Home/ Questions/Q 987545
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T05:29:35+00:00

I’m trying to figure out how to solve the privilege acquisition. The application requires

  • 0

I’m trying to figure out how to solve the privilege acquisition.

The application requires a desktop access, so it cannot be executed as a Windows service: it have to create a window for receiving message sent by other processes using SendMessage (it must be used for waiting message acknowledge).

The application shall be started when an user login, and it will manage the user session (manage applications, windows…). Only one user can be managed at time.

What I’m asking is which is the best solution for requesting privilege acquisition, since the application requires it (execute a process which calls SetWindowsHook).

  • How it possible to run any process at user login with (higher) privileges, possibly without prompting UAC messages? The setup operations could be peformed during the installation phase…
  • How could be possible to run an utility service starting a process when user logon? In this way the (installed) service could run the effective process with any priviledges…
  • Any other solution? *

What are the definive action to be taken for having a full compatible UAC application? (I mean in the build and deploy phases?

For example, I am including the following manifest file using mt.exe (using VS2005):

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"     xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-    com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    security>
      <applicationRequestMinimum>
        <defaultAssemblyRequest permissionSetReference="Custom" />
        <PermissionSet class="System.Security.PermissionSet" version="1"     Unrestricted="true" ID="Custom" SameSite="site" />
      </applicationRequestMinimum>
        <requestedPrivileges>
                <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
        </requestedPrivileges>
    </security>
  </trustInfo>
</asmv1:assembly>

It seems correct to you? No, because it doesn’t work to me…

*

It actually make sense to create an additional user account (but this shall work also on windows domains) with administrator privileges to execute a controlled environment. It could be also acceptable to create a working session (a new desktop station) without logging any user, but actually I don’t know if it is possible.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You are asking a lot of questions inside of one question. There are many unclear subjects (unclear for me) about architecture of your solutions. It is also absolutely unclear for me why you need SetWindowsHook. So I try to answer only on the technical parts of your questions.

    Starting of a program without prompting UAC is not a large problem and can be soleved with respect of manifestes.

    Starting of a process on users’s desktop from a service, so that the process runs not under users credentials, is tricky but possible. How I understand your service run under SYSTEM account. Then it has SE_TCB_NAME privilage. The service run in the session 0 (see http://www.microsoft.com/whdc/system/sysinternals/session0changes.mspx). If a user login, the processes which he see run on in the session 1 or higher. Under Windows XP the first logged user run use session 0 and only the next login (if fast switching is on) use session 1 etc. So on any operation system acn be required to start a process on other session. To do this you should use SetTokenInformation function with TokenSessionId parameter. I described details in Launching a process in user’s session from a service.

    In all cases you should monitor users logins and logoffs and should get users session id to be able to start a process on the session. You can do this in different ways. One of the most simple way is to have a application which runs in autostart (registerd unter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for example). This application communicate with your service and you get through impersonation the users token and the session id. Another way is usage of ISensLogon2 notifications (see http://msdn.microsoft.com/en-us/library/aa376863.aspx) of the System Event Notification Service (SENS).

    One more small problem. Depend on account used for the process which you start on users desktop in can requires to change Security Descriptor of the Desktop and Windows Station objects with respect of OpenWindowStation, OpenDesktop and SetUserObjectSecurity (see http://msdn.microsoft.com/en-us/library/ms681928.aspx, http://msdn.microsoft.com/en-us/library/ms687107.aspx and http://support.microsoft.com/kb/165194)

    • 0