Email Password Remember me?  Lost your password?

Introduction

This article describes how to elevate your program in Windows startup in Vista. Elevating an application is so easy, but it's not easy registering an application in startup.

Background

This article requires readers to have some background.
Firstly, it's important to understanding Vista's UAC. UAC is too complex to understand. Hence, this article does not have any information about UAC.
Secondly, MFC and API knowledge are required since the sample code of this article uses MFC and API.

Vista and Windows Startup

Many programs need to run at Windows startup.

In Windows XP, run at startup was not big deal. But, it became a big deal in Windows Vista. Windows Vista's new protection features restrict a startup program which wants to run as administrator. (It needs to elevate.)

If your application does not need an administrator privilege, there is nothing to do for migration to Windows Vista. But, if your application need an administrator privilege, your application can't run at startup because Vista's new protection blocks your program.

It seems to be impossible to run an administrator privileged program at Windows startup in Vista. But, there is a way to do it (even if it is not the same as XP).

This article describes Windows Vista's protection and a possible method to figure out our problem.

Another Way

To find another way, we have to think about the architecture of protection software. Start with this:

"Windows Vista is allowed to run software which does not need an administrator privilege."

So, one possible method is as follows:

• We have to create a normal program which does not need an administrator privilege. (New protection does not block none privilege application.)
• That normally has to elevate itself with CreateProcess and terminate.

The following pseudo code shows it:

void Main()
{
    if(IsVista() == TRUE && Elevation() == FALSE) {
        ElevationItself();
        Terminate();
    }
}

C++ Code (MFC)

Pseudo code is easy, but real code is not.

CString g_szProgramFolder;
CString g_szCmdLine;

BOOL RunAsAdministrator(LPSTR lpszFileName, LPSTR lpszDirectory)
{
    SHELLEXECUTEINFOA TempInfo = {0};

    TempInfo.cbSize = sizeof(SHELLEXECUTEINFOA);
    TempInfo.fMask = 0;
    TempInfo.hwnd = NULL;
    TempInfo.lpVerb = "runas";
    TempInfo.lpFile = lpszFileName;
    TempInfo.lpParameters = "runasadmin";
    TempInfo.lpDirectory = lpszDirectory;
    TempInfo.nShow = SW_NORMAL;

    BOOL bRet = ::ShellExecuteExA(&TempInfo);

    return bRet;
}

BOOL CMFCApplication::InitInstance()
{
    char szCurFolder[1024] = { 0, };
    GetModuleFileName(GetModuleHandle(NULL), szCurFolder, 1023);

    CString szFullPath = szCurFolder;
    szFullPath = szFullPath.Left(szFullPath.ReverseFind('\\'));

    g_szProgramFolder = szFullPath;

    CCommandLineInfo oCmdLineInfo;
    ParseCommandLine(oCmdLineInfo);

    g_szCmdLine = oCmdLineInfo.m_strFileName;

    if(IsVista()) {
        if(stricmp(g_szCmdLine, "elevation") == 0) {
            char szCmdLine[1024] = { 0, };
            char szCurFileName[1024] = { 0, };
            GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

            BOOL bRet = 
                RunAsAdministrator( szCurFileName, (LPSTR)(LPCTSTR)g_szProgramFolder );

            if(bRet == TRUE) {
                return FALSE;
            }
        } else if(stricmp(g_szCmdLine, "runasadmin") == 0) {
            //
            // go trough!.
            //
        } else {
            char szCmdLine[1024] = { 0, };
            char szCurFileName[1024] = { 0, };
            GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023);

            sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);

            WinExec(szCmdLine, SW_SHOW);

            return FALSE;
        }
    }
    .
    .
    .
}

Points of Interest

RunAsAdministrator function returns FALSE when a user selects 'Cancel'. So, you can execute a program repeatedly until the user selects 'Allow'.

