uac interview questions
Top uac frequently asked interview questions
I have a product setup executable that copies some files to the user's hard drive. It's not a typical installer in the normal sense (it doesn't add anything to the Start Menu or Program Files folders).
Each time the setup program is run on Vista, after the exe terminates, Vista produces a task dialog:
- This program might not have installed correctly
- Reinstall using recommended settings
- This program installed correctly
Is there a function I need to call from the exe or registry entry to set, to indicate to the operating system that the program installed correctly (or to at least supress this message)?
Related questions: http://stackoverflow.com/questions/1069135/this-program-might-not-have-installed-correctly-message-in-windows-7-rc (for Windows 7-specific issues)
Source: (StackOverflow)
Here is the question:
Can TortoiseSvn work on Windows 2008 without turning off User Account Control?
Here is the story:
I just moved my test server to Windows 2008 and I am having problems with TortoiseSvn. I am logged on as an administrator, but when I go to update some code from the Subversion repository, I get a message saying:
Error Can't set file 'C:\dev\trunk.svn\entries' read-write: Access is denied
So I have seen messages like that and I know to run cleanup. But when I run cleanup I get:
Cleanup failed to process the following paths: C:\dev\trunk
So further investigation convinces me that I have a permissions problem. Running svn status from a command prompt shows me that the directories are locked and running svn cleanup fails just like the tortoise cleanup did. But when I launch the command prompt as an administrator, I can run svn cleanup with out a problem and I can run svn up and get my files updated.
UPDATE:
This is a windows UAC permissions problem. Turning off UAC fixes the problem. But I would like to find a solution that doesn't require turning off UAC. Since Tortoise is a windows shell extension, I don't know how to make it run as administrator.
Any suggestions?
Source: (StackOverflow)
I have created a .NET C# WinForms application on Win 7 RTM x64, which let's say I have called DataInstaller.
When I run this program outside of the debugger (just an empty form with no functionality at the moment), it works fine until I close the form. I then get a message from the Program Compatibility Assistant that says:
This program might not have installed correctly
I then get the option to reinstall using recommended settings or to say that the install did work as expected.
If I name the app 'DataThingy' this isn't an issue, I guess this is related to the way that programs called *Setup gain a UAC shield icon.
I assume that there will be something simple that I can put in the application manifest to prevent this?
I'm not sure if this occurs on Vista as I don't have access currently.
Changing the name is not an option and turning off UAC is not an option so please don't suggest this!
Edit:
OMG.
It seems that if any of the following are true, UAC sticks its oar in:
Exe name contains the word Installer
AssemblyInfo.cs
AssemblyTitle contains the word 'Installer'
e.g. [assembly: AssemblyTitle("DataInstaller")]
AssemblyProduct contains the word 'Installer'
e.g. [assembly: AssemblyProduct("Data Installation Utility")]
'Installer' can also be 'Setup'.
It beggars belief, it really does. Obviously one of the old VB6 programmers got relocated into the UAC team over at Redmond.
I still need a workaround, I'm not prepared to accept that my application can't possibly be an called an installer because it doesn't touch the registry or put any files in the Program Files folder.
I assume that UAC would put the machine into total lockdown if I tried to execute my application called IAmAVirus.exe. (Actually, I daren't try it because I'm not entirely convinced that I'm just being silly)
Source: (StackOverflow)
I noticed the following phenomenon:
An executable built with Delphi 7 and part of the name including "Update" (e.g. "UpdateMyApp.exe") causes UAC to step in to display a warning like "do you want to allow the program to make changes to your computer".
This happens with a simple hello world application. Showing the file in explorer shows the shield symbol overlayed to the application icon.
As soon as you rename the exe the shield disappears and the application starts without warnings.
As mentioned this only happens to programs built with Delphi 7 and started on Windows 7 (I assume same on Vista) but not on e.g. WinXP.
A quick check with Delphi 2007 shows that this problem is gone.
Funny... scarying...
Besides renaming the file, what can I do to prevent this?
Source: (StackOverflow)
I know how to launch a process with Admin privileges from a process using:
proc.StartInfo.UseShellExecute = true;
proc.StartInfo.Verb = "runas";
where proc is a System.Diagnostics.Process. But how does one do the opposite?
If the process you're in is already elevated, how do you launch the new process without admin privileges? More accurately, we need to launch the new process with the same permission level as Windows Explorer, so no change if UAC is disabled, but if UAC is enabled, but our process is running elevated, we need to perform a certain operation un-elevated because we're creating a virtual drive and if it's created with elevated permissions and Windows explorer is running unelevated it won't show up.
Feel free to change the title to something better, I couldn't come up with a good description.
Source: (StackOverflow)
What are possible reasons for getting the Program Compatibility Assistant dialog after my application closes?
