Il est bien plus beau de savoir quelque chose de tout que de savoir tout d'une chose. [Blaise Pascal]

Change privilege level of a Windows application

17 comments
As part of my preparation for the first exam, I discovered some features I didn’t know yet. As usual, the best way for me to remember them is to write a short review. Cheat sheet inside...
Today, the subject is: Security and privilege elevation… tada…

I will not care about the WHY this is needed, just about the HOW. By default, any .net application run as current user (invoker) and does not check any security level. Let’s imagine that we have to develop an application that needs to modify registry or add/update files in %ProgramFiles%. The invoker should be part of the local admin group or the application should not start.

This is this new pop up we discovered with Windows Vista and now in Windows 7.


Quick Note:
How to take a screenshot of the User account control pop up? Seems to be a stupid question, but try it and with default configuration, this is not possible. Here is how to do it:
You have to configure UAC to not switch to the secure desktop, and then you'll be able to take a screenshot of the UAC prompt.
Run Secpol.msc as administrator, expand Local Policies, Security Options, policy "User Account Control: Switch to the secure desktop when prompting for elevation", set to "Disabled". It is recommended to revert the changes after you've taken the screenshots.

After this quick note, let’s go back to our business. On your Windows application, add a new file called Application Manifest File. This will create app.manifest.


The default configuration of the manifest below shows: requestedExecutionLevel level="asInvoker", meaning that the application runs with the same privilege as the calling application.
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

If you want that the application request administrator privilege to be launched, replace the previous config. by the one below, with requestedExecutionLevel level="requireAdministrator"

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

Note that with requireAdministrator as the level attribute parameter, the .exe icon changes, note the small windows shield icon.

To summarize, the three different values for the level attribute:
  1. requireAdministrator: The application must be started with Administrator privileges; it won't run otherwise.
  2. highestAvailable: The application is started with the highest possible privileges.  If the user is logged on with an Administrator account, an elevation prompt appears. If the user is a Standard User, the application is started (without any elevation prompt) with these standard privileges.
  3. asInvoker: The application is started with the same privileges as the calling application.

17 comments :

  1. Just had this question in the exam today, didn't know but got it right !!!
    Cheers, John

    ReplyDelete
    Replies
    1. IEEE Final Year projects Project Center in Chennai are consistently sought after. Final Year Students Projects take a shot at them to improve their aptitudes. Final Year Project Domains for IT

      JavaScript Training in Chennai

      JavaScript Training in Chennai

      The Angular Training covers a wide range of topics including Components, project projects for cse. Angular Training

      Delete
  2. i will like to have the two system in computer vista/ win 7 what should i do

    Windows tips and tricks

    ReplyDelete
  3. Great article! Really very useful for developing my knowledge and I hope more valuable details
    from your post. Thanks for your good job.

    Guest posting sites
    Technology

    ReplyDelete
  4. Thanks for the blog filled with so many information. Stopping by your blog helped me to get what I was looking for. Now my task has become as easy as ABC. saiba como baixar Lulubox apk 2020

    ReplyDelete
  5. Thanks for informative post, keep updated with a new info. love to know about new thing.
    spiritual ways to attract money

    ReplyDelete
  6. NorthShield Windows and Doors offers a wide selection of high-quality windows and doors. Among other features, our products offer the latest in security, durability, and design. We are homeowners too, that’s why we work within your style preferences to find exactly what you need and provide you with durable products that will keep your home safe.Windows replacement

    ReplyDelete
  7. I found that site very usefull and this survey is very cirious, I ' ve never seen a blog that demand a survey for this actions, very curious... recruitment software

    ReplyDelete
  8. Excellent and very exciting site. Love to watch. Keep Rocking. satta king

    ReplyDelete
  9. Nice to read your article! I am looking forward to sharing your adventures and experiences. satta king

    ReplyDelete