Wednesday, July 22, 2009

UAC Compatible applications - Part 2 (Access Registry)

Okay, so in the previous part of these posts about Vista, we looked at the ways we could use manifest files to disable Registry Virtualization and, subsequently, disable the UAC prompts. With that out of the way, the next obvious question is how we are going to get our application to write to the Registry and the Program Files directories.

The way I look at this, there are two distinct approaches to accomplishing this.

Method A

You would need to set permissions at the directory/key level for the User Group.


This would ensure that our application could still write to the registry despite running with Limited User privileges.

A similar setting can be applied to the installation directory, enabling us to write to that particular folder.

Method B

The second method is to redesign the architecture of the product by introducing a second layer of code which would help us do the writing. We would implement a Windows Service which would do the registry/folder writing for us.

The basic idea behind this approach is that the Windows Service runs under the System account and can therefore write to the restricted areas. The custom application would send a request to the Windows Service, which in turn performs the restricted operation. The mode of communication can be any IPC mechanism, from Named Pipes to Mailslots or any other.
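
Because the service in Method B runs under the System account, it should perform only the writes the application legitimately needs, whatever a client sends over the IPC channel. The following is an added example, not code from the original post: a request validator the service could call before touching the registry. The JSON message format, the `set_value` operation name, the size limits and the key `SOFTWARE\ExampleVendor\ExampleApp` are assumptions made for illustration.

```python
import json

# Assumed policy: the service writes only below the application's own key
# (hypothetical name, relative to HKLM) and only string or DWORD values.
ALLOWED_ROOT = ("software", "examplevendor", "exampleapp")
MAX_REQUEST_BYTES = 4096
MAX_STRING_CHARS = 1024


class RejectedRequest(Exception):
    """Raised when a client request falls outside the service's policy."""


def validate_write_request(raw: bytes):
    """Check one message read from the pipe; return (key, name, value) or raise."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise RejectedRequest("request too large")
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        raise RejectedRequest("malformed request")
    if not isinstance(req, dict) or req.get("op") != "set_value":
        raise RejectedRequest("unsupported operation")

    key, name, value = req.get("key"), req.get("name"), req.get("value")
    if not isinstance(key, str) or not isinstance(name, str) or not name:
        raise RejectedRequest("key and name must be non-empty strings")

    # Registry key names are case-insensitive and backslash-separated, so
    # compare component by component instead of using a string prefix test.
    parts = key.split("\\")
    if any(p == "" or "\x00" in p for p in parts):
        raise RejectedRequest("empty or invalid key component")
    if tuple(p.lower() for p in parts[:len(ALLOWED_ROOT)]) != ALLOWED_ROOT:
        raise RejectedRequest("key is outside the application's subtree")

    if isinstance(value, bool):  # bool is a subclass of int in Python
        raise RejectedRequest("unsupported value type")
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise RejectedRequest("DWORD out of range")
    elif isinstance(value, str):
        if len(value) > MAX_STRING_CHARS:
            raise RejectedRequest("string too long")
    else:
        raise RejectedRequest("unsupported value type")
    return "\\".join(parts), name, value
```

Only a request that passes this check would be handed to the code that performs the actual registry write; everything else is refused before any privileged operation runs.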