Desktop Windows's apps created using QT need admin rights in most cases?
-
I created a desktop app for Windows (running mostly on Win 10) using QT libraries. Explicitly in my code, I don't perform any operations that require administrator rights, especially writing to "Program Files" etc. - the application uses the local app data folder structure (I double checked this going deeper and deeper into this matter).
In my manifest file, the application also doesn't need admin privileges (it's as invoker).
However, my application still requires admin rights to run. My question is rather not about how to solve my specific case, because I established that it's because of deep dependencies hidden in QT libs on the Windows API, and these calls often require admin rights in case of operations that seem to not exactly need it like drag & drop or network connection with specific IP address.
I followed it using Microsoft Standard User Analyzer (SUA) tool on my executable.
I'm putting here example log from SUA investigation:
In detailed info for pos. 1-2 I can see it's caused by:
However for 3rd position, it is even more complex problem related to PROCESS_QUERY_INFORMATION access allowed only by elevated processes. Example stack trace (one of many many more):
Summarizing - my question:
You can believe me that I don't perform any operations that require admin rights from "normal", common sense point of view. Moreover my customer has got an old application written in .NET env that doesn't need admin rights and does the same things in general (I mean nothing "special" + similar functionalities).
What is a general way to overcome such problems with QT development environment?
Unless when using QT everyone takes a risk that the application mostly will require admin rights?
-
@AntaresProductions
Most people do not need admin rights to run Qt programs. Qt does not assume you need/require admin rights. If it did you would see questions about this all the time.
in case of operations that seem to not exactly need it like drag & drop or network connection with specific IP address.
Well if you need that you might need admin rights.
What about you write a minimal application and verify it does not require the admin rights you talk about? That is a starting point....
-
@JonB thank you for your answer !
Well if you need that you might need admin rights.
Ok, let me take an example of such an application, like the Filezilla FTP client. It makes many network operations, many operations on files etc. My app doesn't have even 20% of its functionalities. For example, my app connects a few times a month to an external server through a REST API to get some authorization piece of information. Of course I don't know if Filezilla uses QT (I guess not); that's why I am wondering why my quite simple application needs elevation but the much more complex Filezilla doesn't. That's why I started to search for the root cause of this problem somewhere in QT.
Is there a list or another way of evaluation what QT components/functions/modules might need admin rights in target environment?
This is problematic, because almost the same application (old version) regarding to its functions which wasn't written in QT env, doesn't need elevation but new one made in QT, needs it.
What about you write a minimal application and verify it does not require the admin rights you talk about? That is a starting point....
This is a good starting point, thank you for the advice :) If I don't find a solution to overcome this problem, I will exclude QT modules from my code step by step to find the problematic point, or I will be forced to write another version not using QT.
However... for example restricted "PROCESS_QUERY_INFORMATION" seems like very wide problem touching many QT's modules.
-
@AntaresProductions
As I said, I'm (pretty sure that) Qt code does not itself use/require any "admin rights" capabilities, even though you suspect it does. Like I said, you need to start by testing a minimal Qt program, like just showing a widget. When (I trust) you discover that does not use admin rights, then add in some things you use in whatever your app is, till you find it does, if it ever does.
-
@AntaresProductions I don't think it is anything Qt related - I have done applications using REST APIs, WebDAV, calling WinAPI to send ICMP requests, connecting to S3 buckets - none of that was requesting admin privileges. Both in Win10 and 11 now. I do believe the issue is somewhere else.
-
Ok, thank you very much for your valuable input guys! You gave me a reason to take a look at my code once again, because I used to develop QT applications on embedded Unix platforms for automotive, I didn't experience such issues before and that's why I thought this is something specific related to QT + Windows.
I still treat this topic as open and I will try to refactor my application step by step. I will come back here with my observations with a minimal application too - maybe it will be valuable for the others :)
-
If I had to guess, you probably have some kid running your IT dept who naively believed their college prof when told that anyone/everyone is a security risk, and that manifested in ridiculous windoze domain policies that prohibit you getting any real work done: an all too common problem.
-
@Kent-Dorfman said in Desktop Windows's apps created using QT need admin rights in most cases?:
If I had to guess, you probably have some kid running your IT dept who naively believed their college prof when told that anyone/everyone is a security risk, and that manifested in ridiculous windoze domain policies that prohibit you getting any real work done: an all too common problem.
I know "the spirit" of your sentence, but this is a problem not only within my Windows environment but at the end users' also. Everyone must face it unfortunately now, whereas the previous version of this application works well not elevated.
Previously I thought it was because of a missing OV/EV code signing certificate, but now I know that a certificate will not be enough.
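
The first post says the manifest requests "as invoker"; one way to confirm what the built executable actually embeds, as an added example that is not part of the thread. The function names and the sample bytes are constructed here, and the scan assumes the manifest is stored as uncompressed UTF-8 XML inside the .exe, so a packed binary will report nothing.

```python
import re
import sys

# Finds the UAC element of an application manifest embedded in a PE file.
_LEVEL_RE = re.compile(
    rb"<(?:\w+:)?requestedExecutionLevel\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_ATTR_RE = re.compile(rb"""(\w+)\s*=\s*["']([^"']*)["']""")

VERDICTS = {
    "asinvoker": "manifest does not request elevation",
    "highestavailable": "elevates when the user is an administrator",
    "requireadministrator": "always requests elevation (UAC prompt)",
}

def requested_execution_levels(data: bytes) -> list:
    """Return one attribute dict per requestedExecutionLevel element found."""
    found = []
    for match in _LEVEL_RE.finditer(data):
        pairs = _ATTR_RE.findall(match.group(1))
        found.append({k.decode().lower(): v.decode() for k, v in pairs})
    return found

def verdict(data: bytes) -> str:
    """Summarise what the embedded manifest asks UAC to do."""
    levels = requested_execution_levels(data)
    if not levels:
        return "none: no requestedExecutionLevel found in the file"
    distinct = sorted({attrs.get("level", "") for attrs in levels})
    if len(distinct) > 1:
        # Two manifests linked in (e.g. a library default plus your own).
        return "conflict: " + ", ".join(distinct)
    level = distinct[0]
    return f"{level}: " + VERDICTS.get(level.lower(), "unrecognised level")

# Constructed sample: a fake PE header followed by a manifest fragment.
SAMPLE_EXE = (
    b"MZ" + b"\x00" * 64 +
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b'<requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    b'</requestedPrivileges></security></trustInfo></assembly>' + b"\x00" * 16
)

if __name__ == "__main__":
    # Pass the path of the built .exe; without one the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXE
    print(verdict(blob))
```

Run it against the deployed binary rather than the project's manifest file, since the two can differ if the build embeds another manifest.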