Application Running Elevated Checking

  • Question

  • Hello,

     

    I don't know if this is the correct channel to report the following Windows Server 2008 RC0 thing. If this is not the case, it would be great if you could give me a URL. I cannot find an equivalent to the Software Development for Windows Vista forum at the moment.

    When checking whether an application is running elevated (using OpenProcessToken(GetCurrentProcess()…) and GetTokenInformation( … TokenElevationType… ) yadayada) then RC0 always seems to return TokenElevationTypeDefault (even if the application *is* running elevated). The very same function works perfectly under Vista.

     

    Is this a bug in RC0 or the expected behaviour?

     

    Thanks,

    Friedrich

    Monday, October 1, 2007 4:44 PM

All replies

  • This may be an expected behaviour depending on the UAC status (switched On or Off). I'll confirm it and let you know.

     

    Thanks,

    Amitava

    Partner Technical Consultant, Microsoft

    Wednesday, October 3, 2007 10:04 AM
  • Hi Linder,

     

    TokenElevationTypeDefault just means token not split. As I mentioned, if you have UAC turned off, are using the built-in Administrator account, or aren’t running with an interactive login, then you don’t generate a split token.

     

    Being a standard user is only one way of many to end up with a single token.

     

    Thanks,

    - Amitava
    Partner Technical Consultant, Microsoft

     

    Thursday, October 4, 2007 10:42 AM
  • Amitava,


    Thanks so much for your reply.  I'll check this and post back. I think the app was running under the Standard User account.  It asked for permission to run elevated, user accepted (password was entered) and it still returned TokenElevationTypeDefault. BTW, the program (an installer) was able to copy files into the Program Files folder so it really had administrator execution level privileges.


    Friedrich

    Thursday, October 4, 2007 4:26 PM
  • Hello,

    Okay, I have more information available.  UAC is ENABLED on this clean Windows Server 2008 RC0 machine (standard installation).
     
    A new Standard User user account is created.  The uactest.exe application is started and requests administrator execution level privileges.  UAC kicks in and the User Account Control window asks for the Administrator password.  Admin password entered and the app is running elevated.  But our IsElevated function returns TokenElevationTypeDefault.  The very same scenario on Vista machines always returns TokenElevationTypeFull.
     
    When running under the Admin account, the same uactest.exe runs elevated but also returns TokenElevationTypeDefault.
     
    Now the strange one.  Setting the "User Account Control: Admin Approval Mode for the Built-In Administrator account" group policy to ENABLE (default is DISABLE on both Vista and 2008) changes this behavior.  Suddenly, uactest.exe returns TokenElevationTypeFull when running elevated.
     
    Is this the expected behavior?

    Any idea?

    Thanks,

    Friedrich
    Friday, October 5, 2007 5:54 PM
  • Hello Friedrich,

     

    Yes, this is expected. The following, extracted from the TechNet resource on UAC http://technet2.microsoft.com/windowsserver2008/en/library/ea0e4c02-9c27-488d-992b-ce4e0d3920031033.mspx?mfr=true should be helpful to you.

     

    While UAC appears in both Windows Server 2008 and Windows Vista, the default configurations differ in the following ways:

    The Admin Approval Mode (AAM), by default, is not enabled for the Built-in Administrator Account in either Windows Server 2008 or Windows Vista.

    The Built-in Administrator account is disabled by default in Windows Vista, and the first user account created is placed in the local Administrators group, and AAM is enabled for that account.

    The Built-in Administrator account is enabled by default in Windows Server 2008. AAM is disabled for this account.

     

    Hope this helps.

     

    Sincerely,

    Amitava, Microsoft

     

    Monday, October 8, 2007 12:40 PM
  • Amitava,

     

    Very interesting.  Thank you for the information!!!

     

    Friedrich
    Thursday, October 11, 2007 12:59 PM
  • Hi Amitava,

     

    We gave it some thought and this really is a problem (IMO).  For example, our application has to find out if it is running elevated or not.  But it always returns TokenElevationTypeDefault under Windows Server 2008 (if it is running elevated or unelevated).

     

    Is there any other way to detect if an application is running elevated?

     

    Thank you!

     

    Friedrich
    Thursday, October 11, 2007 2:28 PM
  • Hi Friedrich,

     

    I’d suggest that there is almost never a good reason to check to see the elevation state. Instead, you should just separate out your admin code and use the shield icon to decorate the entry point.

     

    However, I tried in .NET in C# with the following code which worked fine for me.

     

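    using System;
    using System.Security.Principal;

    // Returns true when the current Windows identity is in the built-in
    // Administrators role; strIdentity receives the account name.
    bool IsAdmin(ref string strIdentity)
    {
        // Make principals created in this AppDomain Windows principals.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        WindowsPrincipal wp = new WindowsPrincipal(wi);

        strIdentity = wp.Identity.Name;

        return wp.IsInRole(WindowsBuiltInRole.Administrator);
    }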

     

    Hope it helps.

     

    Thanks.

    Amitava

     

    Friday, October 12, 2007 12:25 PM
  • Hi Amitava,

     

    Thank you for your reply.

     

    Yes, I agree.  But the problem is that two features in our software have to use Winsock.  This does not work for Standard Users.  So we check if the application is running elevated - if this is not the case, we display a message and ask the user to restart the application as administrator.  This works perfectly under Vista, but not in Windows Server 2008 :-(

     

    So we need something similar to the "Administrator permissions are recommended for running Visual Studio 2005 SP1" message in VS2005 SP1.

     

    Thanks again for all your help!!!!

     

    Friedrich

    Friday, October 12, 2007 12:38 PM
  • Hi Friedrich,

    Just trying to help although I'm Out Of Office for the next few weeks. However, this is where our recommendation is to divide your application into virtual segments. Separate the modules requiring Admin rights and manifest them with
    requestedExecutionLevel level="requireAdministrator".
    So, you won't need to know the run level, but automatically ask for admin credentials. Isn't it applicable to your case? You may visit this post in my blog if you need information on creating and adding a manifest.

    Thanks,
    Amitava
    Monday, October 15, 2007 5:24 PM
  • Amitava,

     

    Thanks so much for coming back to me although you are out of the office!

     

    During the last 18-24 months we read all available Vista documentation and our applications are Vista-aware.  Our software itself compiles Vista-aware applications.

     

    The problem is that we have to detect the run level from our IDE (and perhaps our customers have to do the same from their apps compiled with our system). For example, our IDE requests "asInvoker" privileges.  When running on Vista, it correctly returns TokenElevationTypeLimited.  If someone executes it with Run-as-administrator (it runs elevated now) then it returns TokenElevationTypeFull.  Perfect.

     

    This changed under Windows Server 2008 (and you kindly provided me with the new documentation).  So as it is now, it is impossible to programmatically detect whether an asInvoker or highestAvailable application is running elevated under Windows Server 2008 :-(

     

    We tried everything here but we did not find any solution :-(

     

    Thanks again,
    Friedrich

    Tuesday, October 16, 2007 6:23 AM
  • Hello Linder

    > Is there any other way to detect if an application is running elevated?

    Yes!

    Use
    GetTokenInformation(..., TokenElevation, ....)

    instead of
    GetTokenInformation(..., TokenElevationType, ....)

    That's it!

    Elmü

    Monday, May 23, 2011 2:41 PM
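
Elmü's suggestion as an added C example (not code from the thread or from Microsoft): it reads TokenElevation next to TokenElevationType, so a single, unsplit token can still be reported as elevated. The helper names and description strings are assumptions made here, and the Win32 part compiles only on Windows.

```c
#include <stdio.h>
#include <string.h>

/* Same values as the TOKEN_ELEVATION_TYPE enum in winnt.h. */
enum { ELEV_DEFAULT = 1, ELEV_FULL = 2, ELEV_LIMITED = 3 };

/* Hypothetical helper: explain a (TokenElevationType, TokenIsElevated) pair. */
const char *describe_elevation(int type, int is_elevated)
{
    if (type == ELEV_FULL)    return "split token, elevated half";
    if (type == ELEV_LIMITED) return "split token, filtered half";
    if (type == ELEV_DEFAULT) /* no split: the type alone says nothing */
        return is_elevated ? "single token, elevated"
                           : "single token, not elevated";
    return "unknown elevation type";
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical helper: read both values from the current process token.
   Returns 0 on success, -1 on failure. */
int query_elevation(int *type, int *is_elevated)
{
    HANDLE tok;
    TOKEN_ELEVATION elev;
    TOKEN_ELEVATION_TYPE et;
    DWORD len;
    int rc = -1;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return -1;
    if (GetTokenInformation(tok, TokenElevation, &elev, sizeof elev, &len) &&
        GetTokenInformation(tok, TokenElevationType, &et, sizeof et, &len)) {
        *type = (int)et;
        *is_elevated = elev.TokenIsElevated != 0;
        rc = 0;
    }
    CloseHandle(tok);
    return rc;
}

int main(void)
{
    int type = 0, elevated = 0;
    if (query_elevation(&type, &elevated) != 0)
        return 1;
    puts(describe_elevation(type, elevated));
    return 0;
}
#endif
```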