c# - Write Access to Program Files folder

Question

my application include a self-updater executable that is used to update the application.

One of the first steps the updater is performing is to check that it does have write permission to the application folder

IPermission perm = new FileIOPermission(FileIOPermissionAccess.AllAccess, _localApplicationCodebase);

        if (!SecurityManager.IsGranted(perm))
        {
            OnProgressChanged("Security Permission Not Granted 
 The updater does not have read/write access to the application's files (" +
                              _localApplicationCodebase + ")",MessageTypes.Error);
            return false;
        }

        OnProgressChanged("Updater have read/write access to local application files at " + _localApplicationCodebase);
        return true;

When executing under Win7/Vista, this code pass (meaning that according to CAS, the code does have write access), however when I try to write files, I got an Access Denied (and I confirmed that the files are NOT in use)

I understand that Vista/Win7 UAC is preventing users from writing files in the program files folders. However, what I don't understand is why the permission is granted if in reality it is not

Regards,

Eric Girard

PS : If I run the same code using 'Run As Administrator', it works fine

Answer 1

The important thing to know about UAC is that by default, no code runs with Administrator privileges and thus cannot write to the Program Files directory. Even if you are logged in as an administrator, the apps are launched with standard user privliges.

There are two ways around this. You can have the user start the app with the Run As Administrator menu item. But this relies on the user to remember something. The better was is to embed a manifest into your executable that requests administrator privileges. In the manifest, set requestedExecutionLevel to requireAdministrator. This will cause UAC to prompt the user for admin credentials as soon as the app starts.

As Daniel said, the best solution is to put the updating functionality in a separate application. Your primary app will have an manifest that sets the requestedExecutionLevel to "asInvoker" and your updater app with request "requireAdministrator". Your primary app can run with standard privileges. But when the update needs to happen, use Process.Start to launch the updater application that requires the user to enter the admin credentials.