locked
CreateProcessWithLogin requires elevation RRS feed

  • Question

  • I have a task scheduling program that has functionality similar to the Windows Task Scheduler. This program runs in the background (not as a service though) as an admin user (it runs elevated). Like Windows Task Scheduler, it allows the user to configure other programs to be run at a specified time. Of course, the machine may well be unattended at the time, so elevation prompts are not acceptable.

     

    Furthermore, the program allows the user to specify account information that the program should be run as. When it is time to run the program, my scheduler program runs the program as the specified account. To implement this, the code calls CreateProcessWithLogonW, and this works just fine under XP. Under Vista, however, if the executable I am trying to run is marked as "requiresAdministrator" I get the error:

     

        "The requested operation requires elevation."

     

    Now I suppose this error message could be read two ways. My program IS running elevated, so that doesn't seem like that should be the problem. So I guess I should read this error message as meaning "the program you are trying to run requires elevation, and this function doesn't support this". I certainly could be wrong about this though.

     

    So I guess the question is, is there a way to accomplish this. It seems like it should be possible. Why? Because Windows Task Scheduler can do it. If you create a scheduled task in Vista, you can select the "Run with highest privileges" checkbox, and the program is run elevated as whatever user you have specified (with NO elevation prompts).

     

    I suppose I could actually use task scheduler programmatically to do what I want (create a temporary task, kick it off, and delete it when done), but this seems horribly kludgy.

     

    My code (that gets the error) looks something like this:

     

    PROCESS_INFORMATION processInfo = {0};

    HANDLE hToken;

    LPVOID lpvEnv;

    STARTUPINFO startupInfo = {0};

    startupInfo.cb = sizeof(STARTUPINFO);

     

    if (!LogonUser(strProcessAccountName, // The account to run the program as

    strProcessDomainName,

    strProcessPassword,

    LOGON32_LOGON_INTERACTIVE,

    LOGON32_PROVIDER_DEFAULT,

    &hToken))

    {

    // handle error

    }

     

    if (!CreateEnvironmentBlock(&lpvEnv, hToken, FALSE))

    {

    // handle error

    }

     

    if (!CreateProcessWithLogonW(strProcessAccountName,

    strProcessDomainName,

    strProcessPassword,

    LOGON_WITH_PROFILE,

    szExepath,

    szCommandLine,

    CREATE_UNICODE_ENVIRONMENT,

    lpvEnv,

    NULL,

    &startupInfo,

    &processInfo))

    {

    // handle error

    }

    Friday, February 22, 2008 4:37 PM

All replies

  • In Vista it is important to keep the distinction between a user with administrative privileges, and the actual built in "Administrator" account.

     

    Running as the "Administrator" account should also allow you to skip the prompts.  For example, in a command prompt running as an administrative user, type “mmc”, you'll see that you are prompted.  Now, go to the command prompt icon, right click, and select, "Run as Administrator".  Type “mmc” and see that you aren't prompted.

    Friday, February 22, 2008 6:30 PM
  •  Brian Houck wrote:

    In Vista it is important to keep the distinction between a user with administrative privileges, and the actual built in "Administrator" account.

     

    Running as the "Administrator" account should also allow you to skip the prompts.  For example, in a command prompt running as an administrative user, type “mmc”, you'll see that you are prompted.  Now, go to the command prompt icon, right click, and select, "Run as Administrator".  Type “mmc” and see that you aren't prompted.

     

    Thanks for the response, but I honestly am not sure what your point is. My scheduling progam will not necessarily be run by the "Administrator" account, but by accounts with administrative privileges. But either way, the error I get from the function call is my immediate problem.

    Friday, February 22, 2008 7:18 PM
  • The point I was trying to make is that I think the error message you are getting is from not elevating to the "Administrator" account, versus an administrative user.

    Friday, February 22, 2008 9:14 PM
  • I get the same error whether I start my program with the "Run As Administrator" menu option or not (the program is also marked as having a requestedExecutionLevel of "requiresAdministrator" in its manifest).

     

    Dave
    Friday, February 22, 2008 10:04 PM
  • Hi Dag,

     

    Did you resolve your problem.

     

    I am looking for the solution to same problem.

     

    Thank you!

     

    Friday, July 18, 2008 6:39 AM
  •  Virgo2008 wrote:

    Hi Dag,

     

    Did you resolve your problem.

     

    I am looking for the solution to same problem.

     

    Thank you!

     

     

    I have no solution yet. Up until recently, we simply have required our users to turn off UAC.

     

    Your timing is pretty good though - I opened up an incident directly with Microsoft on this just last week. No answers yet, but maybe this will get me somewhere. If I do get anywhere I'll post back here.

    Monday, July 21, 2008 3:16 AM
  • The token returned from CreateProcessWithLogonW is the non-elevated version of a users UAC token, which is why you are seeing the error messages. If you want to schedule tasks that need to run elevated, you should do so via the Task Scheduler APIs.

     

    Monday, July 21, 2008 12:47 PM
  • Thank you Dag!

     

    I am trying with CoCreateInstance and ShellExecuteEx, I don't know yet whether it will work.

     

    Monday, July 21, 2008 4:03 PM