Is it possible for a service to start a user app running with admin privilege?

Post by Polari » Sat, 17 Feb 2007 13:11:21


Hi Vista Experts:

I have a UI application which needs admin privilege to run on Vista. In
order for a non-admin user to run it, can I create a service and then the
service calls CreateProcessAsUser with a duplicate token of the service
itself to start the UI application for the non-admin user to interact with?
If the UI App is started this way, will it have the same privilege as the
service (and thus be able to run with admin privilege)?

Thanks in advance.

Polaris

Post by Chad Harri » Sat, 17 Feb 2007 14:34:01

Polaris--

I'd sure like to know what the application is. You should be able to rt.
click the program and give them permissions using the security tab which is
going to list all the user's profiles>add>edit, but I wouldn't think your
user would need to. What app do you have that others can't get permission
to run?

I would think that you could go to :\Windows\Program Files and if you need
to right click the folders and give the users you want privileges at the
security tab if you have to. I don't think a service would come into play
here.

CH

The Mighty Cheney has struck out. Chutzpah enough to pardon? In a psychotic
world anything goes for Bushey and Cheney.
The lawyuhs are richer a few million dollars. The closing arguments for the
defense should be good for Comedy Central and Saturday Night Live. Fitz has
been gentle in this case--but if he ever had a chance to tear this
administration a new one--it's on Closing Argument Tuesday.

Post by Polari » Sat, 17 Feb 2007 15:02:19

Thanks. Like I said, my app is an app with UI and it needs admin privilege
to run. What I'm trying to do is to find a way so that a non-admin user can
still run this application.

Polaris

Post by Chad Harri » Sat, 17 Feb 2007 15:40:37

Assigning permissions by right clicking the program>properties>security tab
should allow the non-admin user to run the program. Just add the user using
the edit button>by typing in user>check the privileges>close.

CH

Post by Kerry Brow » Sat, 17 Feb 2007 16:11:03

The whole point of the improved security in Vista is so that what you want
to do can't be done.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.yqcomputer.com/

Post by B. Nic » Sat, 17 Feb 2007 17:52:29

On Thu, 15 Feb 2007 23:11:03 -0800, "Kerry Brown"



Good point :-)

Post by David Hear » Sat, 17 Feb 2007 18:32:33


Yes, I expect that a service can respond in some way to a user trigger
(e.g. window message, comms on a particular port) and spawn a new process
with your application running with the service's privileges.

However - I understand that in Vista, services can no longer interact
with the standard desktop - in essence, you cannot have services which
have a GUI operating on the normal desktop. I suspect this means that
whilst your service could, in theory, start an application - the fact
you have a GUI on it means it wouldn't work as you expect. I'm not sure
how it would fail (whether app would start but you'd not see anything,
or wouldn't start at all). I guess they added this to stop services
being installed which would then be used to bypass UAC etc - just as you
thought.

There are some ways around this it seems, but they won't work as you
think. See
http://www.yqcomputer.com/ #appcomp_topic10

Specifically it says:

"Quick solution:

* If the application's service uses a UI, a built-in mitigation in
Windows Vista allows the user to interact with the Session 0 UI in a
special desktop. This will make available the UI specific to the
application, instead of the entire Session 0 desktop."

Hope that helps

David
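
The Session 0 isolation described in the post above can be checked from the defender's side. As an added example that is not part of the original thread, this PowerShell script lists processes that run as LocalSystem outside Session 0, which is where a service-launched admin UI on a user's desktop would show up. The function name and the allowlist of expected system processes are assumptions to tune for the machine being audited.

```powershell
# Added example: report processes that run as LocalSystem (SID S-1-5-18)
# outside Session 0, i.e. inside an interactive user's session.
# Run from an elevated prompt so owner lookups on protected processes succeed.

$LocalSystemSid = 'S-1-5-18'

# Assumption: processes Windows itself normally runs as SYSTEM in user sessions.
# Adjust this list for the Windows build being audited.
$ExpectedInSession = @('csrss.exe', 'winlogon.exe', 'LogonUI.exe', 'consent.exe')

function Get-SystemProcessOutsideSession0 {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.SessionId -ne 0 } |
        ForEach-Object {
            $proc = $_
            # GetOwnerSid returns the SID of the account that owns the process.
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid `
                                      -ErrorAction SilentlyContinue
            if ($owner -and $owner.ReturnValue -eq 0 -and $owner.Sid -eq $LocalSystemSid) {
                # Parent lookup is by PID; the parent may have exited or its PID
                # may have been reused, so treat this column as a hint only.
                $parent = Get-CimInstance -ClassName Win32_Process `
                                          -Filter "ProcessId = $($proc.ParentProcessId)"
                [pscustomobject]@{
                    Name      = $proc.Name
                    ProcessId = $proc.ProcessId
                    SessionId = $proc.SessionId
                    Parent    = if ($parent) { $parent.Name } else { '<exited>' }
                    Path      = $proc.ExecutablePath
                    Expected  = $ExpectedInSession -contains $proc.Name
                }
            }
        }
}

# Show only the SYSTEM processes that are not on the allowlist.
Get-SystemProcessOutsideSession0 |
    Where-Object { -not $_.Expected } |
    Sort-Object SessionId, Name |
    Format-Table -AutoSize
```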
 
 
 


Post by Dale » Sat, 17 Feb 2007 22:29:14

There is a reason for the distinction between admin and non-admin users. If
your user needs admin access, then make him an administrator.

Dale

Post by Dale » Sat, 17 Feb 2007 22:30:46

Let alone the fact that it would take less than an hour to test the whole
thing if the OP knows anything about how to create a Windows service app.

Dale