[英]How to launch program with user permissions instead of active permissions
I have a C# application which runs and displays a tray icon. 我有一个C#应用程序,它运行并显示一个托盘图标。 I have an installer for my tray application which launches the application after installation.
我有一个托盘应用程序的安装程序,它在安装后启动应用程序。 The installer requires admin permissions whereas the tray icon must be run with normal permissions.
安装程序需要管理员权限,而托盘图标必须以正常权限运行。 My installer currently breaks this - when the installed tray application is launched it inherits admin permissions from the installer process.
我的安装程序目前打破了这个 - 当安装托盘应用程序启动时,它继承了安装程序进程的管理员权限。
As part of my installer I am launching a C# application to perform some custom work. 作为我的安装程序的一部分,我正在启动一个C#应用程序来执行一些自定义工作。 This small application currently launches the tray application by calling:
这个小应用程序目前通过调用以下方式启动托盘应用程
Process.Start(@"path/to/my/tray/app.exe");
Is there any way to invoke the tray app with the current user's permissions rather than the elevated permissions given to the installer? 有没有办法用当前用户的权限而不是提供给安装程序的提升权限来调用托盘应用程序?
I have heard that the recommended way to do this is to have a wrapper EXE around the installer which launches the installer then launches the installed program. 我听说推荐的方法是在安装程序周围安装一个包装器EXE,启动安装程序,然后启动已安装的程序。 I would like to avoid this if possible.
如果可能的话,我想避免这种情况。
I am using WiX to build an MSI installer so I would also accept solutions which work directly from WiX/MSI. 我正在使用WiX构建MSI安装程序,因此我也接受直接从WiX / MSI工作的解决方案。
There are two approaches. 有两种方法。 The simplest is to use a shell exe that first launches the admin task elevated (lots of ways to do this; I prefer a manifest) and then the other task non-elevated.
最简单的方法是使用一个shell exe,它首先启动提升的管理任务(很多方法来执行此操作;我更喜欢清单),然后另一个任务不提升。 If you refuse to do that for whatever reason then take a look at the blog post and CodePlex project I link to from my blog post on this: http://www.gregcons.com/KateBlog/NonElevatedFromElevatedManagedThisTime.aspx
如果您因任何原因拒绝这样做,请查看我在博客文章中链接到的博客文章和CodePlex项目: http : //www.gregcons.com/KateBlog/NonElevatedFromElevatedManagedThisTime.aspx
或者,您可以使用Windows API CreateProcessAsUser
,它似乎可以完成这项工作。
Very good question. 非常好的问题。 The answers I found that ostensibly work are all a bit messy;
我发现表面上工作的答案都有点混乱; the most elegant overall is the EXE wrapper.
最优雅的整体是EXE包装。
Have a look at this article: http://www.codeproject.com/KB/vista-security/RunNonElevated.aspx . 看看这篇文章: http : //www.codeproject.com/KB/vista-security/RunNonElevated.aspx 。 It describes a method by which you can obtain a native hook to one of the shell windows, which run non-elevated, and ask the shell to start your code for you.
它描述了一种方法,通过该方法,您可以获取其中一个运行非提升的shell窗口的本机挂钩,并要求shell为您启动代码。 Native hooks in C# require very high CAS permissions;
C#中的本机挂钩需要非常高的CAS权限; to get these permissions, your installer must be strongly named and signed, and the code must demand or assert SecurityPermission with SecurityPermissionFlag.UnmanagedCode.
要获得这些权限,必须对安装程序进行强命名和签名,并且代码必须使用SecurityPermissionFlag.UnmanagedCode来请求或断言SecurityPermission。
The ProcessStartInfo class of the .NET Framework also contains a UseShellExecute Boolean property that, when set, tells Process.Start() to give this call to the shell rather than starting the process directly from the current application domain. .NET Framework的ProcessStartInfo类还包含一个UseShellExecute布尔属性,该属性在设置时告诉Process.Start()将此调用提供给shell,而不是直接从当前应用程序域启动进程。 I don't know if this will do that you need, but it's definitely much easier to try;
我不知道这是否能满足您的需求,但绝对容易尝试; you just use the ProcessStartInfo overload of Process.Start(), with a declared ProcessStartInfo having the flag set.
您只需使用Process.Start()的ProcessStartInfo重载,并使用已设置标志的已声明ProcessStartInfo。
Remember that you cannot tell the shell to start an EXE as a user other than the currently logged-in user (UserName and Password must not be set on the ProcessStartInfo). 请记住,您无法告诉shell以当前登录用户以外的用户身份启动EXE(不得在ProcessStartInfo上设置UserName和Password)。 You must also specify the path to the EXE using the WorkingDirectory property.
您还必须使用WorkingDirectory属性指定EXE的路径。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.