Working with UAC (User Access control) in relation to win vista, win7 and win server 2008 can be quite troublesome.
Yesterday we found that one our helper apps, which has a feature to start and stop services both local and remotely, didn’t work as expected. When running the application in elevated mode, everything worked fine.
Since we can’t expect all users to remember to run the application in elevated mode, we needed to find a more permanent solution.
I have previously been working with UAC problems relating to processes not running in elevated mode, but i didn’t know how to force the entire application ro run in elevated mode. Google turned out to be my friend again and I found tons of articles telling me “just” to add a manifest file changing the existing:
Simple one would think – and it was, so You might figure my level of frustration, when this turned out not to be enough.
Actually there was nothing wrong with the suggested solution, but all post that I read, failed to explain how to tell Visual Studio to use the added manifest file – I had to figure that out myself. A complete solution on how to force Your application to always run in elevated mode wil be listed here:
- In Visual Studio 2010 (I guess the same applies to VS2008, but I haven’t tested it) right click Your project and select “add new item”
- Add a application manifest file – the default name will be app.manifest.
- Inside the manifest file, change the existing configuration from
- Save and close the manifest file.
- Please note that Your manifest file won’t show up anywhere in your solution. In order to fix that, in solution explorer, click the “show all files” button.
- Important: Right click the manifest file and add it to the project – we need that in order to tell VS to use the manifest file when compiling our application.
- Right click Your project and select “properties”.
- On the application tab, the bottom section, select the manifest file:
manifest file selection
- Compile and run the application. If Your UAC settings are enabled, You will be prompted to allow the application to start in elevated mode.
Sometimes it can come in handy to check whether Your application is actually running in elevated mode or not. Maybe You will find this codesnippet usefull:
WindowsPrincipal myPrincipal = new WindowsPrincipal (WindowsIdentity .GetCurrent());
if (myPrincipal.IsInRole(WindowsBuiltInRole .Administrator) == false )
//show messagebox - displaying a messange to the user that rights are missing
MessageBox .Show("You need to run the application using the \\"run as administrator\\" option" , "administrator right required" , MessageBoxButtons .OK, MessageBoxIcon .Exclamation);
MessageBox .Show("You are good to go - application running in elevated mode" , "Good job" , MessageBoxButtons .OK, MessageBoxIcon .Information);
You may also find these references helpfull:
For various reasons I sometimes have to build projects outside my Visual Studio environment. One approach is to use the sommand line tool csc.exe (for c# projects) or vbc.exe (for vb.net projects). It can be quite exhausting to build the command – especially if your are using external libraries, ressources, settings and other quite common stuff. It would be nice if one could just fetch the command that Visual Studio uses to compile the project – well you can:-)
If you want to have a look at the command that Visual studio uses to compile you project, all you need to do is to launch a command similar to this in a visual studio command prompt:
E:\VSS\Grene\AxXMLService\AxXMLService>msbuild AxXMLService.csproj /t:rebuild /clp:showcommandline >> log.txt
This command will produce a log file containing the output – this will look something like this:
csc command output
Please note the highlighted section – here you will find the command you need to build your project outside visual studio. the only requirement is ofcouse that the relevant framework version is installed on the machine performing the build.
A colleegue of mine recently build a MSI installer using some third party tool unknown to me. He kindly asked me, what he needed to do, to sign the installer using our corporate codesigning certificate.
I am used to build my installers using Visual Studio, but I remembered that I once or twice had used the SignTool.exe command line tool, to sign some files. I looked up the documentation for the tool And quickly I was able to create a command meeting my needs:
E:\VSS\USMT\MSIProject>signtool sign /f E:\VSS\CodeSigningCert\Trustzone\eg_codesigning.pfx /p mypassword /d USMTApp USMTApp.msi
Note: To me it seems rather important to remember the d options – adding a description to the installer. This will show when the user runs the isntallation package.
Do you also keep asking yourself something like this:
- Why does something so simple always turn out to be so relatively hard and timeconsuming?
- Once you have aquired your certificate, shouldn’t it be easy to apply to you project?