History

• 2008-05-16: First released

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Windows damaged after run application as elevated to write to registry [modified] Ha_Tim 21:22 15 Nov '09   I can write keys into registry following your code. (I could not before) I wrote 2 key flv and mp4 into MCI Extensions key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI Extensions This helps me to support FLV and MP4 in my application. (write keys and install a codec on the specified PC) However, after getting elevated right and adding keys, my Windows damaged on Re-start. This is the error message: File: \Windows\system32\drivres\intelide.sys Status: 0xc000000f Info: Windows failed to load because a critical system driver is missing, or corrupt. PS: I can add these keys manually and verify that everything works normally. Could I have any suggestion please? Thanks, TuanVo. Sign In·View Thread·PermaLink Full source code lemonlyt 1:41 31 Mar '09   I have some errons about my project.Can you post your full source code?Thanks very much! Sign In·View Thread·PermaLink 2.00/5 ProcessShellCommand() reports error kuan deng 7:05 18 Mar '09   After adding your code and run it in a Vista-32 machine, the ProcessShellCommand() reports error of "c:\...\runasadmin was not found." Here is my code. The 1st part is your code; the 2nd part is my original code for Windows XP and below OSs. What caould be the problem of coding? Thanks! BOOL CTrayIconApp::InitInstance() { char szMsg[256]; char szCurFolder[1024] = { 0, }; GetModuleFileName(GetModuleHandle(NULL), szCurFolder, 1023); CString szFullPath = szCurFolder; szFullPath = szFullPath.Left(szFullPath.ReverseFind('\\')); g_szProgramFolder = szFullPath; CCommandLineInfo oCmdLineInfo; ParseCommandLine(oCmdLineInfo); g_szCmdLine = oCmdLineInfo.m_strFileName; if( IsWindowsVista() ) { if(stricmp(g_szCmdLine, "elevation") == 0) { char szCmdLine[1024] = { 0, }; char szCurFileName[1024] = { 0, }; GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023); BOOL bRet = RunAsAdministrator( szCurFileName, (LPSTR)(LPCTSTR)g_szProgramFolder ); if(bRet == TRUE) { return FALSE; } } else if(stricmp(g_szCmdLine, "runasadmin") == 0) { // // go trough!. // } else { char szCmdLine[1024] = { 0, }; char szCurFileName[1024] = { 0, }; GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023); sprintf(szCmdLine, "\"%s\" elevation", szCurFileName); WinExec(szCmdLine, SW_SHOW); return FALSE; } } //IsWindowsVista // // Below are the original code!!! // // Standard initialization // If you are not using these features and wish to reduce the size // of your final executable, you should remove from the following // the specific initialization routines you do not need. #ifdef _AFXDLL Enable3dControls(); // Call this when using MFC in a shared DLL #else Enable3dControlsStatic(); // Call this when linking to MFC statically #endif // Change the registry key under which our settings are stored. // You should modify this string to be something appropriate // such as the name of your company or organization. SetRegistryKey(_T("Local AppWizard-Generated Applications")); LoadStdProfileSettings(); // Load standard INI file options (including MRU) // Register the application's document templates. Document templates // serve as the connection between documents, frame windows and views. CSingleDocTemplate* pDocTemplate; pDocTemplate = new CSingleDocTemplate( IDR_MAINFRAME, RUNTIME_CLASS(CTrayIconDoc), RUNTIME_CLASS(CMainFrame), // main SDI frame window RUNTIME_CLASS(CTrayIconView)); AddDocTemplate(pDocTemplate); // Parse command line for standard shell commands, DDE, file open CCommandLineInfo cmdInfo; ParseCommandLine(cmdInfo); // Dispatch commands specified on the command line if (!ProcessShellCommand(cmdInfo)) return FALSE; //Application stuff char traceTime[200]; initGlobals(); processMutex = OpenMutex(MUTEX_ALL_ACCESS, TRUE, LUCENTTRAYICON_MUTEX) ; if(!processMutex) { processMutex = CreateMutex(0, FALSE, LUCENTTRAYICON_MUTEX) ; } else { writeTrace("\r\r\n%s:: A instance of TrayIcon is already running, so not starting a new instance\r\r\n", getTime(traceTime)); return FALSE; } // Spawn a seperate thread to poll/communicate with another app contactIKEApp(); return TRUE; } Sign In·View Thread·PermaLink Re: ProcessShellCommand() reports error Ha_Tim 18:09 16 Nov '09   I got the same problem as your. I found that the only situation that the InitInstance continue is else if(stricmp(g_szCmdLine, "runasadmin") == 0) It is after the function RunAsAdministrator was called. The function RunAsAdministrator set some params and call ShellExecuteExA to get elevated right. Then I made some change: reset inline params in that situation. I didn't have chance to test inline call to run my application, since after get elevated and write some keys to registry, my Vista is corrupted as another my post. However, it helps me to pass your situation. if(IsWindowsVista()) { if(stricmp(g_szCmdLine, "elevation") == 0) { char szCmdLine[1024] = { 0, }; char szCurFileName[1024] = { 0, }; GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023); BOOL bRet = RunAsAdministrator( szCurFileName, (LPSTR)(LPCTSTR)g_szProgramFolder ); if(bRet == TRUE) { return FALSE; } } else if(stricmp(g_szCmdLine, "runasadmin") == 0) { // // go trough!. // //////////////////////////////////however, ignore inline params __argc=0; __targv[0]=""; //////////////////////////////////////////////////// } else { char szCmdLine[1024] = { 0, }; char szCurFileName[1024] = { 0, }; GetModuleFileName(GetModuleHandle(NULL), szCurFileName, 1023); sprintf(szCmdLine, "\"%s\" elevation", szCurFileName); WinExec(szCmdLine, SW_SHOW); return FALSE; } } Sign In·View Thread·PermaLink Source code MasterPr 0:38 23 Jun '08   Can you attach whole code to this article? Thanks. Sign In·View Thread·PermaLink 5.00/5 Re: Source code Member 3928082 1:21 18 Sep '08   How to check for isVista() i am getting error can you post the full source code? Sign In·View Thread·PermaLink 5.00/5 Re: Source code lzf8977 2:00 24 Oct '08   BOOL IsWindowsVista() { OSVERSIONINFO osif; osif.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx(&osif); if( osif.dwMajorVersion == 6 && osif.dwMinorVersion == 0 ) return TRUE; return FALSE; } Sign In·View Thread·PermaLink 5.00/5 Buffer overflow mav.northwind 21:51 17 May '08   Hi! I think your code is vulnerable to buffer overflow attacks. In sprintf(szCmdLine, "\"%s\" elevation", szCurFileName);, when you manage to create a szCurFileName of 1012 characters or more, your sprintf call will overwrite the end of the szCmdLine buffer... Regards, mav -- Black holes are the places where God divided by 0... Sign In·View Thread·PermaLink 5.00/5 Re: Buffer overflow Kwon Yong Hwi 5:36 18 May '08   Path has a limit. Basically, MAX_PATH is 256. So, 1024 is enough to make path. Sign In·View Thread·PermaLink 1.00/5 Re: Buffer overflow SteveKing 20:23 18 May '08   Nope. MAX_PATH is only the limit for most shell APIs. For most other APIs, that restriction is long gone (the limit for paths on NTFS is 64kB). Sign In·View Thread·PermaLink 5.00/5 Re: Buffer overflow Kwon Yong Hwi 4:54 19 May '08   In my experience, When I create nested folder in Windows Explorer, 64kb path length impossible. (even if NTFS format spec has 64kb length of path) Sign In·View Thread·PermaLink Re: Buffer overflow Mihai Nita 9:26 19 May '08   "The string returned will use the same format that was specified when the module was loaded. Therefore, the path can be a long or short file name, and can use the prefix "\\?\". For more information, see Naming a File." (http://msdn.microsoft.com/en-us/library/ms683197(VS.85).aspx[^]) Following the "Naming a File" link you will find this: "The Windows API has many functions that also have Unicode versions to permit a maximum path length of approximately 32,000 characters composed of components up to 255 characters each in length. To specify that kind of extended length path, use the "\\?