一、
windows7 x64,uac會阻止copyfile到c:/windows。提示拒絕訪問。
[會引起uac提示的3種情況:
- Administrator access token checks.
- "All access" access requests in system protected locations.
- Data writing to protected locations, such as
%ProgramFiles%,%Windir%, and HKEY_LOCAL_MACHINE\Software.]
需要將程序性的UAC Executioin Level設置為 RequireAdministrator。有兩種方法
方法1:
(已測有效,當PC UAC等級較低時,會全屏變暗提示需要Administrate權限。)
Linker->Manifest File->UAC Execution Level, AsInvoker==>RequireAdministrator
方法2:
添加manifest,在manifest文件中配置 requestedExecutionLevel 為 RequireAdministrator。with one of the following.
<requestedExecutionLevel level="asInvoker" uiAccess="false" /> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
具體操作參看:http://support.microsoft.com/kb/944276/zh-cn
二、(備用)
runas法。使用SellExecuteEx方法或者ProcessStartInfo類。
引用1:在Windows Vista里面,ShellExecuteExW lpVerb的參數可以傳入runas命令,使得系統調用
ShellExecuteExW 的時候,會強制將目標文件以完全admin模式啟動,即使目標文件的manifest
沒有申明需要完全admin權限。
引用2:ShellExecuteEx是唯一一個微軟允許觸發UAC的進程啟動函數。在Win7下使用Createprocess,
如果發現權限不足,會直接失敗,而ShellExecuteEx則是一個好的解決方法。
SHELLEXECUTEINFO shExInfo = {0};
shExInfo.cbSize = sizeof(shExInfo);
shExInfo.fMask = SEE_MASK_NOCLOSEPROCESS;
shExInfo.hwnd = 0;
shExInfo.lpVerb = _T("open"); // Operation to perform
shExInfo.lpFile = enginePath; // Application to start
shExInfo.lpParameters = szBuf; // Additional parameters
shExInfo.lpDirectory = workingPath;
shExInfo.nShow = SW_SHOW;
shExInfo.hInstApp = 0;
ShellExecuteEx(&shExInfo);
或者,To execute another process through UAC elevation: you use the ProcessStartInfo class; you also enable UseShellExecute and add “runas” for Verb:
try { ProcessStartInfo proc = new ProcessStartInfo(); proc.UseShellExecute = true; proc.WorkingDirectory = @"C:\Windows\System32\"; proc.FileName = @"C:\Windows\System32\cmd.exe"; proc.Verb = "runas"; Process.Start(proc); } catch (Exception ex) { MessageBox.Show(ex.Message); }
三、(備用)
Service法。
引用1:改成服務程序,或者另做一個服務程序加載現有程序。
四、(非正常手段)
來自:http://bbs.pediy.com/showthread.php?t=106650&page=3
引用1:對於Win7正式版(家庭高級版、家庭基礎版、Professional的簡體中文)都好使。其原理簡述:
win7有一批可信的文件(white list file),這些文件的敏感行為不會觸發uac.
因此,利用explorer將自身拷貝到其中一個文件的相同目錄下,這里用的是sysrep.exe,命名為它
使用的dll,sysrep.dll,然后CreateProcess sysrep.exe,使其加載dll,因為windows優先加載相同
目錄下的dll而非系統目錄下的,所以我們的dll得以運行。
另:http://www.pretentiousname.com/misc/win7_uac_whitelist2.html#release
五、
1.UAC: All Information Developers need about the User Account Control (UAC)
2.MSDN的系列:Designing UAC Applications for Windows Vista
http://msdn.microsoft.com/en-us/library/bb756973.aspx
3.Windows Vista Application Development Requirements for User Account Control (UAC)
http://msdn.microsoft.com/en-us/library/aa905330.aspx
4.Designing UAC Applications for Windows Vista
http://msdn.microsoft.com/en-us/library/bb756973.aspx
5.User Account Control (win7)
http://technet.microsoft.com/en-us/library/cc731416(v=ws.10).aspx
6.Deploying Application Compatibility Databases for Windows 7
http://technet.microsoft.com/en-us/library/ee732413(v=ws.10).aspx
7.Designing UAC Applications for Windows Vista
http://msdn.microsoft.com/en-us/library/bb756973.aspx
8.進程Mandatory Level檢查和自我提升權限
http://www.cnblogs.com/jialiang/archive/2010/03/23/uacselfelevation.html
六、
XP中,如果admin用戶登錄,使用的是一個admin的訪問令牌。在vista和win7的uac中,用戶持有2個訪問令牌access token,無論是普通用戶還是administrator,explorer都使用的是普通令牌,也就是桌面是從普通令牌打開的。
這里有一件很神奇的事。就是任務管理器,進程頁的顯示所有用戶進程項,會自動提升訪問令牌為admin。。。
The ActiveX Installer Service enables enterprises to delegate ActiveX control installation for standard users. This service ensures that routine business tasks are not impeded by failed ActiveX control installations and updates. Windows Vista also includes Group Policy settings that enable IT professionals to define Host URLs from which standard users can install ActiveX controls. The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and some changes in Internet Explorer. The ActiveX Installer Service is an optional component, and will only be enabled on client computers where it is installed.