Change Integrity level in current process (UIAccess)

  • Question

  • I have an app that for some of the time needs to run with high integrity (UIAccess = true)

    For the rest of the time I'd like to lower the integrity level to the default (medium)

    I have tried the following but it does not work.

        HANDLE hProcess = GetCurrentProcess();
        HANDLE hToken = NULL;
        if (OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_QUERY, &hToken))
        {
            PSID pSidIL = NULL;
            //INFO on SID: https://support.microsoft.com/en-us/kb/243330?wa=wsignin1.0
            // S-1-16-12288 is the High Mandatory Level SID (SECURITY_MANDATORY_HIGH_RID, 0x3000)
            ConvertStringSidToSid(L"S-1-16-12288", &pSidIL);

            TOKEN_GROUPS tg = { 0 };

            tg.GroupCount = 1;
            tg.Groups[0].Attributes = SE_GROUP_INTEGRITY;
            tg.Groups[0].Sid = pSidIL;

            AdjustTokenGroups(hToken, FALSE, &tg, sizeof(TOKEN_GROUPS) + GetSidLengthRequired(1), NULL, NULL);
            DWORD error = GetLastError();

            // Release the SID allocated by ConvertStringSidToSid and the token handle
            LocalFree(pSidIL);
            CloseHandle(hToken);
        }

    Any ideas please?


    Michael Tissington

    Wednesday, January 17, 2018 8:24 PM

Answers

  • Hi Michael Tissington,

    Thanks for posting here.

    >>I have an app that for some of the time needs to run with high integrity (UIAccess = true)

    >>For the rest of the time I'd like to lower the integrity level to the default (medium)

    For this case, I suggest you use the SetTokenInformation function to set the TokenIntegrityLevel to SECURITY_MANDATORY_MEDIUM_RID with the TOKEN_INFORMATION_CLASS enumeration.

    Hope this could be of help to you.

    Best Regards,

    Baron Bi


    MSDN Community Support

    • Proposed as answer by Baron Bi Friday, January 19, 2018 1:12 AM
    • Marked as answer by Michael Tissington Friday, January 19, 2018 10:03 AM
    Thursday, January 18, 2018 1:36 AM

All replies

  • Great - thanks that did it. I can now change the integrity to a lower level.

    Given the current process was originally launched with High Integrity (UIAccess), how can I re-enable this? It seems like I can go down but can't come back up?


    Michael Tissington

    Thursday, January 18, 2018 10:26 AM
  • Windows doesn't allow processes to increase integrity levels. Allowing a process to increase its integrity level would essentially make the integrity level mechanism useless. What if all processes elevated their integrity levels to high?

    For more information see Windows Integrity Mechanism Design


    • Proposed as answer by Baron Bi Friday, January 19, 2018 1:12 AM
    Thursday, January 18, 2018 11:35 AM
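
The accepted suggestion (SetTokenInformation with TokenIntegrityLevel) together with the one-way rule from the reply above, written out as an added example; it is not code from the thread or from Microsoft. The function names `integrity_sid_string`, `il_change_allowed` and `lower_process_integrity` are hypothetical, and the token is opened with `TOKEN_QUERY | TOKEN_ADJUST_DEFAULT` (link with advapi32).

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#else  /* winnt.h values, repeated so the helpers also build off Windows */
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000UL
#define SECURITY_MANDATORY_HIGH_RID   0x3000UL
#endif
/* Integrity SIDs are S-1-16-<RID>: medium is S-1-16-8192, high S-1-16-12288. */
int integrity_sid_string(unsigned long rid, char *out, size_t cap)
{
    int n = snprintf(out, cap, "S-1-16-%lu", rid);
    return n > 0 && (size_t)n < cap;
}
/* Per the thread: a process can lower its level but cannot raise it back. */
int il_change_allowed(unsigned long current_rid, unsigned long target_rid)
{
    return target_rid <= current_rid;
}

#ifdef _WIN32
/* Set the current process token to target_rid; returns 0 or a Win32 error. */
DWORD lower_process_integrity(DWORD target_rid)
{
    struct { TOKEN_MANDATORY_LABEL l; BYTE sid[SECURITY_MAX_SID_SIZE]; } cur;
    TOKEN_MANDATORY_LABEL tml = { 0 };
    HANDLE tok = NULL; PSID sid = NULL; DWORD err = 0, len = 0; char s[32];
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_DEFAULT, &tok))
        return GetLastError();
    if (!GetTokenInformation(tok, TokenIntegrityLevel, &cur, sizeof cur, &len)) {
        err = GetLastError();
    } else if (!il_change_allowed(*GetSidSubAuthority(cur.l.Label.Sid, 0), target_rid)) {
        err = ERROR_ACCESS_DENIED;          /* refused here: this would be a raise */
    } else if (!integrity_sid_string(target_rid, s, sizeof s)) {
        err = ERROR_INSUFFICIENT_BUFFER;
    } else if (!ConvertStringSidToSidA(s, &sid)) {
        err = GetLastError();
    } else {
        tml.Label.Sid = sid;                /* the label is a single SID with this attribute */
        tml.Label.Attributes = SE_GROUP_INTEGRITY;
        if (!SetTokenInformation(tok, TokenIntegrityLevel, &tml,
                                 (DWORD)(sizeof tml + GetLengthSid(sid))))
            err = GetLastError();
    }
    if (sid) LocalFree(sid);
    CloseHandle(tok);
    return err;
}
#endif
```

On Windows, call `lower_process_integrity(SECURITY_MANDATORY_MEDIUM_RID)` once the high-integrity work is finished; the change applies to the process token for the rest of the process lifetime.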
  • Yes I understand that - I was hoping it was like a privilege that I could enable or disable.

    Michael Tissington

    Thursday, January 18, 2018 3:41 PM
  • >>Yes I understand that - I was hoping it was like a privilege that I could enable or disable.

    Nope.  But hope springs eternal. :)
    Thursday, January 18, 2018 3:43 PM
  • Could you duplicate the token, decrease the integrity of the duplicated token, then use the duplicate to start a thread for the low integrity work? Leaving the main thread to do the high integrity work.
    Tuesday, July 30, 2019 6:13 AM