How to elevate programs' privileges correctly using Vista's UAC


Yuval Shavit, Associate Editor
12.09.2008

Vista's user account control (UAC) lets applications elevate to administrator-level privileges, but there's a right way and a wrong way to do it. Processes can't change their permissions dynamically, so it's important to ask for elevated privileges correctly. The three basic approaches are to launch a new version of your process, to create an elevated COM object, and to send requests to tasks and services that run with elevated administrator privileges, said Crispin Cowan, senior project manager on Microsoft's UAC team, in a talk he gave at PDC in October.

This tip is part of a series on UAC based on Cowan's talk. If you haven't read our introduction to developing programs under UAC, you may want to start there. You may also want to read our tip on how to write installers that run in UAC.

1. Launch a new, elevated process

Programs can't be elevated once they've already been launched, so the simplest technique is to start your program as a standard user and include a button that launches a new, privileged version of the process before closing the original version. You should mark the elevated program with "asAdministrator" in your program's manifest. This is the technique that the task manager uses when the user clicks on the "show processes from all users" button, for instance.

The advantage of this method is that it's easy, but there are two drawbacks. First, closing the first process and opening a new one in its place disrupts the user experience slightly; the window appears to close and open again. More importantly, programs can't un-elevate themselves, so the program will now be running in administrator mode until it exits, negating UAC's security improvements.
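The relaunch step could look like this in C#. This is an added example, not code from the original tip or from Microsoft: the helper name `AdminTasks.exe` is hypothetical, and the `runas` shell verb is used here to request elevation at launch. It starts the helper by absolute path from the install directory and handles the case where the user declines the consent prompt.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;

static class ElevatedLauncher
{
    // Win32 error returned when the user declines the UAC consent prompt.
    const int ErrorCancelled = 1223;

    // True if this process already holds an administrator token.
    public static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(identity)
                .IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    // Starts the elevated helper. Returns true if it was started and the
    // un-elevated caller should now close; false if the user declined.
    public static bool TryLaunchElevated(string exeName, string arguments)
    {
        // Resolve the helper from our own install directory so the launch
        // never depends on the current directory or the search path.
        string baseDir = AppDomain.CurrentDomain.BaseDirectory;
        var startInfo = new ProcessStartInfo(Path.Combine(baseDir, exeName), arguments)
        {
            UseShellExecute = true,   // the consent prompt is raised by the shell
            Verb = "runas",           // request elevation for the new process
            WorkingDirectory = baseDir
        };
        try
        {
            using (Process.Start(startInfo)) { }
            return true;
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ErrorCancelled)
        {
            return false;             // keep running as a standard user
        }
    }
}
```

A button handler would call `ElevatedLauncher.TryLaunchElevated("AdminTasks.exe", "")` only when `IsElevated()` is false, and close the original window only when the call returns true.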

2. Create an elevated COM object

A slightly more sophisticated approach to elevating is to create a new COM object with elevated privileges. If you do this, make sure that object creates its own GUI, Cowan said. A common pitfall is to create an invisible, elevated COM object and send messages to it from your un-elevated GUI. But malware can hijack that GUI by faking mouse clicks and using the GUI to drive malicious messages to the COM object. If your COM object draws the GUI, Vista's user interface privilege isolation (UIPI) hides it from non-privileged software. Use CreateElevatedComObject to generate this elevated COM object.

3. Use tasks or services

The third way to handle elevated processes is to refactor them into tasks or services, background processes that your installer creates. Services work in any operating system and always run in the background, while tasks are created and destroyed as needed but only work for Vista (and Windows 7, when it comes out).

The advantage of tasks and services is that they create a seamless user experience. The major disadvantage is that services and tasks can't create GUIs, so you have to send messages to them from an unprivileged GUI source -- the exact situation you tried to avoid with an elevated COM object.

If you take this approach, make sure to sanitize all inputs and treat them as suggestions, not commands, Cowan said. In other words, assume every message is coming from malware, and make sure to validate every argument. When you sanitize inputs, use an allow list rather than a deny list -- in other words, assume every character is bad and make exceptions for those you know are good, rather than trying to specifically block out characters you know are bad. "Anyone who's ever used a deny list has regretted it. Trust me," Cowan said.
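One way the elevated service could apply that advice is sketched below in C#. This is an added example, not code from the original tip or from Microsoft: the command names, log levels and directory are hypothetical. Every request is checked against allow lists, and the service builds the file path itself instead of accepting one from the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Runs inside the elevated service; every request is treated as untrusted.
static class RequestValidator
{
    // Hypothetical fixed directory owned by the service.
    const string LogDirectory = @"C:\ProgramData\ExampleApp\logs";

    // Allow list of values for the "set-log-level" command.
    static readonly HashSet<string> AllowedLevels =
        new HashSet<string>(StringComparer.Ordinal) { "error", "warning", "info" };

    // Allow list of characters for log names: ASCII letters, digits, '_'
    // and '-', 1 to 32 characters. \z is used instead of $ because $ also
    // matches just before a trailing newline.
    static readonly Regex LogName =
        new Regex(@"\A[A-Za-z0-9_-]{1,32}\z", RegexOptions.CultureInvariant);

    // Returns true only when the command is known and its argument passes
    // that command's own allow list; anything else is rejected.
    public static bool TryValidate(string command, string argument, out string reason)
    {
        reason = null;
        if (command == null || argument == null)
        {
            reason = "missing field";
            return false;
        }
        switch (command)
        {
            case "set-log-level":
                if (AllowedLevels.Contains(argument)) return true;
                reason = "level not on allow list";
                return false;
            case "rotate-log":
                if (LogName.IsMatch(argument)) return true;
                reason = "log name contains disallowed characters";
                return false;
            default:
                reason = "command not on allow list";
                return false;
        }
    }

    // The service derives the path from a validated name; callers never supply one.
    public static string ResolveLogPath(string validatedName)
    {
        return Path.Combine(LogDirectory, validatedName + ".log");
    }
}
```

With this validator, `rotate-log` with the argument `app_main` is accepted, while `..\..\Windows\system` or a name followed by a newline is rejected before any privileged code touches it.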

Yuval Shavit is the associate editor for searchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manager for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User," is available online.
