Selectively disabling UAC for specific programs on

2019-01-11 14:45发布

问题:

There are dozens of posts questions/answers on stack and other forums about disabling/bypassing/suppressing UAC. There are solutions as well. But progmatically perhaps not. I could see only one solution Disabling UAC programmatically but perhaps there is not real programmatic solution given there.

Can there be a programatic solution for saving user to be prompted everytime he/she runs a program like wamp and they always have to click yes, So it would be better to tell windows that their choice is always yes. I am sure there would be as

I have found Here that windows provides this facility in Task Scheduler through GUI so it must be possible through code as well.

Update : I have prepared a pure programmatic solution which is working. See my answer.

回答1:

Quick description: Make a new console/window application to run any application bypassing UAC choosing the path of your target application in this application as guided below, compile this program once, and run anytime

Step by step

  1. Download Microsoft.Win32.TaskScheduler.dll from This Codeplex link
  2. Make a c# application (Windows or Console) and add reference to the above dll
  3. Add New Item (Application Manifest File) to your project (this application)
  4. Change <requestedExecutionLevel level="asInvoker" uiAccess="false" /> to <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
  5. Write following code in your program.cs file

using System;
using Microsoft.Win32.TaskScheduler;
class Program
{
   static void Main(string[] args)
   {
      TaskService ts = new TaskService();          
      TaskDefinition td = ts.NewTask();
      td.Principal.RunLevel = TaskRunLevel.Highest;
      //td.Triggers.AddNew(TaskTriggerType.Logon);          
      td.Triggers.AddNew(TaskTriggerType.Once);    // 
      string program_path = @"c:\wamp\wampmanager.exe"; // you can have it dynamic
//even of user choice giving an interface in win-form or wpf application

      td.Actions.Add(new ExecAction(program_path, null));
      ts.RootFolder.RegisterTaskDefinition("anyNamefortask", td);          
   }
}

6.Now compile and run your Application(this app)


Now your application (e.g WAMP) will run without prompting any UAC dialog on your desired schedule (every time your log on windows in my case)

Sources

Initiated from : Can you turn off UAC for a single app? and Selectively disabling UAC for specific programs on Windows 7

Basic Idea from : Make Vista launch UAC restricted programs at startup with Task Scheduler

Basic Implementation from Creating Scheduled Tasks



回答2:

The proper methodology wouldn't be to ignore the User Access Control (UAC) but rather test within those parameters. That way you don't disrupt security, you instead work within it's confines.

By disabling security, you run the risk of exploits. According to Secuna which provide several security test have noticed that small companies, lazy developer applications, and blatantly disregard for security are applications that have been focused on.

Which means your application may become a victim at some point.

The approach I would take, is test within UAC. Ensure the proper permissions exists to carry out your task, that way it isn't constantly running with Elevated Permission. An example may be:

class Elevated_Rights
{
    // Token Bool:
    private bool _level = false;

    #region Constructor:
    protected Elevated_Rights()
    {
           // Invoke Method On Creation:
           Elevate();
     }
     #endregion
     public void Elevate()
     {
           // Get Identity:
           WindowsIdentity user = WindowsIdentity.GetCurrent();

           // Set Principal
           WindowsPrincipal role = new WindowsPrincipal(user);

           #region Test Operating System for UAC:
           if (Environment.OSVersion.Platform != PlatformID.Win32NT ||            Environment.OSVersion.Version.Major < 6)
            {
                 // False:
                 _level = false;
             }
             #endregion
             else
             {
                    #region Test Identity Not Null:
                    if (user == null)
                    {
                        // False:
                        _level = false;
                    }
                    #endregion
                    else
                    {
                        #region Ensure Security Role:
                        if (!(role.IsInRole(WindowsBuiltInRole.Administrator)))
                        {
                            // False:
                            _level = false;
                        }
                        else
                        {
                            // True:
                            _level = true;
                        }
                        #endregion
             } 
      }
} 

Something along those lines would allow you to test against the UAC, then perform a task. I'm not quite sure why you would like to disable the UAC, but that would be my approach.

Hopefully that helps.



回答3:

If you want to bypass the protections that you gain by running as a standard user, then the better solution is to change permissions on the folder and registry key so that all users are allowed to modify your application's folder.

GrantAllUsersFullControlToFileOrFolder("C:\Program Files\Grobtastic");

with a pseudocode implementation of:

void  GrantAllUsersFullControlToFileOrFolder(String path)
{
    PACL oldDACL;
    PACL newDACL;    
    PSECURITY_DESCRIPTOR sd;

    //Get the current DALC (Discretionary Access Control List) and Security Descriptor
    GetNamedSecurityInfo(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 
          nil, nil, ref oldDACL, nil, ref sd);

    //Create an SID for the "Users" group
    PSID usersSid = StringToSid("S-1-5-32-545");

    // Initialize an EXPLICIT_ACCESS structure for the new Access Control Entry (ACE)
    EXPLICIT_ACCESS ea;
    ZeroMemory(@ea, SizeOf(EXPLICIT_ACCESS));
    ea.grfAccessPermissions  = GENERIC_ALL;
    ea.grfAccessMode         = GRANT_ACCESS;
    ea.grfInheritance        = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    ea.Trustee.TrusteeForm   = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType   = TRUSTEE_IS_GROUP;
    ea.Trustee.ptstrName     = PChar(usersSID);

    // Create a new ACL that merges the new ACE into the existing ACL.
    // SetEntriesInAcl takes care of adding the ACE in the correct order in the list
    SetEntriesInAcl(1, @ea, oldDACL, ref newDACL); //use LocalFree to free returned newDACL

    //Attach the new ACL as the object's new DACL
    SetNamedSecurityInfo(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
          nil, nil, newDACL, nil);

    LocalFree(HLOCAL(sd));
    LocalFree(HLOCAL(newDACL));
    FreeSid(usersSID);
}

This works even with UAC disabled (i.e. the user is a standard user and there is no convenient way for them to elevate). It also works on Windows XP, where there was no UAC convenience feature and you had to fast-user switch to run something as an administrator.

You then manifest your executable to run asInvoker, since you do not need administrative permissions.


Ask yourself:

What would I have done on Windows XP?
What would I have done on Windows 7 with UAC disabled?

If they're a standard user, does your program fall over dead?