
Start elevated application on OS startup, without UAC prompt


I am developing a program for Windows which consists of two components:

  1. A kernel driver (signed with an EV certificate)
  2. A user-level GUI component, the .exe file (written in Delphi).

The .exe needs to be run elevated in order to start the driver and perform other elevated tasks.

How can such a program be automatically run on Windows startup without displaying a UAC prompt?

I saw that many similar applications, such as anti-malware programs, are able to start up elevated without a UAC prompt.

I am considering the following options, and would be grateful if you could point me in the right direction:

1. Set driver startup as automatic, launch .exe from kernel service

However, my research indicates that there is no documented way to start a user-level process from the kernel.

2. Create a separate user-level service which will start the .exe

I read that user-level services are exempt from UAC.

A possible approach would be to create an automatic startup user-level service, which just runs the .exe process (using CreateProcessAsUser()) and then terminates itself.

3. Convert the .exe program from a Delphi GUI application to a user-level service

Similar to option 2, but instead of creating a separate .exe for the service, we are converting the current GUI application to work also as a service. I found some documentation about this on this StackOverflow thread. However, this approach seems more complicated than creating a separate dedicated service.

4. Does an EV certificate provide some advantage to allow this task?

5. Is there any better way other than the ones mentioned above?


Solution

  • As was pointed out by Sertac Akyuz in his comment, you should use Windows Task Scheduler for this.

    With Task Scheduler you can create a task that will run at user logon and run your EXE with highest privileges available.

    And when I say highest privilege available, I mean the highest privilege of the current user when you specify a group of users in the "When running the task, use the following user account" field, provided that the current user is a member of that group. So if the current user does not have sufficient rights to execute programs with elevated privileges, the task will execute your application with standard privileges.

    But as the field name suggests, you can also specify that this task will always run your application using a specific user account, meaning that it will use that account's privilege level instead of that of the current user account.

    Anyway, using Task Scheduler to execute a GUI application that comes with some drivers is quite popular. For instance, ASUS uses such an approach to launch their AI Suite program, which allows monitoring and tweaking various settings of their motherboards. Here is how such a task is configured on my computer.

    [Screenshots: ASUS AI Suite II task properties, tabs General, Triggers, Actions and Settings]

    PS: I have purposely chosen to show you the task properties for ASUS AI Suite, as it is actually made with Delphi.
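The task described in the answer can be registered by the installer with the ScheduledTasks cmdlets. This is an added example, not code from the question or the answer; the task name and install path are placeholders, and it assumes only SYSTEM, Administrators and TrustedInstaller should be able to modify the binary, since anything that can replace the file would be launched elevated at the next logon.

```powershell
#Requires -RunAsAdministrator
# Added example: register the logon task once, from the elevated installer.
$TaskName = 'MyApp elevated startup'              # placeholder task name
$ExePath  = 'C:\Program Files\MyApp\MyApp.exe'    # placeholder install path

# SIDs allowed to modify the binary: SYSTEM, Administrators, TrustedInstaller.
$Trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
# Rights that let a principal replace or re-permission the file or its folder.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'

function Get-UntrustedWriter {
    param([string]$Path)
    # Ask for SIDs directly so the check does not depend on localized names.
    # Inherit-only ACEs stored as generic rights are not decoded here.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int]$WriteBits) -ne 0) -and
            $_.IdentityReference.Value -notin $Trusted
        }
}

# Check both the executable and its folder before trusting the path.
$risky = @($ExePath, (Split-Path -Parent $ExePath)) |
    ForEach-Object { Get-UntrustedWriter -Path $_ }
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights | Out-String | Write-Warning
    throw "Refusing to register: $ExePath is writable by non-administrators."
}

$action  = New-ScheduledTaskAction -Execute $ExePath
$trigger = New-ScheduledTaskTrigger -AtLogOn
# Group principal + Highest: each member gets the highest token they have,
# so a standard user still runs the program without elevation.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Highest
# The default 72-hour execution limit would stop a resident GUI; zero disables it.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings
```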