Giving Application Elevated Uac

Giving application elevated UAC

You don't need to meddle with all that to make sure that your application always runs with elevated privileges. You can simply add an application manifest which instructs Windows to run your app elevated, and the UAC prompt will appear without you needing to write a single line of code.

There's a related question with an answer that also describes how to add a manifest here: How can I embed an application manifest into an application using VS2008?

Disable Vista UAC per-application, or elevate privileges without prompt?

Generally this problem solved by installing a Windows Service which runs as SYSTEM or an admin account. Then your application can request the privileged action from this service.

Obviously to not pose a security threat ensure that your service can't run arbitrary code or something which might leave the all users vulnerable to privilege escalation attacks.

Winpcap and most of the other sniffing applications use a similar design to give sniffing access to unprivileged users.

How to display UAC prompt for file save to restricted location using c#?

You need to do what Windows does. And spawn a new process which will run with elevated rights. There are no shortcuts here. The token that is allocated when a process starts is what determines what rights the process has. That token cannot be changed after the process has started. If you need to elevate, you need a new process.

I've seen lots of answers around this topic that involve spawning a new process with elevated privileges using 'runas'. Also, it seems like this can be done by impersonating another user. From what I understand, both of those methods require a user to provide user credentials.

No that's not the case. If the current user is not an admin, then the UAC dialog will prompt for new credentials of a user that does have admin rights. That's the over-the-shoulder UAC dialog. On the other hand, if the current user is an admin then they just get the consent dialog. That's the dialog that's shown on the secure desktop and just asks for you to click Continue.

The one thing that Windows components can do that you cannot is start a process elevated without showing you the consent dialog. That happens on Windows 7 only (not on Vista), and only if you have the UAC setting at the new Default setting that was added in Windows 7. That's how Explorer is able to show the dialog that you included in the question and then start an elevated process to do the copying without showing the consent UAC dialog. Only Windows components are granted that ability.

But the bottom line is that you need to start a new process that runs elevated. Using the runas verb is the canonical way to do it.

How do I elevate my UAC permissions from Java?

According the accepted answer to this SO question, you cannot change the UAC permissions of a running process.

According to the answers to this SO question, possible ways to launch a process with elevated permissions are:

create a wrapper to launch the JVM (with the appropriate arguments!) with a windows manifest that requests raised privileges, or
use the application linked to the 2nd answer to run the JVM with raised privileges.

How can I auto-elevate my batch file, so that it requests from UAC administrator rights if required?

You can have the script call itself with psexec's -h option to run elevated.

I'm not sure how you would detect if it's already running as elevated or not... maybe re-try with elevated perms only if there's an Access Denied error?

Or, you could simply have the commands for the xcopy and reg.exe always be run with psexec -h, but it would be annoying for the end-user if they need to input their password each time (or insecure if you included the password in the script)...

Is there an API call to prompt user for UAC elevation?

If you don't want to elevate your entire app, you have a few options:

spawn a separate elevated process just to access the file. Use ShellExecute/Ex() with the runas verb, or CreateProcessElevated(), to run a second copy of your app, or another helper app, with command-line parameters to tell it what to do. The main process can wait for the second process to exit, if needed.
create a COM object to access the file, and then use the COM Elevation Moniker to run the COM object in an elevated state.
prompt the user for credentials using CredUIPromptForCredentials() or CredUIPromptForWindowsCredentials() (see Asking the User for Credentials for more details), then logon to the specified account using LogonUser() to get a token, impersonate that token using ImpersonateLoggedOnUser(), access the file as needed, and then stop impersonating using RevertToSelf() and close the token with CloseHandle().

Need to elevate permissions without UAC pop ups

Doing so would violate the basic principle of User Access Control.

There is no way to elevate permissions while avoiding the prompts, by design. If there was a way to do this, UAC would become useless.

That being said, you could try to design around the issue. Instead of making your program a startup/system tray application, you may want to consider making a windows service that does the update. This could run as an administrator on boot (instead of login), and it would already run with elevated permissions.

If you need a system tray application, it could be a separate app that "talks" to the service.

Rights elevation with UAC

Edited the NSIS script to include this line:

AccessControl::GrantOnFile \"$INSTDIR" "(S-1-5-32-545)" "FullAccess"

This gave the User account full access to the application folder within Program Files, meaning my patcher could write to it without any problems.

How to enable drag and drop between normal & UAC elevated privileges applications

You can change the UIPI filter on the window of the privileged application by using ChangeWindowMessageFilterEx to let file drag&drop related messages be received. WM_DROPFILES is the most obvious one, WM_COPYDATA is another one. There's also an undocumented message involved: $0049, you'll find sometimes it is referred to as WM_COPYGLOBALDATA. In fact a search on the last one, I believe, will reveal some code examples related with your question.

Giving Application Elevated Uac