How to Start a Process Unelevated

by

I had best results by cloning Explorer’s token as follows:

var shellWnd = WinAPI.GetShellWindow();
if (shellWnd == IntPtr.Zero)
    throw new Exception("Could not find shell window");

uint shellProcessId;
WinAPI.GetWindowThreadProcessId(shellWnd, out shellProcessId);

var hShellProcess = WinAPI.OpenProcess(0x00000400 /* QueryInformation */, false, shellProcessId);

var hShellToken = IntPtr.Zero;
if (!WinAPI.OpenProcessToken(hShellProcess, 2 /* TOKEN_DUPLICATE */, out hShellToken))
    throw new Win32Exception();

uint tokenAccess = 8 /*TOKEN_QUERY*/ | 1 /*TOKEN_ASSIGN_PRIMARY*/ | 2 /*TOKEN_DUPLICATE*/ | 0x80 /*TOKEN_ADJUST_DEFAULT*/ | 0x100 /*TOKEN_ADJUST_SESSIONID*/;
var hToken = IntPtr.Zero;
WinAPI.DuplicateTokenEx(hShellToken, tokenAccess, IntPtr.Zero, 2 /* SecurityImpersonation */, 1 /* TokenPrimary */, out hToken);

var pi = new WinAPI.PROCESS_INFORMATION();
var si = new WinAPI.STARTUPINFO();
si.cb = Marshal.SizeOf(si);
if (!WinAPI.CreateProcessWithTokenW(hToken, 0, null, cmdArgs, 0, IntPtr.Zero, null, ref si, out pi))
    throw new Win32Exception();

Alternative approach

Originally I went with drf’s excellent answer, but expanded it somewhat. If the above (clone Explorer’s token) is not to your liking, keep reading but see a gotcha at the very end.

When using drf’s method as described, the process is started without administrative access, but it still has a high integrity level. A typical un-elevated process has a medium integrity level.

Try this: use Process Hacker to see the properties of the process started this way; you will see that PH considers the process to be elevated even though it doesn’t have administrative access. Add an Integrity column and you’ll see it’s “High”.

The fix is reasonably simple: after using SaferComputeTokenFromLevel, we need to change the token integrity level to Medium. The code to do this might look something like this (converted from MSDN sample):

// Get the Medium Integrity SID
if (!WinAPI.ConvertStringSidToSid("S-1-16-8192", out pMediumIntegritySid))
    throw new Win32Exception();

// Construct a structure describing the token integrity level
var TIL = new TOKEN_MANDATORY_LABEL();
TIL.Label.Attributes = 0x00000020 /* SE_GROUP_INTEGRITY */;
TIL.Label.Sid = pMediumIntegritySid;
pTIL = Marshal.AllocHGlobal(Marshal.SizeOf<TOKEN_MANDATORY_LABEL>());
Marshal.StructureToPtr(TIL, pTIL, false);

// Modify the token
if (!WinAPI.SetTokenInformation(hToken, 25 /* TokenIntegrityLevel */, pTIL,
                                (uint) Marshal.SizeOf<TOKEN_MANDATORY_LABEL>()
                                + WinAPI.GetLengthSid(pMediumIntegritySid)))
    throw new Win32Exception();

Alas, this still doesn’t really solve the problem completely. The process won’t have administrative access; it won’t have a high integrity, but it will still have a token that’s marked as “elevated”.

Whether this is a problem for you or not I don’t know, but it may have been why I ended up cloning Explorer’s token in the end, as described at the start of this answer.

Here is my full source code (modified drf’s answer), in all its P/Invoke glory:

var hSaferLevel = IntPtr.Zero;
var hToken = IntPtr.Zero;
var pMediumIntegritySid = IntPtr.Zero;
var pTIL = IntPtr.Zero;
var pi = new WinAPI.PROCESS_INFORMATION();
try
{
    var si = new WinAPI.STARTUPINFO();
    si.cb = Marshal.SizeOf(si);
    var processAttributes = new WinAPI.SECURITY_ATTRIBUTES();
    var threadAttributes = new WinAPI.SECURITY_ATTRIBUTES();
    var args = CommandRunner.ArgsToCommandLine(Args);

