Elevating a COM object to run as Admin

  • Question

  • A few months back I saw something about how it is possible to run a COM object in an elevated state.  I cannot find that in MSDN now, might someone be kind enough to direct me to it?

    Does anyone know if you still get the UAC prompt when using this approach? Also, is there any way to set up an application so that a regular user is able to run it as admin without the user being an administrator?

    Sam
    Thursday, February 18, 2010 4:46 PM

Answers

  • Hello Sam

    Here are several options that may help you:

    Option 1.

    Based on the sample http://blogs.msdn.com/vistacompatteam/archive/2006/09/28/CoCreateInstanceAsAdmin-or-CreateElevatedComObject-sample.aspx, open dcomcnfg, and find the MyElevatedCom component in DCOM Config. Open its property page and turn to the Identity tab. The default choice is “The launching user” (i.e. the ordinary user if the app is run as a real ordinary user). We need to set it to be “This user”, and enter an admin account. Next, turn to the Security tab of the dialog, and make sure that the ordinary user is allowed to launch/activate/access the component. If you want to allow all users to access the high IL component, you can enter "Everyone", and take the security risk.

    In the client app, remove the code of elevation moniker. Build and run it. Because this time the dllhost process runs in a non-interactive session, you won’t see the "Elevation" message box, and the process hangs. In other words, please make sure that your COM component does not have any task that interacts with the user. If you check the dllhost process in process explorer, you will find that it indeed runs in high integrity level as expected.

    Option 2.

    Write an out-of-proc COM Service that runs in system integrity level. In dcomcnfg, configure the component to allow the ordinary user to access it. (After the configuration of the security setting, please remember to restart the service process). ATLCOMService in All-In-One Code Framework shows you such a sample out-of-proc COM service.

    Option 3.

    Host your COM in-proc DLL in COM+ process, and configure the component to run as admin, and to allow the ordinary user to access it.

     


    Regards,
    Jialiang Ge
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by EHCarleton Tuesday, February 23, 2010 4:28 AM
    Friday, February 19, 2010 5:57 AM
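
The settings Option 1 changes in dcomcnfg are stored per AppID in the registry: the Identity tab as the `RunAs` value, the Security tab as the binary `LaunchPermission` and `AccessPermission` security descriptors. The following audit script is an added example, not code from the answer or the linked sample. It lists AppIDs that run as a fixed account while granting rights to broad groups, which is the "Everyone" risk the answer mentions. The function names and the choice of which SIDs count as broad are assumptions of this example.

```powershell
# Added example: find DCOM AppIDs that run as a fixed account ("This user")
# and whose launch/access ACLs include broad groups.
$BroadSids = @{                      # assumption: which principals count as "broad"
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-BroadComGrant {
    # Returns the broad principals holding an allow ACE in a binary COM
    # security descriptor (a LaunchPermission or AccessPermission value).
    param([byte[]]$Descriptor)
    if (-not $Descriptor) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Descriptor, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $BroadSids.ContainsKey($ace.SecurityIdentifier.Value)) {
            # COM rights: 1=execute, 2/4=local/remote execute, 8/16=local/remote activation
            [pscustomobject]@{ Principal = $BroadSids[$ace.SecurityIdentifier.Value]
                               Mask      = '0x{0:X}' -f $ace.AccessMask }
        }
    }
}

function Find-RiskyDcomAppId {
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
        $runAs = $_.GetValue('RunAs')
        # No RunAs value = launching user; 'Interactive User' = logged-on user.
        if (-not $runAs -or $runAs -eq 'Interactive User') { return }
        foreach ($name in 'LaunchPermission', 'AccessPermission') {
            foreach ($grant in Get-BroadComGrant ($_.GetValue($name))) {
                [pscustomobject]@{ AppId = $_.PSChildName; Name = $_.GetValue(''); RunAs = $runAs
                                   Value = $name; Principal = $grant.Principal; Mask = $grant.Mask }
            }
        }
    }
}

# Constructed sample descriptor: Everyone (WD) holds all five COM rights (0x1f),
# Administrators (BA) hold local rights only (0xb).
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor('O:BAG:BAD:(A;;0x1f;;;WD)(A;;0xb;;;BA)')
$bytes  = New-Object byte[] ($sample.BinaryLength)
$sample.GetBinaryForm($bytes, 0)
Get-BroadComGrant $bytes | Format-Table -AutoSize

# Live scan of the local machine's AppID registrations.
Find-RiskyDcomAppId | Format-Table -AutoSize
```

An AppID with no `LaunchPermission` or `AccessPermission` value falls back to the machine-wide DCOM defaults, which this script does not inspect.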

All replies

  • Hello

    How are you? May I know whether you have any updates about this issue?


    Regards,
    Jialiang Ge
    Tuesday, February 23, 2010 3:51 AM
  • Sorry, I totally missed the reply on Friday, that is EXACTLY what I am looking for, thank you.
    Tuesday, February 23, 2010 4:28 AM