EDIT: Program Compatibility Assistant: frequently asked questions
I realize this question has already been asked on S.O.
However, my app:
- Only gets PCA after it closes
- Does not attempt to do anything that requires elevated privileges (I don't think)
- Does not get PCA when run from IDE
- Is not an installer/setup program
- Does not have "installer" or "setup" in the program name
- Does not throw an exception when it closes, or exit with a code other than 0 (I don't think)
- Does not get PCA if I add
<compatibility> node to application manifest
Note #6, with the following app.manifest, I no longer get the PCA:
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
</application>
</compatibility>
</asmv1:assembly>
So that second part seems to fix it, but I am worried that my application is still doing something that I am unaware of.
To be clear, I'm asking a 2 part question:
- What issues can cause the PCA dialog to appear?
- Is the
<compatibility> node absolutely necessary in order to avoid the PCA dialog? Or might I still be doing something wrong?
Source: (StackOverflow)
Is there a way in Java to ask the system to get control over administrator functionality.
Of course without doing: Right click on the exe -> run as admin.
What I want is that there comes a frame from UAC like in Windows Vista or Windows 7.
Or have I to do some settings while making an exe from the jar?
Source: (StackOverflow)
I want my Python script to copy files on Vista. When I run it from a normal cmd.exe window, no errors are generated, yet the files are NOT copied. If I run cmd.exe "as administator" and then run my script, it works fine.
This makes sense since User Account Control (UAC) normally prevents many file system actions.
Is there a way I can, from within a Python script, invoke a UAC elevation request (those dialogs that say something like "such and such app needs admin access, is this OK?")
If that's not possible, is there a way my script can at least detect that it is not elevated so it can fail gracefully?
Source: (StackOverflow)
In Windows 7, you could go into a programs compatibility settings and check off to always run as an Administrator. Is there a similar option in Windows 8?
I've always disabled UAC on my machines, and did the same after my Windows 8 upgrade, or so I thought. It turns out there is no off option, only turning off the notifications.
This means nothing is run as an Administrator despite being in the Administrator group. I need to keep closing and reopening my consoles\Visual Studio when I try to debug (attach to process, not F5), which is very frustrating.
It's really annoying that I need to either remember to take extra steps to open it as an Administrator or tell it to close and re-open when I go to debug for the first time.
Source: (StackOverflow)
I'm building an MSI installer for windows and sign the installer using signtool. When I run the .msi to test it, the UAC (User Account Control) prompt shows up to ask me if I want to allow the installation to proceed. That's fine, but the prompt shows a number of fields, and for the Program Name field it displays something like "403b3.msi". This is not the name of the msi I'm running.
How can I get the correct Program Name to be displayed?
Source: (StackOverflow)
I have a CustomAction as part of an MSI.
It MUST run as a domain account that is also a member of the local Administrators account.
It can't use the NoImpersonate flag to run the custom action as NT Authority\System as it will not then get access to network resources.
On Vista/2008 with UAC enabled if NoImpersonate is off then it will run as the executing user but with the unprivileged token and not get access to local resources such as .installState. See UAC Architecture
Anyone know of a way to either
Force the MSI to run with the elevated token in the same way that running from an elevated command prompt does?
Force the CustomAction to run elevated (requireAdministrator in manifest doesn't appear to work)?
Work out if UAC is enabled and if it hasn't been ran elevated and if so warn or cancel the installation?
Source: (StackOverflow)
I have a console application that require to use some code that need administrator level. I have read that I need to add a Manifest file myprogram.exe.manifest that look like that :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator">
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
But it still doesn't raise the UAC (in the console or in debugging in VS). How can I solve this issue?
Update
I am able to make it work if I run the solution in Administrator or when I run the /bin/*.exe in Administrator. I am still wondering if it's possible to have something that will pop when the application start instead of explicitly right click>Run as Administrator?
Source: (StackOverflow)
Everything I've been able to find about escalating to the appropriate privileges for my needs has agreed with my current methods, but the problem exists. I'm hoping maybe someone has some Windows Vista/Win7 internals experience that might shine some light where there is only darkness. I'm sure this will get long, but please bare with me.
Context:
I'm working on an app that requires accessing the memory of other processes on the current machine. This, obviously, requires administrator rights. It also requires SeDebugPrivilege, which I believe myself to be acquiring correctly, although I question if more privileges aren't necessary and thus the cause of my problems. Code has so far worked successfully on all versions of Windows XP, and on my test Vista32 and Win7x64 environments.
Process:
- Program will Always be run with Administrator Rights. This can be assumed throughout this post.
- Escalating the current process's
Access Token to include SeDebugPrivilege rights.
