Handling UAC Administrative Token

Question

to all, I am stuck at a location and wanted everyone's suggestion on this matter.

My application consists of 79 forms where numerous places requires admin privileges. Program runs on windows start-up, So cannot use default administrative token (asAdministator). Lazarus cannot create ActiveX dll's, so what other options are in my favor, I am almost completed most part of my project in lazarus, so there is no way back.

Answer 1

If your application really does do some things that require administrator access

and that is a really big if; almost nobody ever needs it

then the best technique is to launch an elevated copy of yourself, passing a command-line switch saying which action you want to take.

Lets say you want to start a service. You create a button with a UAC shield on it:

Then in the click event you launch an elevated copy of yourself, passing the /StartService command line parameter:

procedure TForm1.StartService(Sender: TObject);
begin
   if IsUserAnAdmin then
   begin
      //no need to elevate, we're already an admin
      StartService();
      Exit;
   end;

   //We're a standard user, relaunch elevated to start the service
   RunAsAdmin(0, ParamStr(0), '/StartService');
end;

with a helper function to check if we have administrative privileges:

///This function tells us if we're running with administrative permissions.
function IsUserAdmin: Boolean;
var
    b: BOOL;
    AdministratorsGroup: PSID;
begin
    {
        This function returns true if you are currently running with admin privelages.
        In Vista and later, if you are non-elevated, this function will return false (you are not running with administrative privelages).
        If you *are* running elevated, then IsUserAdmin will return true, as you are running with admin privelages.

    }
    b := AllocateAndInitializeSid(
            SECURITY_NT_AUTHORITY,
            2, //2 sub-authorities
            SECURITY_BUILTIN_DOMAIN_RID,    //sub-authority 0
            DOMAIN_ALIAS_RID_ADMINS,        //sub-authority 1
            0, 0, 0, 0, 0, 0,               //sub-authorities 2-7 not passed
            AdministratorsGroup);
    if (b) then
    begin
        if not CheckTokenMembership(0, AdministratorsGroup, b) then
            b := False;
        FreeSid(AdministratorsGroup);
    end;

    Result := b;
end;

The trick to launching your app as an administrator is to use ShellExecute with the runas verb. i ever created a handy wrapper:

function RunAsAdmin(hWnd: HWND; filename: string; Parameters: string): Boolean;
{
    See Step 3: Redesign for UAC Compatibility (UAC)
    http://msdn.microsoft.com/en-us/library/bb756922.aspx
}
var
    sei: TShellExecuteInfo;
begin
    ZeroMemory(@sei, SizeOf(sei));
    sei.cbSize := SizeOf(TShellExecuteInfo);
    sei.Wnd := hwnd;
    sei.fMask := SEE_MASK_FLAG_DDEWAIT or SEE_MASK_FLAG_NO_UI;
    sei.lpVerb := PChar('runas');
    sei.lpFile := PChar(Filename); // PAnsiChar;
    if parameters <> '' then
        sei.lpParameters := PChar(parameters); // PAnsiChar;
    sei.nShow := SW_SHOWNORMAL; //Integer;

    Result := ShellExecuteEx(@sei);
end;

Now you just need to watch for a /StartService command line switch on application startup. In this quick and dirty code i put it in FormActivate. In reality you would put it in your project file, before Application.Run:

procedure TForm1.FormActivate(Sender: TObject);
begin
    if FindCmdLineSwitch('startService', True) then
    begin
        //If we're not an admin, then use ShellExecute to launch ourselves as one
        if not IsUserAdmin then
        begin
            //Relaunch ourselves as an admin
            Toolkit.RunAsAdmin(0, ParamStr(0), '/StartService'); //don't forget to pass the command option
            Application.Terminate;
            Exit;
        end;

        //We are an admin; do the updates.
        StartOurService();
        MessageDlg('Service started!', mtInformation, [mbOk], 0);

        Application.Terminate;
        Exit;
    end;
end;

Note: Any code released into public domain. No attribution required.