java - 运行远程桌面应用程序时如何进入UAC提示？

Question

我用java开发了远程屏幕共享软件。它工作正常，但是当使用 UAC 时，屏幕上出现允许/禁止提示，但远程屏幕看不到它。所以每次用户都必须手动允许。我想知道如何解决这个问题。

Answer 1

这正是 uiAccess 的内容应用程序程序集 list 中的属性是为其创建的。

我将公然窃取并引用 Microsoft AppCompat Guy 的博客:

Using the uiAccess attribute of requestedExecutionLevel to Improve Applications Providing Remote Control of the Desktop

You have to elevate an application. When you do, you don’t see the UAC dialog – instead, the end user does. Even if you decide to give the user the password (it happens), you then can’t control or even see the elevated application.

Kind of makes it hard to be a helpdesk when that happens.

Here are the 3 solutions that I have seen to this problem:

• Do nothing. That’s what our solution did. It just failed every time elevation was involved.
• Install a service. That’s what company X did. It requires the user to know an admin password, and that’s a problem for my customers
• Run the application elevated. That’s what company Y did. It requires the user to know an admin password (a problem with my customers), and also won’t allow you to interact with any windows running at System integrity level (so an incomplete solution)

Here’s what I wish all 3 had done:

• Manifest with uiAccess = true

most people don’t really understand what this is for, and the UAC manifest is typically just a copy/paste affair. But it pays for the remote desktop developer to pay attention to it. For any regular piece of software, you generally want to stay away from it – it’s dangerous, and sidesteps a significant security feature (UIPI). But if you are remoting the desktop, it’s precisely what you want – you need to be able to see everything!

It’s dangerous enough, in fact, that we won’t allow you to set it without digitally signing your application. By default, you also have to have it installed in a secure location (such as Program Files). You can set a group policy to not require a secure location, but there is no option to not require a signature.

However, once set up, it’s really powerful. You’ll be able to remote every possible kind of window – any integrity level at all. No more blank, unresponsive screens. Everything comes across, regardless of integrity level.

对于 tl;dr 版本，这里是带有 uiAccess=true 选项的 assemblymanifest:

<?xml version='1.0' encoding='UTF-8' standalone='yes'?> 
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' 
 manifestVersion='1.0'> 
  <assemblyIdentity 
   version="1.0.0.0" 
   processorArchitecture="X86" 
   name="client" 
   type="win32" 
  /> 

  <description>Oh god not Java</description> 

  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> 
    <security> 
      <requestedPrivileges> 
        <requestedExecutionLevel level="asInvoker" 
         uiAccess="true"/> 
      </requestedPrivileges> 
    </security> 
  </trustInfo> 
</assembly>