CodeProject: How to Elevate Your Application at Windows Startup in Vista. Free source code and programming help

Announcements

	Windows 7 Comp Win a laptop!
	Monthly Competition

Articles

Desktop Development

Web Development

Enterprise Systems

Content Management Server

Microsoft BizTalk Server

SQL Reporting Services

Platforms, Frameworks & Libraries

Windows Communication Foundation

Windows Presentation Foundation

Windows Workflow Foundation

Cryptography & Security

Threads, Processes & IPC

WinHelp / HTMLHelp

Uncategorised Quick Answers

Graphics / Design

Expression

Usability

Development Lifecycle

Debug Tips

Design and Architecture

Uncategorised Technical Blogs

Services

Code-signing Certificates

Job Board

CodeProject VS2008 Addin

Feature Zones

Product Showcase

Code Signing Resources

WhitePapers / Webcasts

ASP.NET Web Hosting

Advanced Search
Add to IE Search

Discuss

Report

5 votes for this article.

Popularity: 1.75 Rating: 2.50 out of 5

Introduction

This article describes how to elevate your program in Windows startup in Vista. Elevating an application is so easy, but it's not easy registering an application in startup.

Background

This article requires readers to have some background.
Firstly, it's important to understanding Vista's UAC. UAC is too complex to understand. Hence, this article does not have any information about UAC.
Secondly, MFC and API knowledge are required since the sample code of this article uses MFC and API.

Vista and Windows Startup

Many programs need to run at Windows startup.

In Windows XP, run at startup was not big deal. But, it became a big deal in Windows Vista. Windows Vista's new protection features restrict a startup program which wants to run as administrator. (It needs to elevate.)

If your application does not need an administrator privilege, there is nothing to do for migration to Windows Vista. But, if your application need an administrator privilege, your application can't run at startup because Vista's new protection blocks your program.

It seems to be impossible to run an administrator privileged program at Windows startup in Vista. But, there is a way to do it (even if it is not the same as XP).

This article describes Windows Vista's protection and a possible method to figure out our problem.

Another Way

To find another way, we have to think about the architecture of protection software. Start with this:

"Windows Vista is allowed to run software which does not need an administrator privilege."

So, one possible method is as follows:

We have to create a normal program which does not need an administrator privilege. (New protection does not block none privilege application.)
That normally has to elevate itself with CreateProcess and terminate.

The following pseudo code shows it:

void Main()
{
    if(IsVista() == TRUE && Elevation() == FALSE) {
        ElevationItself();
        Terminate();
    }
}

C++ Code (MFC)

Pseudo code is easy, but real code is not.

CString g_szProgramFolder;
CString g_szCmdLine;

BOOL RunAsAdministrator(LPSTR lpszFileName, LPSTR lpszDirectory)
{
    SHELLEXECUTEINFOA TempInfo = {0};

    TempInfo.cbSize = sizeof(SHELLEXECUTEINFOA);
    TempInfo.fMask = 0;
    TempInfo.hwnd = NULL;
    TempInfo.lpVerb = "runas";
    TempInfo.lpFile = lpszFileName;
    TempInfo.lpParameters = "runasadmin";
    TempInfo.lpDirectory = lpszDirectory;
    TempInfo.nShow = SW_NORMAL;

    BOOL bRet = ::ShellExecuteExA(&TempInfo);

    return bRet;
}

BOOL CMFCApplication::InitInstance()
{
    char szCurFolder[1024] = { 0, };
    GetModuleFileName(GetModuleHandle(NULL), szCurFolder, 1023);

    CString szFullPath = szCurFolder;
    szFullPath = szFullPath.Left(szFullPath.ReverseFind('\\'));

    g_szProgramFolder = szFullPath;

    CCommandLineInfo oCmdLineInfo;
    ParseCommandLine(oCmdLineInfo);

    g_szCmdLine = oCmdLineInfo.m_strFileName;

    if(IsVista()) {
        if(stricmp(g_szCmdLine, "elevation") == 0) {
            char szCmdLine[1024] = { 0, };
            char szCurFileName[1024] = { 0, };
            GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

