今天新建了一个VS控制台工程RegTrustedInstallerDemo,编译出来的可执行文件RegTrustedInstallerDemo.exe居然请求以管理员权限运行。
经过一番探索之后发现,只要文件名里包含setup、install、patch、update,运行时都会请求管理员权限。
具体原因可以参考微软的链接:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc709628(v=ws.10)
Installer Detection Technology
Installation programs are applications designed to deploy software, and most write to system directories and registry keys. These protected system locations are typically writeable only by an administrator user, which means that standard users do not have sufficient access to install programs. Windows Vista heuristically detects installation programs and requests administrator credentials or approval from the administrator user in order to run with access privileges. Windows Vista also heuristically detects updater and uninstallation programs. Note that a design goal of UAC is to prevent installations from being executed without the user's knowledge and consent since they write to protected areas of the file system and registry.
Installer Detection only applies to:
1. 32 bit executables
2. Applications without a requestedExecutionLevel
3. Interactive processes running as a Standard User with LUA enabled
Before a 32 bit process is created, the following attributes are checked to determine whether it is an installer:
- Filename includes keywords like "install," "setup," "update," etc.
- Keywords in the following Versioning Resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest embedded in the executable.
- Keywords in specific StringTable entries linked in the executable.
- Key attributes in the RC data linked in the executable.
- Targeted sequences of bytes within the executable.
解决方案:为工程添加清单文件,在清单文件中包含执行级别即可。
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!--
可任选以下配置之一指定一个进程权限:
<requestedExecutionLevellevel="asInvoker" uiAccess="false" />
<requestedExecutionLevellevel="requireAdministrator" uiAccess="false" />
<requestedExecutionLevellevel="highestAvailable" uiAccess="false" />
requireAdministrator 为管理员权限,
highestAvailable 为可以获取到的最高权限,
asInvoker 为默认值,即调用进程当前权限,一般不需要显式指定,指定后会禁用虚拟化。
-->
</requestedPrivileges>
</security>
</trustInfo>