After posting the blog Programming Elevated Privilege / UAC, I realized I should post a separate blog to discuss UAC first.
Before Windows NT (Windows 3.1, Windows 95, 98), there was no concept of a user or of user privileges. At that time Windows was built on top of DOS, and DOS is a very simple operating system. When programming under Windows 3.1, I used to access physical memory directly! Windows 95 and 98 made some improvements, but the kernel did not change. That is the main reason Windows was not considered a real operating system at that time.
Windows 2000 was the first real desktop operating system. Since Windows 2000, the criticism of Windows has shifted to system complexity and the many unnecessary features it provides (or perhaps, from a competitor's perspective, features that are difficult to surpass). Probably for compatibility reasons, and because Microsoft did not yet realize the importance of security, the default user has administrator privileges under Windows 2000 and XP. That means every process has administrator privileges and can do anything to the operating system. Note that the term process, rather than application, is used here: a process can run in the background without the user ever seeing it. This “feature” is really convenient for all programs, including malicious ones!
Security can actually be greatly improved under Windows 2000 and XP simply by running as a standard user. However, most Windows users either don’t care or don’t understand this at all, and with more and more malicious programs spreading through the internet, Windows earned a very bad reputation as an unsafe operating system. Starting with Windows Vista, Microsoft introduced UAC (User Account Control): even when the user signs on with an administrator account, the operating system still runs the user’s processes with normal user privileges. Elevating to administrator privilege requires the user’s consent.
What does UAC mean for your program? It means that a program which requires administrator privilege will break under UAC. To test whether your program runs successfully under UAC, you don’t actually need Windows Vista: you can test it under Windows 2000/XP using a normal (standard) user account.
If your program breaks without administrator privilege, first of all you should do your best to modify the program so that administrator privilege is no longer required. For example, write data to the user’s AppData folder, write registry data to HKCU instead of HKLM, and so on.
If part of your program truly has to require administrator privilege, implement that part separately and mark it with a UAC shield in your UI. When the end user clicks the button or menu item carrying the UAC shield, use the “RunAs” verb to start another instance of your program. Note that code can only be elevated at the process level, at startup, which means a running process cannot be elevated in place. The implementation therefore has two processes: one runs as the foreground application without administrator privilege, the other runs as a background process with administrator privilege. The two processes are distinguished by their startup parameters. For a complete example, see Programming Elevated Privilege / UAC, where both WPF and Windows Forms source code are provided.
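The two-process pattern above, as an added C# example that is not the source code from the Programming Elevated Privilege / UAC post: the unprivileged instance relaunches its own executable with the "runas" verb, the elevated instance recognises itself by a startup switch, does only the HKLM write, and exits. The switch name --elevated-worker and the registry key SOFTWARE\ExampleApp are placeholders chosen for this example; declining the consent dialog surfaces as Win32 error 1223 (ERROR_CANCELLED), which is handled rather than crashing the foreground app.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;
using Microsoft.Win32;

static class Program
{
    // Startup parameter that marks the second instance as the elevated background worker.
    const string ElevatedSwitch = "--elevated-worker";
    const int ERROR_CANCELLED = 1223; // Win32 error raised when the user declines the UAC prompt

    // True when the current process token holds the Administrators group, i.e. it is elevated.
    static bool IsElevated()
    {
        using (var identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Start a second instance of this executable with the "runas" verb, which shows the
    // UAC consent dialog. Returns the worker's exit code, or null if the user declined.
    static int? RunElevatedWorker()
    {
        var psi = new ProcessStartInfo
        {
            FileName = Process.GetCurrentProcess().MainModule.FileName,
            Arguments = ElevatedSwitch,
            UseShellExecute = true,   // "runas" is a shell verb, so ShellExecute must be used
            Verb = "runas"
        };
        try
        {
            using (var worker = Process.Start(psi)) { worker.WaitForExit(); return worker.ExitCode; }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ERROR_CANCELLED) { return null; }
    }

    static int Main(string[] args)
    {
        if (args.Length > 0 && args[0] == ElevatedSwitch)
        {
            // Elevated instance: do only the privileged work (HKLM needs admin), then exit.
            if (!IsElevated()) return 2;
            using (var key = Registry.LocalMachine.CreateSubKey(@"SOFTWARE\ExampleApp")) // placeholder key
                key.SetValue("LastRun", DateTime.UtcNow.ToString("o"));
            return 0;
        }
        // Unprivileged foreground instance: call RunElevatedWorker() only from the shield-marked
        // button or menu item; everything else keeps running at standard-user privilege.
        int? exit = RunElevatedWorker();
        Console.WriteLine(exit == null ? "User declined elevation." : "Worker exit code: " + exit);
        return 0;
    }
}
```

Drawing the shield icon on the button is a separate UI step (the BCM_SETSHIELD button message in Windows Forms) and is not shown here.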
Windows 7 made some improvements to UAC: the system’s own programs, or certified ones, can be elevated directly without end user consent, which reduces the number of UAC dialogs. But this does not help general programs, since not everyone can expect his or her program to be certified by Windows.