the .exe you're starting is marked with level=requireAdministrator in its manifest, the shell will display the UAC dialog. If it's not marked, you can use the runas verb/operation to force the UAC confirmation dialog. Note: runas on Windows XP will show the "Run as another user" dialog.

If Runtime.getRuntime().exec(command) is implemented via ShellExecute, then marking the .exe with an appropriate manifest will work; if exec uses CreateProcess, the process will be started with the current user's privileges, i.e. not elevated; moreover, the process will not be started at all if the .exe has requireAdministrator in its manifest.

Alexey Ivanov
  • Thanks Alexey, I think the exe in particular (patch.exe from UnxUtils) does not have a proper manifest defined. Using patch.exe from cygwin doesn't pop up UAC (or fail with permission denied) so I assume it does. – vinnyjames Apr 13 '11 at 17:32
  • @vinnyjames Glad it helped. You can check for a manifest by viewing the .exe file. In case of cygwin, I guess you can add a manifest to it if it does help. – Alexey Ivanov Apr 14 '11 at 08:47
  • yeah thanks again. what tool do you use to see an exe's UAC manifest? – vinnyjames Apr 14 '11 at 14:52
  • @vinnyjames Notepad will do (yet it's slow if .exe is large); I use Far Manager. Then just search for "manifest" – if it's there, you'll see XML. – Alexey Ivanov Apr 14 '11 at 16:44
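
Added example (not part of the answer or comments above): a script form of the manifest check described in the comments, which finds the manifest XML embedded in an .exe, reads its requestedExecutionLevel, and applies the answer's CreateProcess rules to predict what a plain launch will do. The function names are hypothetical, the installer-detection keyword list is an assumption noted in the code, and a raw byte scan does not see an external .manifest file next to the executable.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# File-name keywords matched by UAC installer detection for 32-bit executables
# with no requestedExecutionLevel. Assumption: Microsoft documents "install",
# "setup" and "update"; "patch" is included as commonly reported.
INSTALLER_KEYWORDS = ("install", "setup", "update", "patch")

# An embedded manifest is plain XML inside the file, which is why a text
# search for "manifest" finds it. The optional prefix covers <asmv1:assembly>.
_ASSEMBLY = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly\s*>", re.DOTALL)


def manifest_level(image: bytes) -> Optional[str]:
    """Return the requestedExecutionLevel level found in the file, or None."""
    for match in _ASSEMBLY.finditer(image):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # bytes that only resemble a manifest
        for elem in root.iter():
            # Tags look like '{urn:schemas-microsoft-com:asm.v3}name'.
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return elem.get("level")
    return None


def launch_outcome(file_name: str, image: bytes) -> str:
    """Predict a CreateProcess-style launch from a non-elevated parent."""
    level = manifest_level(image)
    if level == "requireAdministrator":
        return "fails: elevation required, start it through ShellExecute"
    if level == "highestAvailable":
        return "fails only if the caller holds a filtered administrator token"
    if level is not None:
        return "runs with the parent's token (" + level + ")"
    if any(word in file_name.lower() for word in INSTALLER_KEYWORDS):
        return "no level declared: file name may trigger installer detection"
    return "no level declared: runs with the parent's token"


def sample_image(level: str) -> bytes:
    """Constructed sample: manifest XML between filler bytes, not a real PE."""
    doc = ('<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
           '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
           '<requestedPrivileges><requestedExecutionLevel level="' + level + '"'
           ' uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>')
    return b"MZ" + bytes(64) + doc.encode("utf-8") + bytes(64)
```

To check a real file, pass its bytes: `launch_outcome("patch.exe", open(path, "rb").read())`.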