Generating an application manifest with a trust level section for an administrative application


RossettoeCioccolato

Is there any way to coax the VC8 linker into generating an application
manifest with a trust level section suitable for an administrative
application? Or do I have to add this manually each time that I rebuild?

Regards,

George.
 
Hi George,
Is there any way to coax the VC8 linker into
generating an application manifest with a trust
level section suitable for an administrative
application?

Would you please provide more detailed information about this issue? How do
you use the -tr option manually to generate the application manifest right
now?

Thanks for your understanding!

Best regards,

Gary Chang
Microsoft Community Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD will be updated at 9:00
AM PST, February 14, 2006. Please complete a re-registration process by
entering the secure code mmpng06 when prompted. Once you have entered the
secure code mmpng06, you will be able to update your profile and access the
partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
 
Gary,

Thanks for your reply. I am referring to setting the
requestedExecutionLevel attribute. See the section on "Application Manifest
Schema" in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp.
According to another MSDN article which I can't seem to find right now, this
is an extension of the trust level section. The article is dated September
2005 but you must have known about it for some time internally. Surely you
have given some thought to this by now.
Would you please provide more detailed information about this issue? How do
you use the -tr option manually to generate the application manifest right
now?

Frankly, that is not a very palatable option. It would be nice to find a
simple example of an administrative application manifest that didn't contain
a bunch of COM or .Net gobble-de-gook.

Regards,

George.
 
To answer my own post (in part):
It would be nice to find a simple example of an administrative
application manifest that didn't contain a bunch of COM or .Net
gobble-de-gook.

I pulled this off of somebody's blog (with corrected syntax):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

Regards,

George.
 
That's great, George! I am glad to know you found the solution.

If you have any more concerns on it, please feel free to post here.


Have a nice day!

Best regards,

Gary Chang
Microsoft Community Support
 
Gary,

As I stated, my previous post only answered my question "in part." The
unanswered part is how to get the linker to add this automatically so that I
don't have to edit the manifests manually. Is there any way to get the
linker to insert custom xml into the manifest?

To update my previous post:
<requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>

Omit "uiAccess="true"" for console admin applications. Substitute this line
instead:

<requestedExecutionLevel level="requireAdministrator"/>

Regards,

George.
 
Sorry, George, I missed your original point. :(
Is there any way to get the
linker to insert custom xml into the manifest?

Yes, you can merge your manifest into the application's manifest:

1. Open the project's Property Pages dialog.
2. Specify the manifest file you need to insert in the Configuration
Properties/Manifest Tool/Input and Output/Additional Manifest Files entry.
3. Click OK and Rebuild the project.


Wish this helps!

Best regards,

Gary Chang
Microsoft Community Support
 
Gary,

Well this procedure works well as far as the VC8 linker is concerned.
However the output took down every system on which I tried to run the
application with the merged manifest. This doesn't happen if I edit the
manifests manually. This isn't really your problem (in this NG) but it
certainly is a problem for someone at MS.

Regards,

George.
 
Thanks for understanding, George.

I apologize for any inconvenience this may cause you, we will forward your
feedback to our corresponding product team for review.

Good Luck!

Best regards,

Gary Chang
Microsoft Community Support
 
"Gary Chang[MSFT]" said:
Thanks for understanding, George.

I apologize for any inconvenience this may cause you, we will forward your
feedback to our corresponding product team for review.

I want to confirm what George is seeing. If I include the manifest he posted
in a .manifest file and let the manifest tool generate the resource, it
causes a BSoD on XP systems. Sometimes, I have to run the app two or three
times before it crashes, and sometimes the crash takes a few seconds to kick
in, but it's consistent.

Before I found this thread, I had narrowed it down to the <security> tag. It
seemed that, no matter what I included in <security>, if it was present, the
app would crash. However, the security section is necessary for UI automation
applications in Windows Vista
(http://windowssdk.msdn.microsoft.co...html/1d853695-973c-48ae-b382-4132ae702805.asp),
so removing it is not an option.

As a side note, the IDE doesn't understand the requestedPrivileges and
requestedExecutionLevel tags. It generates a warning if they are present in
the .manifest file.

I did enter a bug against this in the MSDN product feedback center at
http://lab.msdn.microsoft.com/ProductFeedback/viewFeedback.aspx?FeedbackID=FDBK48918 if anybody wants to validate/vote on it.

To work around this, you can either edit the resource directly after
building, or do what I did:

1) Manually add a resource to the project of type RT_MANIFEST and ID of 1.
2) Paste the contents of the .manifest file into the resource.
3) Go to the project properties, go to the manifest tool's input/output
section, and turn off the option to embed the manifest.

Then, when you build, the resource will be properly formed, won't crash XP,
and will allow UI automation in Vista (as long as you sign it), without
having to remember to manually edit the resources after building.
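
Added example, not part of any post in this thread: a Python build check that parses a manifest's trust level section and flags the two points raised above, George's advice to omit uiAccess for console admin applications and Troy's note that a uiAccess manifest needs a signed binary. The function name, the console_app flag and the findings text are assumptions of this example; the manifest string is the one posted in the thread.

```python
import xml.etree.ElementTree as ET

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}
EXPECTED_PATH = ("trustInfo", "security", "requestedPrivileges",
                 "requestedExecutionLevel")

# Manifest text as posted earlier in the thread.
THREAD_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>"""

def _walk(elem, path=()):
    """Yield (path of local tag names, element) for every element."""
    path = path + (elem.tag.rsplit("}", 1)[-1],)
    yield path, elem
    for child in elem:
        yield from _walk(child, path)

def audit_manifest(xml_text, console_app=False):
    """Return (level, ui_access, findings) for the trust level section."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = [(p, e) for p, e in _walk(root) if p[-1] == "requestedExecutionLevel"]
    if not found:
        return None, None, ["trust level section missing"]
    findings = []
    if len(found) > 1:
        findings.append("more than one requestedExecutionLevel element")
    path, elem = found[0]
    if path[-4:] != EXPECTED_PATH:
        findings.append("requestedExecutionLevel is not nested under "
                        "trustInfo/security/requestedPrivileges")
    level = elem.get("level")
    ui_access = elem.get("uiAccess", "false").lower() == "true"
    if level not in VALID_LEVELS:
        findings.append("unexpected level value: %r" % level)
    if ui_access and console_app:
        findings.append("uiAccess=true on a console application: omit it")
    elif ui_access:
        findings.append("uiAccess=true: the binary has to be signed")
    return level, ui_access, findings

if __name__ == "__main__":
    print(audit_manifest(THREAD_MANIFEST, console_app=True))
```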
 
Troy,

Sorry to see this is still a problem on XP systems. I guess someone will
have to develop an exploit to get it fixed. :-) What I find particularly
interesting is that vulnerable systems go down hard. They don't even
generate a crash dump.

Regards,

George.

 
RossettoeCioccolato said:
Troy,

Sorry to see this is still a problem on XP systems. I guess someone will
have to develop an exploit to get it fixed. :-) What I find particularly
interesting is that vulnerable systems go down hard. They don't even
generate a crash dump.

Thanks to your post, I realized that it wasn't a problem in the manifest
itself, like I first thought. The workaround isn't too bad, but it does mean
that changes to the manifest are a two-step process, since you have to edit
the XML file as well as the .RC. I suppose you could edit the resource
directly, but it's much easier to work with XML than a hex dump. <g>

I've never entered a bug through the MSDN product feedback, so I'm not sure
if you can see it at
http://lab.msdn.microsoft.com/ProductFeedback/viewFeedback.aspx?FeedbackID=FDBK48918. Maybe if enough people vote on it, it might get fixed. :)
 