I'm creating an install for a .NET application written in C# that comprises three .exe files; the main application shall be accessible for all users of the computer, the other two are tools that only members of the Administrator group shall be able to launch. We only support VersionNT > 400 operating systems (2000, XP, Vista).
Before Windows Vista, it was sufficient to populate the LockPermission table and give only the Administrator group full access over the tools I install.
With Vista's UAC I find that the only way to achieve something similar is to embed a manifest file into the tools' .exe files that contains a line like
Unfortunately, this addition to the manifest is ignored by Windows XP and the .exe files can be launched by any user.
Is there a unified way to ensure that only members of the Administrators group (XP and/or Vista) can launch an application? Probably it would be a good idea to code this directly into the assemblies; still the question is: how would you do it without changing the assemblies' code?
There is no such unified way that I'm aware of. Even the manifest you describe may or may not work in various UAC scenarios on Vista (although I think it will disallow running without, it may not allow the privilege increase you need). The simplest most fool-proof method I can imagine would be a correct programmatic probing of whether your application actually has access to the file. If it does not, it should then use ShellExecute[Ex] or equivalent with the "runas" verb to launch itself while requesting extra privileges. This works both on and before Vista.
