Summary of Methods for Improving UAC permissions in. NET

[Digress]

Since Vista, The UAC (User Account Control) function has been added, so that the administrator User does not have the administrator privilege to Control all functions at ordinary times, therefore, when calling many important functions, you need to increase the permissions. Sometimes a program to be written needs to call this type of permission, which can be upgraded before running or after running. Here we will sort it out as follows.

 

[Article Index]

 

[1. Privilege Escalation before running the program]

If the entire program requires the Administrator permission (or even the content displayed on the main interface requires the Administrator permission), the Administrator permission can be upgraded when the program runs, just like most installers. Generally, you can set the manifest file to improve the permission when running the program. You can add the "Application List file" to the project. After adding the file, a file shown in is generated. In addition, you can select project Properties, go to the "Security" tab, select "enable ClickOnce Security Settings", and an app will be generated under the "Properties" directory of the project. manifest file.

Value

Description

Comment

AsInvoker

The application runs with the same access token as the parent process.

Recommended for standard user applications. Do refractoring with internal elevation points, as per the guidance provided earlier in this document.

HighestAvailable

The application runs with the highest privileges the current user can obtain.

Recommended for mixed-mode applications. Plan to refractor the application in a future release.

RequireAdministrator

The application runs only for administrators and requires that the application must be launched with the full access token of an administrator.

Recommended for administrator only applications. Internal elevation points are not needed. The application is already running elevated.

The difference is that highestAvailable is executed based on the permissions that can be obtained by the current account, while requireAdministrator is run as an administrator with full permissions. If the current account is an administrator account, both of them can obtain the administrator permissions by improving the permissions. If the current account is Guest, in this case, highestAvailable directly runs without permission escalation, while requireAdministrator allows users to enter passwords of other administrator accounts to escalate permissions.

ProcessStartInfo psi = psi. FileName = psi. Verb =}

Of course, the same is true for running other programs.

In addition, we may need to draw the UAC shield icon on this button or menu. In fact, the system has provided this method.

 [DllImport(, CharSet = CharSet.Auto, SetLastError =      SendMessage(IntPtr hWnd, UInt32 Msg,     UInt32 BCM_SETSHIELD = ;

During the call, you only need to set the FlatStyle of the button to System, and then use the following code. If the last item is set to 0, the UAC shield icon will be removed.

 SendMessage(button1.Handle, BCM_SETSHIELD, , (IntPtr));

However, if you want to draw the UAC shield icon on the menu or the WPF Button, you cannot do this. Fortunately, we can still get the System icon. If you don't want to discard it, you can use it. NET built-in System. drawing. systemIcons. shield, in fact many software use this icon, the source image is as follows (32 × 32 ):

[DllImport (, SetLastError = Int32 SHGetStockIconInfo (SHSTOCKICONID siid, SHGSI uFlags, SHSTOCKICONID: SIID_SHIELD = SHGSI: SHGSI_ICON = struct = [structlayoutkinattribute. sequential, CharSet = [financialas (UnmanagedType. byValTStr, SizeConst =}

Then you can set the UAC shield icon to the menu by calling the following:

 SHSTOCKICONINFO iconInfo =  iconInfo.cbSize = SHGetStockIconInfo(SHSTOCKICONID.SIID_SHIELD, SHGSI.SHGSI_ICON | SHGSI.SHGSI_SMALLICON,  Icon icon =  menu.Image = icon.ToBitmap();

In the figure, menu1 is the System. Drawing. SystemIcons. Shield used. menu2 obtains the icon through shell32.dll. button1 is the UAC icon directly displayed by SendMessage.

Boolean afterVista = (Environment. OSVersion. Platform = PlatformID. Win32NT & Environment. OSVersion. Version. Major> = );

 

3. determine the current permission in the program]

To determine whether the System is running as an administrator, you only need to reference the namespace "System. Security. Principal", and then you can use the following code to determine whether the System is running as an administrator.

 WindowsIdentity identity = WindowsPrincipal principal =  Boolean isRunasAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);

In addition to obtaining whether the current user is running as an administrator, you can also use DllImport to obtain whether the current user is an administrator user and whether the current process has elevated permissions (only for Vista and later versions, for details, see the code in link 2.

 

[Related link]