 |
||||
|
|
|||
|
||||
The trick is to write your code such that you avoid unnecessary UAC prompts, and that basically means not accessing administrator-level rights in Vista. Here are searchWinDevelopment.com's top three tips for how to develop code that works with Vista's standard user. These tips are based on a talk at PDC by Crispin Cowan, senior project manager at Microsoft's UAC team.
1. Don't rely on UAC -- or ignore it
User account control was designed to be a temporary tool -- or, as Cowan put it, "a softer, gentler standard user." Under Vista, administrator users are actually standard users who are allowed to launch applications with administrator approval -- as long as they go through the UAC prompt. Standard users can elevate applications using the over the shoulder (OTS) prompt, which requires an administrator's login. This introduction to UAC for developers will also teach you how to avoid the UAC prompt altogether by developing programs for standard users.
2. Elevate to administrator mode correctly
Of course, sometimes you legitimately need administrator access. For instance, management tools often need to write to those tender bits of the operating system, as do installers that install for more than just the current user. In those cases, there's a wrong way and three right ways to get elevated privileges. In increasing order of sophistication (and decreasing order of ease), those are: launching a new, elevated process; creating a privileged COM object with its own GUI; and refactoring the privileged code into services or tasks, their successors in Vista, tasks. An unprivileged application can't dynamically elevate itself, and a privileged application can't dynamically restrict itself to standard user permissions; this tip will show you how to elevate into administrator mode with UAC safely in Vista.
3. Know what to do, and what not to do, with administrator privileges
The whole point of UAC is to get applications away from the habit of running in administrator mode unnecessarily. Just as important as how you elevate to administrator access is knowing what you shouldn't do with it. For instance, installers that run in administrator mode (for per-machine installs) shouldn't launch read-me files or the first instance of the application, Cowan said. Our last tip in this series will show you how to write installers in Vista with UAC.
The upshot of all this is that user account control may present a painful transition for developers, but it's for a good cause. The new security model makes it harder for Trojans, viruses and other malware to do their harm silently and in the background. But here we defer to the expert, who said it as well as we could:
"The least privilege model that Vista introduced is good. It's good for the platform's security, it's good for your security. It saves us all from our own flawed software, because if everybody's running everything as administrator, then the security requirement is basically 'don't write vulnerable code,' and writing perfect code all the time is really tedious," Cowan said.
Yuval Shavit is the associate editor for searchWinDevelopment.com. Email Yuval to tell him what you thought about these tips. These tips are based on a talk by Crispin Cowan, product manage for Vista's UAC team, which he gave at Microsoft PDC. The talk, "Windows 7: Best Practices for Developing Windows Standard User" is available online.
This was first published in December 2008