RE: Elevate permission of code

Thanks for your reply Zinon,

I'm afraid such programmatic privilege elevation is not allowed in both
windows Vista and windows XP. Actually, if your application can do such
programmatic elevation(to gain a permission your process account not have
originally), then any other application(maybe malicious ) can also do this.
That'll be a big security threaten.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
From: =?Utf-8?B?Wmlub24=?= <zinon@xxxxxxxxxxxxxxxx>
References: <1DCC7C7F-725E-4F50-9E92-921BEBBBC069@xxxxxxxxxxxxx>
<yeFdwAFdIHA.4720@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Elevate permission of code
Date: Thu, 21 Feb 2008 00:29:00 -0800


Thanks for the replies.

The app will be deployed on WinXP machines, so unfortunately any solution
involving Vista features is not an option.

So the bottom line, from what I understand, is that it cannot be done?


""Steven Cheng"" wrote:

Hi Zinon,

As for the privilege elevation, I'm afraid you're limited to the Vista
interactive elevation behavior since the UAC is used to detect any
privileged operations that may occcur in application's code. If it is
allowed to programmatically elevate privilege, then the security hole is
opened again.

So far for applications that may require admin token(elevated
privilege),
there are two means:

1. Just let the UAC detect it and request the user to do the elevation
on-demand when executing.

2. Add a manifest for your application and tell what level of execution
permission will it require. Thus, the operating system will demand that
elevation(if necessary) at startup time.

#How To: Tell Vista's UAC What Privelege Level Your App Requires
http://channel9.msdn.com/Showpost.aspx?postid=211271

http://blogs.msdn.com/shawnfa/archive/2006/04/06/568563.aspx

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach
the
most efficient resolution. The offering is not appropriate for
situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are
best
handled working with a dedicated Microsoft Support Engineer by
contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no
rights.



--------------------
From: =?Utf-8?B?Wmlub24=?= <zinon@xxxxxxxxxxxxxxxx>
Subject: Elevate permission of code
Date: Wed, 20 Feb 2008 08:21:01 -0800


Hi All,

I have an application which accesses and modifies the registry during
runtime. The application is being deployed using ClickOnce. However,
the
users running the application do not have the required privileges to
modify
the registry and the application fails.

Is there a way to elevate the security priveleges of a particular piece
of
code in order to modify the registry or carry out other tasks which may
have
security restrictions?

I've tried declaring [RegistryPermission(SecurityAction.Assert,
Unrestricted
= true)] on the calling class, as well as:
RegistryPermission permission = new
RegistryPermission(PermissionState.Unrestricted);
permission.Assert();
..in the method body but with no luck so far. What am I not doing? Or
maybe,
what should I be doing?

Thanks
Zinon





.

Relevant Pages

  • Re: Visual C++ 6.0, Vista, DragnDrop and elevation...
    ... Vista requires elevation. ... Vista appears to bark at any .exe with Install or Installer within the ...
    (microsoft.public.vc.mfc)
  • Re: I bought a new computer yesterday... it came with VISTA !!
    ... >>>> Actually just clicking Continue DOES NOT elevate to Admin level. ... Vista tries to elevate setup files automatically, ... Windows will ask for elevation credentials and will ...
    (comp.sys.mac.advocacy)
  • DeleteFileW returns incorrect error code in Vista for DLLs
    ... I've found what seems to be a bug in the DeleteFileW function in Vista, I was just wondering if this was known about already: ... It seems that DeleteFileW can return an incorrect error code when attempting to delete a DLL that is in use, _if elevation is used_. ... In XP, or in the case of in-use files in Vista for which elevation is not needed in order to delete them, ERROR_SHARING_VIOLATION is returned for both EXEs and DLLs. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: DeleteFileW returns incorrect error code in Vista for DLLs
    ... I've found what seems to be a bug in the DeleteFileW function in Vista, ... attempting to delete a DLL that is in use, _if elevation is used_. ... deleting an in-use DLL from the Program Files folder. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: Vista - Starting a Service
    ... Unless you are explicitly elevated you won't have the permission. ... Services applet asks for elevation, ... Your program needs a manifest to ... Net Start XYZService from a CMD prompt - I get an Error 5 Access Denied. ...
    (microsoft.public.dotnet.general)