            BOOL bRet = 
                RunAsAdministrator( szCurFileName, (LPSTR)(LPCTSTR)g_szProgramFolder );

            if(bRet == TRUE) {
                return FALSE;
            }
        } else if(stricmp(g_szCmdLine, "runasadmin") == 0) {
            //
            // go trough!.
            //
        } else {
            char szCmdLine[1024] = { 0, };
            char szCurFileName[1024] = { 0, };
            GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

            sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);

            WinExec(szCmdLine, SW_SHOW);

            return FALSE;
        }
    }
    .
    .
    .
}

Points of Interest

RunAsAdministrator function returns FALSE when a user selects 'Cancel'. So, you can execute a program repeatedly until the user selects 'Allow'.

History

2008-05-16: First released

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Kwon Yong Hwi

Member

I have an experience of C++, Windows Programming.
These days, Programming with Visual C++ and Windows Platform such as COM. And I often explore something new to research.
I release some freewares on my website (http://rodream.net)

- Microsoft Most Valuable Professional (Visual C++ Part)

Occupation:	Software Developer
Location:	Korea, Republic Of

Other popular Vista Security articles:

Vista UAC: The Definitive Guide
Learn how UAC operates behind the scenes. Use the Elevate package to start multiple elevated processes but only display one UAC elevation dialog from a non-elevated process.
Subverting Vista UAC in Both 32 and 64 bit Architectures
This article illustrates how to bypass Vista UAC as well as how to correctly launch an interactive process from a Windows Service.
A Developer's Survival Guide to IE Protected Mode
Busted features? APIs failing? Use this guide to get your IE plugin up and running again in protected mode!
Next Generation of Cryptography for Microsoft Windows Vista
Cryptography API: Next Generation (CNG) is the latest cryptographic infrastructure in Windows Vista™ which supports new APIs, unified user and kernel mode, agile cryptography, new cipher suits and improved auditing
Simple way to crypt a file with CNG
Cryptography API: The Next Generation (CNG) - How to crypt documents with C++ programming (without an understanding of cryptography or security)

Article Top

You must Sign In to use this message board.

FAQ
Noise Tolerance Layout Per page

Msgs 1 to 15 of 15 (Total in Forum: 15) (Refresh)

FirstPrevNext

Full source code

lemonlyt

1:41 31 Mar '09

I have some errons about my project.Can you post your full source code?Thanks very much!
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

ProcessShellCommand() reports error

kuan deng

7:05 18 Mar '09

After adding your code and run it in a Vista-32 machine, the ProcessShellCommand() reports error of "c:\...\runasadmin was not found."

Here is my code. The 1st part is your code; the 2nd part is my original code for Windows XP and below OSs.

What caould be the problem of coding?

Thanks!

BOOL CTrayIconApp::InitInstance()
{

  char szMsg[256];
  char szCurFolder[1024] = { 0, };
  GetModuleFileName(GetModuleHandle(NULL), szCurFolder, 1023);

  CString szFullPath = szCurFolder;
  szFullPath = szFullPath.Left(szFullPath.ReverseFind('\\'));

  g_szProgramFolder = szFullPath;

  CCommandLineInfo oCmdLineInfo;
  ParseCommandLine(oCmdLineInfo);

  g_szCmdLine = oCmdLineInfo.m_strFileName;

  if( IsWindowsVista() ) 
  {
    if(stricmp(g_szCmdLine, "elevation") == 0) 
    {
      char szCmdLine[1024] = { 0, };
      char szCurFileName[1024] = { 0, };
      GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);
      BOOL bRet = RunAsAdministrator( szCurFileName, (LPSTR)(LPCTSTR)g_szProgramFolder );
      if(bRet == TRUE) 
      {
        return FALSE;
      }
    } 
    else if(stricmp(g_szCmdLine, "runasadmin") == 0) {
      //
      // go trough!.
      //
    } 
    else
    {
      char szCmdLine[1024] = { 0, };
      char szCurFileName[1024] = { 0, };
      GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

      sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);
      WinExec(szCmdLine, SW_SHOW);
      return FALSE;
    }
 } //IsWindowsVista

//
// Below are the original code!!!
//
// Standard initialization
// If you are not using these features and wish to reduce the size
// of your final executable, you should remove from the following
// the specific initialization routines you do not need.