\" prefix. For example, "\\?\D:\"." So yes, you can have 1023 characters in szCurFileName. And because the szCmdLine has 1024 (same as szCurFileName), but contains szCurFileName + something more, it is a buffer overflow danger. If the szCmdLine would be 1100 (szCurFileName + "...elevation") it would not be a buffer overflow, but a risk of failure in GetModuleHandle (and not test for that). And let's remember localization, so if "...elevation" gets translated, 1100 might still not be enough. Sign In·View Thread·PermaLink 5.00/5 Re: Buffer overflow Kwon Yong Hwi 14:45 19 May '08   Well, The method which I choose is not proper to all way. But, Many MSDN example source codes use the Path Buffer with MAX_PATH macro. MAX_PATH is 256 in Ansi, 512 in Unicode. And, I think that 1024 is enough to hold path. The reason why I use 1024 to Command Line Buffer is, szCmdLine buffer do not use any user inputs. So, If you want to exploit szCmdLine with Command Line(cmd.exe), you can do that. (Because I do not use User's Input to make szCmdLine. And I tested in Windows Explorer, I can not create following long path folder. 'C:\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\12345678901234567890123456789012345678901234567890\1234567890123456789012345678901234567890\1234567890123456789012345678901234567890' Sign In·View Thread·PermaLink Re: Buffer overflow Mihai Nita 14:42 22 May '08   Compile and run this (a quick and dirty example): #define _UNICODE #define UNICODE #include <windows.h> #include <stdio.h> #include <tchar.h> int main( void ) { TCHAR fullPathName[32000]; TCHAR *folderName = _T("\\Something kind of sort of long(ish)"); _stprintf( fullPathName, _T("\\\\?\\C:" ) ); for( int i = 0; i < 50; i++ ) { _tcsncat_s( fullPathName, _countof(fullPathName), folderName, _countof(fullPathName) ); CreateDirectory( fullPathName, NULL ); } return 0; } You can then change CreateDirectory(fullPathName, NULL) to RemoveDirectory(fullPathName) and undo the mess, because Explorer is unable to delete it Sign In·View Thread·PermaLink 5.00/5 You shouldn't display an elevation prompt at login Daniel Grunwald 7:13 17 May '08   Having to confirm a UAC prompt to login will annoy the user extremely. That's why Vista blocks elevation prompts for startup programs. If you need to run an application with administrator rights on logon, you have two choices: 1) Start it using the task scheduler. You can start silently elevated apps on logon this way. WARNING: if your application has any way to start other programs on the user's request (e.g. it's displaying a "Open file" dialog where the user could Right-click>Run on .exe files), that's a security vulnerability! Better (and suggested by Microsoft): 2) Make your app not require administrator rights. For actions where administrator rights are absolutely required, make the app call into a Windows service running in the background with the necessary permissions. Here, too, you need to take care that your service is secured correctly, but this approach is better because here less code needs to run with admin privileges. Sign In·View Thread·PermaLink 3.00/5 Re: You shouldn't display an elevation prompt at login axelriet 16:00 17 May '08   2) Make your app not require administrator rights Oh yes!! Sign In·View Thread·PermaLink Re: You shouldn't display an elevation prompt at login Leo Davidson 8:36 18 May '08   Another option is to make the app into a service. Vista will enforce UI isolation in that case, as well, which is a bonus. If you need a front-end then you can have a non-admin client which connects to the service via some kind of RPC. Sign In·View Thread·PermaLink 1.75/5

Last Visit: 7:55 24 Nov '09     Last Update: 7:55 24 Nov '09 1