Accessing Administrative Privileges from Your Visual Basic Programs

User rights (permissions) and privileges is a topic that will eventually come up at some point in your developer career. It is inevitable. In this article, you will explore the various ways to cater to Admin permissions in your Visual Basic programs.

The Difference Between Privileges and Permissions

In computer security, a permission is a property of an object; the object can be a file, for example. It indicates which agents are permitted to use the object, and what they are permitted to do (read, write, or modify it). A privilege is a property of an agent, for example, a user. Privileges let the agent perform tasks that are not ordinarily allowed.

User Accounts

A User account is an established relationship between a user and a computer, network, or information service. User accounts are given a username; passwords are optional. For personal computers, there are typically two types of user accounts: standard and Administrator. A standard user is commonly prevented from performing tasks such as installing applications, whereas administrators have the complete run of the computer.

User Account Types

Administrator: Administrator accounts are accounts that should be used for making changes to system settings or managing other people’s accounts. Admins have full access to every setting on the computer.

Standard: Standard accounts are the accounts you use for everyday tasks. Standard users can do all the day-to-day tasks, such as running software applications or copying and deleting files.

Guest: Guest accounts have very limited permissions. Some of their restrictions are as follows:

  • Guest accounts do not have a password and passwords cannot be set for it.
  • Guest accounts cannot install applications or hardware devices.
  • Guest accounts cannot change account types, names, or pictures.

Administrator Permission in Your Visual Basic Applications

There are numerous ways to give your Visual Basic applications Admin permissions. You can use any of the following methods:

  • You could use the Process object and execute it with ShellExecute and supply the “runas” verb.
  • You could use a Manifest and specify the desired requestedExecutionLevel.
  • You could create WindowsIdentity and WindowsPrincipal objects and specify the desired Role.
  • There may be other methods as well. If you know of any other methods, please let me know in the Comments section at the end of this article.

Our project will make use of all of the above-mentioned ways to give our Visual Basic application Administrator privileges.

Design

Create a new Visual Basic Windows Forms application. Once the Visual Basic application has been created, please add two buttons onto the Form.

Adding Administrator Privileges to a Visual Basic Application Method 1: Manifest

Add a Manifest to your Visual Basic application. Follow these steps:

  1. Click Project.
  2. Click Add New Item…

    Project Menu
    Figure 1: Project Menu

  3. Select Application Manifest File from the list.
  4. Click Add.

    Application Manifest File
    Figure 2: Application Manifest File

Modify your Manifest file to include the correct requestedExecutionLevel, as shown in the following XML code:

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0"
      
      xmlns_asmv1="urn:schemas-microsoft-com:asm.v1"
      xmlns_asmv2="urn:schemas-microsoft-com:asm.v2"
      xmlns_xsi="http://www.w3.org/2001/XMLSchema-instance">
   <assemblyIdentity version="1.0.0.0"
      name="MyApplication.app"/>
   <trustInfo >
      <security>
         <requestedPrivileges
               >
            <requestedExecutionLevel
               level="requireAdministrator" uiAccess="false" />
         </requestedPrivileges>
      </security>
   </trustInfo>

   <compatibility
         >
      <application>
      </application>
   </compatibility>

</asmv1:assembly>

The available requestedExecutionLevel options are:

  • As Invoker: The application runs with the same access token as the parent process.
  • Highest Available: The application runs with the highest privileges the current user can obtain.
  • Require Administrator: The application runs only for administrators and requires that the application be launched with the full access token of an administrator.
  • No Execution Level Information: The Advanced Installer does not embed the requested execution level information in the Windows application manifest.

Adding Administrator Privileges to a Visual Basic Application Method 2: The Process Object

Add the following code to your application:

   Private Sub Form1_Load(sender As Object, e As EventArgs) _
         Handles MyBase.Load
      '1'
      If System.Environment.OSVersion.Version.Major >= 6 Then
         Dim prcProc As New Process()

         prcProc.StartInfo.FileName = "notepad"
         prcProc.StartInfo.UseShellExecute = True
         prcProc.StartInfo.Verb = "runas"
         prcProc.Start()

      End If

   End Sub

   Public Sub RunAsAdmin(strFileName As String)
      '2'
      Dim proc As New Process()

      proc.StartInfo.FileName = strFileName
      proc.StartInfo.UseShellExecute = True
      proc.StartInfo.Verb = "runas"
      proc.Start()

   End Sub

   Private Sub Button1_Click(sender As Object, e As EventArgs) _
         Handles Button1.Click
      '2'
      RunAsAdmin("notepad.exe")

   End Sub

Inside Form_Load, I do a check to determine the Operating System version. The reason for this is to ensure that the Operating System supports the UAC. I created a Process Object and supplied its parameters. These parameters include the name of the process, should it use ShellExecute—which forces the Default Application to be launched—and supplied the runas verb. The runas verb ensures the application will run in Administrator mode.

The second section of code looks similar. The only difference is that I have created a Sub procedure to do the previous tasks.

Adding Administrator Privileges to a Visual Basic Application Method 3: WindowsIdentity and WindowsPrincipal

Add the following code:

   Public Function AdminUser() As Boolean
      '3'

      Dim blnAdmin As Boolean

      Try

         Dim wiUser As WindowsIdentity = _
            WindowsIdentity.GetCurrent()
         Dim wpPrincipal As New WindowsPrincipal(wiUser)

         blnAdmin = wpPrincipal.IsInRole _
            (WindowsBuiltInRole.Administrator)

      Catch uaex As UnauthorizedAccessException

         blnAdmin = False

      Catch ex As Exception

         blnAdmin = False

      End Try

      Return blnAdmin

   End Function

   Private Sub Button2_Click(sender As Object, e As EventArgs) _
         Handles Button2.Click
      '3'
      MessageBox.Show(AdminUser)

   End Sub

WindowsIdentity represents a Windows user and WindowsPrincipal enables code to check the Windows group membership of a Windows user. The try and catch blocks also help identify if the user is authorized.

I invite you to download the accompanying code from the Download link to help you on your journey.

Conclusion

You will encounter situations where you will need to elevate your applications to Admin level so that the UAC can be bypassed. Now, you have three different ways to accomplish this.

Hannes DuPreez
Hannes DuPreez
Ockert J. du Preez is a passionate coder and always willing to learn. He has written hundreds of developer articles over the years detailing his programming quests and adventures. He has written the following books: Visual Studio 2019 In-Depth (BpB Publications) JavaScript for Gurus (BpB Publications) He was the Technical Editor for Professional C++, 5th Edition (Wiley) He was a Microsoft Most Valuable Professional for .NET (2008–2017).

More by Author

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Must Read