• highestAvailable比较灵活,毕竟大多数功能不需要系统最高权限(四种方法:屏蔽UAC,右键以管理员身份运行,增加manisfest,制作数字证书)


      打开VS2005、VS2008、VS2010工程,查看工程文件夹中的Properties文件夹下是否有app.manifest这个文件;如没有,按如下方式创建:鼠标右击工程在菜单中选择“属性”,点击工程属性的“安全性”标签,在安全性标签页中勾选“启用ClickOnce安全设置”,并选择“这是完全可信的应用程序”,保存工程,此时在Properties下已经自动生成了app.manifest文件。

            将默认的app.manifest文件修改为

    [html] view plaincopy
     
    1. <?xml version="1.0" encoding="utf-8"?>  
    2. <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"   
    3.   
    4. xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"  
    5.   
    6.  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">  
    7.   <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>  
    8.   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">  
    9.     <security>  
    10.       <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">  
    11.         <!-- UAC Manifest Options  
    12.             If you want to change the Windows User Account Control level replace the   
    13.             requestedExecutionLevel node with one of the following.  
    14.         <requestedExecutionLevel  level="asInvoker" uiAccess="false" />  
    15.         <requestedExecutionLevel  level="requireAdministrator" uiAccess="false" />  
    16.         <requestedExecutionLevel  level="highestAvailable" uiAccess="false" />  
    17.             If you want to utilize File and Registry Virtualization for backward   
    18.             compatibility then delete the requestedExecutionLevel node.  
    19.         -->  
    20.         <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />  
    21.       </requestedPrivileges>  
    22.     </security>  
    23.   </trustInfo>  
    24. </asmv1:assembly>  

            配置文件修改后,我们运行应用程序,就会首先弹出这样一个提示框,点 Yes 后,程序才可以继续运行。

            顺便说下,还可以通过一个方法了解到此时程序运行是不是管理员权限:

    [csharp] view plaincopy
     
    1. public static bool IsAdministrator()  
    2. {  
    3.     WindowsIdentity identity = WindowsIdentity.GetCurrent();  
    4.     WindowsPrincipal principal = new WindowsPrincipal(identity);  
    5.     return principal.IsInRole(WindowsBuiltInRole.Administrator);  
    6. }  


    对于XML文件中引用的UAC执行权限级别,分别代表下列含义:

    Value Description Comment
    asInvoker The application runs with the same access token as the parent process. Recommended for standard user applications. Do refractoring with internal elevation points, as per the guidance provided earlier in this document.
    highestAvailable The application runs with the highest privileges the current user can obtain. Recommended for mixed-mode applications. Plan to refractor the application in a future release.
    requireAdministrator The application runs only for administrators and requires that the application be launched with the full access token of an administrator. Recommended for administrator only applications. Internal elevation points are not needed. The application is already running elevated.

             asInvoker : 应用程序就是以当前的权限运行。

             highestAvailable: 这个是以当前用户可以获得的最高权限运行。

             requireAdministrator: 这个是仅以系统管理员权限运行。

             默认情况下是 asInvoker。

             highestAvailable 和 requireAdministrator 这两个选项都可以提示用户获取系统管理员权限。那么这两个选项的区别在哪里呢?

             他们的区别在于,如果我们不是以管理员帐号登录,那么如果应用程序设置为 requireAdministrator ,那么应用程序就直接运行失败,无法启动。而如果设置为 highestAvailable,则应用程序可以运行成功,但是是以当前帐号的权限运行而不是系统管理员权限运行。如果我们希望程序在非管理员帐号登录时也可以运行(这种情况下应该某些功能受限制) ,那么建议采用 highestAvailable 来配置。

    参考:http://blog.csdn.net/a316019667/article/details/8647237

    ----------------------------------------------------------------------------

    uiAccess Values

    Possible uiAccess values

    Value

    Description

    False

    The application does not need to drive input to the user interface of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true.

    True

    The application is allowed to bypass user interface control levels to drive input to higher privilege windows on the desktop. This setting should only be used for user interface Assistive Technology applications.

    Important noteImportant Note:

    Applications with the uiAccess flag set to true must be Authenticode signed to start properly. In addition, the application must reside in a protected location in the file system. Program Files and windowssystem32 are currently the two allowable protected locations.

    参考:http://www.cnblogs.com/wangjei155/archive/2009/09/29/1576551.html

    Question
    Sign in to vote
    说明白了就是要干涉其它程序的UI,或者发消息给其他程序,或者已经自带windows认可的数字证书
    This is what I learned so far:

    Applications running at normal privilege levels are NOT allowed to communicate with (i.e.; send messages to) applications running at higher privilege levels (e.g. the SendMessage API reports success but your message never reaches the target application running at a higher privilege).

    If your application needs to send messages to all applications, regardless of their privilege level:

    1 - The uiAccess flag MUST be set to True in your application's manifest.

    2 - Your code MUST be digitally signed (which means you must pay MS for a digital certificate).

    3 - Your application MUST reside in a trusted location (e.g.; Program Files), otherwise the uiAccess flag is ignored (so much for the user choosing where to place your application on THEIR hard drive).

    Regardless of the state of the uiAccess flag, your application will always be able to send messages/drive input to windows of applications running at privilege levels equal to or less than your own privilege level.

    Another piece of information in case you are having trouble putting a manifest in your executable (i.e.; the application fails to run with Windows complaining that it failed to initialize properly or something): the size of your manifest must be an exact multiple of 4 (i.e. if it is 253 bytes/characters, then you must pad the end of the manifest text with three spaces).

