我们可以得到UAC提示只显示一次? [英] Can we get the UAC prompt to show only once?
问题描述
有没有办法为一个应用程序,以present与UAC用户提示只有一次,在第一次运行。此后,没有进一步的提示。
Is there a way for an app to present the user with the UAC prompt only once, upon first running. Thereafter, no further prompting.
在换句话说,我明白,我们的应用程序需要用户的UAC权限去做某些事情。这很好。但是,我们不希望它必须保持运行,每一次问的。可以将用户授予权限,以我们所有的时间应用程序?还是什么,我问违反UAC的基本面?
In other words, I understand that our app needs the user's UAC permission to do certain things. And that's fine. But we don't want it to have to keep asking on every occasion it runs. Can the user give permission to our app for all time? Or does what I am asking violate the fundamentals of UAC?
我们正在与.NET和Windows 7
We are working with .NET and Windows 7
推荐答案
在回答你的问题是:不,你不能这样做,的
微软专门为禁止这种行为。如果一个应用程序可以将自己添加到排除列表中,那么,我们重新回到我们以前的一塌糊涂。
Microsoft specifically is forbidding such behavior. If a applications could add themselves to an exclude list, then we get back into the mess we had before.
您需要做的是使你的程序不需要管理访问权限。
What you need to do is make your program not require administrative access.
问问自己:?你做了什么在Windows XP
- 在不允许我运行你的软件?
- 在做软件崩溃时,我是一个标准的用户?
- 在做软件提供了没有价值,而且也没有绝对没有的功能由一个标准用户运行时?
Windows XP不具备UAC的说服。为用户的唯一的方式来运行程序作为管理员登录与其他用户。而这比点击继续更糟糕的用户体验。
Windows XP doesn't have the convince of the UAC. The only way for a user to run your program as an administrator is to logon with another user. And that's a much worse user experience than clicking "Continue".
如果你不想写的软件,标准的用户界面友好,那么你就是问题的一部分。 UAC是没有问题的,UAC是一个便于学习。我可以关闭UAC,运行作为一个标准用户充分的时间,你的软件的仍将无法工作。
If you don't want to write software that is standard user friendly, then you're part of the problem. UAC is not the problem, UAC is a convience. i can turn off UAC, run as a standard user full time, and your software still won't work.
- 白名单
- 的记住我的preference 的
- 的不要再问我了。的
- white-lists
- Remember my preference
- Don't ask me again.
如果你有一个白名单,则每个程序只会自身添加到这样的列表在安装时。
If you had a white-list, then every program would just add itself to such a list at install time.
如果这样的白名单存在,那么你的应用程序将成为恶意软件的目标。它愿意修改执行它想要的东西二元;因为它知道该程序将被自动升高。
If such a white-list existed, then your app would be the target of malware. It would love to modify the binary to execute what it wants; since it knows the program will be silently elevated.
恶意软件会喜欢戳与SendMessage函数应用程序,试图通过无效的数据或结构,试图让你的,管理,应用程序执行的code就是了。
Malware would love to poke at your application with SendMessage, trying to pass invalid data or structures, trying to get your, administrative, application to execute the code it wants.
如果用户必须禁用计划未来的提示选项,那么他们只会做,每一个程序会以管理员身份运行,我们会回来的方式事情。
If the user had the option to disable future prompts on programs, then they would just do it, and every program would run as an administrator, and we'll be back to the way things were.
所有这些想法都没有解决的问题:几乎没有程序实际上需要管理权限
All those ideas don't solve the problem: almost no program actually requires administrative access.
的时间终于迫使开发商来与这一事实条款。
The time has finally come to force developers to come to terms with that fact.
有人要拿出办法让白名单的工作。
Some people want to come up with ways to make whitelists work.
-
有一个复选框,用户可以说不提示我这个文件了。的
如果存储了文件名,然后用相同名称的其他程序会悄无声息地管理员运行。
Have a checkbox where the user can say, "Don't prompt me for this file anymore"
If you store that filename, then other programs with the same name will silently run as administrators.
好了,然后我们会记录完整路径,或使用文件的哈希值,作为白名单条目。的 如果有一个白名单,然后其他程序将自己添加到这个列表在安装时,并有管理权限的用户不希望运行的程序。
Okay, then we'll record the full path, or use the hash of the file, as the whitelist entry. If there's a whitelist then other programs will add themselves to that list when they install, and have programs running with administrative access that the user didn't want.
如果仅签名的应用程序是允许的,这样,我们知道他们是安全的。的应用程序是不是安全的,因为他们签名。应用程序不一定是恶意软件为它被滥用成做坏事。 (如缓冲区溢出闪光灯,火狐,IE,铬,Safari浏览器,歌剧,文字,软件,雅虎图片上传工具)。
What if only signed applications are allowed, that way we know they're safe. Applications are not safe because they're signed. An application doesn't have to be malware for it to be abused into doing bad things. (e.g. buffer overruns in flash, firefox, ie, chrome, safari, opera, word, photoshop, Yahoo image uploader tool).
您必须存储在列表中的 somehwere 有效code-签名者的名单。不管你如何切它,有任何白名单将意味着应用程序只会将自己添加到列表中。
You have to store list of valid code-signers in a list somehwere. And no matter how you slice it, having any white-list will mean that applications will just add themselves to that list.
- 的好了,那就不要让他们访问列表。甚至连管理员可以将项目添加到列表中。的如果连非管理员可以将项目添加到列表中,那么如何才能将用户添加项目到列表中的第一个地方?你不能将项目添加到白名单,如果你不允许项添加到白名单中!
- Well, then don't allow them access to the list. Not even administrators are allowed to add items to the list. If not even administrators can add items to the list, then how can the user add items to the list in the first place? You can't add items to the whitelist if you're not allowed to add items to the whitelist!
和你如何管理白名单?比方说用户已经改变了主意,还是爸爸已经改变了主意,或已改变了主意,或者企业已经改变了主意,或软件发行商改变主意:你怎么从列表中删除的项目 - 尤其是当没有人被allowd修改列表。
And how do you manage the white-list? Lets say the user has changed their mind, or Dad has changed his mind, or IT has changed its mind, or corporate has changed its mind, or the software publisher changes their mind: how do you remove items from the list - especially when nobody is allowd to modify the list.
摘要:白名单不能正常工作
这篇关于我们可以得到UAC提示只显示一次?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
