CodeProject: How to Elevate Your Application at Windows Startup in Vista. Free source code and programming help

Report Article

Discuss

Send to a friend

5 votes for this Article.

Popularity: 1.75 Rating: 2.50 out of 5

Introduction

This article describes how to elevate your program in Windows startup in Vista. Elevating an application is so easy, but it's not easy registering an application in startup.

Background

This article requires readers to have some background.
Firstly, it's important to understanding Vista's UAC. UAC is too complex to understand. Hence, this article does not have any information about UAC.
Secondly, MFC and API knowledge are required since the sample code of this article uses MFC and API.

Vista and Windows Startup

Many programs need to run at Windows startup.

In Windows XP, run at startup was not big deal. But, it became a big deal in Windows Vista. Windows Vista's new protection features restrict a startup program which wants to run as administrator. (It needs to elevate.)

If your application does not need an administrator privilege, there is nothing to do for migration to Windows Vista. But, if your application need an administrator privilege, your application can't run at startup because Vista's new protection blocks your program.

It seems to be impossible to run an administrator privileged program at Windows startup in Vista. But, there is a way to do it (even if it is not the same as XP).

This article describes Windows Vista's protection and a possible method to figure out our problem.

Another Way

To find another way, we have to think about the architecture of protection software. Start with this:

"Windows Vista is allowed to run software which does not need an administrator privilege."

So, one possible method is as follows:

We have to create a normal program which does not need an administrator privilege. (New protection does not block none privilege application.)
That normally has to elevate itself with CreateProcess and terminate.

The following pseudo code shows it:

void Main()
{
    if(IsVista() == TRUE && Elevation() == FALSE) {
        ElevationItself();
        Terminate();
    }
}

C++ Code (MFC)

Pseudo code is easy, but real code is not.

CString g_szProgramFolder;
CString g_szCmdLine;

BOOL RunAsAdministrator(LPSTR lpszFileName, LPSTR lpszDirectory)
{
    SHELLEXECUTEINFOA TempInfo = {0};

    TempInfo.cbSize = sizeof(SHELLEXECUTEINFOA);
    TempInfo.fMask = 0;
    TempInfo.hwnd = NULL;
    TempInfo.lpVerb = "runas";
    TempInfo.lpFile = lpszFileName;
    TempInfo.lpParameters = "runasadmin";
    TempInfo.lpDirectory = lpszDirectory;
    TempInfo.nShow = SW_NORMAL;

    BOOL bRet = ::ShellExecuteExA(&TempInfo);

    return bRet;
}

BOOL CMFCApplication::InitInstance()
{
    char szCurFolder[1024] = { 0, };
    GetModuleFileName(GetModuleHandle(NULL), szCurFolder, 1023);

    CString szFullPath = szCurFolder;
    szFullPath = szFullPath.Left(szFullPath.ReverseFind('\\'));

    g_szProgramFolder = szFullPath;

    CCommandLineInfo oCmdLineInfo;
    ParseCommandLine(oCmdLineInfo);

    g_szCmdLine = oCmdLineInfo.m_strFileName;

    if(IsVista()) {
        if(stricmp(g_szCmdLine, "elevation") == 0) {
            char szCmdLine[1024] = { 0, };
            char szCurFileName[1024] = { 0, };
            GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

            BOOL bRet = 
                RunAsAdministrator( szCurFileName, (LPSTR)(LPCTSTR)g_szProgramFolder );

            if(bRet == TRUE) {
                return FALSE;
            }
        } else if(stricmp(g_szCmdLine, "runasadmin") == 0) {
            //
            // go trough!.
            //
        } else {
            char szCmdLine[1024] = { 0, };
            char szCurFileName[1024] = { 0, };
            GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

            sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);

            WinExec(szCmdLine, SW_SHOW);

            return FALSE;
        }
    }
    .
    .
    .
}

Points of Interest

RunAsAdministrator function returns FALSE when a user selects 'Cancel'. So, you can execute a program repeatedly until the user selects 'Allow'.

History

2008-05-16: First released

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Kwon Yong Hwi

I have an experience of C++, Windows Programming.
These days, Programming with Visual C++ and Windows Platform such as COM. And I often explore something new to research.
I release some freewares on my website (http://rodream.net)

- Microsoft Most Valuable Professional (Visual C++ Part)

Occupation:	Software Developer
Location:	Korea, Republic Of

Other popular Vista Security articles:

Vista UAC: The Definitive Guide
Learn how UAC operates behind the scenes. Use the Elevate package to start multiple elevated processes but only display one UAC elevation dialog from a non-elevated process.
A Developer's Survival Guide to IE Protected Mode
Busted features? APIs failing? Use this guide to get your IE plugin up and running again in protected mode!
Next Generation of Cryptography for Microsoft Windows Vista
Cryptography API: Next Generation (CNG) is the latest cryptographic infrastructure in Windows Vista™ which supports new APIs, unified user and kernel mode, agile cryptography, new cipher suits and improved auditing
Simple way to crypt a file with CNG
Cryptography API: The Next Generation (CNG) - How to crypt documents with C++ programming (without an understanding of cryptography or security)
Launch your application in Vista under the local system account without the UAC popup
This article describes how to launch an application from session 0 to session 1 under the local system account using a service helper application

Article Top

You must Sign In to use this message board.

