3

I'm looking for a way to elevate the execution privileges of a thread or process without the UAC popup appearing. The user who runs the process is an admin user and I have his username and password available.

I need to do that in order to do some administrative stuff like restarting a service and writing files to system directories. My application is run remotely and there is no interactive user to confirm the UAC dialog. Disabling UAC is not an option.

I've tried juggling LogonUser(), ImpersonateLoggedOnUser(), CreateProcessAsUser() and DuplicateTokenEx() for the better part or two days but couldn't figure out the right combination and if at all this is even possible.

Specifically what I've tried is this:

HANDLE token = 0;
LogonUserA(user, NULL, pass, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, &token);
HANDLE impToken = 0;
DuplicateToken(token, SecurityImpersonation, &impToken);
ImpersonateLoggedOnUser(impToken);
CreateFileA("C:\\windows\\blabla.dll", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

the last call fails with GetLastError()=1346, "Either a required impersonation level was not provided, or the provided impersonation level is invalid."

What am I doing wrong?
Note - this is running on Win2008 R2

shoosh
  • 76,898
  • 55
  • 205
  • 325
  • 3
    This may give a hint; http://stackoverflow.com/questions/5098121/how-can-i-get-elevated-permissions-uac-via-impersonation-under-a-non-interacti – Joachim Isaksson Feb 15 '12 at 17:26
  • I don't think you can do this inline; it probably requires launching a separate process with the impersonation token. – Luke Feb 15 '12 at 18:57
  • @Luke Launching a new process is ok but I couldn't figure out how to do that as well using `CreateProcessAsUser`. any ideas? – shoosh Feb 15 '12 at 23:19
  • 1
    @Luke: This is indeed a mandatory step to request elevation but it won't help skipping the UAC prompt. – Serge Wautier Feb 16 '12 at 08:10
  • I read somewhere that you can get the non-split token via LogonUser(NETWORK), launch a new process with that token via CreateProcessAsUser(), then launch another process via ShellExecute("runas") and get a full-blown admin process without a UAC prompt. No idea if that's true or not, but it's worth a try. – Luke Feb 16 '12 at 12:57
  • @Lunk the token I get using LogonUser(NETWORK) doesn't allow me to do anything, I get the same error for any call and does any security check. can you please try to locate the source you read this? – shoosh Feb 19 '12 at 08:07
  • I must have misremembered because I couldn't find it; sounded dubious anyway. – Luke Feb 20 '12 at 15:29

4 Answers4

4

You'll go nowhere by trying to login this or that user. The problem is not the user, it's the context where you ask the admin privilege. Even admins must confirm UAC prompts.

If what you ask was possible, it would totally defeat the UAC concept. As long as the session is interactive (and, on Win7, the program doesn't come from a Windows shortlist, such as the Services applet), you won't be able to bypass the prompt.

As others said, the usual solution is to write a service and have your interactive application talk to the service using a standard IPC mechanism such as named pipes. Beware though to the security descriptors required upon creation of your IPC object on both ends: User contexts are different in the service and in the interactive application.

Serge Wautier
  • 21,494
  • 13
  • 69
  • 110
2

Usually the suggested solution where you need to bypass UAC is to write a service. The service would run with full privileges, and your applications asks it to perform actions.

Alexey Ivanov
  • 11,541
  • 4
  • 39
  • 68
  • To install a service I need to pass through UAC, so we have a chicken and egg. – shoosh Feb 16 '12 at 08:06
  • @shoosh So are you trying to avoid UAC on the first install of your application? Or is your app already installed? – Alexey Ivanov Feb 16 '12 at 08:22
  • 1
    The point is that you only need to install the service *once*, not elevate an application's process *each time*. As Serge says, if UAC could be trivially defeated, it would be pointless. – Cody Gray - on strike Feb 17 '12 at 06:55
1

The problem is that you provided a wrong value of impersonation level (the SecurityImpersonation variable). It should be a "magic number" 2

thangcao
  • 1,819
  • 1
  • 13
  • 14
1

I believe you can use the Task Scheduler to bypass a UAC prompt. Found a set of instructions here: http://www.vikitech.com/253/create-shortcuts-for-trusted-programs-to-bypass-windows-7-uac-check

It would be some work, but it can certainly be accomplished via code.

Joe Jordan
  • 2,372
  • 2
  • 17
  • 20
  • You need full admin privileges to create a scheduled task. This can be done with the "at" command. invoking it under UAC returns "Access denied" – shoosh Feb 16 '12 at 08:11