# Sunday, 21 June 2009

Some simple truths about elevation (as in UAC):

  • A process, once running, cannot elevate itself. You are launched elevated or not.
  • A non elevated process can launch an elevated one. The easiest way is to make a separate exe and embed a manifest, then launch it with ShellExecute.
  • An elevated process, once running, cannot "drop back down" to being non elevated. As in the first bullet, you are launched elevated or not.
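The second bullet in managed code, as an added example that is not from the original post: a non elevated caller starts a separately manifested helper through ShellExecute and handles the case where the user declines the UAC prompt. `AdminHelper.exe`, its `--apply-setting` argument and the class and method names are hypothetical, and the helper is assumed to embed a `requireAdministrator` manifest.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

static class ElevatedHelperLauncher
{
    // Win32 ERROR_CANCELLED: the user dismissed the UAC consent prompt.
    const int ErrorCancelled = 1223;

    // True only when this process was launched with an elevated token.
    static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Runs the manifested helper and returns its exit code, or null when the
    // user declined the prompt. The helper's manifest is assumed to contain:
    //   <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
    static int? RunAdminTask(string helperPath, string arguments)
    {
        var psi = new ProcessStartInfo(helperPath, arguments)
        {
            // Must go through ShellExecute so the manifest triggers the UAC
            // prompt. With UseShellExecute = false (the default on .NET Core
            // and later) the launch uses CreateProcess and fails with
            // error 740, ERROR_ELEVATION_REQUIRED.
            UseShellExecute = true
        };
        try
        {
            using (Process helper = Process.Start(psi))
            {
                helper.WaitForExit();
                return helper.ExitCode;
            }
        }
        catch (Win32Exception ex) when (ex.NativeErrorCode == ErrorCancelled)
        {
            return null; // nothing ran elevated; the caller is still non elevated
        }
    }

    static void Main()
    {
        Console.WriteLine("Caller elevated: " + IsElevated());
        int? exit = RunAdminTask("AdminHelper.exe", "--apply-setting"); // hypothetical helper
        Console.WriteLine(exit.HasValue ? "Helper exit code: " + exit : "User declined elevation.");
    }
}
```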

There are some incredibly complicated ways to launch an elevated process but I don't use them because they are incredibly complicated. But you might have noticed there's a symmetry problem there. Can an elevated process launch a non elevated one? My first answer would be "it doesn't matter, because you shouldn't." My paradigm is that your core app should be non elevated, if at all possible, and if it has one or two admin-ish features, those should be refactored into a separate manifested exe that is launched (from a UI component decorated with the shield), does its stuff and gets out.

However, a case can be made for having some sort of admin app that wants to leverage some other installed application, like Internet Explorer, that could possibly be using a malicious plugin or the like. This admin app would be smart to do its leveraging with a non elevated instance of that application. So how can you do it? Well, according to Aaron Margosis, it's a seven step process in native code. Managed code is left as an exercise for the reader.

If you care, now you know how to do it. And even if you don't care, the symmetry is restored.



Sunday, 21 June 2009 17:30:28 (Eastern Daylight Time, UTC-04:00)