    参考:https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/4d2e1358-af95-4f4f-b239-68ec7e2525a9/uiaccess-in-manifest-files

    解释可以自己添加数字证书:

    Actually you can use makecert to create your own certificate, and then add the cert to your trusted certificate store to run the code on your own machine. More on how to do that here-

    http://social.msdn.microsoft.com/Forums/en-US/windowsgeneraldevelopmentissues/thread/350ceab8-436b-4ef1-8512-3fee4b470c0a

    Additionally, I don't think the code signing cert has to be from Microsoft, but can be purchased from any digital certificate authority (like Verisign, Entrust, DigiCert, etc.).

    I hope that gets you what you need to get your code working without any further investment.

    -Westley

    制作数字证书的过程:

    If your application does not have a digital signature and has uiAccess=true in its manifest, it will fail with "A referral was returned from the server."

    (No, notepad does not have a digital signature :)

    Applications that request uiAccess=true must have a valid, trusted digital signature to execute.

    Also, applications by default must reside in a trusted location on the hard drive (such as windows or program files) to receive the uiAccess privilege. They will still run if they are not in one of these locations, but they will not receive the privilege. You can disable this security feature through the local security policy mmc snap-in.

    If you want to create a trusted "test" certificate to sign your application with so that you can use your application on your current machine, here's how:

    NOTE: These instructions assume you have visual studio installed and are using a command prompt that has all the environment variables set to find SDK utilities such as makecert and signtool. If not, you will need to find these tools on your hard drive before running them.

    ***

    1) Open an elevated command prompt

    - Click start
    - Find Cmd Shell or command prompt
    - Right-click, click Run As Administrator

    2) Create a trusted root certificate

    - Browse to the folder that you wish to contain a copy of the certificate
    - In the command shell, execute the following commands:

        makecert -r -pe -n "CN=Test Certificate - For Internal Use Only" -ss PrivateCertStore testcert.cer

        certmgr.exe -add testcert.cer -s -r localMachine root

    3) Sign your file

    - In the command shell, browse to the location of your exe
    - In the command shell, type:

    SignTool sign /v /s PrivateCertStore /n "Test Certificate - For Internal Use Only" /thttp://timestamp.verisign.com/scripts/timestamp.dll APP.exe

    Where APP.exe is your application.

    ----------------------------------------------------------------------------

    Delphi:Delphi程序必须在资源里面嵌入MANIFEST信息。

    ?         首先编辑一个文件,内容如下:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>

    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 

    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

        <security>

          <requestedPrivileges>

            <requestedExecutionLevel level="requireAdministrator"/>

          </requestedPrivileges>

        </security>

    </trustInfo>

    </assembly>

    保存为UAC.manifest,这里文件是随意的。特别注意红色的“requireAdministrator”,这个表示程序需要管理员(Administrator)才能正常运行。

    ?         然后编辑一个RC文件,名称为uac.rc 如下所示:

    1 24 UAC.manifest

    其中:

    1-代表资源编号

    24-资源类型为RTMAINIFEST

    UAC.manifest-前面的文件名称

    ?         用brcc32编译这个rc文件为res文件,如下所示:

    brcc32 uac.rc -fouac.res

    ?         在程序里面加入

    {$R uac.res}

    让Delphi编译的时候,把uac.res编译进exe文件

    ?         把文件放到vista或win7下运行,就会看程序图标下面显示UAC盾牌标志了

     

    注:直接修改exe属性,试了好像不灵啊。

    参考:http://www.sieye.cn/showArticle.asp?nameID=201192722213483

    ----------------------------------------------------------------------------

    1:关闭用户的UAC功能(显然这个方法对于客户来说有点不靠谱,但是这里我也提一下,因为我就是特别烦UAC的提醒,所以给关闭了,程序一直也没有报错)。

    关闭方法“控制面板-用户账户和家庭安全-用户账户-用户账户控制设置”,设置为“从不通知”,保存,重启就OK了。

    2:这个方法很简单,就是在运行的时候右键“以管理员身份运行”。也是可以解决此问题,但是对于那些只想直接单击就运行的用户来说,估计他们也还是难以接受。

    3:这个方法就比较长些了,解决出发点也是从我们自己的程序来解决。我来写一下步骤:

    参考:http://www.cnblogs.com/boyliupan/archive/2011/01/17/1937518.html

    ----------------------------------------------------------------------------

    UAC的存在更多的意义在于让程序员明白一个程序不要申请多余的权限,这样可以在最大程度上保护用户的安全。正常的做法就是把用户数据配置文件放在AppData下,只是很多人都是以XP的惯性思维来做。

    至于2005下加入manifest的方法,作者最后给的那个链接文章里面也提到了,通过命令行的方式调用mt.exe即可:
    mt.exe –manifest temp.manifest –outputresource:YourApp.exe;#1.

  • 相关阅读:
    idea 将java导出为可执行jar及导入jar依赖
    使用idea 调试java -jar xxx.jar方式启动
    springboot 打成的jar包在ClassLoader().getResource方法读取文件为null
    maven 使用dependencyManagement统一管理依赖版本
    Win10系列:C#应用控件基础5
    Win10系列:C#应用控件基础4
    Win10系列:C#应用控件基础3
    Win10系列:C#应用控件基础2
    Win10系列:C#应用控件基础1
    Win10系列:UWP界面布局进阶9
  • 原文地址:https://www.cnblogs.com/findumars/p/4738017.html
Copyright © 2020-2023  润新知