Is it possible for a service to start a user app running with admin privilege?


Polaris

Hi Vista Experts:

I have a UI application which needs admin privilege to run on Vista. In
order for a non-admin user to run it, can I create a service and then have the
service call CreateProcessAsUser with a duplicate token of the service
itself to start the UI application for the non-admin user to interact with?
If the UI App is started this way, will it have the same privilege as the
service (and thus be able to run with admin privilege)?

Thanks in advance.

Polaris
 
Polaris--

I'd sure like to know what the application is. You should be able to
right-click the program and give them permissions using the security tab, which is
going to list all the user's profiles>add>edit, but I wouldn't think your
user would need to. What app do you have that others can't get permission
to run?

I would think that you could go to :\Windows\Program Files and if you need
to right click the folders and give the users you want privileges at the
security tab if you have to. I don't think a service would come into play
here.

CH

The Mighty Cheney has struck out. Chutzpah enough to pardon? In a psychotic
world anything goes for Bushey and Cheney.
The lawyuhs are richer a few million dollars. The closing arguments for the
defense should be good for Comedy Central and Saturday Night Live. Fitz has
been gentle in this case--but if he ever had a chance to tear this
administration a new one--it's on Closing Argument Tuesday.
 
Thanks. Like I said, my app is an app with UI and it needs admin privilege
to run, what I'm trying to do is to find a way so that non-admin user can
still run this application.

Polaris
 
Assigning permissions by right-clicking the program>properties>security tab
should allow the non-admin user to run the program. Just add the user using
the edit button>by typing in the user>check the privileges>close.

CH
 
The whole point of the improved security in Vista is so that what you want
to do can't be done.
 
I think Polaris is trying to get at something else. Kerry summed it up: no.
Why does your app need admin privs? Can you factor out the components that do
and use COM Monikers to elevate those? If not, it is an administrative
application and ordinary users should not run it in the first place.
 
Polaris said:
Hi Vista Experts:

I have a UI application which needs admin privilege to run on Vista. In
order for a non-admin user to run it, can I create a service and then have the
service call CreateProcessAsUser with a duplicate token of the service
itself to start the UI application for the non-admin user to interact with?
If the UI App is started this way, will it have the same privilege as the
service (and thus be able to run with admin privilege)?

Yes, I expect that a service can respond in some way to a user trigger
(eg. window message, comms on a particular port) and spawn a new process
with your application running with the service's privileges.

However - I understand that in Vista, services can no longer interact
with the standard desktop - in essence, you cannot have services which
have a GUI operating on the normal desktop. I suspect this means that
whilst your service could, in theory, start an application - the fact
you have a GUI on it means it wouldn't work as you expect. I'm not sure
how it would fail (whether app would start but you'd not see anything,
or wouldn't start at all). I guess they added this to stop services
being installed which would then be used to bypass UAC etc - just as you
thought.

There are some ways around this it seems, but they won't work as you
think. See
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic10

Specifically it says:

"Quick solution:

* If the application's service uses a UI, a built-in mitigation in
Windows Vista allows the user to interact with the Session 0 UI in a
special desktop. This will make available the UI specific to the
application, instead of the entire Session 0 desktop."

Hope that helps

David
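The thread argues about three facts that can simply be measured: whether a given process is running with an elevated (unfiltered administrator) token, which session a service's process lives in (services are in Session 0; the interactive user is in another session, which is why a GUI spawned with the service's own token is not seen on the user's desktop), and whether the application's manifest actually declares that it needs administrator rights. The PowerShell below is an added example written for this page, not code from any poster; it uses only built-in .NET and CIM classes, and the path `C:\Apps\MyUiApp.exe` is a placeholder to be replaced with the real executable.

```powershell
# Added example (not from the thread): measure what "runs with admin privilege"
# means on Vista and later, so the service-launch design can be tested.

# 1. Is the *current* process elevated?  Under UAC an administrator logon
#    gets a filtered token in which the Administrators group is deny-only,
#    so IsInRole(Administrator) is $true only for the elevated token.
function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Which session is each running service host in?  Services run in
#    Session 0; a process created from a service's own (duplicated) token
#    inherits that session and so never appears on the user's desktop.
function Get-ServiceSessionReport {
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                ProcessId = $_.ProcessId
                SessionId = if ($proc) { $proc.SessionId } else { $null }
            }
        }
}

# 3. Does the executable declare that it needs admin?  The embedded
#    application manifest is plain UTF-8 XML inside the PE resources, so a
#    string search finds requestedExecutionLevel without a resource parser.
#    A missing entry is treated by Windows as asInvoker.
function Get-ManifestExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $text  = [Text.Encoding]::UTF8.GetString($bytes)
    $m = [regex]::Match($text, 'requestedExecutionLevel\s+level\s*=\s*["'']([^"'']+)["'']')
    if ($m.Success) { return $m.Groups[1].Value }
    return 'none (no manifest entry; treated as asInvoker)'
}

"Current process elevated : $(Test-Elevated)"
"Current session          : $([Diagnostics.Process]::GetCurrentProcess().SessionId)"
Get-ServiceSessionReport | Sort-Object SessionId, Service | Format-Table -AutoSize
# Placeholder path; replace with the UI application under discussion.
"Manifest execution level : $(Get-ManifestExecutionLevel -Path 'C:\Apps\MyUiApp.exe')"
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator": the first line flips from False to True while the session number stays the same, which is the distinction between "a user who is an administrator" and "a process with an elevated token". Every service row will show SessionId 0, which is the Session 0 isolation David's post refers to. If the manifest level comes back as `requireAdministrator`, the application itself is asking for elevation, and the right fix is the one suggested above: move the privileged pieces out and elevate only those.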
 
There is a reason for the distinction between admin and non-admin users. If
your user needs admin access, then make him an administrator.

Dale
 
Let alone the fact that it would take less than an hour to test the whole
thing if the OP knows anything about how to create a Windows service app.

Dale
 