It is far better to know something about everything than to know everything about one thing. [Blaise Pascal]

Change privilege level of a Windows application

As part of my preparation for the first exam, I discovered some features I didn’t know yet. As usual, the best way for me to remember them is to write a short review. Cheat sheet inside...
Today, the subject is: Security and privilege elevation… tada…

I will not cover WHY this is needed, only HOW. By default, any .NET application runs as the current user (the invoker) and does not check any security level. Let’s imagine that we have to develop an application that needs to modify the registry or add/update files in %ProgramFiles%. The invoker should be part of the local admin group, or the application should not start.

This is the new pop-up, the User Account Control prompt, that we discovered with Windows Vista and now in Windows 7.


Quick Note:
How do you take a screenshot of the User Account Control pop-up? It seems like a stupid question, but try it: with the default configuration, it is not possible. Here is how to do it:
You have to configure UAC to not switch to the secure desktop, and then you'll be able to take a screenshot of the UAC prompt.
Run Secpol.msc as administrator, expand Local Policies, then Security Options, and set the policy "User Account Control: Switch to the secure desktop when prompting for elevation" to "Disabled". It is recommended to revert the change after you've taken the screenshots.

After this quick note, let’s go back to our business. In your Windows application project, add a new item of type Application Manifest File. This will create app.manifest.


The default manifest, shown below, contains requestedExecutionLevel level="asInvoker", meaning that the application runs with the same privileges as the calling application.
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

If you want the application to request administrator privileges when it is launched, replace the previous configuration with the one below, which uses requestedExecutionLevel level="requireAdministrator":

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

Note that with requireAdministrator as the value of the level attribute, the .exe icon changes: it now shows the small Windows shield icon.

To summarize, the three different values for the level attribute:
  1. requireAdministrator: The application must be started with Administrator privileges; it won't run otherwise.
  2. highestAvailable: The application is started with the highest possible privileges. If the user is logged on with an Administrator account, an elevation prompt appears. If the user is a Standard User, the application is started (without any elevation prompt) with these standard privileges.
  3. asInvoker: The application is started with the same privileges as the calling application.
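
As an added example (not part of the original post), here is a small Python check that reads an app.manifest and reports the declared requestedExecutionLevel, which is useful when reviewing which executables in a build ask for elevation. The function name audit_manifest, the wording of the findings and the embedded sample are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# The three level values summarized in the post.
KNOWN_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed sample input: the requireAdministrator manifest from the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>"""


def audit_manifest(manifest):
    """Return (level, ui_access, findings) for one manifest (str or bytes)."""
    data = manifest.encode("utf-8") if isinstance(manifest, str) else manifest
    root = ET.fromstring(data)
    # Compare local names only: the element's namespace depends on where
    # xmlns is declared (asm.v2 on trustInfo, asm.v3 on requestedPrivileges).
    nodes = [e for e in root.iter()
             if isinstance(e.tag, str)
             and e.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel"]
    if not nodes:
        return None, None, ["no requestedExecutionLevel declared"]
    findings = []
    if len(nodes) > 1:
        findings.append("more than one requestedExecutionLevel element")
    level = nodes[0].get("level")
    ui_access = (nodes[0].get("uiAccess") or "").strip().lower() == "true"
    if level not in KNOWN_LEVELS:
        findings.append(f"unexpected level value: {level!r}")
    elif level != "asInvoker":
        findings.append(f"elevation requested: {level}")
    if ui_access:
        findings.append("uiAccess is true")
    return level, ui_access, findings


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

An empty findings list means the manifest declares asInvoker with uiAccess set to false, the default configuration shown earlier.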

21 comments :

  1. Just had this question in the exam today, didn't know but got it right !!!
    Cheers, John

  2. I will like to have the two systems in computer, Vista/Win 7. What should I do?
