如何使用 c# 显示文件保存到受限位置的 UAC 提示? [英] How to display UAC prompt for file save to restricted location using c#?

问题描述

当用户从我的应用程序保存文件时，他们目前无法保存到受限位置(如 C:).我认为这是一个很好的限制，但我想提供一个 UAC 提示来提升权限并允许用户在受限区域保存.

When a user saves a file from my application, they currently can't save to restricted locations (like C:). I think this is a good restriction, but I would like to provide a UAC prompt to elevate privileges and allow a user to save in a restricted area.

我已经看到很多关于这个主题的答案，其中涉及使用runas"生成具有提升权限的新进程.此外，这似乎可以通过模拟其他用户来完成.据我了解，这两种方法都需要用户提供用户凭据.

I've seen lots of answers around this topic that involve spawning a new process with elevated privileges using 'runas'. Also, it seems like this can be done by impersonating another user. From what I understand, both of those methods require a user to provide user credentials.

我想做的基本上就是 Windows 本身所做的.当您尝试在 Windows 7 中将文件复制到 C: 时(假设您已将 UAC 设置为其默认级别)，您会收到以下提示:

What I'm wanting to do is basically what Windows itself does. When you try to copy a file to C: in Windows 7 (assuming you've got UAC set to its default level), you get the following prompt:

一旦您单击带有 UAC 防护罩的继续"按钮，文件就会被复制到 C:，而不会提示您输入凭据(假设您以管理员权限登录).

Once you click the Continue button with the UAC shield, the file is copied to C: with no prompt for credentials (assuming you're logged on with admin privileges).

如何在我的应用程序中为管理员用户复制此行为?他们不应该冒充任何其他用户，因为他们已经拥有管理员权限.任何人都可以提供有关 Windows 在此过程中正在做什么的详细信息吗?他们是否生成了一个具有提升权限的新 explorer.exe 进程?

How can I replicate this behavior in my application for admin users? They shouldn't have to impersonate any other user because they already have admin privileges. Can anyone provide details on what Windows is doing during this process? Are they spawning a new explorer.exe process with elevated privileges?

推荐答案

您需要做 Windows 所做的事情.并产生一个新进程，该进程将以更高的权限运行.这里没有捷径.进程启动时分配的令牌决定了进程拥有哪些权限.该令牌在进程开始后无法更改.如果你需要提升，你需要一个新的过程.

You need to do what Windows does. And spawn a new process which will run with elevated rights. There are no shortcuts here. The token that is allocated when a process starts is what determines what rights the process has. That token cannot be changed after the process has started. If you need to elevate, you need a new process.

我已经看到很多关于这个主题的答案，其中涉及使用runas"生成具有提升权限的新进程.此外，这似乎可以通过模拟其他用户来完成.据我了解，这两种方法都需要用户提供用户凭据.

I've seen lots of answers around this topic that involve spawning a new process with elevated privileges using 'runas'. Also, it seems like this can be done by impersonating another user. From what I understand, both of those methods require a user to provide user credentials.

不，事实并非如此.如果当前用户不是管理员，则 UAC 对话框将提示输入具有管理员权限的用户的新凭据.这就是 over-the-shoulder UAC 对话框.另一方面，如果当前用户是管理员，那么他们只会获得同意对话框.这是安全桌面上显示的对话框，只要求您单击继续".

No that's not the case. If the current user is not an admin, then the UAC dialog will prompt for new credentials of a user that does have admin rights. That's the over-the-shoulder UAC dialog. On the other hand, if the current user is an admin then they just get the consent dialog. That's the dialog that's shown on the secure desktop and just asks for you to click Continue.

Windows 组件可以做而您不能做的一件事是在不向您显示同意对话框的情况下启动提升的进程.这仅在 Windows 7 上发生(而不在 Vista 上)，并且仅当您在 Windows 7 中添加的新 默认 设置中具有 UAC 设置时.这就是资源管理器能够显示您的对话框的方式包含在问题中，然后启动一个提升的过程来进行复制而不显示同意 UAC 对话框.只有 Windows 组件被授予这种能力.

The one thing that Windows components can do that you cannot is start a process elevated without showing you the consent dialog. That happens on Windows 7 only (not on Vista), and only if you have the UAC setting at the new Default setting that was added in Windows 7. That's how Explorer is able to show the dialog that you included in the question and then start an elevated process to do the copying without showing the consent UAC dialog. Only Windows components are granted that ability.

但最重要的是，您需要启动一个运行提升的新进程.使用 runas 动词是执行此操作的规范方法.

But the bottom line is that you need to start a new process that runs elevated. Using the runas verb is the canonical way to do it.

这篇关于如何使用 c# 显示文件保存到受限位置的 UAC 提示?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！