Answered Administrative Authority

mrcapture (New member; joined Aug 1, 2020; 4 messages; programming experience: 10+)
I am performing file operations that require administrator permission in a Windows 10 environment, for example adding and deleting files in the C: directory. In this case, the user also needs to give Windows UAC approval for the application. Anti-virus programs can do the same and do not ask the user for UAC approval every time. So how does anti-virus software do this? Can you help me with the method? I use C# as the development language.
 

 
You will want to run your service as a system user. This way it has unrestricted access to the system. This is what AVs do. Make sure your service is secured and used in conjunction with an application that acts as its controller, and only run your service when your application requires it for managing files on the system. To ensure only your application can be the controlling hand behind your service, you will need to use the ServiceBase.CanStop Property (System.ServiceProcess) to prevent users from interrupting your service while your application's controller has started the service. Any questions?

Ps, welcome to the forum.
 
Actually, instead of using a system account, why not create your own user account for the application/service you are running and create your own permissions, as such, only adding the permissions your application needs. This saves on preventing vulnerabilities.
 
The ServiceBase.CanStop Property (System.ServiceProcess) and creating my own user account gave me new perspectives. Thank you so much.

When I think of it as a WinForms application and put this application in Windows startup, the UAC question becomes a problem at every boot.

I tried to create a service that starts with Windows and starts the WinForms app, which is a desktop interaction with this service, but the application did not start with any kind of administrator privileges.

I think I have to plan the engine, which would do the job as a service, as a method. Now it will be a waste of time to return, but if you have no other advice, I will have to change it again in order to solve this.
 
A common way to do this with interactive programs is to use Task Scheduler in Windows and add the program with "Run with highest privileges"; the task can be set to run at system startup.
 
Seems you skipped a couple of chapters on what I was advising you to do. A user must set the user credentials to a user with the permissions needed to run the task. So the user of your application needs to log in with your application, and that user must also have the local policy set to allow the user to run system files. If you don't log in with your service, then your service will be assigned an S4U user account. This is not what you want. Your application is only a controller for the service to issue the service commands.

Those commands will need a user account with the appropriate permissions required for the actions you want it to perform. It's going to take you a few days to code all this up, so coming back overnight and saying it didn't work confirms that you didn't follow the advice to the letter. Regarding "Run with highest privileges": this only allows you to obtain a different security token, which is inherited by the Administrator account for Windows. It doesn't grant higher permission for the user. This is why I suggested you create your own system user or a user with the permissions you need to execute commands from your service.
 
I tried to create a service that starts with Windows and starts the WinForms app, which is a desktop interaction with this service, but the application did not start with any kind of administrator privileges.
I believe that starting with Windows XP, desktop interaction by a Windows service was severely neutered by Microsoft to prevent exactly what you were trying to do. Follow @Sheepings' advice which is to install the service once. That installation will require UAC, but only at install time. Then when your WinForms is running, have it communicate with the service to get it to do any privileged operations.

This is how the Windows Installer works. Part runs as the current user, and then when any privileged operations are needed, it passes them off to the installer service. You may go: but when I try to install an .MSI, I sometimes get a UAC prompt. That is mostly to give the user a notification that part of the install needs admin rights. The work to do the admin install is actually done by the service, not the installer. (For the sake of completeness: the installer service actually checks the privileges of the caller to make sure that the caller has the correct rights, since it does not know who may call it, hence the need for UAC from the caller.)

In your case, you need to come up with your own security scheme to make sure that your service is not abused. This was also advised by @Sheepings above.
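One shape that "security scheme" can take, as an added example written for this thread and not code from any of the posters: a worker inside the service that takes a single file request from the controller over a named pipe, restricts who may connect with a pipe DACL, re-checks the connected identity, and refuses any path outside one allowlisted directory. It assumes .NET Framework and the constructed names MyCompanyAgent, C:\ProgramData\MyCompanyAgent\ and MYDOMAIN\agent-controller; on .NET 5 and later the ACL-bearing pipe is created with NamedPipeServerStreamAcl.Create instead of the constructor used here.

```csharp
using System;
using System.IO;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
// Hypothetical worker inside the service process: the controller connects to the pipe and
// asks for one file operation; the service checks caller and path before using its rights.
static class PrivilegedFileWorker
{
    // Constructed values: the only directory the service touches, and the controller's expected account.
    const string AllowedRoot = @"C:\ProgramData\MyCompanyAgent\";
    const string ControllerAccount = @"MYDOMAIN\agent-controller";
    // Handles one request "VERB|path", e.g. "DELETE|C:\ProgramData\MyCompanyAgent\old.log".
    public static string HandleRequest(string caller, string line)
    {
        if (!string.Equals(caller, ControllerAccount, StringComparison.OrdinalIgnoreCase))
            return "DENIED: unexpected caller " + caller;
        string[] parts = (line ?? "").Split(new[] { '|' }, 2);
        if (parts.Length != 2) return "DENIED: malformed request";
        // Canonicalize before comparing so "..\" or mixed separators cannot escape the root.
        string path = Path.GetFullPath(parts[1]);
        if (!path.StartsWith(AllowedRoot, StringComparison.OrdinalIgnoreCase))
            return "DENIED: path outside allowed root";
        switch (parts[0].ToUpperInvariant())
        {
            case "CREATE": File.WriteAllText(path, ""); return "OK";
            case "DELETE": File.Delete(path); return "OK";
            default: return "DENIED: unknown verb " + parts[0];
        }
    }
    public static void ServeOnce()
    {
        // Pipe DACL: only the controller account may connect; the kernel refuses everyone else.
        var security = new PipeSecurity();
        security.AddAccessRule(new PipeAccessRule(ControllerAccount,
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        using (var server = new NamedPipeServerStream("MyCompanyAgent", PipeDirection.InOut, 1,
            PipeTransmissionMode.Byte, PipeOptions.None, 4096, 4096, security))
        {
            server.WaitForConnection();
            // Second check: the identity that actually connected, independent of the DACL.
            string caller = null;
            server.RunAsClient(() => caller = WindowsIdentity.GetCurrent().Name);
            var reader = new StreamReader(server);
            var writer = new StreamWriter(server) { AutoFlush = true };
            writer.WriteLine(HandleRequest(caller, reader.ReadLine()));
        }
    }
}
```

The WinForms controller connects with a NamedPipeClientStream, writes one "VERB|path" line and reads the verdict back; the service never performs an operation the controller merely names without both checks passing.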
 
For example, adding and deleting files to the c: directory.
Out of curiosity, why are you even trying to do this? The Windows guidelines are such that you shouldn't even be creating anything in the drive root without the user's permission. It's not 1980 anymore, when the user's machine was the application's playground. Now it's the user's machine, and you are supposed to respect that. What exactly is your application supposed to do?
 
Actually, if you are running an application which requires adding files to a user's system, you would use %appdata% or %programdata%. In fact, if you look at ProgramData, you can see that it's specifically for this purpose. So if you want to continue adding files to the root drive, then I can only conclude you must be doing something you should not. There is a reason why recursion of root files and modifying root files in the root directory is prohibited by Windows security principles. Now I'm curious why you want to circumvent that?

I should have asked this first but what is your application for, and what purpose does it serve?
 
I am preparing an application that will centrally manage computers on local networks. An application to perform internal business tasks. I perform these tasks using winform. In this way, I was aiming to show the transactions to the end user. Generally, many tasks are within the authority of the user, but some tasks require administrator permission.

Thank you for all your advice. As a result, there must be a service that will do the job. I have to use winform to show the tasks to the end user. I have to create a separate user for the service. I must assign the necessary privileges to the user I created.

In fact, I knew before writing here that this method was the only logical method. However, I was hoping that I might get a practical method recommendation that would not throw me back in my studies.
 
I'd be taking this issue up with your management if I were you.

I wonder whose bright idea it was to store business information at the root of a drive, and then try to map the whole drive by its root location. Your plan from the word go is halted by the people administrating your network, who clearly never got trained on Windows directory/file management and networking 101. That's why we use shared folders. But did you know Microsoft provides products for these types of setups? Right? If you're dealing with idiots, then your job will likely be very difficult from the get-go. It's important that your administrators know your requirements for your company's project are being halted by their incompetence to use appropriate network directories. They are treating the network setup like we are still running Windows 98 or something.

Sounds like a bad setup. All of this could be avoided if they would use networking paths not relative to the root of a hard drive. My my...
 