tags:

views:

36

answers:

2
Q: 

How to run a process as current user privilege from an admin process

When a setup program(built by like Inno Setup) does launch a process, the process always be run as administrator privilege. -because setup program had been run as admin.

I want to run the child process as current user's privilege.
Is there a good way?

+3  A: 

This question comes up every 3 or 4 months internally at MSFT.

The answer that the security folks give is: You can't. When the elevated process token is created, there are changes made to the token that can't be undone.

Your best bet is to have a launcher application that runs your elevated setup program and then when the elevated setup program is completed, turns around and runs your child process.

Larry Osterman  2010-10-15 05:47:12
I keep telling people this over and over, but they never listen. Finally someone from MS speaks up.
Anders  2010-10-15 10:34:14
+1  A: 

Although it is not considered best practice (or even good practice), it is possible to launch a medium IL process from a high/admin IL process:

See this post on codeproject

I can confirm that this code works on Vista 32 and 64-bit with and without UAC enabled.

Bradley Smith  2010-10-15 05:58:51
Oh, I'll try. Thanks.
Benjamin  2010-10-15 06:01:55
Yes! It works. Thanks Brad.
Benjamin  2010-10-15 08:30:50
This can fail in multiple ways: A)Explorer is not running. B)Explorer is elevated. C)Explorer is running as a different user because the secondary logon service aka runas was used: Explorer.exe=User1, cmd.exe(or some other process)=User2(cmd.exe started by runas, this is the user you want) YourElevated.exe=(Admin)User3
Anders  2010-10-15 10:30:49
@Anders Although it is not a fool-proof solution, it is relatively safe to assume that a setup program (as in the context of the original question) will be run interactively; ensuring that A is true. C is true in the vast majority of environments. If either of the 3 scenarios you stated are true, i'm sure it's not unreasonable for an elevation prompt to be presented to the user.
Bradley Smith  2010-10-15 17:37:28
@Bradley Smith: Another scenario; The system is so messed up that it has to be booted in safe mode with command line (Broken shell extension or malware that keeps crashing the shell) Then the only processes will be cmd.exe, add/remove programs and the uninstaller.
Anders  2010-10-15 22:44:46

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)