Thursday, October 8, 2009

Start application without elevated privileges on Windows Vista and Windows 7

I finally found out how you do this. You sometimes have applications that have something like "install" or "setup" in their names. Windows Vista and Windows 7 are stupid enough to enforce administrator privileges when starting these applications. But often this is absurd and breaks the applications. Let's say it's a command that's called "InstalScript" that installs a new script to your application's settings directory, which is in the user's APPDATA path. Someone uses your application in a company that has a Windows Domain in-place and his user-account does not have administrator privileges, which is usually the case. This user would now be unable to use your script, because he can't run the InstallScript application.


Since the release of Vista I was always wondering how you could prevent this, but never took the time to google for a solution. At some point, I even assumed it was impossible. Well, it nearly is ;-) Since you are reading this article the chances are high you are developing for Windows. And the chances that you stumbled upon manifest-files are high in this case, too. If you ask me, .manifest is short for "Manifestation Of The Royal Pain In The Ass". But heck, this article is not about ranting against manifest-files. In this case, they are here to help you. You can specify which kind of privileges your application needs in your manifest-file, and when you set "requestedExecutionPrivileges" to "asInvoker", you are free to go! That's the information I found on many websites. Unfortunately, little of them mentioned where this actually should go, and because I'm no meanie, here's an example I took from MSDN:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
  <assemblyIdentity version="1.0.0.0"
     processorArchitecture="X86"
     name="ShrinkyInstaler"
     type="win32"/> 
  <description>Installs Shrinky on your computer</description> 
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="asInvoker"
          uiAccess="false"/>
        </requestedPrivileges>
       </security>
  </trustInfo>
</assembly>


Now I can finally call Shrinky's Installer "ShrinkyInstaller.exe" and still debug it! (I put the manifest-file into the debug directory and named it "ShrinkyInstaller.exe.manifest). Yay!

1 comment:

  1. actual i was looking for the application security requirements coding, thanks for sharing as while running the application i found error but after reading your blog, i fixed it. So, thanks a lot for sharing valuable info.

    ReplyDelete