"Wyatt Says..." is a collection of articles by Wyatt O'Day talking about wyDay products and the things we've learned along the way.

Wyatt Says...

Shield icons, UAC, and process elevation in .NET on Windows 2000, XP, Vista, and 7

October 21st, 2009

One of the great things about Vista and Windows 7 is the user isolation. Even admin users need to “elevate” their account to make system changes. Take this Date and Time dialog from Windows 7 as an example:

Every user can view the Date and time, but only administrators can change it.

Adding this ability to your .NET application

Although this series of articles is called “7 days of Windows 7” this particular article is applicable to Windows 2000 – Windows 7.

Step 1. Do we have permission?

The first step is to check if we can write to system registry or system files & folders. There are many ways to do this, but the easiest method is a simple Windows API call:

// check if user is an admin for Windows 2000 and above
[DllImport("shell32.dll", EntryPoint = "#680", CharSet = CharSet.Unicode)]
public static extern bool IsUserAnAdmin();

This will return false if you’re a limited user on Windows 2000 – Windows 7, and will also return false if you are an admin but aren’t elevated on Windows Vista and Windows 7.

In other words, it will return false if you don’t have permission to access system files & registry. And ‘ IsUserAnAdmin” returns true if you do have permission.

Step 2. Notifying the user that elevation will happen: UAC Shield Icon

To set the shield icon to one of your buttons you have to do a few things. First, set the FlatStyle of your button to “System”:

Next, you need to define a couple of functions:

public static bool AtLeastVista()
{
    return (Environment.OSVersion.Platform == PlatformID.Win32NT && Environment.OSVersion.Version.Major >= 6);
}

[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessage(HandleRef hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);

public static void SetButtonShield(Button btn, bool showShield)
{
    //Note: make sure the button FlatStyle = FlatStyle.System
    // BCM_SETSHIELD = 0x0000160C
    SendMessage(new HandleRef(btn, btn.Handle), 0x160C, IntPtr.Zero, showShield ? new IntPtr(1) : IntPtr.Zero);
}

Now, simply use this snippet in your code:

…
// UAC Shield on next button for Windows Vista+
if (AtLeastVista())
    SetButtonShield(btnName, true);
…

Step 3. Re-launching process with administrator privileges

All we have to do now is show the elevation dialog and elevate the current program. You might want to specify some arguments, but the barebones of it is as follows:

ProcessStartInfo psi = new ProcessStartInfo
                           {
                               Arguments = "-justelevated",
                               ErrorDialog = true,

                               // Handle is the handle for your form
                               ErrorDialogParentHandle = Handle,
                               FileName = Application.ExecutablePath,
                               Verb = "runas"
                           };
try
{
    Process.Start(psi);
    Close();
}
catch (Exception ex)
{
    // the process couldn't be started. This happens for 1 of 3 reasons:

    // 1. The user cancelled the UAC box
    // 2. The limited user tried to elevate to an Admin that has a blank password
    // 3. The limited user tries to elevate as a Guest account
    MessageBox.Show(ex.Message);
}

Step 4. Code signing

Chances are that if you try to elevate your application you’ll get an ugly yellow elevation box:

To get the nice UAC box you’ll need to code sign your application. I won’t link to any code signing providers (because the list is huge), but you can get a code signing certificate from anywhere between $100 for 3 years to $400 or $500 for a single year. It depends on the company you use and the amount of searching you want to do.

7 Days of Windows 7

Join me tomorrow when I talk about Every possible Windows Vista and Windows 7 .NET Control You could ever want. See the full list of articles in the series.

Tags: C#, Programming, Windows Vista, .net, open source, vb.net, windows 7

Subscribe to the 'Wyatt Says...' RSS Feed and keep up to date on on my articles on updaters, usability, open source C# components, and software licensing.

Comments

Jason Bullard - March 27th, 2010 at 9:59 am

Wyatt,

I just wanted to leave a piece of code snippet that is an alternative to the IsUserAdmin API posted above. This is the .NET method of determining if the user has admin privileges.

namespace JB.Utilities
{
	using System;
	using System.Security.Principal;
	
	/// 
	/// Class used to hold methods associated with authentication and permissions
	/// 
	public class Profile
	{
        /// 
        /// Method used to check for administrative privileges
        /// 
        /// Boolean
        public bool IsAdministrator()
        {
            // Check administrative role
            return (new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator));
        }
	}
}

Wyatt O'Day - March 27th, 2010 at 10:15 am

Thanks for the tip, Jason.
Ruthie Heichel - April 11th, 2013 at 6:28 pm

Thanks for all your valuable efforts on this web site. My niece delights in participating in investigation and it’s really simple to grasp why. Many of us notice all about the powerful manner you provide very helpful tips and hints via your web blog and attract contribution from other people on the subject then our own child is actually learning a great deal. Take advantage of the remaining portion of the new year. You have been conducting a useful job.

LimeLM
Overview Pricing & Sign up Why LimeLM? Tour Log In Help
wyBuild
Overview Pricing & Buy Features What's new Help
Support forum
Wyatt Says...
wyDay Home
Downloads Buy Contact us Careers