    if (!WinAPI.SaferCreateLevel(WinAPI.SaferScopes.User, WinAPI.SaferLevels.NormalUser, 1, out hSaferLevel, IntPtr.Zero))
        throw new Win32Exception();

    if (!WinAPI.SaferComputeTokenFromLevel(hSaferLevel, IntPtr.Zero, out hToken, WinAPI.SaferComputeTokenFlags.None, IntPtr.Zero))
        throw new Win32Exception();

    if (!WinAPI.ConvertStringSidToSid("S-1-16-8192", out pMediumIntegritySid))
        throw new Win32Exception();
    var TIL = new TOKEN_MANDATORY_LABEL();
    TIL.Label.Attributes = 0x00000020 /* SE_GROUP_INTEGRITY */;
    TIL.Label.Sid = pMediumIntegritySid;
    pTIL = Marshal.AllocHGlobal(Marshal.SizeOf<TOKEN_MANDATORY_LABEL>());
    Marshal.StructureToPtr(TIL, pTIL, false);
    if (!WinAPI.SetTokenInformation(hToken, 25 /* TokenIntegrityLevel */, pTIL, (uint) Marshal.SizeOf<TOKEN_MANDATORY_LABEL>() + WinAPI.GetLengthSid(pMediumIntegritySid)))
        throw new Win32Exception();

    if (!WinAPI.CreateProcessAsUser(hToken, null, commandLine, ref processAttributes, ref threadAttributes, true, 0, IntPtr.Zero, null, ref si, out pi))
        throw new Win32Exception();
}
finally
{
    if (hToken != IntPtr.Zero && !WinAPI.CloseHandle(hToken))
        throw new Win32Exception();
    if (pMediumIntegritySid != IntPtr.Zero && WinAPI.LocalFree(pMediumIntegritySid) != IntPtr.Zero)
        throw new Win32Exception();
    if (pTIL != IntPtr.Zero)
        Marshal.FreeHGlobal(pTIL);
    if (pi.hProcess != IntPtr.Zero && !WinAPI.CloseHandle(pi.hProcess))
        throw new Win32Exception();
    if (pi.hThread != IntPtr.Zero && !WinAPI.CloseHandle(pi.hThread))
        throw new Win32Exception();
}

And here are the P/Invoke definitions you’ll need in addition to those listed in drf’s answer:

[DllImport("advapi32.dll", SetLastError = true)]
public static extern Boolean SetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, UInt32 TokenInformationLength);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("advapi32.dll")]
public static extern uint GetLengthSid(IntPtr pSid);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ConvertStringSidToSid(
    string StringSid,
    out IntPtr ptrSid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr LocalFree(IntPtr hMem);

More Related Contents:

  1. VB Net Class in C# [closed]
  2. What is a NullReferenceException, and how do I fix it?
  3. Setting Objects to Null/Nothing after use in .NET
  4. Custom Compiler Warnings
  5. Difference in months between two dates
  6. Way to have String.Replace only hit “whole words”
  7. When is a custom attribute’s constructor run?
  8. Capture screenshot Including Semitransparent windows in .NET
  9. How do I determine a mapped drive’s actual path?
  10. Get File Icon used by Shell
  11. Difference with Parameters.Add and Parameters.AddWithValue
  12. How to find overlapping controls that I added to form?
  13. How to flatten nested objects with linq expression
  14. Inconsistency in divide-by-zero behavior between different value types
  15. What is a predicate in c#? [duplicate]
  16. Winforms: Application.Exit vs Environment.Exit vs Form.Close
  17. Install to same path when upgrading application
  18. Get the SourceControl of a DropDownMenu
  19. .NET Configuration (app.config/web.config/settings.settings)
  20. Compare compiled .NET assemblies?
  21. Return to an already open application when a user tries to open a new instance
  22. Is .NET 4.0 Compatible with Windows XP SP2 or below? [closed]
  23. Save Settings in VB.Net or C#
  24. .NET graph library around? [closed]
  25. center MessageBox in parent form [duplicate]
  26. How to get status code from webclient?
  27. What steps do I need to take to use WCF Callbacks?
  28. How to insert a Symbol (Pound, Euro, Copyright) into a Textbox
  29. Dynamically changing Textbox’s AutoComplete List causes AccessViolationException, any advice?
  30. As of today, what is the right way to work with COM objects? [duplicate]

Leave a Comment