开发者

Requesting administrator privileges at run time

Is it possible to get a C++ application running in Windows to request administrator privileges from the operating system at run time?

I know it can be done at compile开发者_运维技巧 time, but can't seem to find anywhere whether it can be done at run time.

Thanks for your help!

EDIT: What if I want the current instance to have elevated privileges? For example, I might have data stored in memory which I want to keep.


If you want the application to always elevate, you can give it a manifest, either by building one in (not compiling technically) or by putting an external manifest in the same folder as the exe. If you want to decide, as a person, to run it elevated, you right click the exe or short cut and choose Run As Administrator. If you are launching it from code, then as @vcsjones comments, you use the runas verb when you launch that process. For example:

ShellExecute( NULL, 
    "runas",  
    "c:\\windows\\notepad.exe",  
    " c:\\temp\\report.txt",     
    NULL,                        // default dir 
    SW_SHOWNORMAL  
); 


You can elevate a process only during its creation. When a process already runs, there's no way to change its security token: it either runs elevated or not.

If your application needs to perform an administrative task, and it usually runs non-elevated, you have to create another .exe which will request elevation with its manifest. To start a process elevated, you have to use ShellExecute or ShellExecuteEx function. From your main process you will need a way to pass the commands to that new process that will run elevated.


For more information about UAC, read Designing UAC Applications for Windows Vista series.


Not quite, but you can do the opposite—you can drop privileges if you already have them. So, you can have your program start out running as an Administrator, using one of the methods listed by Kate Gregory. Then, drop your unneeded privileges; see Dropping privileges in C++ on Windows for how to do that.


Add a manifest file into your EXE as described here.

http://msdn.microsoft.com/en-us/library/bb756929.aspx


Your process (and threads) have a token assinged to them. That token already have all your groups set up. Under UAC, the Administrator group is disabled. UAC will remove that disabled group so you end up with a full administrator token.

To acheive the same, you must have the TCB priviledge. In other words, to elevate a process at runtime, you will need help from a process running under the SYSTEM account, and Microsoft isn't providing one, nor an API to control the current UAC implementation. Otherwise, it would defeat the purpose.

For the sake of completness, there is a whitelist of process that can perform some elevated operations without prompting. In short, your executable needs :

  • To be signed by Microsoft
  • To perform predefined operations, like with IFileOperation

The best explanation I found is this hack. It has been fixed since then, but is sheds some light on the whole thing.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