public static bool IsAdministrator() { WindowsIdentity identity = WindowsIdentity.GetCurrent(); WindowsPrincipal principal = new WindowsPrincipal(identity); return principal.IsInRole(WindowsBuiltInRole.Administrator); }
对于XML文件中引用的UAC执行权限级别,分别代表下列含义:
Value Description Comment asInvoker The application runs with the same access token as the parent process. Recommended for standard user applications. Do refractoring with internal elevation points, as per the guidance provided earlier in this document. highestAvailable The application runs with the highest privileges the current user can obtain. Recommended for mixed-mode applications. Plan to refractor the application in a future release. requireAdministrator The application runs only for administrators and requires that the application be launched with the full access token of an administrator. Recommended for administrator only applications. Internal elevation points are not needed. The application is already running elevated.
---------------------------------------------------------------------------- uiAccess Values Possible uiAccess values
Value
Description
False
The application does not need to drive input to the user interface of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true.
True
The application is allowed to bypass user interface control levels to drive input to higher privilege windows on the desktop. This setting should only be used for user interface Assistive Technology applications. Important noteImportant Note:
Applications with the uiAccess flag set to true must be Authenticode signed to start properly. In addition, the application must reside in a protected location in the file system. \Program Files\ and \windows\system32\ are currently the two allowable protected locations.
Question Sign in to vote 说明白了就是要干涉其它程序的UI,或者发消息给其他程序,或者已经自带windows认可的数字证书 This is what I learned so far:
Applications running at normal privilege levels are NOT allowed to communicate with (i.e.; send messages to) applications running at higher privilege levels (e.g. the SendMessage API reports success but your message never reaches the target application running at a higher privilege).
If your application needs to send messages to all applications, regardless of their privilege level:
1 - The uiAccess flag MUST be set to True in your application's manifest.
2 - Your code MUST be digitally signed (which means you must pay MS for a digital certificate).
3 - Your application MUST reside in a trusted location (e.g.; Program Files), otherwise the uiAccess flag is ignored (so much for the user choosing where to place your application on THEIR hard drive).
Regardless of the state of the uiAccess flag, your application will always be able to send messages/drive input to windows of applications running at privilege levels equal to or less than your own privilege level.
Another piece of information in case you are having trouble putting a manifest in your executable (i.e.; the application fails to run with Windows complaining that it failed to initialize properly or something): the size of your manifest must be an exact multiple of 4 (i.e. if it is 253 bytes/characters, then you must pad the end of the manifest text with three spaces).
Actually you can use makecert to create your own certificate, and then add the cert to your trusted certificate store to run the code on your own machine. More on how to do that here-
Additionally, I don't think the code signing cert has to be from Microsoft, but can be purchased from any digital certificate authority (like Verisign, Entrust, DigiCert, etc.).
I hope that gets you what you need to get your code working without any further investment.
-Westley
制作数字证书的过程:
If your application does not have a digital signature and has uiAccess=true in its manifest, it will fail with "A referral was returned from the server."
(No, notepad does not have a digital signature :)
Applications that request uiAccess=true must have a valid, trusted digital signature to execute.
Also, applications by default must reside in a trusted location on the hard drive (such as windows or program files) to receive the uiAccess privilege. They will still run if they are not in one of these locations, but they will not receive the privilege. You can disable this security feature through the local security policy mmc snap-in.
If you want to create a trusted "test" certificate to sign your application with so that you can use your application on your current machine, here's how:
NOTE: These instructions assume you have visual studio installed and are using a command prompt that has all the environment variables set to find SDK utilities such as makecert and signtool. If not, you will need to find these tools on your hard drive before running them.
***
1) Open an elevated command prompt
- Click start - Find Cmd Shell or command prompt - Right-click, click Run As Administrator
2) Create a trusted root certificate
- Browse to the folder that you wish to contain a copy of the certificate - In the command shell, execute the following commands:
makecert -r -pe -n "CN=Test Certificate - For Internal Use Only" -ss PrivateCertStore testcert.cer