#ifdef _AFXDLL
    Enable3dControls();	// Call this when using MFC in a shared DLL
#else
    Enable3dControlsStatic();	// Call this when linking to MFC statically
#endif

 // Change the registry key under which our settings are stored.
 // You should modify this string to be something appropriate
 // such as the name of your company or organization.
 SetRegistryKey(_T("Local AppWizard-Generated Applications"));
 LoadStdProfileSettings();  // Load standard INI file options (including MRU)

 // Register the application's document templates.  Document templates
 //  serve as the connection between documents, frame windows and views.

  CSingleDocTemplate* pDocTemplate;
  pDocTemplate = new CSingleDocTemplate(
		IDR_MAINFRAME,
		RUNTIME_CLASS(CTrayIconDoc),
		RUNTIME_CLASS(CMainFrame),       // main SDI frame window
		RUNTIME_CLASS(CTrayIconView));
	AddDocTemplate(pDocTemplate);

  // Parse command line for standard shell commands, DDE, file open
  CCommandLineInfo cmdInfo;
  ParseCommandLine(cmdInfo);

  // Dispatch commands specified on the command line
  if (!ProcessShellCommand(cmdInfo))
	return FALSE;

  //Application stuff
  char	traceTime[200];
  initGlobals();

  processMutex = OpenMutex(MUTEX_ALL_ACCESS, TRUE,  LUCENTTRAYICON_MUTEX) ;
  if(!processMutex)
  {
    processMutex = CreateMutex(0, FALSE, LUCENTTRAYICON_MUTEX) ;
  }
  else
  { 
    writeTrace("\r\r\n%s:: A instance of TrayIcon is already running, so not starting a new instance\r\r\n", getTime(traceTime));
    return FALSE; 
  }
	
  // Spawn a seperate thread to poll/communicate with another app
  contactIKEApp();

  return TRUE;

}

Source code

MasterPr

0:38 23 Jun '08

Can you attach whole code to this article? Thanks.
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: Source code

Member 3928082

1:21 18 Sep '08

How to check for isVista() i am getting error can you post the full source code?
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: Source code

lzf8977

2:00 24 Oct '08

BOOL IsWindowsVista() { OSVERSIONINFO osif; osif.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&osif); if( osif.dwMajorVersion == 6 && osif.dwMinorVersion == 0 ) return TRUE; return FALSE; }
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Buffer overflow

mav.northwind

21:51 17 May '08

Hi! I think your code is vulnerable to buffer overflow attacks. In `sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);`, when you manage to create a `szCurFileName` of 1012 characters or more, your sprintf call will overwrite the end of the `szCmdLine` buffer... Regards, mav -- Black holes are the places where God divided by 0...
Sign In·View Thread·PermaLink	5.00/5 (2 votes)

Re: Buffer overflow

Kwon Yong Hwi

5:36 18 May '08

Path has a limit. Basically, MAX_PATH is 256. So, 1024 is enough to make path.
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

Re: Buffer overflow

SteveKing

20:23 18 May '08

Nope. MAX_PATH is only the limit for most shell APIs. For most other APIs, that restriction is long gone (the limit for paths on NTFS is 64kB).
Sign In·View Thread·PermaLink	5.00/5 (2 votes)

Re: Buffer overflow

Kwon Yong Hwi

4:54 19 May '08

In my experience, When I create nested folder in Windows Explorer, 64kb path length impossible. (even if NTFS format spec has 64kb length of path)
Sign In·View Thread·PermaLink

Re: Buffer overflow

Mihai Nita

9:26 19 May '08

"The string returned will use the same format that was specified when the module was loaded. Therefore, the path can be a long or short file name, and can use the prefix "\\?\". For more information, see Naming a File."
(http://msdn.microsoft.com/en-us/library/ms683197(VS.85).aspx[^])

Following the "Naming a File" link you will find this:
"The Windows API has many functions that also have Unicode versions to permit a maximum path length of approximately 32,000 characters composed of components up to 255 characters each in length. To specify that kind of extended length path, use the "\\?\" prefix. For example, "\\?\D:\"."

