Apr 3rd, 2009
In part 1 of this tutorial I have presented how to run an application with and without elevation by specifying this from another process.
However there are some situations when an application cannot be run without administrative rights. For example a system configuration utility requires administrative rights to change some global policies.
In order to force an application to run only if the current user is administrator or can provide administrative credentials you must add a manifest to the C# project.
The manifest is an XML file named <application_name>.exe.manifest with the following content:
What is important is the requestedExecutionLevel element. It specifies what permissions (execution level) the application needs in order to start. If the current user does not have the required level then an elevation window is displayed (see part one of the tutorial that describes the elevation window).
The default value of requestedExecutionLevel if it is not specified in the manifest or the manifest does not exist is asInvoker. Except asInvoker and requireAdministrator there is another execution level. All three are described below:
|asInvoker||The application runs with the same access token as the parent process.||Recommended for standard user applications. Do refractoring with internal elevation points, as per the guidance provided earlier in this document.|
|highestAvailable||The application runs with the highest privileges the current user can obtain.||Recommended for mixed-mode applications. Plan to refractor the application in a future release.|
|requireAdministrator||The application runs only for administrators and requires that the application be launched with the full access token of an administrator.||Recommended for administrator only applications. Internal elevation points are not needed. The application is already running elevated.|
In order to embed the manifest in the aplication’s executable you can choose one of the following options:
1. The hard way – mt.exe
The Mt.exe file is a tool that generates signed files and catalogs. It is available in the Microsoft Windows Software Development Kit (SDK). Mt.exe requires that the file referenced in the manifest be present in the same directory as the manifest.
The manifest will be embedded after a successful build so we need to add this the call of Mt.exe in the post-build event. In order to do this right click the project -> Properties -> Choose “Build Events” from the vertical left tabs.
Mt.exe is found in many places on disk so the path to it might be different on your configuration. The post build command is:
“C:Program FilesMicrosoft.NETSDKv2.0 64bitBinmt.exe” -manifest “$(ProjectDir)$(TargetName).exe.manifest” –outputresource:”$(TargetDir)$(TargetFileName)”;#1
Make sure the paths to mt.exe and the .manifest file are correct. You should get something like this:
This method has a drawback. If you start the application with debugging from Visual Studio it will start with limited privileges. Running without debugging will ask you to elevate the parent process (in our case Visual Studio).
2. The easy way – designer
Just create the manifest file, include it in visual studio, go to the “Application” tab in project’s properties and choose the manifest file from the Manifest combo box.
This method that has another advantage. Even if running with Debug you will still be prompted to elevate Visual Studio.
The source code can be downloaded below (it is the application from part 1 but includes the manifest file):
IMPORTANT: This tutorial is useless if you disabled UAC because all you processes (considering you are the administrator) run elevated.