Reputation: 735
UAC prompt from an already elevated application
Let's say an application is already running with elevated privileges. Is it possible for this application to show a UAC prompt and get its result (successfully confirmed or cancelled)?
Background story: I have an application that requires Administrator privileges but runs in a restricted user account, so an UAC prompt is shown at its start, the user enters Administrator credentials to confirm it and everything works fine. However, for some critical actions I'd like to verify that the current user is (still) allowed to do that.
For example, the original user left the workstation without locking his Windows account (yes, the world's not perfect...) and another user open that already running application and accesses some sensitive settings. You can compare this to an online-shop, where an already logged in user has to provide his credentials again if he wants to change his delivery address.
I understand that I could create a custom prompt, ask for admin account credentials and check if they're valid, but I don't want to touch those credentials at all. Neither do I want to introduce additional application-specific credentials. The UAC prompt would be a nice and native solution to re-verify the user has admin privileges.
Basically something like this:
if VerifyAdminWithUacPrompt then
begin
//critical stuff
end;
A Delphi example would be perfect, but I'm also happy about general ideas how to accomplish this.
Upvotes: 2
Views: 679
Answers (1)
Reputation: 598279
Your app does not need to invoke a new UAC prompt, since UAC is already running your app elevated. The app just needs to ask the user for credentials. Windows has APIs for that very purpose: CredUIPromptForCredentials() and CredUIPromptForWindowsCredentials():
The
CredUIPromptForCredentialsfunction creates and displays a configurable dialog box that accepts credentials information from a user.
The
CredUIPromptForWindowsCredentialsfunction creates and displays a configurable dialog box that allows users to supply credential information by using any credential provider installed on the local computer.
See Asking the User for Credentials on MSDN for more details:
Your application may need to prompt the user for user name and password information to avoid storing an administrator password or to verify that the token holds the appropriate privileges.
However, simply prompting for credentials may train users to supply those to any random, unidentified dialog box that appears on the screen. The following procedure is recommended to reduce that training effect.
To properly acquire user credentials
Inform the user, by using a message that is clearly part of your application, that they will see a dialog box that requests their user name and password. You can also use the
CREDUI_INFOstructure on the call toCredUIPromptForCredentialsto convey identifying data or a message.Call
CredUIPromptForCredentials. Note that the maximum number of characters specified for user name and password information includes the terminating null character.Call
CredUIParseUserNameandCredUIConfirmCredentialsto verify that you obtained appropriate credentials.
Upvotes: 2
Related Questions
- How to run a process elevated on Windows?
- UAC-style elevated prompt
- Start elevated application on OS startup, without UAC prompt
- Delphi: Prompt for UAC elevation when needed
- Why does my win32 program need elevation?
- Launch an EXE with elevated privileges from a "normal" non-elevated one?
- Windows UAC Dialog
- Newly compiled application requires UAC/elevation?
- How to determine why application is prompting for elevation
- Run my program asUser