Saturday, October 28, 2006 4:05 PM
Windows Vista - Demand UAC elevation for an application by adding a manifest using mt.exe
Assume you're writing some application that really - I mean really really - needs administrative privileges (does it? you must be kidding). So, you want it to run evelated as an administrator. How to tackle this requirement in a Windows Vista and UAC world where even an administrator is locked down on the machine?
This post shows you how to create an application manifest for your .NET application (I'll be using C# for that purpose) that tells Vista to run the application evelated.
Creating the Windows Forms app
Create a simple Windows Forms application called UacDemo. On Form1.cs add a single label called label1, and add the following line to the Form_Load event handler:
label1.Text = new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) ? "Yup" : "Nope";new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator) ? "Yup" : "Nope";
This time I'm assuming you're an administrator on the machine. Launch the application and see how "Nope" stares you in the face telling you're not as powerful as you thought you were:
Creating a manifest
In order to make the application support elevation, we need to define a manifest for the application. It's just a simple XML file with the following in it:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="220.127.116.11" processorArchitecture="X86" name="UacDemo" type="win32"/>
Add a file called UacDemo.exe.manifest to the project and copy/paste the XML chunk in there.
Adding the manifest to the executable
The last thing to do is to embed the manifest in the executable as a Win32Resource. An embedded resource is VS2005 can't be used for this. It's a little more complex than this. With the SDK, a tool called mt.exe ships that can be used to manage manifests in executables (for gurus, perform a dumpbin on the .exe file before and after the execution of mt.exe to see the application manifest being copied to the file). We'll be invoking this tool as a post-build step by going to the project properties, tab Build Events and pasting the following in Post-build even command line:
"$(DevEnvDir)..\..\SDK\v2.0\bin\mt.exe" -manifest "$(ProjectDir)$(TargetName).exe.manifest" –outputresource:"$(TargetDir)$(TargetFileName)";#1
This looks as follows:
Compile the project and go to the bin\Debug folder in Windows Explorer. Notice the application is now displayed with a security shield icon on it:
Let's try to run it. This should bring up the following prompt:
Now we are elevated and we finally see the happy "Yup" word:
So, now you now how to make your app UAC ready when it needs administrative rights and privileges. However, it's always better to avoid this level of rights and privileges. As usual: think before you do!Del.icio.us
| Digg It
Filed under: Windows Vista