none
uac elevation by a service RRS feed

  • Question

  • Hi, I have a service running as local system which sometimes has to spawn another process running as the currently logged on administrator user. The spawned process needs elevated admin rights in order to perform its task which could be a software installation or configuration job.

    The question is; how does the service do this without the user having to click the uac dialog?

    The problem is that the user may be logged on but could be away (perhaps the job takes place at night) so there could be nobody to click the dialog. The way it works at the moment is that the service gets the token of the admin user then calls createprocessasuser. The spawned process, of course, runs under restricted admin rights which are insufficient for the task at hand.

    Any help gratefully received!

    Richard

     

    Monday, July 17, 2006 9:18 AM

All replies

  • We are having the same problem.  We're hoping someone can point us in the right direction.  I saw another post here talking about using a SID to elevate from low rights to medium rights, but we're still confused as well.  We know it must be possible because the Task Scheduler Service in Vista does it by using the "Use highest privileges" option when creating a new scheduled task...

     

    - Scott

    Wednesday, October 18, 2006 8:50 PM
  • Hi, I have found this snippit of information but have not actually tried this yet:

    1. use the LogonUser API to logon on the admin user and get their (not elevated) “filtered” token. You can also get the user token of an existing process running as admin.

    2. call GetTokenInformation with the InformationClass set to TOKEN_LINKED_TOKEN to get the full (elevated) token.

    3. You can then impersonate to the higher privileged token and spawn from there

    Richard

    .

    Thursday, October 19, 2006 9:12 AM
  • Richard,

    Thank you!!  Your suggestion worked perfectly.  We're on our way again.  I don't know how you found that snippet, but we're very glad you did.

    Thanks!!

    - Scott

    Monday, October 23, 2006 10:08 PM