Supporting admin and non-admin users in Windows XP/Vista applications

Recently at work, in one of our windows based desktop application, we needed to support both admin and non-admin users in Windows Vista and Windows XP/2000

Here are some of my takeaways:

1. [For admin/XP] When an admin user executes an application, XP gives full admin rights to this application. With these privileges, there should be no problem reading / writing to any folder/registry.
2. [For admin/Vista] Unlike Windows XP, Windows Vista's UAC feature executes applications with standard privileges. So even if the user is logged in as an admin, the application has read-only access to the following common locations:
   • C:\
   • C:\Program Files
   • C:\Windows
   • HKLM
   • 'All Users' profile or Application.CommonAppDataPath
3. [For non-admin/XP/Vista] Typically application data, which is common to all users (in a multi-user Windows desktop application), should be stored under 'All Users' profile or Application.CommonAppDataPath. This works great, except that a non-admin user has read-only permissions to this folder.

Point #1 is not really an issue. This is the easiest scenario to support.

For issues #2, a number of relevant solutions have been discussed in Dave's post "UnauthorizedAccessException writing to HKLM". But in case an application must store information in say HKLM or CommonAppDataPath, you can request UAC for elevated privileges. In order to do this, create a file called <projectname>.exe.manifest under the project root folder.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
 <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Clean" type="win32"/>
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
     <security>
         <requestedPrivileges>
                <requestedExecutionLevel level="requireAdministrator"/>
            </requestedPrivileges>
     </security>
 </trustInfo>
</assembly>

The following step is optional, but recommended since it adds the manifest file as an embedded resource in the final exe. Under "<project> > Properties > Build Events > Post Build Events", add the following line:

"$(DevEnvDir)..\..\SDK\v2.0\bin\mt.exe" -manifest "$(ProjectDir)$(TargetName).exe.manifest" –outputresource:"$(TargetDir)$(TargetFileName)";#1

For issue #3, we could not find a clean solution. We needed a way to provide write permissions to a folder for both the admin and the non-admin users. In our case, the application was to be installed in a lab environment by an admin and then used by non-admin users. In this type of setup, during installation, we moved the application data folder to say C:\ or D:\ and enabled write permissions for all users. This is not the most elegant solution, but I don't know of a better one. If there is a better solution, I am very interested to learn more, please add a comment below.