Company Events Academic Community Support Solutions Products & Services Contact NI MyNI

Deploying LabVIEW Applications on Windows Vista and Later Operating Systems

LabVIEW 2013 Help

Edition Date: June 2013

Part Number: 371361K-01

»View Product Info

The security changes introduced by Windows Vista result in the following two issues to consider when using the LabVIEW Application Builder on Windows Vista or later:

  • LabVIEW embeds an application manifest in every stand-alone application and installer.
  • Stand-alone applications and installers for stand-alone applications are not signed.

In addition to this help topic, you can refer to the following resources for more information about developing applications on Windows Vista and later:

  • Refer to the KnowledgeBase for more information about application development considerations for Windows Vista and later.
  • Refer to the KnowledgeBase for the most up-to-date information about the LabVIEW Application Builder on Windows Vista and later.

Application Manifests

LabVIEW embeds an application manifest in every stand-alone application and installer. Because the manifest is embedded in the application, you must retrieve the manifest before it appears in the directory with the application. The manifest is an XML file with the extension .manifest. The manifest contains information that describes the application properties to Windows. While manifests are not new to Windows, the security section of the manifest is a new feature. You can now specify the requested execution level in the manifest for an application you deploy on Windows Vista or later.

Specifying the execution level of the application determines the required security privileges you need to launch an application. The execution level of the application determines if the application displays a dialog box prompting the user to give administrator consent or to enter an administrator password before launching the application. Applications that require administrator privileges have a security shield overlay on the application icon. Whether the application runs as an administrator or standard user then determines several properties of the application, including the directories to which the application can write. If you launch an application as a standard user, the application cannot write to protected directories and registries. The Program Files directory is an example of a protected directory on Windows Vista and later.

Microsoft recommends that applications run without requiring administrator privileges. Therefore, design applications so they do not attempt to access protected areas of the operating system. Running without administrator privileges gives all users the opportunity to run the application as intended.

The following code is an example manifest for a stand-alone application.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0>

<assemblyIdentity version="1.0.0.0"

processorArchitecture="X86"

name="National Instruments.LabVIEW.LabVIEW"

type="win32"/>

<description>LabVIEW Development System</description>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

<security>

<requestedPrivileges>

<requestedExecutionLevel

level="asInvoker"

uiAccess="false"/>

</requestedPrivileges>

</security>

</trustInfo>

</assembly>

The requested execution level of a stand-alone application can be any of the following values:

  • asInvoker—(Default) The stand-alone application executes with the same access privileges as the user, either standard or administrator. The application does not display a dialog box prompting the user for consent before it runs. If the application runs as standard user, the application cannot write to protected directories. If the application runs as administrator, the application can write to protected directories.
  • highestAvailable—The stand-alone application executes with the highest access privileges possible. If the user has only standard user privileges, the application does not display a dialog box prompting the user for consent, but the application cannot write to protected directories. If the user has administrative privileges, the application displays a dialog box prompting the user to either consent or to enter the administrator password and can write to protected directories.
  • requireAdministrator—The stand-alone application executes at the administrator level. If the user has only standard privileges, the application displays a dialog box prompting the user to enter the administrator password and can write to protected directories. If the user has administrator privileges, the application displays a dialog box prompting the user for consent before it runs. The application can write to protected directories.

If you develop a stand-alone application in LabVIEW 8.2.1 or later and deploy the application on Windows XP or earlier, a stand-alone application that includes a manifest and has the requested execution level specified does not exhibit the Windows Vista and later behavior. Windows XP ignores the security section of the manifest.

The setup.exe in LabVIEW-built installers also contains a manifest. The default requested execution level is requireAdministrator. Because the setup.exe updates system-level files, settings, and configurations, avoid changing the requested execution level of setup.exe. Changing the requested execution level of setup.exe might cause the installer to function incorrectly.

Refer to the KnowledgeBase for more information about application manifests.

Digital Signing

Digital signing lets users verify who created an application or installer and decide whether the application or installer is safe to install or run. Because Windows Vista and later offer additional levels of security, users might encounter additional dialog boxes warning them about the risks of installing or running unsigned applications or installers. By default, LabVIEW does not sign stand-alone applications or installers so you can customize the digital signature. To reduce the amount of dialog boxes a user encounters, sign stand-alone applications and installers using the Windows Security page of the Application Properties dialog box or the Windows Security page of the Installer Properties dialog box, respectively, when you build.

You need the following tools to sign an application or installer:

  • Signing certificate—You can purchase signing certificates from a number of vendors, including Verisign. You can purchase signing certificates only for companies or organizations. Individuals cannot purchase signing certificates. Signing certificates must be personal information exchange (PFX) files.
  • Signing tool—The Windows Driver Kit includes the signing tool. You use the signing tool to apply the digital signature. Refer to the KnowledgeBase for more information about downloading the Windows Driver Kit.

To sign a stand-alone application, you need to sign only the .exe file. To sign a LabVIEW-built installer, you need to sign only the setup.exe. You do not need to sign any other files for stand-alone applications and installers. Digital signing involves procuring third-party providers for digital certificates, and no single procedure for signing code exists. Refer to the KnowledgeBase for more detailed information about digitally signing applications or installers for deployment on Windows Vista and later.


 

Your Feedback! poor Poor  |  Excellent excellent   Yes No
 Document Quality? 
 Answered Your Question? 
Add Comments 1 2 3 4 5 submit