Msgs 1 to 12 of 12 (Total in Forum: 12) (Refresh)

FirstPrevNext

Subject

Author

Date

Source code

MasterPr

0:38 23 Jun '08

Can you attach whole code to this article? Thanks.
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: Source code

Member 3928082

1:21 18 Sep '08

How to check for isVista() i am getting error can you post the full source code?
Sign In·View Thread·PermaLink

Buffer overflow

mav.northwind

21:51 17 May '08

Hi! I think your code is vulnerable to buffer overflow attacks. In `sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);`, when you manage to create a `szCurFileName` of 1012 characters or more, your sprintf call will overwrite the end of the `szCmdLine` buffer... Regards, mav -- Black holes are the places where God divided by 0...
Sign In·View Thread·PermaLink	5.00/5 (2 votes)

Re: Buffer overflow

Kwon Yong Hwi

5:36 18 May '08

Path has a limit. Basically, MAX_PATH is 256. So, 1024 is enough to make path.
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Re: Buffer overflow

SteveKing

20:23 18 May '08

Nope. MAX_PATH is only the limit for most shell APIs. For most other APIs, that restriction is long gone (the limit for paths on NTFS is 64kB).
Sign In·View Thread·PermaLink	5.00/5 (2 votes)

Re: Buffer overflow

Kwon Yong Hwi

4:54 19 May '08

In my experience, When I create nested folder in Windows Explorer, 64kb path length impossible. (even if NTFS format spec has 64kb length of path)
Sign In·View Thread·PermaLink

Re: Buffer overflow

Mihai Nita

9:26 19 May '08

"The string returned will use the same format that was specified when the module was loaded. Therefore, the path can be a long or short file name, and can use the prefix "\\?\". For more information, see Naming a File."
(http://msdn.microsoft.com/en-us/library/ms683197(VS.85).aspx[^])

Following the "Naming a File" link you will find this:
"The Windows API has many functions that also have Unicode versions to permit a maximum path length of approximately 32,000 characters composed of components up to 255 characters each in length. To specify that kind of extended length path, use the "\\?\" prefix. For example, "\\?\D:\"."

So yes, you can have 1023 characters in szCurFileName.
And because the szCmdLine has 1024 (same as szCurFileName), but contains szCurFileName + something more, it is a buffer overflow danger.

If the szCmdLine would be 1100 (szCurFileName + "...elevation") it would not be a buffer overflow, but a risk of failure in GetModuleHandle (and not test for that).

And let's remember localization, so if "...elevation" gets translated, 1100 might still not be enough.

5.00/5 (1 vote)

Re: Buffer overflow

Kwon Yong Hwi

14:45 19 May '08

Well, The method which I choose is not proper to all way.

But, Many MSDN example source codes use the Path Buffer with MAX_PATH macro.

MAX_PATH is 256 in Ansi, 512 in Unicode.

And, I think that 1024 is enough to hold path.

The reason why I use 1024 to Command Line Buffer is,

szCmdLine buffer do not use any user inputs.

So, If you want to exploit szCmdLine with Command Line(cmd.exe), you can do that. (Because I do not use User's Input to make szCmdLine.

And I tested in Windows Explorer,

I can not create following long path folder.

'C:\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\1234567890123456789012345678901234567890\1234567890123456789012345678901234567890'

Re: Buffer overflow

Mihai Nita

14:42 22 May '08

Compile and run this (a quick and dirty example):


#define _UNICODE
#define UNICODE

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int main( void ) {
	TCHAR fullPathName[32000];
	TCHAR *folderName = _T("\\Something kind of sort of long(ish)");

	_stprintf( fullPathName, _T("\\\\?\\C:" ) );
	for( int i = 0; i < 50; i++ ) {
		_tcsncat_s( fullPathName, _countof(fullPathName), folderName, _countof(fullPathName) );
		CreateDirectory( fullPathName, NULL );
	}

	return 0;
}

You can then change CreateDirectory(fullPathName, NULL) to RemoveDirectory(fullPathName) and undo the mess, because Explorer is unable to delete it Big Grin

5.00/5 (1 vote)

You shouldn't display an elevation prompt at login

Daniel Grunwald

7:13 17 May '08

Having to confirm a UAC prompt to login will annoy the user extremely.
That's why Vista blocks elevation prompts for startup programs.

If you need to run an application with administrator rights on logon, you have two choices:
1) Start it using the task scheduler. You can start silently elevated apps on logon this way. WARNING: if your application has any way to start other programs on the user's request (e.g. it's displaying a "Open file" dialog where the user could Right-click>Run on .exe files), that's a security vulnerability!

Better (and suggested by Microsoft):
2) Make your app not require administrator rights. For actions where administrator rights are absolutely required, make the app call into a Windows service running in the background with the necessary permissions. Here, too, you need to take care that your service is secured correctly, but this approach is better because here less code needs to run with admin privileges.

3.00/5 (2 votes)

Re: You shouldn't display an elevation prompt at login

axelriet

16:00 17 May '08

2) Make your app not require administrator rights Oh yes!!
Sign In·View Thread·PermaLink

Re: You shouldn't display an elevation prompt at login

Leo Davidson

8:36 18 May '08

Another option is to make the app into a service. Vista will enforce UI isolation in that case, as well, which is a bonus. If you need a front-end then you can have a non-admin client which connects to the service via some kind of RPC.
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Last Visit: Wednesday, October 15, 2008 6:19 PM Last Update:Wednesday, October 15, 2008 6:19 PM

General News Question Answer Joke Rant Admin