Question How do I run c# application as published user within UAC dialog

Kamen

Active member
Joined
Nov 30, 2020
Messages
28
Programming Experience
1-3
You can read from Program Files without admin rights.

You can change Time Zones without being an admin. Do you really need to change the time when modern Windows actually synchronizes itself with NTP servers which use atomic clocks to keep time?

The correct thing to do is to get the UAC only at the time when you are trying to do something that actually requires admin rights, at the time when you need it. You don't want to always be running as admin. By always running as admin, you open up the attack surface for viruses. A virus will just have to inject itself into your app instead of trying to inject itself into other more well-known apps/processes which are more actively monitored by AV software and/or Windows Defender.

Please follow the Windows Guidelines with regards to UAC:
Hello.
Thanks for your kind help.
I made my C# app run as an administrator using process reference instead of the requireAdministrator executionLevel. So my app runs at startup and I can write files and change the system time.
By the way, my app still has a problem. It seems to be a UAC problem.
Whenever my app starts on Windows 10 64-bit, an "unknown publisher ..." message pops up.
I attached a screenshot of the message. If I set the UAC level to the lowest (never notify) in the UAC settings, I never get this message, but I want to keep the level and prevent this message.
Can you help me with this?
 

Solution
I understand now. Nowhere in this thread or in your original thread did you ever mention that your app would be running on an offline PC and that it would never sync online. How were we supposed to figure out that you had those 1990's style constraints on a modern app running on Windows 10?

Anyway, so I am guessing that the reason why you want to be able to set the time is because the machine is locked down, and so you want a way for the user to update the time when the clock does drift, but without having to enter the admin password required by the UAC dialog.

My suggestion is to break up your app into two parts. Part runs as Windows service which gets installed and runs with system rights, or as user with admin rights. Windows...

Skydiver

Staff member
Joined
Apr 6, 2019
Messages
3,175
Location
Chesapeake, VA
Programming Experience
10+
Just like in web development when you call back to the backend (usually using a web service call) to get a write or read into a database, the same thing is what will happen for your desktop app. In the case of web development, you don't want the database credentials living on the front end. You don't want your database sitting exposed to the world. You keep the database behind the firewall, and have a web service that can reach back behind the firewall using the database credentials that should (hopefully) be securely only in the web service. Your non-elevated app is the front end. Your Windows service is your backend. You need to send a message to the backend.

Start off with a simple Windows service that just waits for the existence of a file as your "message" for it to do something. Once you get that working, have the service actually read the contents of the file to determine whether it should do something. Once you get that working, work out some authentication scheme to ensure that nobody can trick your service into doing something in case a savvy user figures out that you are using a file as a transport. Then graduate over to using some other transport like a named pipe or a TCP port or shared memory.

 

Kamen

You mean I should create a Windows service app or change my WinForms app into one?
If so, I don't have enough time to change my app's dev structure now. I only need a way to change the system time when needed while the app is running as a normal user.
Could you explain how to change the time setting while keeping my current app structure?
Thank you.
 

Skydiver

No. I was saying that you need to create a simple Windows service and move the code that actually sets the time there. Then from your current app, send a message to the service so that it will set the time.
 

Kamen

Hello. Thanks for your time.
I tried to make an additional service for time setting and link the service into the main application, but I haven't solved it yet. Maybe because I'm basically in this desktop application dev, there are so many things that I should learn.
However, I'm happy to be with you and learn from you in this community.
I'll try to do it again myself, but if you have free time, I want you to help me at any time.
Thank you again.
 

Skydiver

No, you don't link it into the main app. You will end up deploying two executables: your main app and the service. You install the service to run as a privileged account, and you install your main app to run as a normal user.
 