Question: How do I run a C# application as a published user within the UAC dialog

Kamen

You can read from Program Files without admin rights.

You can change Time Zones without being an admin. Do you really need to change the time when modern Windows actually synchronizes itself with NTP servers which use atomic clocks to keep time?

The correct thing to do is to get the UAC only at the time when you are trying to do something that actually requires admin rights, at the time when you need it. You don't want to always be running as admin. By always running as admin, you open up the attack surface for viruses. A virus will just have to inject itself into your app instead of trying to inject itself into other more well-known apps/processes which are more actively monitored by AV software and/or Windows Defender.

Please follow the Windows Guidelines with regards to UAC:
Hello.
Thanks for your kind help.
I made my C# app run as an administrator using a process reference instead of the requireAdministrator executionLevel. So my app runs at startup and I can write files and change the system time.
By the way, my app still has a problem. It seems to be a UAC problem.
Whenever my app starts on Windows 10 64-bit, an "unknown publisher ..." message pops up.
I attached a screenshot of the message. If I set the UAC level to the lowest (never notify) in the UAC settings, I never get this message, but I want to keep the level and prevent this message.
Can you help me with this?
 

Let's back up. Why do you need to change the system time?

Possible answers are:
A) Is it to correct the time because the machine clock has lagged behind?
B) Are you changing the time because the user has travelled from one location to another?
C) Are you changing the time to work virtually to be "in synch" with other team members who live some place else?
D) Are you changing the system time because you are running a piece of software that has an expired license and so you keep resetting the time to some time back in the past to get past the license?

If your answer is A, then you don't even have to change the time. The OS knows how to fix the system clock and keep it from falling behind as long as it has an active Internet connection. (Actually, the OS can also keep the clock from falling behind as long as you just have an active WiFi or LAN connection, but you'll need an AD server or know how to set up your own time server.) That system time internally is set to UTC, and the time displayed to the users is dependent on the timezone setting.

If your answer is B or C, then all you need to do is change the timezone for the machine. As mentioned above the OS knows how to keep the system clock up to date. All you need to do is tell the OS what timezone the user is currently in or is virtually in.

If your answer is D, I don't condone hacks to get around licenses. People should be paid fairly for their work. I won't provide any further help to help you steal someone else's work.
It is not so important for me, but I'll answer why I need to change the system time.
First, my app will run on an offline PC, so the OS will never get the online sync service.
Next, the app is an ordering system, so it needs summing every day and sometimes requires correcting the time manually.
You don't seem to understand correctly now.
Also, it is not essential for this thread.
The main goal is to prevent the UAC dialog.
Thank you.
 
I understand now. Nowhere in this thread or in your original thread did you ever mention that your app would be running on an offline PC and that it would never sync online. How were we supposed to figure out that you had those 1990's style constraints on a modern app running on Windows 10?

Anyway, so I am guessing that the reason why you want to be able to set the time is because the machine is locked down, and so you want a way for the user to update the time when the clock does drift, but without having to enter the admin password required by the UAC dialog.

My suggestion is to break up your app into two parts. One part runs as a Windows service which gets installed and runs with system rights, or as a user with admin rights. Windows services do not show the UAC when they start up. The other part is just a regular Windows app that runs as a normal user. When there is something that you need to do that requires elevated privileges, then send a message to the service for it to do the work.

Kind of strange to have a modern ordering system where all the order data just stays on that single machine. Does the user attach a printer and print out the order, and then someone takes the printout and types the same information back into the fulfillment system? Or do you at least use a USB stick to move the data around?
 
Solution
Hello.
Thanks for your answer.
As you said, I tried to make the main app run as a user that manages all files in the localApp folder, and then the UAC dialog is never displayed. By the way, in this case, how do I set the system time?
You said that when there is something that you need to do that requires elevated privileges, then send a message to the service for it to do the work.
Could you kindly explain it in detail?

Does the user attach a printer and print out the order, and then someone takes the printout and types the same information back into the fulfillment system? Or do you at least use a USB stick to move the data around?
Yeah, I use a printer for sale ticketing data and also save it into an SQLite database.

Thank you again.
Looking forward to hearing from you ASAP.
 
It's up to you how you send a message to your Windows service: shared memory, named pipe, TCP port, file system, .NET Remoting, etc. The point is to send a signal to your Windows service that you need it to do something on your behalf. This is how the Windows Installer does things where some operations require higher privileges than the user has -- it talks to the Windows Installer service to do some of the work.

You'll say: "But wait, the Windows Installer pops up the UAC sometimes." Yes, it does, but not because it is trying to run elevated. It pops up the UAC when it determines that .MSI contains operations that require elevated privileges and so the user better be authorized to perform such operations on the machine. It's just like the UAC you see when you try to change some settings in the Control Panel. Control Panel itself may not be running elevated, but if you are trying to make some system level changes, then the UAC is brought up first to determine if you are allowed to make those changes.
 
Hello.
Thanks for your time.
I'm happy to learn C# and Windows application development more deeply from you.
Honestly, I have a lot of experience in web and mobile development but none in desktop applications.
So I understand most of your explanation, but not all of it.
In particular, I want to know how to set the system time while running the application as a user.
I fixed the other sections to run as a normal user, but not the time setting yet.
So I hope you can help me in detail.
Thank you again.
Regards.
 
Just like in web development when you call back to the backend (usually using a web service call) to get a write or read into a database, the same thing is what will happen for your desktop app. In the case of web development, you don't want the database credentials living on the front end. You don't want your database sitting exposed to the world. You keep the database behind the firewall, and have a web service that can reach back behind the firewall using the database credentials that should (hopefully) be securely kept only in the web service. Your non-elevated app is the front end. Your Windows service is your backend. You need to send a message to the backend.

Start off with a simple Windows service that just waits for the existence of a file as your "message" for it to do something. Once you get that working, have the service actually read the contents of the file to determine whether it should do something. Once you get that working, work out some authentication scheme to ensure that nobody can trick your service into doing something in case a savvy user figures out that you are using a file as a transport. Then graduate over to using some other transport like a named pipe or a TCP port or shared memory.

 

You mean I should create a Windows service app or change my WinForms app into one?
If so, I don't have enough time to change my app's dev structure now. I just need a way to change the system time when needed while running the app as a normal user.
Could you explain how to change the time setting while keeping my current app structure?
Thank you.
 
No. I was saying that you need to create a simple Windows service and move the code that actually sets the time there. Then from your current app, send a message to the service so that it will set the time.
 
Hello. Thanks for your time.
I tried to make an additional service for time setting and link the service into the main application, but I haven't solved it yet. Maybe because I'm at a basic level in desktop application development, there are so many things that I should learn.
However, I'm happy to be with you and learn from you in this community.
I'll try to do it again myself, but if you have free time, I'd like your help at any time.
Thank you again.
 
No, you don't link it into the main app. You will end up deploying two executables: your main app and the service. You install the service to run as a privileged account, and you install your main app to run as a normal user.
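
The split described in this thread (an unprivileged front end that sends a message to a privileged service, with a check that nobody can trick the service into doing something else) could look like the sketch below on the service side. It is an added example, not code posted by anyone in the thread. It assumes .NET Framework 4.x with C# 7; the pipe name, the one-line timestamp message format and the 12-hour limit are hypothetical choices.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Service side: run Listen() on a worker thread started from the service's OnStart.
static class TimeSetListener
{
    const string PipeName = "OrderApp.SetTime";                 // hypothetical pipe name
    static readonly TimeSpan MaxStep = TimeSpan.FromHours(12);  // assumed per-request limit
    [StructLayout(LayoutKind.Sequential)]
    struct SYSTEMTIME { public ushort Year, Month, DayOfWeek, Day, Hour, Minute, Second, Milliseconds; }
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool SetSystemTime(ref SYSTEMTIME st); // UTC

    // The only accepted message: one UTC timestamp in a strict format, close to the current clock.
    static bool TryParseRequest(string line, DateTime nowUtc, out DateTime target) =>
        DateTime.TryParseExact(line, "yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out target)
        && (target - nowUtc).Duration() <= MaxStep;

    public static void Listen()
    {
        var acl = new PipeSecurity();   // service account: full control; interactive users: read/write only
        acl.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().User,
            PipeAccessRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.InteractiveSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        while (true)
            try
            {
                using (var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut,
                    NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Byte,
                    PipeOptions.None, 256, 256, acl))
                {
                    pipe.WaitForConnection();
                    string reply = "REJECTED";
                    if (TryParseRequest(new StreamReader(pipe).ReadLine(), DateTime.UtcNow, out DateTime t))
                    {
                        var st = new SYSTEMTIME { Year = (ushort)t.Year, Month = (ushort)t.Month,
                            Day = (ushort)t.Day, Hour = (ushort)t.Hour, Minute = (ushort)t.Minute,
                            Second = (ushort)t.Second };
                        reply = SetSystemTime(ref st) ? "OK" : "ERROR " + Marshal.GetLastWin32Error();
                    }
                    new StreamWriter(pipe) { AutoFlush = true }.WriteLine(reply);
                    pipe.WaitForPipeDrain();
                }
            }
            catch (IOException) { /* client disconnected mid-request; serve the next one */ }
    }
}
```

The main app, still running as a normal user, connects with `NamedPipeClientStream(".", "OrderApp.SetTime", PipeDirection.InOut)`, writes one timestamp line and reads the reply. The service exposes a single narrow operation rather than a general "run this for me" channel, so a user who discovers the pipe can do no more than the app already allows.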
 