Board index » delphi » Delphi 2007 and UAC

D2007 and UAC


2007-08-21 03:14:01 PM
delphi136
Hello,
any plan to add a expert in Delphi 2007 for creating Vista manifest for
avoiding all the UAC problems ?
Thanks
John
 
 

Re:D2007 and UAC

Thanks for your reply.
Quote
I still think you would need to sign your executables to completely avoid
UAC prompts.
and how do you sign them ?
Thanks
John
 

Re:D2007 and UAC

Quote
I still think you would need to sign your executables to completely
avoid UAC prompts.
You can not *avoid* UAC prompts.
If anything, manifest with requireAdministrator actually *ensures* that
user will get a prompt. On the other hand, asInvoker requires you to
write elevation-enabled code to obtain administrative permissions. But
this will still trigger a prompt. For a developer, there is simply no
way around it.
That said, putting a digital signature on the executable does make the
prompts look more friendly (or at least less threatening).
See tinyurl.com/32hjaj for detailed explanation.
--
Regards,
Aleksander Oven
 

Re:D2007 and UAC

Aleksander Oven writes:
Quote
If anything, manifest with requireAdministrator actually ensures that
user will get a prompt. On the other hand, asInvoker requires you to
write elevation-enabled code to obtain administrative permissions. But
this will still trigger a prompt. For a developer, there is simply no
way around it.
How about writing a service that runs as Admin and posting the requests
to the service?
--
Dean
 

Re:D2007 and UAC

Thanks Aleksander
 

Re:D2007 and UAC

Quote
How about writing a service that runs as Admin and posting the
requests to the service?
Technically, you could consider this a workaround, yes. But I am not sure
that's what John had in mind. :)
--
Regards,
Aleksander Oven
 

Re:D2007 and UAC

Hi John,
Quote

and how do you sign them ?

You need to get a code signing certificate.
Cheers Stu
 

Re:D2007 and UAC

Quote

You can not *avoid* UAC prompts.

If your application has a manifest with asInvoker and is signed do you still get a UAC prompt?
I thought that you only got a prompt for applications which need Administrator access.
Cheers Stu
 

Re:D2007 and UAC

Stuart Kelly writes:
Quote
If your application has a manifest with asInvoker and is signed do you still get a UAC prompt?
No, you don't (and it doesn't need to be signed). Signing just changes
how the UAC prompt looks. However, if your application needs
administrative rights for some action, having this manifest will only
prevent the UAC prompt on startup. You'd then have to programmatically
invoke elevation later in your application, which would still result in
a UAC prompt.
 

Re:D2007 and UAC

Aleksander Oven writes:
Quote
Technically, you could consider this a workaround, yes. But I am not
sure that is what John had in mind. :)
If I needed to do something from an app that otherwise did not need
Admin rights, I'd go this route. it is safer to restrict the
portions that need admin rights to their own app IMO.
--
Dean
 

Re:D2007 and UAC

Quote
If I needed to do something from an app that otherwise did not need
Admin rights, I'd go this route. it is safer to restrict the
portions that need admin rights to their own app IMO.
Agreed. However, installing a service is often an overkill. Most of the
time it would just be sitting there, doing nothing but cluttering
the system.
There's also a middle ground -- you can put the privileged code in a
separate non-service app, that runs elevated (i.e. it has the
requireAdministrator manifest) and run it the first time your asInvoker
app needs something from it, then shut it down when the main app shuts
down.
This way, the user will only see the prompt the first time after they
run their app and not again until they restart it, which is a definite
advantage over the ask-every-single-time COM DLL variant. I believe
Total Commander does something like that on Vista.
--
Regards,
Aleksander Oven
 

Re:D2007 and UAC

"Nathanial Woolls":
Quote
Stuart Kelly writes:

>If your application has a manifest with asInvoker and is signed do you
>still get a UAC prompt?

No, you don't (and it doesn't need to be signed). Signing just changes how
the UAC prompt looks. However, if your application needs administrative
rights for some action, having this manifest will only prevent the UAC
prompt on startup. You'd then have to programmatically invoke elevation
later in your application, which would still result in a UAC prompt.
Unless I am mis-reading this, it sounds like you are suggesting
a process can be elevated after it is started. That is not possible.
If admin rights are required, you either need to start the process
elevated, or launch a separate EXE elevated from a non-elevated
process.