
about running an application which requires admin privileges on a locked down user account

Developer https://www.devze.com 2023-02-19 13:53 Source: Internet

I have a Winforms app which runs under a standard user account (i.e. user account logs in, app runs under that named user). However, this very app needs to perform some actions (Writing to registry being one of them), which require admin privileges, and restart a service (the problem I want to avoid is this one: Service Controller not able to start service - Access denied).

One way to solve this is to make the entire app run as administrator, using a manifest file. Alternatively, would it work if I write a Windows service (call it x) running under the highest power account (local system I believe), which can do all of the high-power-account-required stuff and, which in turn calls the existent service, which I need to manipulate and is running under the named/logged-in user account (thus a standard user). If so, how can I invoke a Windows service to run on demand (or would a console app be better)?


What I do in this instance:

For the service use this tool to allow your limited account group or user permissions to start/stop: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en And a bit on how to use: http://ss64.com/nt/subinacl.html

As for registry, you need to find the appropriate registry key > right-click > permissions > "Full Control" for the "Users" group or the name of the specific "limited" group that needs these tweaked permissions.

I typically run this all from a script in an installer or from a setup script. The script adjusts the permissions for the very specific things that are necessary, registry/services/files/folders. This allows the software to run under the context of the limited rights user, not elevated with admin rights.

As a working example I use this for a custom OpenVPN implementation I built that runs for non-admin users. I had to allow them to start/stop the service and write to the log file (in the program files folder).

If you need a more hands on working example, let me know and I can probably throw something together.
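
One way to script the per-service and per-key permissions described in this answer, as an added example that is not part of the original answer: it uses the built-in `sc.exe sdshow`/`sdset` instead of SubInACL and grants value-write access on a single key rather than Full Control. `ExampleSvc`, `AppOperators` and the registry path are placeholders, and it assumes the app only needs to start/stop the service and write values.

```powershell
#Requires -RunAsAdministrator
# Added example. Service, group and key names are placeholders, not from the page.
param(
    [string]$Service = 'ExampleSvc',
    [string]$Group   = 'AppOperators',
    [string]$RegKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
)
$ErrorActionPreference = 'Stop'

$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Service rights granted: SERVICE_QUERY_STATUS (0x4), SERVICE_ENUMERATE_DEPENDENTS (0x8),
# SERVICE_START (0x10), SERVICE_STOP (0x20), READ_CONTROL (0x20000).
# SERVICE_CHANGE_CONFIG and WRITE_DAC are deliberately left out.
$mask = 0x2003C

$sddl = ((sc.exe sdshow $Service) -join '').Trim()
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for ${Service}: $sddl" }

$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
$present = $sd.DiscretionaryAcl | Where-Object {
    $_.SecurityIdentifier -eq $sid -and
    $_.AceQualifier -eq 'AccessAllowed' -and
    ($_.AccessMask -band $mask) -eq $mask
}
if (-not $present) {
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    # Append after the existing ACEs so the current order is preserved.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    sc.exe sdset $Service $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $Service" }
}

# Registry: allow reading and writing values under one key only.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $sid, $rights, 'ContainerInherit', 'None', 'Allow')
$acl = Get-Acl -Path $RegKey
$acl.AddAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl
```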


You can have an admin task helper process (a second executable) that runs as administrator via a manifest file.

Then your normal app can be run under the limited user, but when you want to execute admin tasks, you fire up your helper process via Process class. Windows should prompt for elevation (to administrator) JUST to perform the tasks you want to.
