User Account Control - Requesting Elevation

Requesting Elevation

A program can request elevation in a number of different ways. One way for program developers is to add a requestedPrivileges section to an XML document, known as the manifest, that is then embedded into the application. A manifest can specify dependencies, visual styles, and now the appropriate security context:

Setting the level attribute for requestedExecutionLevel to "asInvoker" will make the application run with the token that started it, "highestAvailable" will present a UAC prompt for administrators and run with the usual reduced privileges for standard users, and "requireAdministrator" will require elevation. In both highestAvailable and requireAdministrator modes, failure to provide confirmation results in the program not being launched.

An executable that is marked as "requireAdministrator" in its manifest cannot be started from a non-elevated process using CreateProcess. Instead, ERROR_ELEVATION_REQUIRED will be returned. ShellExecute or ShellExecuteEx must be used instead. If an HWND is not supplied, then the dialog will show up as a blinking item in the taskbar.

Inspecting an executable's manifest to determine if it requires elevation is not recommended, as elevation may be required for other reasons (setup executables, application compatibility). However, it is possible to programmatically detect if an executable will require elevation by using CreateProcess and setting the dwCreationFlags parameter to CREATE_SUSPENDED. If elevation is required, then ERROR_ELEVATION_REQUIRED will be returned. If elevation is not required, a success return code will be returned at which point one can use TerminateProcess on the newly created, suspended process. This will not allow one to detect that an executable requires elevation if one is already executing in an elevated process, however.

A new process with elevated privileges can be spawned from within a .NET application using the "runas" verb. An example using C#:

System.Diagnostics.Process proc = new System.Diagnostics.Process; proc.StartInfo.FileName = "C:\\Windows\\system32\\notepad.exe"; proc.StartInfo.Verb = "runas"; // Elevate the application proc.Start;

In a native Win32 application the same "runas" verb can be added to a ShellExecute or ShellExecuteEx call.

ShellExecute(hwnd, "runas", "C:\\Windows\\Notepad.exe", 0, 0, SW_SHOWNORMAL);

In the absence of a specific directive stating what privileges the application requests, UAC will apply heuristics, to determine whether or not the application needs administrator privileges. For example, if UAC detects that the application is a setup program, from clues such as the filename, versioning fields, or the presence of certain sequences of bytes within the executable, in the absence of a manifest it will assume that the application needs administrator privileges.