- Using
EnumProcesses to create a list of current PIDs on the system
- Opening a handle using
OpenProcess with PROCESS_ALL_ACCESS access rights
- Using
ReadProcessMemory to read the memory of the other process.
Problem:
Everything has been working fine during development and my personal testing (including Windows XP 32 & 64, Windows Vista 32, and Windows 7 x64). However, during a test deployment onto both Windows Vista(32-bit) and Windows 7(64-bit) machines of a colleague, there seems to be a privilege/rights problem with OpenProcess failing with a generic Access Denied error. This occurs both when running as a limited User (as would be expected) and also when run explicitly as Administrator (Right-click > Run as Administrator and when run from an Administrator level command prompt).
However, this problem has been unreproducible for myself in my test environment. I have witnessed the problem first hand, so I trust that the problem exists. The only difference that I can discern between the actual environment and my test environment is that the actual error is occurring when using a Domain Administrator account at the UAC prompt, whereas my tests (which work with no errors) use a local administrator account at the UAC prompt.
It appears that although the credentials being used allow UAC to 'run as administrator', the process is still not obtaining the correct rights to be able to OpenProcess on another process. I am not familiar enough with the internals of Vista/Win7 to know what this might be, and I am hoping someone has an idea of what could be the cause.
The Kicker:
The person who has reported this error, and who's environment can regularly reproduce this bug, has a small application named along the lines of RunWithDebugEnabled which is a small bootstrap program which appears to escalate its own privileges and then launch the executable passed to it (thus inheriting the escalated privileges). When run with this program, using the same Domain Administrator credentials at UAC prompt, the program works correctly and is able to successfully call OpenProcess and operates as intended. So this is definitely a problem with acquiring the correct privileges, and it is known that the Domain Administrator account is an administrator account that should be able to access the correct rights. (Obviously obtaining this source code would be great, but I wouldn't be here if that were possible).
Notes:
As noted, the errors reported by the failed OpenProcess attempts are Access Denied. According to MSDN documentation of OpenProcess:
If the caller has enabled the SeDebugPrivilege privilege, the requested access is granted regardless of the contents of the security descriptor.
This leads me to believe that perhaps there is a problem under these conditions either with (1) Obtaining SeDebugPrivileges or (2) Requiring other privileges which have not been mentioned in any MSDN documentation, and which might differ between a Domain Administrator account and a Local Administrator account
Sample Code:
void sample()
{
/////////////////////////////////////////////////////////
// Note: Enabling SeDebugPrivilege adapted from sample
// MSDN @ http://msdn.microsoft.com/en-us/library/aa446619%28VS.85%29.aspx
// Enable SeDebugPrivilege
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tokenPriv;
LUID luidDebug;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken) != FALSE)
{
if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug) != FALSE)
{
tokenPriv.PrivilegeCount = 1;
tokenPriv.Privileges[0].Luid = luidDebug;
tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, 0, NULL, NULL) != FALSE)
{
// Always successful, even in the cases which lead to OpenProcess failure
cout << "SUCCESSFULLY CHANGED TOKEN PRIVILEGES" << endl;
}
else
{
cout << "FAILED TO CHANGE TOKEN PRIVILEGES, CODE: " << GetLastError() << endl;
}
}
}
CloseHandle(hToken);
// Enable SeDebugPrivilege
/////////////////////////////////////////////////////////
vector<DWORD> pidList = getPIDs(); // Method that simply enumerates all current process IDs
/////////////////////////////////////////////////////////
// Attempt to open processes
for(int i = 0; i < pidList.size(); ++i)
{
HANDLE hProcess = NULL;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pidList[i]);
if(hProcess == NULL)
{
// Error is occurring here under the given conditions
cout << "Error opening process PID(" << pidList[i] << "): " << GetLastError() << endl;
}
CloseHandle(hProcess);
}
// Attempt to open processes
/////////////////////////////////////////////////////////
}
Thanks!
If anyone has some insight into what possible permissions/privileges/rights/etc that I may be missing to correctly open another process (Assuming the executable has been properly "Run as Administrator"ed) on Windows Vista and Windows 7 under the above conditions, it would be most greatly appreciated. I wouldn't be here if I weren't absolutely stumped, but I'm hopeful that once again the experience and knowledge of the group shines bright. I thank you for taking the time to read this wall of text. The good intentions alone are appreciated, thanks for being the type of person that makes SO so useful to all!
Source: (StackOverflow)
I need my application to behave differently depending on whether Vista UAC is enabled or not. How can my application detect the state of UAC on the user's computer?
Source: (StackOverflow)
For my C# app, I don't want to always prompt for elevation on application start, but if they choose an output path that is UAC protected then I need to request elevation.
So, how do I check if a path is UAC protected and then how do I request elevation mid-execution?
Source: (StackOverflow)