Vb.net, How to restart an application with elevated admin rights? - vb.net

I currently have 2 applications: the main application and an Updater. The main application runs with the manifest in "asInvoker", whilst the Updater runs with "requireAdministrator".
However, I currently need the main program to modify contents of its own folder in ProgramFiles, but in order to do this I need elevated access. Instead of creating another application to separate the process, would it be possible to have a messagebox appear saying "Restart in Admin Mode?" and then proceed to restart the application in Administrative mode only the one time?
I don't want the end user being spammed with Windows UAC every time they open the application, which is why I already separated the updater.
Any ideas and suggestions are greatly appreciated.

The simplest solution is to not store the application in Program Files, where access is restricted for non-administrators, but in %LocalAppData%, where the logged-on user has unrestricted access. This is how updating is solved in ClickOnce-distributed applications.
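The restart-elevated-once approach the question asks about, as an added example that is not part of the original posts: it checks whether the process is already elevated and, if not, relaunches the same executable through the shell's "runas" verb, treating a declined UAC prompt as a normal outcome. The module name, method names and the "--elevated-task" argument are assumptions.

```vbnet
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Security.Principal
Imports System.Windows.Forms

' Added example; ElevationHelper and the "--elevated-task" argument are hypothetical names.
Module ElevationHelper

    Private Const ERROR_CANCELLED As Integer = 1223 ' Win32 code: user declined the UAC prompt

    ' True when the current process token has the Administrators group enabled.
    Public Function IsElevated() As Boolean
        Using identity As WindowsIdentity = WindowsIdentity.GetCurrent()
            Return New WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator)
        End Using
    End Function

    ' Asks the user, then relaunches this executable elevated for a single task.
    ' Returns True if the elevated instance was started and the caller should exit.
    Public Function RestartElevated() As Boolean
        If IsElevated() Then Return False ' already elevated, nothing to do

        Dim answer As DialogResult = MessageBox.Show("Restart in Admin Mode?",
            Application.ProductName, MessageBoxButtons.YesNo, MessageBoxIcon.Question)
        If answer <> DialogResult.Yes Then Return False

        ' The "runas" verb is only honoured when the shell starts the process.
        Dim psi As New ProcessStartInfo(Application.ExecutablePath) With {
            .UseShellExecute = True,
            .Verb = "runas",
            .Arguments = "--elevated-task"
        }
        Try
            Process.Start(psi)
            Return True
        Catch ex As Win32Exception When ex.NativeErrorCode = ERROR_CANCELLED
            Return False ' prompt dismissed: keep running unelevated
        End Try
    End Function

End Module
```

The manifest stays at "asInvoker", so ordinary launches never prompt; the elevated instance should do only the folder change and then exit.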

Related

How does one interact with the user from a vb.net service?

I've got one for you that's been bugging me for a bit.
If you run a Windows Service as Local System, how can that service display forms or prompts on the user desktop?
I tried this in one of my previous apps and couldn't get it to work; I settled on having an 'invisible' app running in the user context to handle any user interaction. But as time has passed, I've seen some apps that have nothing more than a service running as local system and yet they produce prompts and forms on the user desktop.
Thanks in advance for any info :)

Start application with administrative privileges when user logs on

I'm trying to find a way to start an application when the user logs on. The application must have administrative privileges.
This seems to be easy: just create a new registry key under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This works, but the user is asked every time by the User Account Control window. This is annoying, especially at startup. So I'm trying to find a way to launch this application with elevated privileges but without the UAC prompt.
I've found a solution here: it uses Windows Task Scheduler. However, this Windows utility seems a bit unreliable: sometimes it works well, sometimes not. On the two computers tested, my application is started with an average delay of 46 seconds.
On the link given below, it says that you can recall the Task Scheduler operation with this command (where MyOperationName is the name of the scheduled task):
schtasks /run /tn "MyOperationName"
so, if I try to combine this command to a new key in CurrentVersion\Run I should get what I want. Would this work?
I'm working on VB.NET WinForms, Visual Studio 2013 and I use this library to interoperate with Task Scheduler.
Thanks,
FWhite

ClickOnce Set Up and other Questions vb.NET

I am attempting to write a small, lightweight client, using vb.net winforms, that can install without needing elevated privileges. Before I ask my questions, let me give you a bit of an idea of what it is supposed to do.
The app will start when Windows loads, set like this from the install, with a system/notification tray icon that can be clicked on to load up specific functionality. The application will install from a website, or possibly a file share; I haven't quite decided yet. This client will initially request user credentials for one of our web programs, and it will talk to an already built web service to determine what functionalities of our services they have licensed access to. After this, credentials will be encrypted and saved to the user's PC locally. Every five minutes, the client will pass the credentials to the websites they have access to and check to see the status of jobs that are being processed, and download available reports if needed.
So, here is what I am trying to understand. If I configure this app as a ClickOnce application, once it installs from the url or shared drive, the user will not need to do anything else, correct? Or do they have to visit that url every time they boot up to reinstall/run the client?
Another thing, I wanted to get some opinions on the best ways to do some of the things this app will be doing. I have a good idea of where I am going with it, but I have no idea of which solution to go with yet.
For instance, what is the best way to store user passed credentials on their system for a "remember me"?
Also, is the best way to have the client install with automatically starting on windows startup to configure it to create a shortcut of itself in the windows startup folder?
I am trying to keep this as lightweight as possible, and using a very small GUI, so it shouldn't be too intrusive, so any ideas on how to ensure that, while keeping it from needing admin privs to install, will also help.
"If I configure this app as a ClickOnce application, once it installs from the url or shared drive, the user will not need to do anything else, correct? Or do they have to visit that url every time they boot up to reinstall/run the client?"
Well, if they need to reinstall it, they would have to download the setup.exe file again, but why would users need to do that? ClickOnce supports automatic updates. Visiting the URL is certainly not needed for running the program.
"what is the best way to store user passed credentials on their system for a "remember me"?"
Probably storing them as application settings. I haven't used Visual Studio 2012, but in Visual Studio 2010 you have to right-click on the project in Solution Explorer, go to project properties and then create variables in the Settings tab. Then you can access those variables in code using My.Settings.variableName. Not sure about security though, if you need any.
As for privileges, I think you just need a privilege to install a program. Maybe you should publish a primitive clickOnce application and experiment with it and that will answer all your other questions about clickOnce.
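Because the answer above leaves the security of My.Settings open (user-scoped settings are written to a plain-text user.config file), here is an added example, not from the original answer, that encrypts the saved credential with Windows DPAPI before it goes into a setting. The module name, the entropy string and the user-scoped String setting SavedPassword are assumptions, and the project needs a reference to System.Security.

```vbnet
Imports System.Security.Cryptography
Imports System.Text

' Added example; CredentialStore and My.Settings.SavedPassword (a user-scoped
' String setting) are hypothetical names, not part of the original answer.
Module CredentialStore

    ' Extra entropy ties the blob to this application; it is not a secret key.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("MyClient.RememberMe.v1")

    ' Encrypts with a key bound to the current Windows user and stores Base64 text.
    Public Sub SavePassword(password As String)
        Dim plain As Byte() = Encoding.UTF8.GetBytes(password)
        Try
            Dim blob As Byte() = ProtectedData.Protect(plain, Entropy,
                                                       DataProtectionScope.CurrentUser)
            My.Settings.SavedPassword = Convert.ToBase64String(blob)
            My.Settings.Save()
        Finally
            Array.Clear(plain, 0, plain.Length) ' do not leave the cleartext buffer around
        End Try
    End Sub

    ' Returns Nothing when no credential is stored or the blob cannot be decrypted
    ' (for example, user.config was copied to another account or machine).
    Public Function LoadPassword() As String
        Dim stored As String = My.Settings.SavedPassword
        If String.IsNullOrEmpty(stored) Then Return Nothing
        Try
            Dim blob As Byte() = Convert.FromBase64String(stored)
            Dim plain As Byte() = ProtectedData.Unprotect(blob, Entropy,
                                                          DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(plain)
        Catch ex As CryptographicException
            Return Nothing
        Catch ex As FormatException
            Return Nothing
        End Try
    End Function

End Module
```

DataProtectionScope.CurrentUser needs no elevation, which fits a ClickOnce install; other processes running as the same user can still call Unprotect, so this protects the file at rest rather than against code already running in the user's session.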

Load Application on Windows Startup Before Login

I'm writing a VB.NET application that I want to load at Windows start up before the user logs in. It's going to run on a server and launch other processes and kill and restart them as needed to get around a memory leak issue. It also needs to have a GUI to view the current status of the processes it's managing.
Now, I can get the application to load when the user logs in but that's not very helpful because the server could reboot for some reason and no user would be logged on, but this application still needs to run in the background.
How do I do this? Do I need to write it as a service, or is there another way? I tried writing a WinForms app but it wouldn't load until after the user logs in.
You need to write a service. Also, probably best to write a second app that will interact with the service and provide a GUI to control what it does.

How to allow admins to edit my app's config files without UAC elevation?

My company produces a cross-platform server application which loads its configuration from user-editable configuration files. On Windows, config file ACLs are locked down by our Setup program to allow reading by all users but restrict editing to Administrators and Local System only.
Unfortunately, on Windows Server 2008, even local administrators no longer have admin privileges (because of UAC) unless they're running an elevated app. This has caused complaints from users who cannot use their favorite text editor to open and save config file changes -- they can open the files (since anyone can read) but can't save.
Anyone have recommendations for what we can do (if anything) in our app's Setup to make editing easier for admins on Windows Server 2008?
Related questions: if a Windows Server 2008 admin wants to edit an admins-only config file, how does he normally do it? Is he forced to use a text editor which is smart enough to auto-elevate when elevation is needed, like Windows Explorer does in response to access denied errors? Does he launch the editor from an elevated command-prompt window? Something else?
In my opinion an administrator that doesn't manage to right-click notepad and select "run as administrator" shouldn't be an administrator, but well... in real life there are such administrators around.
UAC works by disabling the administrator group SID from the user's security token, until you run a program with elevated privileges. When running in non-elevated mode there is unfortunately no way to utilize the administrative rights.
One workaround, which unfortunately requires a non-trivial amount of work could be to:
Create a custom file name suffix for your config file.
Create a small application which is registered as the handler for that config file.
Mark the small application as requiring elevated privileges (you can do this as you are creating a new application).
The only thing that the small application should do is to locate the registered handler for .txt files in the registry and then use it to open the file - with elevated privileges.
This isn't complicated for admins worth their salt. Open the text editor elevated, open file, save, done. Most people who edit configuration files are used to the ritual now. Unix people do this reflexively (with sudo); it's only difficult on Windows because it's still slightly unfamiliar territory for some users.
Realistically, they'd have the same problem if it were an HKLM registry setting, except they'd have to elevate regedit or Powershell or whatever they normally use to edit registry settings.
If they can't figure it out, they could choose to disable UAC entirely, or turn it down a notch or two, but I suspect if they can't figure out how to open an editor elevated this will create more problems than it will solve.
You should have to think before making big changes to system-wide config files. The UAC elevation is just enough thinking that it should give you pause if you didn't mean to make a system-wide change.
If it weren't a service, you could use %USERPROFILE% to store configuration settings, but generally, services run under a different user credential than the sysadmin's normal account.
Dotnet applications could choose to store information to the folder returned by Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData); people may need elevation to write to that folder outside your service, but if they don't like your admin UI and they do like their text editor, it's the same as the original problem: they just need to learn how to use UAC.
For the second question: for a quick solution I add Notepad to the Windows shortcut bar, right-click, run as administrator, open the file, make the changes and save it.
We moved all of our app settings to the database.
See my blog post here. You can easily see how you can create a web page to edit that and have all of the permissions live in the web application.