Monday, April 27, 2009

Create Manifest for Vista UAC if Not Running Under Administrative Rights

From a developer perspective, Windows Vista's UAC can be problematic for some parts of your Delphi application if the application is not being run by an administrator. One such operation is writing to the Registry database.

Learn how to "request admin rights" by creating an application manifest file....

Windows Vista - User Account Control
User Account Control is a security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As.
To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature.

From a developer perspective the following UAC features are important:

  - All processes are started as Standard User by default
  - A Standard User cannot:
    - Change files in Program Files folders
    - Change files in Windows or System32 folders
    - Change registry under HKLM\Software
    - Change the local machine's date and time
    - ...the list continues...

Programmatically Edit Registry to Run Your Delphi Application on Windows Startup
By programmatically editing the Windows Registry, using the TRegistry object, you can "automagically" start programs whenever Windows launches.
The procedure you can use to force "auto-run-on-Windows-startup" for your application might look like:

// Requires Windows and Registry in the unit's uses clause.
procedure RunOnStartup(const sCmdLine: string; bRunOnce: Boolean = False; Remove: Boolean = False);
var
  sKey: string;
  Section: string;
const
  ApplicationTitle = 'Your Application TITLE';
begin
  // Use the RunOnce key when the entry should fire only at the next startup
  if bRunOnce then
    sKey := 'Once'
  else
    sKey := '';

  Section := 'Software\Microsoft\Windows\CurrentVersion\Run' + sKey + #0;

  with TRegIniFile.Create('') do
  try
    // HKLM is machine-wide; a standard user cannot write here under UAC
    RootKey := HKEY_LOCAL_MACHINE;
    if Remove then
      DeleteKey(Section, ApplicationTitle)
    else
      WriteString(Section, ApplicationTitle, sCmdLine);
  finally
    Free;
  end;
end;


On Vista, if the user running the application does not have admin rights the above code would fail, due to UAC!

Faking UAC Rights - How to Request Execution Level

Even if the user running the above code is not an admin, you can, as a developer, arm your application with a special kind of embedded resource: an application manifest file.

Having the manifest file makes Vista's UAC request elevation when the application starts, so that your code is allowed to execute with administrative rights.

Here are the steps:


  1. Create an XML file with the following content:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.1.1.1"
        processorArchitecture="X86"
        name="YourApplicationExeName"
        type="win32"/>
      <description>elevate execution level</description>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>

  2. Name this XML file YourApplicationName.manifest
  3. Create a text file with the following content:

    1 24 "YourApplicationName.manifest"


  4. Name this text file YourApplicationName.RC
  5. Using the command line, execute the following command:

    brcc32 YourApplicationName.RC -foYourApplicationName.REC

    This will create a new resource file called YourApplicationName.REC


  6. Copy this YourApplicationName.REC file into the resource path of your application.
  7. Include this resource file in the DPR of your application, like this:

    {$R YourApplicationName.REC}


  8. Finally, build your application - it is now ready to get admin rights on Windows Vista.

Note 1: in the above steps, replace "YourApplicationExeName" with your actual application name.

Note 2: Above steps create a resource file to be stored inside the EXE file of your application. More on .
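A check for the manifest from step 1 before it is compiled with brcc32, as an added example that is not part of the original post: it parses the XML, so a mistyped tag is reported, and returns the requested execution level. The function name check_manifest, the two sample strings and the acceptance of an asm.v3 trustInfo namespace are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
# trustInfo uses asm.v2 on this page; asm.v3 is also seen in other manifests.
TRUST_NS = ("urn:schemas-microsoft-com:asm.v2", "urn:schemas-microsoft-com:asm.v3")
LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}
PATH = "{%s}trustInfo/{%s}security/{%s}requestedPrivileges/{%s}requestedExecutionLevel"

# Constructed sample: the manifest from step 1 with both opening tags closed.
GOOD = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.1.1.1" processorArchitecture="X86"
                    name="YourApplicationExeName" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""
# Constructed sample: the same text with a '">' typo on the <assembly> tag.
BROKEN = GOOD.replace('manifestVersion="1.0">', 'manifestVersion="1.0]')


def check_manifest(xml_text):
    """Return (level, ui_access, problems) for a manifest given as a string."""
    try:
        root = ET.fromstring(xml_text.strip().encode("utf-8"))
    except ET.ParseError as exc:
        return None, None, ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "{%s}assembly" % ASM_V1:
        problems.append("root element is not an asm.v1 <assembly>")
    if root.get("manifestVersion") != "1.0":
        problems.append("manifestVersion is not 1.0")
    # Look for requestedExecutionLevel under either trustInfo namespace.
    nodes = [n for ns in TRUST_NS for n in root.findall(PATH % ((ns,) * 4))]
    if len(nodes) != 1:
        problems.append("expected one requestedExecutionLevel, found %d" % len(nodes))
        return None, None, problems
    level, ui = nodes[0].get("level"), nodes[0].get("uiAccess")
    if level not in LEVELS:
        problems.append("unknown level: %r" % level)
    if ui not in ("true", "false"):
        problems.append("uiAccess must be true or false, got %r" % ui)
    return level, ui == "true", problems


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, check_manifest(text))
```

An empty problems list together with the level you intended means the file is ready for step 5.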

How to Automate the Above "Create Manifest" Process

To help you automate the process I have written a small program that does all the dirty work for you.

1 comment:

PaulStogov said...

I think you should check spelling. Correct xml file is:




elevate execution level