

Write to "Program Files\ApplicationName" Without Administrator Privileges

Question

Friday, July 27, 2018 11:59 PM

I am VERY new to VB.Net, and I am trying to write something basic that monitors services on a server. Everything works fine, but I would now like to log the user's activity in the application, and any errors encountered in the application, to a log file in "C:\Program Files\ApplicationName\logs\".

The issue I am having is that when a non-Administrator tries to launch the application, I receive an exception that access to the log file "C:\Program Files (x86)\ApplicationName\logs\2018.07.27_LogFile.txt" is denied. 

Administrator privileges are required to install the application, but I do not want to require Administrator privileges to run it. 

How can I write to a log file in the "Program Files" folder without requiring Administrator privileges to run the application?

Thank you in advance!

Eric

All replies (16)

Saturday, July 28, 2018 10:35 AM

For security reasons standard users do not have permission to write to the Program Files folder and its sub-folders.

Per-user data or per-machine data should be placed in other file system locations.  I suggest you read https://blogs.msdn.microsoft.com/patricka/2010/03/18/where-should-i-store-my-data-and-configuration-files-if-i-target-multiple-os-versions/

Although it was written some time ago, the blog entry highlights points you should consider in determining where to save your program's log data and the principles remain applicable to current versions of Windows.


Saturday, July 28, 2018 4:03 PM

Thank you for the reply.

I understand user data and permissions, but I am not trying to write per-user data. I would like to log about the application itself. If there are any exceptions encountered, I would like to be able to grab a log file to see what the issue was. 

I have written a couple Windows services, and since those are running under the SYSTEM account, logging is no issue. Now that this is a user application, I would like to still be able to log application data. Is that not possible with impersonation or something? 


Saturday, July 28, 2018 4:26 PM

Have you considered logging to a sub-folder under ProgramData?


Monday, July 30, 2018 2:11 AM

Hi

I don't think there is a problem with your code; the reason is UAC.
You don't want to use admin rights unless you turn off UAC.

Best regards,

Alex



Monday, July 30, 2018 4:09 AM

Look at the SpecialFolders Enumeration


Wednesday, August 1, 2018 3:15 PM

I am not sure how SpecialFolders are supposed to help me write to Program Files (?).


Wednesday, August 1, 2018 3:16 PM

I cannot disable UAC on our domain client computers, but I do not think even that would allow writing to Program Files without Admin privileges. 


Wednesday, August 1, 2018 3:19 PM

I just tested this, and while it does not answer my question, and it is not an ideal solution, writing to a subfolder of ProgramData (SpecialFolder.CommonApplicationData) does work without Administrator privileges.

I am going to do this for the time being, but I would still rather keep everything under one directory in the Program Files subdirectory. 


Wednesday, August 1, 2018 3:38 PM

You can create a folder under Program Files and modify its default security descriptor to allow Standard Users to write to it.  However, this is not considered to be a best practice.

If you decide to do this make sure you don't allow non-administrators to have write access to folders containing executable code.


Wednesday, August 1, 2018 3:51 PM

I am going to do this for the time being, but I would still rather keep everything under one directory in the Program Files subdirectory. 

You don't really have any choice but to pick one of those folders, because that is the way Windows works.

You should not try to bypass Windows security features just because you want to write to the same folder as your exe. There is a reason it is that way.

The program folder is the original app and can only be changed with a setup program where permission is dealt with for most.

Everything else is by user permission. Accept it. It makes no difference what the folder is to you. Put it where Microsoft wants it. Stop wasting time on it.

:)


Wednesday, August 1, 2018 3:54 PM

You can create a folder under Program Files and modify its default security descriptor to allow Standard Users to write to it.  However, this is not considered to be a best practice.

If you decide to do this make sure you don't allow non-administrators to have write access to folders containing executable code.

I have thought about this, and granting "Modify" permissions to the log folder would work, but I agree that would not be best practice, as there is no control over the user deleting the log files. 

It would be best to handle this programmatically with impersonation or something.


Wednesday, August 1, 2018 3:57 PM

I have thought about this, and granting "Modify" permissions to the log folder would work, but I agree that would not be best practice, as there is no control over the user deleting the log files. 

Not so.  You can allow users to create files and write to them without giving them rights to delete files.

But using ProgramData is, in my opinion, a better choice.
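
The two suggestions above (log under ProgramData, and let standard users create and write files without the right to delete them) can be combined as follows. This is an added example, not code posted by anyone in the thread; it assumes the .NET Framework, and the `ApplicationName` folder and the `/setup` switch are placeholders.

```vbnet
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal

Module LogFolderExample
    ' Placeholder taken from the thread; substitute the real application name.
    Private Const AppName As String = "ApplicationName"

    Private Function LogDirectory() As String
        ' SpecialFolder.CommonApplicationData resolves to the ProgramData folder.
        Dim root = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData)
        Return Path.Combine(root, AppName, "logs")
    End Function

    ' Run once, elevated (for example from the installer).
    Public Sub CreateLogDirectory()
        Dim logDir = Directory.CreateDirectory(LogDirectory())
        Dim acl = logDir.GetAccessControl()
        ' Stop inheriting the ProgramData defaults and discard the inherited rules.
        acl.SetAccessRuleProtection(True, False)

        Dim inherit = InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
        Dim fullControl = {WellKnownSidType.BuiltinAdministratorsSid, WellKnownSidType.LocalSystemSid}
        For Each sidType In fullControl
            acl.AddAccessRule(New FileSystemAccessRule(New SecurityIdentifier(sidType, Nothing),
                FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow))
        Next

        ' Standard users: read, create and write, but no Delete or DeleteSubdirectoriesAndFiles.
        Dim users = New SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, Nothing)
        acl.AddAccessRule(New FileSystemAccessRule(users,
            FileSystemRights.Read Or FileSystemRights.Write Or FileSystemRights.Synchronize,
            inherit, PropagationFlags.None, AccessControlType.Allow))
        logDir.SetAccessControl(acl)
    End Sub

    ' Called by the application while it runs as a standard user.
    Public Sub WriteLog(message As String)
        Dim logFile = Path.Combine(LogDirectory(), Date.Now.ToString("yyyy.MM.dd") & "_LogFile.txt")
        File.AppendAllText(logFile, $"{Date.Now:o} {Environment.UserName} {message}{Environment.NewLine}")
    End Sub

    Sub Main(args As String())
        If args.Length > 0 AndAlso args(0) = "/setup" Then
            CreateLogDirectory()
        Else
            WriteLog("Application started")
        End If
    End Sub
End Module
```

The account that creates a log file owns it and can still overwrite its contents, so these logs are troubleshooting data rather than a tamper-resistant audit trail.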


Wednesday, August 1, 2018 3:59 PM

I have thought about this, and granting "Modify" permissions to the log folder would work, but I agree that would not be best practice, as there is no control over the user deleting the log files. 
Not so.  You can allow users to create files and write to them without giving them rights to delete files.

Whether or not they can delete a file with Modify permissions, they could delete the information contained within the files. 


Wednesday, August 1, 2018 4:09 PM

I have thought about this, and granting "Modify" permissions to the log folder would work, but I agree that would not be best practice, as there is no control over the user deleting the log files. 
Not so.  You can allow users to create files and write to them without giving them rights to delete files.
Whether or not they can delete a file with Modify permissions, they could delete the information contained within the files. 

What's your point?  If you want to allow users the ability to create files but then deny access to them then say so.


Wednesday, August 1, 2018 5:18 PM

What's your point?  If you want to allow users the ability to create files but then deny access to them then say so.

You are missing the root of the point here. I am not asking for "users" to be able to create the log files. I want the application to do so. For all I care, the users would have absolutely no idea these log files even exist. They would solely be written for the purpose of me troubleshooting any issues with the application. I want the application to write the log files, but since a non-Admin user is launching the application, it does not implicitly have permissions to do so. 


Wednesday, August 1, 2018 5:49 PM

Well, on Windows systems access rights and privileges are associated with users, not applications. I'm not missing the point, you seem to want something that Windows doesn't provide.