fxam

Reputation: 3982

How to make a file read-write to a program but read-only/no access to non-admin users in Windows?

I would like to do the following:

  1. Non-admin users can run my program without a UAC prompt.
  2. The program has full access to a particular file.
  3. Outside of the program, the user has read-only or no access to the file. They cannot modify the file. They can only modify it through the program.

Is it possible?

Upvotes: 1

Views: 1128

Answers (2)

Harry Johnston

Reputation: 36308

You'll need to split your code into two parts; the user interface, which runs in the user's context, and a service, which runs with admin privilege.

If you're programming in C, start with the MSDN library section on services for a general overview as well as the authoritative reference.

You'll probably want to use named pipes as the communication mechanism between the UI and the back end, although there are other options depending on your specific needs.

As an optimization once you've got it working, configure the service so that it only starts when the UI needs it. This answer shows how to configure a service so that any user can start it.

Upvotes: 2
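
The service design in the answer above protects the file only if the file's ACL denies write access to ordinary users. The following is an added example, not part of the original answer: a PowerShell script, run from an elevated prompt, that restricts the file to the service account and administrators, gives other users read-only access, and then checks the result. The path is hypothetical and the service is assumed to run as LocalSystem.

```powershell
# Run elevated. $path is a hypothetical location for the protected file.
$path = 'C:\ProgramData\ExampleApp\settings.dat'

# Well-known SIDs rather than names, so this also works on localized Windows.
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # LocalSystem (assumed service account)
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

$acl = Get-Acl -LiteralPath $path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs

# Remove any explicit ACEs already on the file so only the rules below remain.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}

foreach ($entry in @(
    @{ Sid = $system; Rights = 'FullControl' },
    @{ Sid = $admins; Rights = 'FullControl' },
    @{ Sid = $users;  Rights = 'Read' }       # omit this entry for "no access"
)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Sid, $entry.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Verify: no Allow ACE for anyone other than SYSTEM/Administrators may carry
# a right that lets the holder change the file or its permissions.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$trusted   = @($system.Value, $admins.Value)
$bad = (Get-Acl -LiteralPath $path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
if ($bad) {
    $bad | Format-Table IdentityReference, FileSystemRights
    throw "Non-admin principal can still modify $path"
}
"OK: only SYSTEM and Administrators can modify $path"
```

Apply the same ACL to the containing folder as well: a user with delete-child rights on the folder can remove and replace the file regardless of the file's own ACL.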

Adam Rosenfield

Reputation: 400146

Applications don't have privileges, users do. The conditions "the program has full access to a particular file" and "the user has full access to a particular file" are indistinguishable, since a program runs with identical privileges as the user who started it.

So, in order for a program to run with higher privileges, it needs to run as a different user. You can do that by embedding an application manifest in your executable. Of course, then when you run it, you'll get a UAC prompt, and that cannot be bypassed.

Upvotes: 3
