How reliable is adding an application manifest to ensure elevated privileges across windows xp, vista and 7?
https://stackoverflow.com/questions/10468010
-
06-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
How stable is this method to ensure that my admin application requests admin privileges when launching:
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
</requestedPrivileges>
This works well on Windows 7 but I do not have access to XP and Vista so cannot tell.
Solution
By specifying that manifest, you tell Windows (Vista or 7), if a standard user (admin as well with UAC enabled) tries to execute this app, UAC prompt should appear. Without elevation, this app won't work as expected.
Both Windows Vista and Windows 7 can handle this properly, as that's why UAC is designed.
For Windows XP, a standard user needs to use runas manually to execute your app as admin, while an admin user can run it directly. There is no UAC on Windows XP, and it falls back to the old behaviors long time Windows developers familiar with.
To test out Windows XP, you should use Windows XP mode, http://www.microsoft.com/windows/virtual-pc/download.aspx
OTHER TIPS
Windows XP does not process the requestedPrivileges node, and does not have any kind of UAC mechanism.
UAC and the ability to set a requestedExecutionLevel were both introduced with Windows Vista.
Windows XP's standard accounts were strictly that, and there was no elevation mechanisim in place for administrative tasks to be performed short of logging in again.
Consequently the best practice for dealing with errors resulting from a lack of permissions on XP was just to display a meaningful error message.
Yes, that manifest ensures that a user that belongs to the Administrators group gets properly elevated on Vista and up when they accept the UAC prompt.
What it does not do is give a user that doesn't belong to that group privileges. Like the way it was done in XP but also in later releases. A site admin may give users restricted accounts. Which is okay, they are surely not supposed to run your program. The admin didn't want them to. Do check that you give a reasonable diagnostic. WindowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator) lets you check on .NET.