In my oppinion Visual Studio 2010 offers limited support for wanting to codesign your apps before distribution. In my experience You will only experince a fair ammount of success when dealing with clickonce applications. In those cases it is pretty much straigth forward to apply your certificate (pfx file) and You may remember a screen like this:
Codesigning screendump from VS2010
The troubles start when you want to sign the assembly. This never works the first time for me. Either I keep some strange errors stating that the certificate can not be imported or that a reference to a token can not be found and so on and so on and so on… All these errors have always turneed out to be less than helpfull and today I had enough and once and for all I wanted to find a nearby bulletproof way to sign my apps in the future.
Reading various blogs I noticed that a lot of people have had the same frustrations as I, and a lot of those people had turned to external signing tools. Since I am pretty keen on using the standard tools from Microsoft I chose to go along with the Signtool util that Microsoft provides along with Visual Studio. I also learned something new called “Post build events” until now I didn’t know they existed, but in this case they come in pretty handy – let me explain… I’am usually required to deliver my apps as a MSI package. When building the MSI package based on the primary output from my assembly the assembly gets rebuild. If the assembly is not signed during this process, you will end up having an unsigned assembly. This is where the post build event comes into play.
Sign the assembly using signtool.exe and the post build event (VB.net)
- Right click your project file of your assembly – select “properties”
- Select the “Compile” tab and notice the “Build events” button in the lower left corner
- Click that button. You will now be able to provide a pre-build event command and/or a post-build event command
- Enter the signtool command that applies to your needs. You can use the visual studio command prompt to test the command. In that way you don’t have to wait while all projects are being recompiled.
A piece of advice is to use the built-in macros. Using those macros it is pretty easy to supply the correct paths.
- Choose when to run the post-build event – for instance “on successful build”
- click “ok” to exit
- Recompile your assembly. If you have put in the signtool command correctly, your assembly will be signed.
To get the signtool command to work properly I had to try out various commands. The one thing that kept getting in my way, was to supply the proper paths. Here is what you need to know:
- When putting the signtool command into visual studio it does not know where to locate the signtool.exe file. You will have to put in the exact path to the signtool.exe. Using Visual Studio 2010 my path was “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool”. Notice that the signtool is located in a previous version of Visual Studio. You might need to perform a search to find it in your environment.
- If you have any spaces in your file paths, remember to but the path in quotes <“path”>
- Remember to use the exact filepath when pointing to your certificate
- Remember to supply the password for the certificate
- Remember to use the full filepath to the assembly that needs to be signed – this is done by using the build-in macros
Here’s a sample command that worked for me:
“C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool” sign /f “$(ProjectDir)resources\eg_codesigning.pfx” /p mypassword “$(TargetPath)”
Sign the installer using Signtool.exe (VB.net)
Once the assembly is signed you can move forward to have your installer signed. I will assume you know how to add a setup project to your solution.
- Select the “setup project” project file and view the properties.
- Notice that you will have a property called “PostBuildEvent”. Click the browse button to enter the command line screen.
- As you did before you need to build the command. I will not go into further details since the process is pretty much the same as described above.
- Once you have entered your command rebuild the setup project.
Things you need to know:
- If you do not put in a description using the signtool, You will notice that when installing your app, a funny name like 77eu891.msi will show up in the UAC prompt. To avoid this, just remember to use the /d option in the signtool command. This will add a description to the MSI package and this description will display in the UAC prompt.
Here’s a sample that worked for me:
“C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool” sign /f “$(ProjectDir)eg_codesigning.pfx” /p mypassword /d “EGPackageMaker – Corporate software administration tool” “$(BuiltOuputPath)”
That’s it. For now my struggles regarding codesigning have ended – and maybe this article can be of use to someone else.
For some time I’ve been looking for a good way to copy my source code into this blog, without having to install a plugin. I stumpled across this great article about how to enable “Copy source as html” in Visual Studio 2010. “Copy source as HTML” can be downloaded from codeplex – check it out.
For some strange reasons “Copy Source as HTML” has stopped working and I am not able to get it up and running again. Instead of struggling any more than necessary I installed “Code4Blog“. It seems to work really great and even better than “Copy Source as HTML”.