Elevating Process Privilege Programmatically

Elevating process privilege programmatically?

You can indicate the new process should be started with elevated permissions by setting the Verb property of your startInfo object to 'runas', as follows:

startInfo.Verb = "runas";

This will cause Windows to behave as if the process has been started from Explorer with the "Run as Administrator" menu command.

This does mean the UAC prompt will come up and will need to be acknowledged by the user: if this is undesirable (for example because it would happen in the middle of a lengthy process), you'll need to run your entire host process with elevated permissions by Create and Embed an Application Manifest (UAC) to require the 'highestAvailable' execution level: this will cause the UAC prompt to appear as soon as your app is started, and cause all child processes to run with elevated permissions without additional prompting.

Edit: I see you just edited your question to state that "runas" didn't work for you. That's really strange, as it should (and does for me in several production apps). Requiring the parent process to run with elevated rights by embedding the manifest should definitely work, though.

Start a process with elevated privilege

Please see Elevating process privilege programatically.

You either need to throw a UAC Elevation prompt (potentially annoying) or run your root forking process as administrator. By declaring it in the ClickOnce or program manifests, you can ensure that simple double-clicks on your executable will automatically prompt to elevate.

If the end user's machine has UAC enabled, at some point some kind of prompt will appear, as there is no legitimate way of elevating a child process from an unprivileged one.

How to elevate privileges only when required?

I don't believe that it is possible to elevate the currently running process. It is built into Windows Vista that administrator privileges are given to a process upon startup, as I understand. If you look at various programs that utilise UAC, you should see that they actually launch a separate process each time an administrative action needs to be performed (Task Manager is one, Paint.NET is another, the latter being a .NET application in fact).

The typical solution to this problem is to specify command line arguments when launching an elevated process (abatishchev's suggestion is one way to do this), so that the launched process knows only to display a certain dialog box, and then quit after this action has been completed. Thus it should hardly be noticeable to the user that a new process has been launched and then exited, and would rather appear as if a new dialog box within the same app has been opened (especially if you some hackery to make the main window of the elevated process a child of the parent process). If you don't need UI for the elevated access, even better.

For a full discussion of UAC on Vista, I recommend you see this very through article on the subject (code examples are in C++, but I suspect you'll need to use the WinAPI and P/Invoke to do most of the things in C# anyway). Hopefully you now at least see the right approach to take, though designing a UAC compliant program is far from trivial...

How to elevate account on start / install with standard user?

If you don't want to prompt the UAC in the moment of the administrative operation (using runas), or on every program start (via manifest), you need to create a Service or a Scheduled Task once, at first program setup. A lot of programs use this technique such as Chrome for updates, which normally don't require elevated privileges but for few occasional operations.

Choosing the service method means that you must implement an IPC mechanism for example via named pipe so the low privilege program can talk to the service and ask to execute the desired operation. Keep in mind that the service will always run in background and you shouldn't expose too much permissive operations otherwise other malicious programs could use your service to elevate themselves, or you'll need also an authentication method.

For the scheduled task you could use the same executable with a command line argument like /disabletouch. You only need to manually trigger the task from the low privilege instance. There are the TaskScheduler COM interface (some open-source wrappers exists around it) and the schtasks tool that allow task creation and manual triggers. The task can be created for running as Administrator or SYSTEM account. As for the service allow only strict and harmless elevated operations to prevent misuse.

Elevating privileges programmatically and as more user friendly as possible

I would suggest launching a second copy of your application with the elevated privleges.. then use SendMessage and WM_COPYDATA (or some user-defined offset above WM_USER) to post a message/s to the new instance instructing it what to do (pass those args, tell it where to center itsself, etc). Or use some other form of IPC (inter-process communication: windows messages, named piped, memory mapped files, tcp/ip, etc...)

In this manner you can retain the application name, the signature, the program location.. everything looks normal to the user.

You may go so far as to launch the form from the un-elevated process and only handle data processing on the elevated side - passing data via your coice of IPC.

C# How to get admin privileges AT RUNTIME

You can't change the privilege level of a currently running process. You CAN launch a new process, asking for elevated permissions. Process.Start() supports the flag "runas".

        using (Process configTool = new Process())
        {
            configTool.StartInfo.FileName = "foo.exe"
            configTool.StartInfo.Arguments = "--bar";
            configTool.StartInfo.Verb = "runas";
            configTool.Start();
            configTool.WaitForExit();
        }

See Elevating process privilege programmatically?

You could separate functions of your application into a second executable, or re-launch your application with elevated permissions with "runas".


Related Topics

Is Is Possible to Export Functions from a C# Dll Like in VS C++

Post an HTML Table to Ado.Net Datatable

What Are Some Good .Net Profilers

Why Saving Changes to a Database Fails

When Should I Use a Struct Rather Than a Class in C#

Use Unity API from Another Thread or Call a Function in the Main Thread

Automating the Invokerequired Code Pattern

A Field Initializer Cannot Reference the Nonstatic Field, Method, or Property

Linq Query on a Datatable

Observablecollection Not Noticing When Item in It Changes (Even With Inotifypropertychanged)

What Does the Unary Plus Operator Do

Cross-Thread Operation Not Valid: Control Accessed from a Thread Other Than the Thread It Was Created On

Understanding Garbage Collection in .Net

C# Difference Between == and Equals()

How to Get the Application'S Path in a .Net Console Application

Performance Differences Between Debug and Release Builds

What Does the =≫ Operator Mean in a Property

How to Enumerate an Enum


Leave a reply



Submit