View Full Version : Documentation - requireAdministrator



NewsArchive
10-27-2017, 03:00 AM
Hi Friedrich,

I was helping my client make modifications to a SB script where one of
the exe needed to be manifested as requireAdministrator. My client was
looking in the help, what the levels meant and brought to my attention
that the verbiage about the requireAdministrator execution level
contains this text:

"The application should run only for administrators, must be launched
with a full administrator access token, and will not run correctly in a
standard user context. This requested execution level marking is
reserved for pre-Windows Vista applications that require the user to be
a member of the local Administrators group. "

He stumbled on this: "reserved for pre-Windows Vista applications"

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-27-2017, 04:04 AM
Hi Arnor,

only specific system applications (e.g. an installation system) should
request administrator execution level privileges or apps that really have to
make system-wide modifications. Otherwise, this execution level is a
no-no-no go <g>.

A "standard" application that requires administrator rights to run is,
almost without exception, an application that contains bugs or is an old
(pre-Vista) application.

There are specific things that applications are required to do in order to
properly conform to the standard Windows development guidelines, and
avoiding doing things that require admin permissions (such as writing to the
installation directory or to the HKEY_LOCAL_MACHINE registry key) is one of
those things.

What kind of application does your client have that requires the
"requireAdministrator" manifest item? But if his app is a "system"
application then he can ignore this "warning" from the SB help.

Friedrich

NewsArchive
10-28-2017, 02:41 AM
Hi Friedrich,

> only specific system applications (e.g. an installation system) should
> request administrator execution level privileges or apps that really have to
> make system-wide modifications. Otherwise, this execution level is a
> no-no-no go <g>.

Correct, but there are developers who use SB and DO write tools and
services that NEED to use requireAdministrator in order to access that
system-level information. Stating that only applications on pre-Vista
OS' should use requireAdministrator is simply incorrect, as you say:
"only SPECIFIC..." - meaning that SOME applications need it. The help
indicates that NO applications need it unless they run on pre-Vista OS'.

We have a Windows service admin/service that needs to run elevated. No
ifs or buts about it. It must be manifested with requireAdministrator.
If an app needs to make modifications to HKLM it needs elevation. If it
needs to write to program files or whatever, it needs elevation. We all
know this.

My client's comment after looking this up in the SB help was "in the
HELP files the "RequireAdministrator"...appeared to refer to Pre-vista
OS..."

It took me by complete surprise as I think most developers never heard
of requireAdministrator or asInvoker before Windows Vista introduced us
to UAC<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-28-2017, 09:55 AM
Hi Arnor,

> Stating that only applications on pre-Vista OS' should use
> requireAdministrator
> is simply incorrect...

This "warning" in the SB documentation has been there since the good old Vista
days in 2006 and comes directly from Microsoft.

But I'll add a "or administrative" in the next documentation update:

--- Documentation Update ---

requireAdministrator-Application runs only for administrators. Recommended
for administrator only applications.

The application should run only for administrators, must be launched with a
full administrator access token, and will not run correctly in a standard
user context. This requested execution level marking is reserved for
pre-Windows Vista or administrative applications that require the user to be
a member of the local Administrators group.

---

Friedrich

NewsArchive
10-29-2017, 02:58 AM
Hi Friedrich,

> user context. This requested execution level marking is reserved for
> pre-Windows Vista or administrative applications that require the user to be
> a member of the local Administrators group.

Thanks! I do not see pre-Vista mentioned anywhere in MS or MSDN
documentation any more. For example:
https://docs.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest
https://msdn.microsoft.com/en-us/library/6ad1fshk.aspx

There is precious little documentation of the requestedExecutionLevel
values in MS/MSDN documentation! It's almost like "Oh, and BTW, there
is this UAC thing that Windows has that you can configure - you can
figure it out yourself" <g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
10-31-2017, 04:44 AM
Hi Arnor,

it's still mentioned here:

https://technet.microsoft.com/en-us/library/cc709628(v=ws.10).aspx
https://www.symantec.com/connect/articles/guidelines-and-best-practices-achieve-uac-applications-vista

But I agree, it's a bit outdated. I hope pre-Vista applications are history
now <g>.

I'll change it to the following in the next documentation update:

--- Documentation Update ---

requireAdministrator-Application runs only for administrators. Recommended
for administrator only applications.

The application should run only for administrators, must be launched with a
full administrator access token, and will not run correctly in a standard
user context. This requested execution level marking is reserved for
administrative applications that require the user to be a member of the
local Administrators group to work, such as the Firewall Settings editor,
which affects systemwide security.

---

Thank you for your suggestion!

Friedrich
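
The execution-level marking discussed in this thread can be checked at build time. The following is an added example, not part of the original posts or of the SB documentation: it reads the `requestedExecutionLevel` element from an application manifest and flags any binary that requests elevation without being on an approved list. The manifests are constructed samples, and the file names and the allow-list are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifests for illustration (not from any real product).
ADMIN_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
INVOKER_MANIFEST = ADMIN_MANIFEST.replace("requireAdministrator", "asInvoker")
UNMARKED_MANIFEST = '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"/>'

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}


def requested_level(manifest_xml):
    """Return (level, uiAccess) declared in a manifest, or (None, None)."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        # trustInfo appears under asm.v2 or asm.v3, so match on the local name.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level"), el.get("uiAccess", "false")
    return None, None


def audit(exe_name, manifest_xml, approved_elevated=frozenset()):
    """Classify one binary: 'ok', 'review', 'invalid' or 'unmarked'."""
    level, ui_access = requested_level(manifest_xml)
    if level is None:
        return "unmarked"   # no UAC marking at all
    if level not in VALID_LEVELS:
        return "invalid"    # typo or unknown value in the build script
    privileged = level != "asInvoker" or ui_access.lower() == "true"
    if privileged and exe_name.lower() not in approved_elevated:
        return "review"     # elevation requested by a binary nobody signed off
    return "ok"


if __name__ == "__main__":
    approved = frozenset({"svcadmin.exe"})  # hypothetical allow-list
    for name, xml in [("svcadmin.exe", ADMIN_MANIFEST), ("editor.exe", ADMIN_MANIFEST),
                      ("viewer.exe", INVOKER_MANIFEST), ("legacy.exe", UNMARKED_MANIFEST)]:
        print(f"{name}: {audit(name, xml, approved)}")
```

Entries in the allow-list must be lower case, since the binary name is lower-cased before the lookup.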

NewsArchive
10-31-2017, 04:45 AM
Friedrich,

> I hope pre-Vista applications are history now <g>.

Are you implying I should get rid of my old dusty '98 box?!<g>

Lee White

NewsArchive
11-01-2017, 02:21 PM
Lee,

>> I hope pre-Vista applications are history now <g>.
>
> Are you implying I should get rid of my old dusty '98 box?!<g>

<VBG> ;-)

Friedrich

NewsArchive
11-01-2017, 02:22 PM
Hi Friedrich,

> But I agree, it's a bit outdated. I hope pre-Vista applications are history
> now <g>.

Sue parked the last Vista machine that was running in the Western
hemisphere last week. I think we're OK!<g>

Best regards,

--
Arnor Baldvinsson
Icetips Alta LLC

NewsArchive
11-01-2017, 02:23 PM
Windows 98 seems like almost 2 decades ago<g>.

It ran DOS apps well, though.

Jeff Slarve
www.jssoftware.com

you know what happens when you assuage

NewsArchive
11-01-2017, 02:24 PM
Jeff,

> Windows 98 seems like almost 2 decades ago<g>.

Almost!<g>

> It ran DOS apps well, though.

INDEED!

And, if you look closely, it's actually level too!

Lee White