Robert Deml

Reputation: 12532

How does the UAC know the application is going to need elevated privileges?

I have a C# .NET application with about 20 supporting assemblies that I am maintaining.

When it starts, Windows shows a UAC dialog that says:
Do you want to allow the following program to make changes to this computer.

If I disable the 'Run as administrator' checkbox on the file's properties dialog, I get a dialog of:
Unable to run [Application Name]. The user account '[Me]' does not have sufficient privileges to write to
C:\ProgramData[Company][Application Name]

This application will try to write to the ProgramData directory which is causing the UAC to ask the user for permission.

How does the UAC know the application is going to write to ProgramData?
What can I change so that the UAC does not complain?

Upvotes: 7

Views: 1568

Answers (2)

Matthew Watson

Reputation: 109537

It is possible that the application has a manifest file such as this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
            <requestedPrivileges>
                <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
            </requestedPrivileges>
        </security>
    </trustInfo>
</assembly>

If it has, the requestedExecutionLevel level="requireAdministrator" will cause it to show the UAC dialog.

The manifest file would normally be called app.manifest

Upvotes: 0
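
To check which execution level a given binary actually declares, the sketch below scans a file's bytes for an embedded manifest and reports its requestedExecutionLevel. It is an added example, not code from the answer or from Microsoft; the function names and the sample bytes are made up for illustration, and the byte scan is a heuristic that assumes an unpacked executable whose manifest is stored as plain XML.

```python
import re
import xml.etree.ElementTree as ET

# An embedded manifest is stored as plain XML text in the RT_MANIFEST resource,
# so a byte scan finds it in an unpacked binary (heuristic, not a PE parser).
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# Documented values of requestedExecutionLevel/@level.
LEVELS = {
    "asInvoker": "runs with the caller's token; the manifest requests no elevation",
    "highestAvailable": "elevates when the user can obtain a higher-privilege token",
    "requireAdministrator": "always requires a full administrator token",
}

def requested_execution_level(data: bytes):
    """Return (level, uiAccess) from the first manifest declaring one, else None."""
    for match in MANIFEST_RE.finditer(data):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # looked like a manifest but is not well-formed XML
        for elem in root.iter():
            # trustInfo appears under asm.v2 or asm.v3; compare local names only.
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return elem.get("level"), elem.get("uiAccess", "false")
    return None

def explain(data: bytes) -> str:
    """Describe what the declared level means, flagging unknown values."""
    found = requested_execution_level(data)
    if found is None:
        return "no requestedExecutionLevel found"
    level, _ui_access = found
    if level not in LEVELS:
        return f"unrecognised level {level!r} (check spelling)"
    return f"{level}: {LEVELS[level]}"

# Constructed sample: filler bytes around a manifest, standing in for an .exe.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64 +
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges>'
    b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    b'</requestedPrivileges></security></trustInfo></assembly>' + b"\x00" * 16
)

if __name__ == "__main__":
    print(explain(SAMPLE))
```

For a real file, pass `open(path, "rb").read()` to `explain`; a result of "no requestedExecutionLevel found" means the prompt comes from somewhere other than an embedded manifest.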

ddavison

Reputation: 29032

  1. How does UAC know the application is going to write to ProgramData

    • ProgramData MIGHT be under the list of "Protected Directories" during the virtualization process of the UAC Architecture. (source needed)
  2. What can I change so that the UAC does not complain?

    • Couple options here -
      1. It appears that you are trying to write to C:\ProgramData[Company][Product]
        To me, this looks like a path separation issue. You are trying to create [or use] a directory named C:\ProgramDataAdobePhotoshop. If your application is not separating these directories, then I'd assume that this is causing your UAC issue. Try adding your path separators: C:\ProgramData\Adobe\Photoshop [as an example]
      2. Disable UAC? The UAC is there to prevent unauthorized activity, and if you look at the flowchart above, any application that has a signature of writing to a "restricted directory" or any "elevated actions", it will fall under, and spark a UAC prompt. Your user would click through it, and all is well.
      3. Use the Application Data folder, instead of the ProgramData folder. That folder seems to be hidden for a reason.

My recommendation - For any application that needs to store data - use the user's Application Data rather than the ProgramData folder. You will not get any UAC prompts if you use this directory. (this question could help with that)

Upvotes: 4
