<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <assemblyIdentity version="" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- UAC Manifest Options
             If you want to change the Windows User Account Control level replace the
             requestedExecutionLevel node with one of the following.
             <requestedExecutionLevel level="asInvoker" uiAccess="false" />
             <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
             <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
             If you want to utilize File and Registry Virtualization for backward
             compatibility then delete the requestedExecutionLevel node.
        -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>
After this change to the manifest, running the application first pops up a prompt like this; the program continues only after the user clicks Yes.
using System.Security.Principal;

// Returns true only if the process token actually carries the Administrators group,
// i.e. the process is already running elevated. An administrator account whose
// process holds the UAC-filtered token does not pass this check.
public static bool IsAdministrator()
{
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    WindowsPrincipal principal = new WindowsPrincipal(identity);
    return principal.IsInRole(WindowsBuiltInRole.Administrator);
}
| Value | Description | Comment |
| --- | --- | --- |
| asInvoker | The application runs with the same access token as the parent process. | Recommended for standard user applications. Do refactoring with internal elevation points, as per the guidance provided earlier in this document. |
| highestAvailable | The application runs with the highest privileges the current user can obtain. | Recommended for mixed-mode applications. Plan to refactor the application in a future release. |
| requireAdministrator | The application runs only for administrators and requires that the application be launched with the full access token of an administrator. | Recommended for administrator only applications. Internal elevation points are not needed. The application is already running elevated. |
asInvoker: the application runs with the caller's current privileges.
highestAvailable: the application runs with the highest privileges the current user can obtain.
requireAdministrator: the application runs only with administrator privileges.
The default is asInvoker.
Both highestAvailable and requireAdministrator can prompt the user for administrator privileges. So what is the difference between the two?
The difference is this: if we are not logged on with an administrator account, an application set to requireAdministrator simply fails to run and cannot start, whereas one set to highestAvailable runs successfully, but with the current account's privileges rather than administrator privileges. If we want the program to run even when a non-administrator is logged on (with some functions restricted in that case), highestAvailable is the recommended setting.
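The IsAdministrator() check above returns false for an administrator whose process holds the UAC-filtered token, which is exactly the case the highestAvailable/requireAdministrator discussion hinges on. As an added example (not code from the original post; the class and method names are my own), this reads the token's elevation type to tell the three cases apart:

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original post). Classifies the current process token:
// fully elevated, filtered (admin account with a UAC split token), or plain standard user.
static class ElevationCheck
{
    // TOKEN_ELEVATION_TYPE values returned by GetTokenInformation
    enum TokenElevationType { Default = 1, Full = 2, Limited = 3 }
    const int TokenElevationTypeClass = 18; // TOKEN_INFORMATION_CLASS.TokenElevationType

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    public static string Describe()
    {
        var identity = WindowsIdentity.GetCurrent();
        bool adminNow = new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);

        if (!GetTokenInformation(identity.Token, TokenElevationTypeClass,
                                 out int raw, sizeof(int), out _))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        switch ((TokenElevationType)raw)
        {
            case TokenElevationType.Full:
                return "elevated: full administrator token";
            case TokenElevationType.Limited:
                // Admin account, but this process holds the filtered token, so
                // IsInRole(Administrator) is false; highestAvailable would have prompted.
                return "not elevated: filtered admin token (highestAvailable would prompt)";
            default:
                // Default: no split token exists. Either UAC is off for this account
                // (e.g. the built-in Administrator), or the user is a standard user.
                return adminNow
                    ? "administrator without a UAC split token (UAC disabled)"
                    : "standard user: no administrator token available";
        }
    }

    static void Main() => Console.WriteLine(Describe());
}
```

Build it with the manifest set to asInvoker and run it from an administrator account, then again from an elevated prompt, to see the Limited and Full cases side by side.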
uiAccess Values

| Value | Description |
| --- | --- |
| False | The application does not need to drive input to the user interface of another window on the desktop. Applications that are not providing accessibility should set this flag to false. Applications that are required to drive input to other windows on the desktop (on-screen keyboard, for example) should set this value to true. |
| True | The application is allowed to bypass user interface control levels to drive input to higher privilege windows on the desktop. This setting should only be used for user interface Assistive Technology applications. |

Note: Applications with the uiAccess flag set to true must be Authenticode signed to start properly. In addition, the application must reside in a protected location in the file system. \Program Files\ and \windows\system32\ are currently the two allowable protected locations.
Reference: http://www.cnblogs.com/wangjei155/archive/2009/09/29/1576551.html

Applications running at normal privilege levels are NOT allowed to communicate with (i.e., send messages to) applications running at higher privilege levels (e.g. the SendMessage API reports success but your message never reaches the target application running at a higher privilege).
If your application needs to send messages to all applications, regardless of their privilege level:
1 - The uiAccess flag MUST be set to True in your application's manifest.
2 - Your code MUST be digitally signed (which means you must pay MS for a digital certificate).
3 - Your application MUST reside in a trusted location (e.g., Program Files), otherwise the uiAccess flag is ignored (so much for the user choosing where to place your application on THEIR hard drive).
Regardless of the state of the uiAccess flag, your application will always be able to send messages/drive input to windows of applications running at privilege levels equal to or less than your own privilege level.
Another piece of information in case you are having trouble putting a manifest in your executable (i.e., the application fails to run with Windows complaining that it failed to initialize properly or something): the size of your manifest must be an exact multiple of 4 (i.e. if it is 253 bytes/characters, then you must pad the end of the manifest text with three spaces).
Actually you can use makecert to create your own certificate, and then add the cert to your trusted certificate store to run the code on your own machine. More on how to do that here-
Additionally, I don't think the code signing cert has to be from Microsoft, but can be purchased from any digital certificate authority (like Verisign, Entrust, DigiCert, etc.).
I hope that gets you what you need to get your code working without any further investment.
If your application does not have a digital signature and has uiAccess=true in its manifest, it will fail with "A referral was returned from the server."
(No, notepad does not have a digital signature :)
Applications that request uiAccess=true must have a valid, trusted digital signature to execute.
Also, applications by default must reside in a trusted location on the hard drive (such as windows or program files) to receive the uiAccess privilege. They will still run if they are not in one of these locations, but they will not receive the privilege. You can disable this security feature through the local security policy mmc snap-in.
If you want to create a trusted "test" certificate to sign your application with so that you can use your application on your current machine, here's how:
NOTE: These instructions assume you have visual studio installed and are using a command prompt that has all the environment variables set to find SDK utilities such as makecert and signtool. If not, you will need to find these tools on your hard drive before running them.
1) Open an elevated command prompt
- Click start
- Find Cmd Shell or command prompt
- Right-click, click Run As Administrator
2) Create a trusted root certificate
- Browse to the folder that you wish to contain a copy of the certificate
- In the command shell, execute the following commands:
makecert -r -pe -n "CN=Test Certificate - For Internal Use Only" -ss PrivateCertStore testcert.cer
certmgr.exe -add testcert.cer -s -r localMachine root
3) Sign your file
- In the command shell, browse to the location of your exe
- In the command shell, type:
SignTool sign /v /s PrivateCertStore /n "Test Certificate - For Internal Use Only" /t http://timestamp.verisign.com/scripts/timestamp.dll APP.exe
Where APP.exe is your application.
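The two uiAccess preconditions quoted above (a trusted Authenticode signature and a protected install location) are easy to get wrong silently, since Windows just drops the privilege when the location check fails. As an added example (not code from the original post or from any of the replies), the following audits an external manifest file against them; the class, method and the assumption that the manifest is a separate file next to the exe are mine, and cert.Verify() only checks the certificate chain, not the file hash itself:

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Added example, not from the original post: checks a manifest (external file, path assumed)
// against the two uiAccess preconditions quoted above: trusted signature, protected location.
static class UiAccessAudit
{
    public static List<string> Audit(string manifestPath, string exePath)
    {
        var findings = new List<string>();
        var doc = new XmlDocument();
        doc.Load(manifestPath);
        // local-name() sidesteps the asm.v2/asm.v3 namespace differences between manifests
        var node = doc.SelectSingleNode("//*[local-name()='requestedExecutionLevel']") as XmlElement;
        string level = node == null ? "asInvoker (no node: default)" : node.GetAttribute("level");
        bool uiAccess = node != null &&
            node.GetAttribute("uiAccess").Equals("true", StringComparison.OrdinalIgnoreCase);
        findings.Add($"level={level}, uiAccess={uiAccess}");
        if (!uiAccess) return findings;

        // 1) Must carry an Authenticode signature whose certificate chains to a trusted root
        try
        {
            var cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(exePath));
            if (!cert.Verify())
                findings.Add("FAIL: signer certificate does not chain to a trusted root");
        }
        catch (CryptographicException) { findings.Add("FAIL: no Authenticode signature; app will not start"); }

        // 2) Must live under Program Files or system32, else uiAccess is silently dropped
        string full = Path.GetFullPath(exePath);
        var roots = new[] { Environment.SpecialFolder.ProgramFiles,
                            Environment.SpecialFolder.ProgramFilesX86,
                            Environment.SpecialFolder.System };
        bool inProtected = Array.Exists(roots, f =>
        {
            string root = Environment.GetFolderPath(f);
            return root.Length > 0 && full.StartsWith(root + Path.DirectorySeparatorChar,
                                                      StringComparison.OrdinalIgnoreCase);
        });
        if (!inProtected)
            findings.Add("FAIL: outside a protected location; uiAccess will be ignored");
        return findings;
    }
}
```

For an executable whose manifest is embedded, extract it first (mt.exe -inputresource can do this) and point Audit at the extracted file.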
First, create a manifest file (named UAC.manifest, as referenced by the RC file below) with the following content:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>
Then create an RC file named uac.rc with this single line (resource type 24 is RT_MANIFEST, and resource ID 1 is the one Windows reads for an executable):
1 24 UAC.manifest
Compile the RC file into a RES file with brcc32:
brcc32 uac.rc -fouac.res
Add the resource to the program:
{$R uac.res}
Run the program on Vista or Windows 7 and the UAC shield overlay appears on its icon.
Alternatively, the manifest can be embedded into an already built executable with mt.exe (again as resource ID 1):
mt.exe -manifest temp.manifest -outputresource:YourApp.exe;#1