
[REQ] Add a manifest resource with requestedExecutionLevel

Post your suggestions for future versions of NeoBook

Moderator: Neosoft Support

Postby sombra » Sat Nov 22, 2008 2:30 am

Hello,
Could an option be added for embedding a manifest resource in our applications?

Currently there is one inside our compiled applications made with NeoBook, but it doesn't support the elevation prompt under Windows Vista.
A good place could be the "General page" of "Compile/Publish book", adding a combobox with three options: AsInvoker | requireAdministrator | highestAvailable
I tried with external .manifest files, but it didn't work. It only worked when I renamed the applications to setup.exe or install.exe
I think that Windows Vista is more widespread across systems than two years ago, and IMHO this could help many users with their applications.

Some advantages:
  • Prevent Virtualization
  • Write/clean registry entries (I want to add a context menu in Explorer for applications)
  • Delete temporary files
  • Write in special folders.
  • etc.

Adding the following lines according to the user's preferences at compilation could solve this issue:
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
        <!-- <requestedExecutionLevel level="requireAdministrator" /> -->
        <!-- <requestedExecutionLevel level="highestAvailable" /> -->
      </requestedPrivileges>
    </security>
  </trustInfo>

I can read English, but... I write like Tarzan. (sorry)
sombra
 
Posts: 93
Joined: Sat Apr 02, 2005 3:09 pm
Location: Spain

Postby Neosoft Support » Mon Nov 24, 2008 11:18 am

Unfortunately, the Vista manifest isn't something that NeoBook's compiler can add to a publication exe. Instead it must be built into the run-time module by us in advance. Currently there is no Vista manifest in the run-time, but we could add one in the future. The question is what type of manifest can we add that will work for all types of applications. If we add one that requires administrator, does that mean that the pub won't run on non-admin accounts? Would "AsInvoker" be more appropriate? Or is it better to have no manifest?
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Re: [REQ] Add a manifest resource with requestedExecutionLev

Postby Light » Mon Nov 24, 2008 12:58 pm

sombra wrote: Hello,
Could an option be added for embedding a manifest resource in our applications?

Currently there is one inside our compiled applications made with NeoBook, but it doesn't support the elevation prompt under Windows Vista.
A good place could be the "General page" of "Compile/Publish book", adding a combobox with three options: AsInvoker | requireAdministrator | highestAvailable
I tried with external .manifest files, but it didn't work. It only worked when I renamed the applications to setup.exe or install.exe
I think that Windows Vista is more widespread across systems than two years ago, and IMHO this could help many users with their applications.

Some advantages:
  • Prevent Virtualization
  • Write/clean registry entries (I want to add a context menu in Explorer for applications)
  • Delete temporary files
  • Write in special folders.
  • etc.
Adding the following lines according to the user's preferences at compilation could solve this issue:
   <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
       
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
        <!-- <requestedExecutionLevel level="requireAdministrator" /> -->
        <!-- <requestedExecutionLevel level="highestAvailable" /> -->

      </requestedPrivileges>
    </security>
  </trustInfo>



I vote for that too
Light
 
Posts: 38
Joined: Tue Nov 27, 2007 7:47 am

Postby sombra » Mon Nov 24, 2008 6:22 pm

Hello Neosoft Support,

I did several tests and I tried to modify the internal manifest inside the application with a resource editor like XNResourceEditor and eXeScope, but the resulting application file was corrupted :(
While a manifest resource is inside the publication, an external manifest is always ignored. On the other hand, if a publication is compiled as a runtime package, no manifest resource is added to the executable and the external manifest is taken into account :)

Neosoft Support wrote: Unfortunately, the Vista manifest isn't something that NeoBook's compiler can add to a publication exe. Instead it must be built into the run-time module by us in advance.

One idea, I don't know if it could be possible but I'll tell it anyway ;) If the manifest resource takes for example 850 bytes, you could reserve 875 bytes (with 25 extra blank spaces) for the manifest resource in the runtime module. And just before the compilation, set the requested execution level chosen by the user. Later, all the necessary blank spaces could be deleted to leave the manifest resource at 875 bytes again.
This would be the ideal method to compile the application as the user intended for his application.

Neosoft Support wrote: Would "AsInvoker" be more appropriate?

As far as I know, with this method an application will be launched as a normal application (without elevation), like NeoBook currently does; we gain a manifest compatible with Vista, and theoretically we avoid the virtualization.

Neosoft Support wrote: If we add one that requires administrator, does that mean that the pub won't run on non-admin accounts?

I'm not sure. This should be tested more deeply. Perhaps users without a privileged account couldn't run the program. And a publication which only has a slideshow of pictures couldn't be launched. It would depend on how the "Consent Policy for Standard Users" is defined.
IMHO if the user cannot choose how the publication must be compiled, this alternative should not be the default.

Maybe a middle-ground solution could be the option "highestAvailable", where the application will be launched with the highest privileges the current user can obtain.

Neosoft Support wrote: Or is it better to have no manifest?

I think that this option is good too, but the NeoBook user should be aware of it. And he could solve all problems related to this issue by creating an external manifest.
I can see two handicaps with this method: the user may forget to attach his application.exe.manifest to the main program before releasing it. And as a consequence... The manifest file also helps some applications to render the XP theme.

Here some related links:
http://msdn.microsoft.com/en-us/library/bb756929.aspx
http://www.helpware.net/VistaCompat.htm
I can read English, but... I write like Tarzan. (sorry)
sombra
 
Posts: 93
Joined: Sat Apr 02, 2005 3:09 pm
Location: Spain
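
Added example, not part of the thread and not NeoBook's code: a Python version of the fixed-size idea from sombra's post above, where the run-time's manifest resource carries trailing spaces and the execution level is swapped without changing the resource length. The sample manifest, the function names and the 25-byte reserve are assumptions taken from the post's illustration.

```python
import re

LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")
# Matches the active level attribute; group 2 is the value that gets swapped.
LEVEL_RE = re.compile(rb'(<requestedExecutionLevel\s+level=")([A-Za-z]+)(")')

# Constructed sample manifest, not NeoBook's real run-time resource.
BASE = (
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="false" />'
    b'</requestedPrivileges></security></trustInfo></assembly>'
)

def reserve(manifest: bytes, slack: int = 25) -> bytes:
    """Append trailing spaces so the resource has room to grow later."""
    return manifest + b" " * slack

def set_level_fixed_size(resource: bytes, level: str) -> bytes:
    """Rewrite the level in place; the result has exactly len(resource) bytes."""
    if level not in LEVELS:
        raise ValueError(f"unsupported level: {level!r}")
    body = resource.rstrip(b" ")          # manifest text without the padding
    slack = len(resource) - len(body)     # bytes of padding currently available
    patched, count = LEVEL_RE.subn(
        lambda m: m.group(1) + level.encode("ascii") + m.group(3), body)
    if count != 1:
        raise ValueError("expected exactly one requestedExecutionLevel element")
    growth = len(patched) - len(body)     # negative when the new level is shorter
    if growth > slack:
        raise ValueError(f"need {growth} bytes of padding, only {slack} reserved")
    return patched + b" " * (slack - growth)

if __name__ == "__main__":
    slot = reserve(BASE)
    admin = set_level_fixed_size(slot, "requireAdministrator")
    print(len(slot), len(admin))
```

Trailing whitespace after the root element is still well-formed XML, and any Authenticode signature has to be applied after the patch because changing the resource bytes changes the signed file hash.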

Postby dbz » Tue Dec 09, 2008 3:31 pm

Hello:
Take a look at this.

In Spanish:
http://technet.microsoft.com/es-es/maga ... 10320.aspx

In English:
http://technet.microsoft.com/en-us/maga ... 10320.aspx
dbz
 
Posts: 42
Joined: Mon Apr 04, 2005 4:12 am
Location: Varel, Germany

Postby Neosoft Support » Tue Dec 09, 2008 5:06 pm

Why Vista PCs that are not part of a multi-user office environment have to put up with this annoying feature is beyond me. If you're the only person using your PC, turn off Vista's UAC (User Access Control) feature and you will be much, much happier.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby dbz » Wed Dec 10, 2008 3:42 am

I agree with you, but things will follow the same path with Vista Service Pack 2 and Windows 7.

http://msdn.microsoft.com/en-us/windows/default.aspx
dbz
 
Posts: 42
Joined: Mon Apr 04, 2005 4:12 am
Location: Varel, Germany

Postby Neosoft Support » Wed Dec 10, 2008 10:58 am

I think for most types of publications a Vista manifest is not necessary. It's only when the pub tries to write to restricted parts of the registry or certain folders on the hard drive that this becomes an issue. Is this correct?
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby dbz » Wed Dec 10, 2008 1:16 pm

Vista requires elevation for:
Writing to the registry, creating/writing to the Program Files directory, setting permissions, etc.
dbz
 
Posts: 42
Joined: Mon Apr 04, 2005 4:12 am
Location: Varel, Germany

Postby Neosoft Support » Wed Dec 10, 2008 5:41 pm

dbz wrote: Vista requires elevation for:
Writing to registry, creating/writing to program files directory, setting permissions etc


If you're writing a Vista compliant application for average users (not an administrator tool) then you would want to avoid anything that required elevation. If your user isn't authorized to access those areas, then Vista won't allow it.

By default, a normal end user app that follows the Vista rules shouldn't need to worry about this. Only apps that require administrator level access, or want to monkey around with things that normal apps shouldn't, need a specific Vista manifest. Right?
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby dbz » Thu Dec 11, 2008 2:18 am

Exactly.
The problem is that Windows users are accustomed to working in Administrator mode.

For example, if our application writes to the registry the name of the last user who has used it, it will ask us for elevation.
If we save this information in an encrypted text file in a folder other than Program Files, Windows or System, it will not ask us.

An explanation of the matter:

In Spanish:
http://technet.microsoft.com/es-es/maga ... 62813.aspx

In English:
http://technet.microsoft.com/en-us/maga ... 62813.aspx
dbz
 
Posts: 42
Joined: Mon Apr 04, 2005 4:12 am
Location: Varel, Germany

Postby Neosoft Support » Thu Dec 11, 2008 11:48 am

That's a good article. Basically it says that this level of security is designed to protect you from malware that "doesn't exist widely yet." Such malware (when it does exist in the future) will still be able to destroy a user's private data, but not the whole system as is the case when you're running as an administrator. I understand the concept.

What I'm still not sure about is what level of Vista manifest we should set as the default for NeoBook pubs: None or AsInvoker. Is there any difference between No manifest and AsInvoker? Doesn't AsInvoker simply mean use whatever access level is assigned to the current user - the same as no manifest?
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA
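
Added example, not from the thread or from NeoBook: a Python check for the question in the post above, whether no manifest and asInvoker behave the same. It assumes a 32-bit interactive exe started by a standard user with UAC on, where Windows treats an exe without requestedExecutionLevel as legacy (file/registry virtualization, installer detection by file name) and an asInvoker manifest switches both off; the sample manifests, function name and result keys are constructed.

```python
import xml.etree.ElementTree as ET

ELEVATION = {"asInvoker": "never", "highestAvailable": "if-user-is-admin",
             "requireAdministrator": "always"}
# File-name fragments the thread reports as triggering the prompt.
INSTALLER_HINTS = ("setup", "install")

# Constructed samples: a theme-only manifest and one with the thread's trustInfo.
THEME_ONLY = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
      version="6.0.0.0" processorArchitecture="x86"
      publicKeyToken="6595b64144ccf1df" language="*" />
  </dependentAssembly></dependency>
</assembly>"""
AS_INVOKER = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>
    <requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      <!-- <requestedExecutionLevel level="requireAdministrator" /> -->
    </requestedPrivileges></security></trustInfo>
</assembly>"""

def uac_profile(manifest_xml, exe_name):
    """Describe UAC treatment; manifest_xml is None when the exe has no manifest."""
    level = None
    if manifest_xml is not None:
        for el in ET.fromstring(manifest_xml).iter():
            # Compare local names so the asm.v2 and asm.v3 namespaces both match.
            if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                level = el.get("level")
                break
    if level is not None and level not in ELEVATION:
        raise ValueError(f"unknown requestedExecutionLevel: {level!r}")
    legacy = level is None  # no trustInfo: Windows falls back to compatibility mode
    guessed = legacy and any(h in exe_name.lower() for h in INSTALLER_HINTS)
    return {
        "level": level,
        "virtualization": legacy,        # writes to protected paths get redirected
        "installer_detection": guessed,  # prompt triggered by the file name alone
        "elevation": "heuristic-prompt" if guessed else ELEVATION.get(level, "never"),
    }

if __name__ == "__main__":
    for xml, name in ((None, "mypub.exe"), (THEME_ONLY, "setup.exe"),
                      (AS_INVOKER, "setup.exe")):
        print(name, uac_profile(xml, name))
```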

