Jeremy Cottino

It is far better to know something about everything than to know everything about one thing. [Blaise Pascal]

Change privilege level of a Windows application

As part of my preparation for the first exam, I discovered some features I didn’t know yet. As usual, the best way for me to remember them is to write a short review. Cheat sheet inside...
Today, the subject is: Security and privilege elevation… tada…

I will not cover WHY this is needed, just HOW. By default, any .NET application runs as the current user (the invoker) and does not check any security level. Let's imagine that we have to develop an application that needs to modify the registry or add/update files in %ProgramFiles%. The invoker should be part of the local admin group, or the application should not start.

This is the new pop-up (the User Account Control prompt) that we discovered with Windows Vista and now see in Windows 7.


Quick note:
How do you take a screenshot of the User Account Control pop-up? It seems like a stupid question, but try it: with the default configuration, it is not possible. Here is how to do it:
You have to configure UAC not to switch to the secure desktop; then you will be able to take a screenshot of the UAC prompt.
Run Secpol.msc as administrator, expand Local Policies, then Security Options, and set the policy "User Account Control: Switch to the secure desktop when prompting for elevation" to "Disabled". It is recommended to revert the change after you've taken the screenshots, because the secure desktop is what keeps other programs in the user's session from interacting with the elevation prompt.

After this quick note, let's go back to our business. In your Windows application project, add a new item of type Application Manifest File. This creates app.manifest.


The default manifest, shown below, contains requestedExecutionLevel level="asInvoker", meaning that the application runs with the same privileges as the calling application:
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

If you want the application to request administrator privileges when it is launched, replace the previous configuration with the one below, which sets requestedExecutionLevel level="requireAdministrator":

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

Note that with requireAdministrator as the value of the level attribute, the .exe icon changes: a small Windows shield appears on it.

To summarize, here are the three possible values for the level attribute:
  1. requireAdministrator: The application must be started with Administrator privileges; it won't run otherwise.
  2. highestAvailable: The application is started with the highest possible privileges. If the user is logged on with an Administrator account, an elevation prompt appears. If the user is a Standard User, the application is started (without any elevation prompt) with these standard privileges.
  3. asInvoker: The application is started with the same privileges as the calling application.
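
A build-time check for the manifest settings described above, as an added example that is not part of the original post: it parses an app.manifest and reports when the requested level falls outside an allowed set. The function names, the allowed_levels policy and the sample manifest are assumptions constructed for illustration, and the uiAccess check goes beyond what the post covers.

```python
import xml.etree.ElementTree as ET

# The three values the post lists for the level attribute.
KNOWN_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed sample modelled on the post's app.manifest; {level} and {ui} are placeholders.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="{level}" uiAccess="{ui}" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>"""


def requested_execution_level(manifest_xml):
    """Return (level, ui_access), or (None, None) when the element is absent."""
    # Only parse manifests from your own source tree: ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for elem in root.iter():
        # Compare the local name only, so the check does not depend on
        # which asm.vN namespace the manifest declares.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            ui_access = elem.get("uiAccess", "false").strip().lower() == "true"
            return elem.get("level"), ui_access
    return None, None


def audit_manifest(manifest_xml, allowed_levels=("asInvoker",)):
    """Return a list of findings; an empty list means the manifest passes."""
    level, ui_access = requested_execution_level(manifest_xml)
    if level is None:
        return ["no requestedExecutionLevel element found"]
    findings = []
    if level not in KNOWN_LEVELS:
        findings.append(f"unrecognised level {level!r}")
    elif level not in allowed_levels:  # hypothetical policy: least privilege by default
        findings.append(f"level {level!r} is not in the allowed set {sorted(allowed_levels)}")
    if ui_access:
        findings.append("uiAccess is true")
    return findings


if __name__ == "__main__":
    for lvl in KNOWN_LEVELS:
        print(lvl, audit_manifest(SAMPLE.format(level=lvl, ui="false")))
```

Run it against every manifest in the source tree and pass requireAdministrator in allowed_levels only for the applications that are meant to elevate.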


Certification season is open

Autumn seems to be certification season for me. After successfully passing the 70-433 - SQL Server 2008 database development certification, my new challenges move on to Windows Forms using .NET Framework 3.5.

The first one will be 70-505 Microsoft .NET Framework 3.5, Windows Forms Application Development

Then 70-536 Microsoft .NET Framework - Application Development Foundation

And finally if I still have energy 70-563 PRO Designing and Developing Windows Applications Using the Microsoft .NET Framework 3.5

After that I could be MCPD :P

Because for me the easiest way to remember something is to write it, the following posts will deal with some parts of those certifications that I have trouble remembering.
For those who love the "For dummies" book cover, you can create your own here.


Explained to myself, what is Twitter?

I created my Twitter account a few days ago and did not really find the "Good" way to use it.
I found this free webinar from ITMPI about "Using Twitter in the Enterprise". As it was quite interesting, let me share some resources around Twitter.
This webinar was presented by Edward Yourdon (find him on Wikipedia, or on his blog). Slides of this presentation can be downloaded here.

Let's start with a nice video that presents Twitter, called Twitter in plain English.


Among many others, here are some Twitter client programs:
  • Seesmic: presented as the best Twitter client for Desktop, Web and Mobile, manage multiple Twitter accounts, Facebook feeds and pages and access Twitter Lists.
  • Twhirl: a desktop client for the Twitter microblogging platform, powered by Adobe AIR
  • TweetDeck: a simple and fast way to experience Twitter
  • Tweetie: An iPhone/iPad client.
Some articles:
Also some tools that can be useful (honestly, I did not try any so...)
  • TweetStats: In ur Tweets, Graphin' Your Stats!
  • TweetCube allows you to share files on Twitter
  • Displayed as a cloud, tweetclouds: Quickly view 'what's being said' across the Twittersphere
  • Twitterfone to... guess what, microblog over mobile phone.


25 Cool Windows 7 Keyboard Tricks That Will Impress Your Friends

An article from one of my favorite general information sites, makeuseof.com: 25 Cool Windows 7 Keyboard Tricks That Will Impress Your Friends.
In this article, I discovered the Windows Mobility Center, which provides useful commands for your laptop in a small window (Volume, WiFi, Presentation settings...). It can be accessed with [Windows] + [X].


New webinar on MS Project 2010

New York City MPUG chapter presents WebnLearn: Harnessing the Power of New Features of MS 2010 (1 PDU); Nov. 23, 2010 18:00 (CET). Register here.


Teaser from MPUG:
Dale Howard, noted author, speaker, and Microsoft Project MVP, will present Harnessing the Power of the New Features in Microsoft Project 2010. In this lively presentation, Dale will show you how to harness the power of some of the new features included in the Microsoft Project 2010 desktop application, including the following:
• Customizing the Ribbon and the Quick Access menu
• Using a Highlight filter
• Using Manually Scheduled tasks to plan for undefined tasks
• Using the Inactivate feature to cancel an unnecessary task
• Using, formatting, and exporting the Timeline view
• Creating a custom field using the Add New Column virtual column
