
How to elevate programs' privileges correctly using Vista's UAC

Yuval Shavit, Associate Editor
UAC Tips for developers
1. Overview of UAC for developers
2. What is UAC?
3. Elevating privileges correctly
4. Writing installers with UAC
Vista's user account control (UAC) lets applications elevate to administrator-level privileges, but there's a right way and a wrong way to do it. A process's access token is fixed when the process is created, so a running program cannot add privileges to itself; it has to ask for an elevated process (or an elevated component) in the right way. The three basic approaches are to launch a new, elevated copy of your process, to create an elevated COM object, and to send requests to tasks and services that already run with administrator privilege, said Crispin Cowan, senior program manager on Microsoft's UAC team, in a talk he gave at PDC in October.

This tip is part of a series on UAC based on Cowan's talk. If you haven't read our introduction to developing programs under UAC, you may want to start there. You may also want to read our tip on how to write installers that run in UAC.

1. Launch a new, elevated process

Programs can't be elevated once they've already been launched, so the simplest technique is to start your program as a standard user and include a button that launches a new, privileged copy of the process and then closes the original. If the elevated copy is a separate executable, mark it with "requireAdministrator" (not "asAdministrator", which is not a valid value) in its manifest's requestedExecutionLevel element; if it is the same executable, leave the manifest at "asInvoker" and request elevation at launch time with the shell's "runas" verb instead, otherwise the standard-user copy could never start without a prompt. This is the technique the task manager uses when the user clicks the "Show processes from all users" button, for instance.

The advantage of this method is that it's easy, but there are two drawbacks. First, closing the first process and opening a new one in its place disrupts the user experience slightly; the window appears to close and open again. More importantly, programs can't un-elevate themselves, so everything the program does from then until it exits runs with full administrator rights, including all the code that never needed them, which forfeits most of the protection UAC was meant to give.
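The relaunch pattern above in C#, as an added example that is not from the article or from Cowan's talk. It uses the same executable for both copies, so the manifest stays at "asInvoker" and elevation is requested with the "runas" verb; the `--show-all-users` switch standing in for the privileged action is an assumption made for the example. Because a standard-user-mode administrator runs with a filtered token in which the Administrators group is deny-only, the `IsInRole` check below reliably reports whether this particular process is the elevated one.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

// Added example, not code from the article or the talk.
// Manifest for this executable (kept unelevated so the first copy can start
// without a prompt):
//   <requestedExecutionLevel level="asInvoker" uiAccess="false" />
// A separate, elevated-only helper executable would instead use:
//   <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
static class ElevationHelper
{
    // Win32 error ShellExecute reports when the user clicks "No" on the consent prompt.
    const int ERROR_CANCELLED = 1223;

    // True when this process already holds a full (unfiltered) administrator token.
    public static bool IsElevated()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Start a new, elevated copy of this program with the given arguments.
    // Returns true if it started, false if the user declined the UAC prompt.
    public static bool RelaunchElevated(string arguments)
    {
        ProcessStartInfo psi = new ProcessStartInfo();
        psi.FileName = Process.GetCurrentProcess().MainModule.FileName;
        psi.Arguments = arguments;
        psi.UseShellExecute = true;   // the "runas" verb only exists on the ShellExecute path
        psi.Verb = "runas";           // ask the shell for an elevated process
        try
        {
            Process.Start(psi);
            return true;
        }
        catch (Win32Exception ex)
        {
            if (ex.NativeErrorCode == ERROR_CANCELLED)
                return false;         // user refused; stay in standard-user mode
            throw;                    // anything else is a real failure
        }
    }
}

static class Program
{
    static void Main(string[] args)
    {
        // Hypothetical switch marking the one action that needs administrator rights,
        // like Task Manager's "Show processes from all users" button.
        bool wantsAdminAction = Array.IndexOf(args, "--show-all-users") >= 0;

        if (wantsAdminAction && !ElevationHelper.IsElevated())
        {
            if (ElevationHelper.RelaunchElevated("--show-all-users"))
                return;               // hand off to the elevated copy and exit this one
            Console.WriteLine("Elevation declined; continuing as a standard user.");
            return;
        }

        Console.WriteLine(ElevationHelper.IsElevated()
            ? "Running elevated: do the privileged work here, then exit promptly."
            : "Running as a standard user.");
    }
}
```

Note that the original copy exits as soon as the elevated one has started; it has no way to get its result back other than through whatever the elevated copy writes or displays, which is the user-experience cost the article describes.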

2. Create an elevated COM object

A slightly more sophisticated approach is to create a COM object that runs out of process with elevated privileges while your main program stays a standard user. If you do this, make sure that object creates its own GUI, Cowan said. A common pitfall is to create an invisible, elevated COM object and send messages to it from your un-elevated GUI. But malware running as the same standard user can drive that GUI by faking mouse clicks and keystrokes, and so use it to send malicious requests to the elevated object. If the elevated COM object draws the GUI itself, its windows run at high integrity and Vista's user interface privilege isolation (UIPI) blocks window messages sent to them by lower-integrity processes, so unprivileged software can't operate the controls. The object is created through the COM elevation moniker, a display name of the form "Elevation:Administrator!new:{CLSID}" passed to CoGetObject, which triggers the UAC prompt and returns an interface on the elevated instance; the CreateElevatedComObject named in the talk is a helper wrapping that call rather than a Win32 API of its own.

3. Use tasks or services

The third way to handle privileged work is to refactor it into tasks or services: background processes that your installer creates while it is itself elevated. Services work on any version of Windows and always run in the background, while scheduled tasks are created and destroyed as needed but only work on Vista (and Windows 7, when it comes out).

The advantage of tasks and services is a seamless user experience: no relaunch and no prompt at the moment of use. The major disadvantage is that services and tasks can't create GUIs, so you have to send requests to them from an unprivileged GUI source -- the exact situation you tried to avoid with an elevated COM object. Everything that reaches the service is therefore attacker-controlled input.

If you take this approach, make sure to sanitize all inputs and treat them as suggestions, not commands, Cowan said. In other words, assume every message is coming from malware, and make sure to validate every argument. When you sanitize inputs, use an allow list rather than a deny list -- in other words, assume every character is bad and make exceptions for those you know are good, rather than trying to specifically block out characters you know are bad. "Anyone who's ever used a deny list has regretted it. Trust me," Cowan said.
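How an elevated service or task would apply that advice to a request from an unprivileged GUI, as an added example that is not from the article or from the talk. The wire format (a verb, a tab, one argument), the two verbs and the two service names the application is assumed to own are all assumptions made for the example; the point is that every level of the request is checked against an allow list, so the most a hostile GUI can make the service do is exactly what the real GUI is allowed to ask for.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not code from the article or the talk.
static class RequestValidator
{
    // Allow list of verbs the service implements. Anything else is rejected.
    static readonly HashSet<string> Verbs =
        new HashSet<string>(StringComparer.Ordinal) { "restart-service", "query-service" };

    // Allow list of objects the GUI may name: assumed to be the two services this
    // application installs. A well-formed name for any other service is still refused.
    static readonly HashSet<string> OwnedServices =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ExampleUpdater", "ExampleIndexer" };

    // Syntactic allow list: every character is bad except letters, digits, '_' and '-',
    // and the length is capped. \z rather than $ so a trailing newline cannot slip past.
    static readonly Regex NameShape =
        new Regex(@"^[A-Za-z0-9_-]{1,64}\z", RegexOptions.CultureInvariant);

    // Returns the validated (verb, argument) pair, or null if any check fails.
    // The message is a suggestion from an untrusted process, never a command.
    public static KeyValuePair<string, string>? Validate(string message)
    {
        if (message == null || message.Length > 256) return null;

        string[] parts = message.Split('\t');
        if (parts.Length != 2) return null;

        string verb = parts[0];
        string arg = parts[1];

        if (!Verbs.Contains(verb)) return null;          // unknown operation
        if (!NameShape.IsMatch(arg)) return null;        // wrong shape (NUL, path chars, too long)
        if (!OwnedServices.Contains(arg)) return null;   // right shape, wrong target

        return new KeyValuePair<string, string>(verb, arg);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample requests, as a legitimate or a hijacked GUI might send them.
        string[] samples =
        {
            "restart-service\tExampleUpdater",          // legitimate
            "query-service\tExampleIndexer",            // legitimate
            "restart-service\tExampleUpdater\0junk",    // embedded NUL
            "restart-service\t..\\..\\Windows\\System32", // path characters
            "restart-service\tSpooler",                 // valid shape, not one of ours
            "delete-service\tExampleUpdater",           // verb the service does not implement
            "restart-service",                          // missing argument
        };

        foreach (string s in samples)
        {
            KeyValuePair<string, string>? result = RequestValidator.Validate(s);
            string shown = s.Replace("\0", "\\0").Replace("\t", "\\t");
            Console.WriteLine("{0,-45} -> {1}", shown,
                result.HasValue ? "accepted: " + result.Value.Key + " " + result.Value.Value : "rejected");
        }
    }
}
```

The service should then act only on the validated pair, never on the original string, and should look the target up itself (for example, open the service by its validated name) rather than passing anything from the message to a shell or a command line.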

Yuval Shavit is the associate editor for SearchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, senior program manager on Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing for Windows Standard User," is available online.

This was first published in December 2008
