Win C#: Run app as administrator without UAC prompt

30,432

Solution 1

Of course what you are supposed to do if you want to just drive UI is to use the UI access flag in your manifest (see http://msdn.microsoft.com/en-us/library/ms742884.aspx). If you install your application in a trusted location (e.g. system32) and it is signed (bleh!) then when you run your application it will be elevated to high (for an admin account).

The signing requirement makes it slightly annoying but at least it reduces slightly the attack surface as your code gets run with high integrity but not with an administrator token.
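A start-up check for what this answer describes, as an added example that is not part of the original answer: it reports whether the current process token carries the UIAccess flag, its integrity level, and whether the Administrators role is active. It assumes the application manifest sets `uiAccess="true"` on `requestedExecutionLevel`; the class name `TokenCheck` and the 64-byte buffer size are choices made for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenCheck
{
    // TOKEN_INFORMATION_CLASS values from winnt.h
    const int TokenIntegrityLevel = 25;
    const int TokenUIAccess = 26;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int infoLength, out int returnLength);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    // Reads one token information class into a 64-byte buffer (assumption of this
    // example: large enough for a DWORD and for a single-RID integrity label).
    static IntPtr Query(IntPtr token, int infoClass)
    {
        IntPtr buffer = Marshal.AllocHGlobal(64);
        int needed;
        if (GetTokenInformation(token, infoClass, buffer, 64, out needed)) return buffer;
        int error = Marshal.GetLastWin32Error();
        Marshal.FreeHGlobal(buffer);
        throw new Win32Exception(error);
    }

    static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            IntPtr ui = Query(id.Token, TokenUIAccess);          // DWORD, non-zero if set
            IntPtr label = Query(id.Token, TokenIntegrityLevel); // TOKEN_MANDATORY_LABEL
            try
            {
                bool uiAccess = Marshal.ReadInt32(ui) != 0;
                IntPtr sid = Marshal.ReadIntPtr(label);          // Label.Sid is the first field
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                int rid = Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
                bool admin = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
                // Integrity RIDs: 0x2000 = medium, 0x3000 = high, 0x4000 = system
                Console.WriteLine("UIAccess={0} IntegrityRid=0x{1:X} AdminRole={2}", uiAccess, rid, admin);
            }
            finally { Marshal.FreeHGlobal(ui); Marshal.FreeHGlobal(label); }
        }
    }
}
```

Logging these three values at start-up shows whether the signed, trusted-location install actually produced the UIAccess token rather than a fully elevated one.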

Solution 2

If it were possible to do this, then UAC would be completely ineffective. The inability of applications to elevate themselves without user consent is the fundamental principle behind UAC.

Aside from already having an elevated process that launches it (i.e. service or task scheduler), the answer is no, it can't be done.

Author by

Paya

Updated on January 23, 2020

Comments

  • Paya
    Paya over 4 years

    I need one of my .exe to always run as administrator without UAC prompt. My program will be installed with setup, which will have for one time admin rights, and I need to perform such step in this setup that my exe will be always executed as admin without UAC prompt.

    I've found 2 solutions so far:

    1. Use custom service, which will elevate the program for me.

    2. Use Task Scheduler.

    Is there any other solution? Some manifest probably?

    Thanks.

  • Karl
    Karl about 14 years
    Sounds like someone wants to write a virus.
  • Andras Vass
    Andras Vass about 14 years
    +1 Just as @Aaronaught wrote, a design goal of UAC is to not provide a way for applications to circumvent the prompts.
  • Aaronaught
    Aaronaught about 14 years
    @Karl: I don't presume to know his motivation - lots of legitimate software products try to do similarly obnoxious things that Windows explicitly prohibits, like steal focus or install shortcuts in the Quick Launch. Of course, such programs usually crash and burn when there's anything "non-standard" about the installation like directory structure or language.
  • Paya
    Paya about 14 years
    No I don't want to write a virus :-D I need elevated application since I'm writing automation application which will send clicks to apps, and I need admin rights if I want to click in elevated processes. But I don't want to bother the user with prompts. I've solved it using the service, which gets installed with the setup, however I would like some more elegant solution not requiring service, because service adds additional complexity to the program.
  • Paya
    Paya about 14 years
    @Aaronaught: Well I don't want the app to elevate itself or break any UAC rules, I just need the setup to perform such steps, that the app will get always elevated. The setup will be elevated, so it CAN perform such steps, as installing the service or using task scheduler. I'm just looking for other solutions...
  • Amber McCoic
    Amber McCoic about 14 years
    The only other solution is to turn off UAC but DO NOT go that way.
  • Paya
    Paya about 14 years
    I would never want to turn off the UAC. If there is no other way, then the service or task scheduler will be good.
  • Aaronaught
    Aaronaught about 14 years
    @Paja: That's fair, as I said, I'm not questioning your motives. Nevertheless, UAC has just one main "rule", which is that a request for elevation always brings up a protected UAC prompt. If applications could selectively turn this off for themselves during their installations, then (a) every application would do it, thus rendering UAC ineffectual, and (b) it would constitute a serious security hole, as hostile programs could take advantage of programs on the safe list. That is why it's simply not allowed; the only workaround is to already be elevated when you launch the program.
  • Paya
    Paya about 14 years
    @Aaronaught: But every application installed by elevated setup CAN turn UAC off for that application, by using custom service, which will automatically elevate the program.
  • Aaronaught
    Aaronaught about 14 years
    @Paja: As you must have realized if you already went with that approach, it's not nearly as simple as that. Designing a service to do this that is both secure and reliable is not simple, and even when done correctly, the entire system will break if the user disables the service (which can be done at any time). I personally would be loath to install any application that did this, but in a corporate environment it might be OK.
  • tyranid
    tyranid about 14 years
    So you would be loath to install pretty much any modern AV product? As they almost certainly have an update service which can gain elevated privileges to run certain things which has been shown in a number of cases to contain bugs which actually weaken the machine (oh the irony :P)
  • Paya
    Paya about 14 years
    Thank you very much. This looks very interesting. I would sign my app anyway in the future. And if I would get higher integrity level without admin token, that's exactly what I need.
  • Aaronaught
    Aaronaught about 14 years
    @tyranid: I dislike A/V products intensely, and not for only that reason, but I think we're getting a little off-topic here. When you install an A/V product, you expect it to run as a service with local system privileges; however, you don't expect an application to sneak a service onto your system in order to bypass the UAC prompt when running with elevated privileges. That's distinctly malware-like behaviour, which again, might make sense in a locked-down corporate environment but would almost certainly be unacceptable for a retail application.
  • Paya
    Paya about 14 years
    BTW I've found very cheap COMODO certificates here: secure.ksoftware.net/code_signing.html
  • mrid
    mrid almost 4 years
    @Paya can you please help me out a little? How did you manage to start a process from service? I'm developing a C# service and the process start part just won't work. There are no errors in event log, but the process just doesn't start.