Run at logon a desktop application with elevated privileges

The task is widespread, but I’m not satisfied with the solutions I’ve found so far.

The program must work in the background, regularly scan the system for state changes and, under some conditions, show notification popup windows to users. The program runs under Windows 7.

There are two nuances. First, it needs elevated privileges (highest level, run as administrator; there is a mess of terminology in Windows) to scan for some protected system information. Second, it must work for all users who have administrative rights.

Here’s the list of typical solutions and reasons why they don’t suit.

  1. Place the desktop application in the Windows Startup folder. Doesn’t work, because it doesn’t allow specifying elevated privileges. By default, the application won’t run. At best, if the file’s compatibility settings are configured, a UAC popup request will appear on the screen each time the program runs.
  2. Place the file name into the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The same problems.
  3. Add a task to Windows Scheduler and tell it to use the highest run level. Works only for a single user, under which the task runs. The others won’t see the window.
  4. Write a Windows service. The service can monitor user logons and run desktop applications in their sessions. Haven’t tried this, but I've read it’s possible, though tricky. Also, services are harder to debug. Looks like overkill.
  5. Write a Windows service which receives calls from the desktop application, does the administrative work and returns results to the callers. The desktop application runs without privileges. The solution looks very strange because it means that senseless wrapper services, doing nothing but transferring requests and responses, would have to be written for all administrative tasks. Then again, services are harder to debug.

The task looks very common, but the solutions are complicated. Do I misunderstand something? Are there easier ways?

PS: I've seen the topic "Process with administrative privileges run on user logon", but wonder if there are less complicated ways.

UPDATE

I found out that solutions with Windows services also don't work for my task. I need to access the user's personal certificate store. A service runs under one account and needs to access the certificates of another. I haven't found how to do this with the .NET cryptography API and guess it's not possible due to security policy. I posted the solution I finally came up with as the answer to this question.


You'll need a service to do the "dirty work" (i.e. where admin rights are required). Add to that an app that interfaces with the user.

Services are not hard to debug - just connect to the running process in Visual Studio.


Depending on what you are trying to accomplish, you can bypass UAC using a well-known security bug to run your elevated code. I wouldn't recommend this for any type of commercial use, but in quick and dirty instances, it might be just the ticket.

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html


Eventually, I had to implement this in a cumbersome way. I create one task for Windows Task Scheduler per user. The tasks do exactly the same, but run simultaneously under different credentials.

The additional task which this solution results in is how to add and remove these tasks in the program setup. I implemented it as follows. The task name is a GUID generated during setup. During install, a set of registry entries is created, where the entry name is the user name and the entry value is the GUID of the task for that user. During uninstall, the tasks with names stored in the registry are deleted from the scheduler.
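
The install and uninstall bookkeeping described in the answer above, as an added example that is not the answerer's code. It uses the Task Scheduler 2.0 COM interface (available on Windows 7) from an elevated PowerShell session; the registry key, executable path and function names are hypothetical, and it assumes an interactive-token logon so no password is stored, with the executable installed where standard users cannot write, because the task starts it elevated at every logon.

```powershell
# Added example. Hypothetical names: $MapKey, $ExePath, function names.
$MapKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleMonitor\LogonTasks'
$ExePath = Join-Path $env:ProgramFiles 'ExampleVendor\ExampleMonitor\monitor.exe'

function Connect-Scheduler {
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()
    $service
}

function Install-LogonTasks([string[]]$Users) {
    $service = Connect-Scheduler
    $folder  = $service.GetFolder('\')
    if (-not (Test-Path $MapKey)) { New-Item -Path $MapKey -Force | Out-Null }
    foreach ($user in $Users) {
        $taskName = [guid]::NewGuid().ToString()   # task name is a fresh GUID per user
        $def = $service.NewTask(0)
        $def.Principal.UserId    = $user
        $def.Principal.LogonType = 3               # TASK_LOGON_INTERACTIVE_TOKEN
        $def.Principal.RunLevel  = 1               # TASK_RUNLEVEL_HIGHEST: elevated token for an admin, no UAC prompt
        $trigger = $def.Triggers.Create(9)         # TASK_TRIGGER_LOGON
        $trigger.UserId = $user                    # fire only when this user logs on
        $action = $def.Actions.Create(0)           # TASK_ACTION_EXEC
        $action.Path = $ExePath
        # 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN
        $folder.RegisterTaskDefinition($taskName, $def, 6, $user, $null, 3) | Out-Null
        # Registry entry: value name = user name, value data = task GUID
        New-ItemProperty -Path $MapKey -Name $user -Value $taskName `
            -PropertyType String -Force | Out-Null
    }
}

function Uninstall-LogonTasks {
    if (-not (Test-Path $MapKey)) { return }
    $folder = (Connect-Scheduler).GetFolder('\')
    $key = Get-Item -Path $MapKey
    foreach ($user in $key.GetValueNames()) {
        $taskName = $key.GetValue($user)
        try   { $folder.DeleteTask($taskName, 0) }
        catch { Write-Warning "Task $taskName for $user was already removed" }
    }
    $key.Close()
    Remove-Item -Path $MapKey -Recurse -Force
}

# Constructed sample call: Install-LogonTasks -Users 'alice', 'bob'
```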


Just use Winaero's Elevated Shortcut and place the shortcut in the startup folder or in Group Policy's logon scripts.
