I previously wrote this article in my blog, Think Big!.
User Access Control (UAC) is a feature of
Windows that can help prevent unauthorized changes to your computer. UAC does
this by asking you for permission or an administrator password before performing
actions that could potentially affect your computer's operation or that change
settings that affect other users.
With UAC, Administrator users, by
default, don't have administrative privileges. Every Windows process has two
security tokens associated with it, one with normal user privileges and one with
admin privileges. With applications that require administrative privileges, the
user can change the application to run with Administrator rights. And that
process called Elevation.
Therefore, when a normal user logs on to the
system he assigned the standard user access security token that does not allow
him to access administrator resources. On the other hand, when an administrator
logs on to the system, Windows creates two security tokens for him: a standard
user access token and an administrator access token. And he assigned the latter.
When he tries to access a resource that requires administrator privileges, he is
asked for elevation. Unless he approved the elevation request, he cannot access
that resource. It is worth mentioning that standard users cannot access
protected resources. However, they are requested for the elevation, by entering
an administrator username and password. Therefore, the administrator accesses
the protected resource on behalf of the standard user.
Now, there is a
question. Why do I need administrator privileges? Means, what are the resources
that are protected? The answer is very simple. Most operations that may affect
the system or other users on the machine are access protected. For example,
writing a file on the system drive requires admin approval, reading from the
registry requires admin approval, and changing file association requires admin
After all, in this lesson, we will learn how to request admin
approval at the application start to allow the application to access protected
Requesting Admin Approval via a Manifest
To request the
admin approval, you may need to embed a manifest with specific form to the
An application manifest is an XML file similar to the
application configuration file but it has another construction.
a manifest to the application, you will need to add it to the project and ask
Visual Studio to embed it.
The Manifest Construction
The following is the manifest
Download this file here
You can also add this manifest file via the Add
New Item dialog. However, VB.NET adds it automatically. But be sure to edit
This manifest should be named the way you name the configuration
file. That means that its name should be app.manifest
, so Visual Studio
can treat it the right way.
This manifest is nothing more than a simple
XML file with a specific construction. You cannot change any element name or a
namespace. However, you can set the application required privileges through the
attributes level and uiAccess of the requestedExecutionLevel element.
level attribute specifies the security level that we need to grant the
application. It can be one of three values:
Means that the application requires administrator
privileges (elevation, in other words.) If this is an administrator, he will be
asked for approval. If this is a standard user, he will be asked to provide an
administrator's username and password. Therefore, the administrator executes the
application of behalf of the standard user.
The application gets the privileges the user has but
only after getting the consent from the user. This means that if the user is a
standard user, the application gets standard user privileges. On the other hand,
if the user is an administrator, the application gets the admin privileges but
after the request for elevation.
The application is running with the security token of the
user. This means that if the user is a standard user or an administrator, the
application gets the standard user privileges without elevation, and does not
While VB.NET automatically adds the manifest file, it sets
requestedExecutionLevel to asInvoker.
The uiAccess option comes handy if your
application requires input to a higher-privilege-level window on the desktop.
For example, if your application is an onscreen keyboard. Set uiAccess to true
to allow that type of input, or false otherwise.
Actually, you will not be
granted the UIAccess privilege unless your application is installed in a secure
location like the Program Files
directory. If you need to allow all
applications located in any place to be granted the UIAccess privilege, you will
need to change system policy in the Local Security Policy MMC snap-in. Learn
Automatically Creating the Manifest
To embed the
manifest to your application, follow these steps:
- Add the manifest file (app.manifest) to the project.
- Open the Project Properties dialog.
- Switch to the Application tab.
- In the Resources section and in the Manifest field, you can choose to embed
a default manifest to the application that has the asInvoker level set, to
create the application without a manifest and that has the same effect as the
previous option, or to choose from a list of manifest files added to the
Figure 1 shows how to embed the manifest file.
1. Embedding a Manifest
Trying the Example
Now, we are going to write a simple
example that illustrates how to request admin approval at the application and
how this affects the application progress.
For the example to work well, it
is better not to start Visual Studio .NET with admin privileges because if you
ran the application from the Visual Studio environment, it will be granted its
permissions automatically. However, to see the results, run the application from
Now, start a new project and add the following code to the Main()
static void Main()
// Change the drive C to
// the system drive
The last code
tries to write a file to the system drive which is access protected and requires
admin approval to allow the writing.
Now, try to run the application.
Unfortunately, because you are not granted the administrator access token, the
application will fail and you will be faced with
Again, if you started Visual Studio
.NET with admin privileges, you will not see how the UAC affects the whole
application. In that case, you will need to run the application from its
Now, add the manifest to the application and embed it and try to
run the application again.
Cheers, succeeded. Now, you are faced with the
admin approval message. The following figures show the two types of admin
approval messages. Figure 2 shows the prompt for consent message for
administrator users, while figure 3 shows the prompt for credentials message for
2. Prompt for Consent Message
Figure 3. Prompt for Credentials Message
Requesting Admin Approval via the Registry
While you can
easily request admin approval via a manifest file during the development
process, it will not be the case if the application is already
Actually, you can request an application to start with admin
privileges by right-clicking the application file and choosing "Run as
Administrator" item. However, you will need to do this every time you try to run
Another way is to change the application to request admin
approval every time you execute it. This is done through the compatibility
options in the Properties dialog of the application file. See figure
4. Compatibility Options Setting this option adds the compatibility flag
RUNASADMIN to the registry at SOFTWARE\Microsoft\Windows
that resides in HKCU if you change
current user settings or HKLM if you choose to change the settings for all
users. Figure 5 shows our application item in the registry.
Figure 5. Compatibility Flags in Registry Therefore, you can register an
application to run as administrator if you added the compatibility flag
RUNASADMIN in the right place.
Actually, you can replace the manifest
approach with this way. You make the application installer add this
compatibility flag in the installation process which -by default- runs in admin
The Last Word
It is worth mentioning that this does not
apply to Windows Vista only, it applies to Windows 7 -and maybe later versions-
also. Working with UAC is very exhausting. However, you should relax! Windows 7
fixes major UAC problems. Now, you are not required to grant the permission for
such simple operations like changing system date and time.
It is worth
mentioning that it is better not to request admin approval for the whole
application. It is recommended that you request admin approval for the specific
operations that require it only. And this can be done through the Windows Vista
In addition, you can read more about UAC and how it affects your
application flow in these articles: