We have a C# Windows Forms client application. This application occasionally needs to check for updates to itself from a trusted internal web site, download them, install them, and restart itself.
To make the application compatible with User Account Control (UAC), we embedded a manifest in the .exe that requests the highest available privileges:
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
We want standard (non-administrator) users to be able to run the application without being prompted to elevate to administrator. We gave standard users full permissions to the entire application folder. This means the user has the power to mess with the software files, but that is acceptable.
The users have been working with this application on Windows 7, Windows 8, and Windows 8.1 for a while with UAC fully enabled. On these operating systems, when our application is launched, Windows does not prompt the user to elevate to administrator privileges.
We are now testing behavior on Windows 10. On a Windows 10 system, with full UAC enabled, Windows is prompting standard users to elevate to administrator. Nothing else has changed. The .EXE is the same, and the embedded manifest is the same requested execution level highestAvailable.
We have tested this with the client files in
C:\Program Files and inC:\Users\PublicBoth locations have the same behavior.
Why is the UAC elevation behavior different on Windows 10? Is the behavior on prior versions a bug in UAC? Should it have been prompting to elevate all along?
Note that we must keep UAC enabled. I am aware of how to disable it.
Also note that I have tested changing the manifest to requestedExecutionLevel of asInvoker. This is not prompting for elevation on Windows 10.
We have tracked the elevation prompting to a difference between local users and domain users. This MSDN article says:
Application launch behavior for a standard user with additional privileges (E.G. Backup Operator)...[will] prompt for credentials before running the application
We are seeing local standard users not prompted for elevation, but local domain users are prompted for elevation. The only privileges the domain user has over the limited user is being a member of the Domain Users role.
You miss understand highestAvailable. This means request the full admin token if your account is part of the admin group, but for normal standard users no UAC dialog is shown and the process runs with the standard token.
If your program requires admin rights to function then you need to use requireAdministrator in the manifest. When a standard user starts such a process, the over-the-shoulder UAC dialog is shown, where the user can enter credentials of an admin account.