So yes, you can have 1023 characters in szCurFileName.
And because the szCmdLine has 1024 (same as szCurFileName), but contains szCurFileName + something more, it is a buffer overflow danger.

If the szCmdLine would be 1100 (szCurFileName + "...elevation") it would not be a buffer overflow, but a risk of failure in GetModuleHandle (and not test for that).

And let's remember localization, so if "...elevation" gets translated, 1100 might still not be enough.

5.00/5 (1 vote)

Re: Buffer overflow

Kwon Yong Hwi

14:45 19 May '08

Well, The method which I choose is not proper to all way.

But, Many MSDN example source codes use the Path Buffer with MAX_PATH macro.

MAX_PATH is 256 in Ansi, 512 in Unicode.

And, I think that 1024 is enough to hold path.

The reason why I use 1024 to Command Line Buffer is,

szCmdLine buffer do not use any user inputs.

So, If you want to exploit szCmdLine with Command Line(cmd.exe), you can do that. (Because I do not use User's Input to make szCmdLine.

And I tested in Windows Explorer,

I can not create following long path folder.

'C:\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\1234567890123456789012345678901234567890\1234567890123456789012345678901234567890'

Re: Buffer overflow

Mihai Nita

14:42 22 May '08

Compile and run this (a quick and dirty example):


#define _UNICODE
#define UNICODE

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

int main( void ) {
	TCHAR fullPathName[32000];
	TCHAR *folderName = _T("\\Something kind of sort of long(ish)");

	_stprintf( fullPathName, _T("\\\\?\\C:" ) );
	for( int i = 0; i < 50; i++ ) {
		_tcsncat_s( fullPathName, _countof(fullPathName), folderName, _countof(fullPathName) );
		CreateDirectory( fullPathName, NULL );
	}

	return 0;
}

You can then change CreateDirectory(fullPathName, NULL) to RemoveDirectory(fullPathName) and undo the mess, because Explorer is unable to delete it Big Grin

5.00/5 (1 vote)

You shouldn't display an elevation prompt at login

Daniel Grunwald

7:13 17 May '08

Having to confirm a UAC prompt to login will annoy the user extremely.
That's why Vista blocks elevation prompts for startup programs.

If you need to run an application with administrator rights on logon, you have two choices:
1) Start it using the task scheduler. You can start silently elevated apps on logon this way. WARNING: if your application has any way to start other programs on the user's request (e.g. it's displaying a "Open file" dialog where the user could Right-click>Run on .exe files), that's a security vulnerability!

Better (and suggested by Microsoft):
2) Make your app not require administrator rights. For actions where administrator rights are absolutely required, make the app call into a Windows service running in the background with the necessary permissions. Here, too, you need to take care that your service is secured correctly, but this approach is better because here less code needs to run with admin privileges.

3.00/5 (2 votes)

Re: You shouldn't display an elevation prompt at login

axelriet

16:00 17 May '08

2) Make your app not require administrator rights Oh yes!!
Sign In·View Thread·PermaLink

Re: You shouldn't display an elevation prompt at login

Leo Davidson

8:36 18 May '08

Another option is to make the app into a service. Vista will enforce UI isolation in that case, as well, which is a bonus. If you need a front-end then you can have a non-admin client which connects to the service via some kind of RPC.
Sign In·View Thread·PermaLink	1.75/5 (4 votes)

Last Visit: 16:04 8 Nov '09 Last Update: 16:04 8 Nov '09

General News Question Answer Joke Rant Admin

PermaLink | Privacy | Terms of Use
Last Updated: 17 May 2008
Editor: Deeksha Shenoy