Security Requirements

Use the Security tab page of the project painter to specify whether an application has a manifest file to set its requested execution level, and whether the manifest file is external or embedded in the application.

This manifest file is not the same as the manifest files generated when you publish a Windows Forms application as a smart client (ClickOnce) application. The concept of execution level is part of the User Account Control (UAC) protocol.

If you want to deploy an application that meets the certification requirements of the Windows Logo program, you must follow UAC guidelines. The executable file must have an embedded manifest that defines the execution level and specifies whether access to the user interface of another window is required. The Application Information Service (AIS) checks the manifest file to determine the privileges with which to launch the process.

Generate options

Select Embedded manifest if your application needs to be certified for Vista or later. A manifest file with the execution level you select is embedded in the application’s executable file.

You can also select External manifest to generate a standalone manifest file in XML format that you ship with your application’s executable file, or No manifest if you do not need to distribute a manifest file.

Note: If you select Embedded manifest for a Windows Forms target, you must have a supported version of the .NET Framework SDK installed on your system, because the process that embeds the manifest in the executable file uses the mt.exe tool that is distributed with the SDK.

Execution level

Select As Invoker if the application does not need elevated or administrative privileges. Selecting a different execution level will probably require that you modify your application to isolate administrative features in a separate process to receive Vista or later certification.

Select Require Administrator if the application process must be created by a member of the Administrators group. If the application user does not start the process as an administrator, a message box displays so that the user can enter the appropriate credentials.

Select Highest Available to have the AIS retrieve the highest available access privileges for the user who starts the process.

UI access

If the application needs to drive input to higher privilege windows on the desktop, such as an on-screen keyboard, select the “Allow access to protected system UI” check box. For most applications you should not select this check box. Microsoft provides this setting for user interface Assistive Technology (Section 508) applications.

Note: If you check the Allow access to protected system UI check box, the application must be Authenticode signed and must reside in a protected location, such as Program Files or Windows\system32.