Dropping privileges in C++ on Windows - c++

Is it possible for a C++ application running on Windows to drop privileges at runtime?
For instance, if a user starts my application as Administrator, but there's no reason to run my application as administrator, can I in some way give up the Administrator-privileges?
In short, I would like to write code in the main() function which drops privileges I don't need (for instance, Write access on the Windows directory).

Yes, you can use AdjustTokenPrivileges to remove unneeded and dangerous privileges from your token. You can either disable if not immediately needed (the privilege can be enabled later) or remove a privilege from your token altogether.
You can also create a restricted token via CreateRestrictedToken and relaunch your application running with that restricted token. CreateRestrictedToken can be used to disable privileges and remove groups (like Administrators Group) from a token.
You may be able to use AdjustTokenGroups to remove the administrator group from the token of your running process, but I've never tried this on an already running process.
Note that write-access to the Windows directory is not covered by a privilege. Resources in the system have ACLs which govern who has access. System and administrators have write-access to the Windows directory.
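The AdjustTokenPrivileges route described in the answer above, as an added example that is not part of the original answer: it permanently removes every privilege that is not on a keep-list, using SE_PRIVILEGE_REMOVED. The names must_keep, kKeep and drop_unneeded_privileges are hypothetical, and the Win32 part is compiled only on Windows.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif
// Case-insensitive match of a privilege name against the keep-list.
bool must_keep(const std::string& name, const std::vector<std::string>& keep) {
    auto same = [](unsigned char a, unsigned char b) {
        return std::tolower(a) == std::tolower(b);
    };
    return std::any_of(keep.begin(), keep.end(), [&](const std::string& k) {
        return k.size() == name.size() &&
               std::equal(k.begin(), k.end(), name.begin(), same);
    });
}

// Constructed keep-list (an assumption): only the traverse-checking privilege.
const std::vector<std::string> kKeep = {"SeChangeNotifyPrivilege"};
#ifdef _WIN32
// Permanently removes every privilege not on `keep` from this process's token.
bool drop_unneeded_privileges(const std::vector<std::string>& keep) {
    HANDLE tok = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &tok))
        return false;
    DWORD len = 0;
    GetTokenInformation(tok, TokenPrivileges, nullptr, 0, &len);  // size query
    std::vector<BYTE> buf(len);
    auto* tp = reinterpret_cast<TOKEN_PRIVILEGES*>(buf.data());
    bool ok = len && GetTokenInformation(tok, TokenPrivileges, tp, len, &len);
    DWORD n = 0;  // entries to remove are compacted to the front of the array
    for (DWORD i = 0; ok && i < tp->PrivilegeCount; ++i) {
        char name[256];
        DWORD cch = sizeof(name);
        ok = LookupPrivilegeNameA(nullptr, &tp->Privileges[i].Luid, name, &cch);
        if (ok && !must_keep(name, keep))
            tp->Privileges[n++] = {tp->Privileges[i].Luid, SE_PRIVILEGE_REMOVED};
    }
    if (ok && n) {
        tp->PrivilegeCount = n;
        ok = AdjustTokenPrivileges(tok, FALSE, tp, 0, nullptr, nullptr) &&
             GetLastError() == ERROR_SUCCESS;  // not ERROR_NOT_ALL_ASSIGNED
    }
    CloseHandle(tok);
    return ok;
}
#endif
```

A removed privilege cannot be enabled again for the life of the process, and the token's group membership is untouched, so ACL-based access such as writing to the Windows directory is not affected by this call.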

Related

How do I find (and remove) locations in my code that require administrator privileges?

I have a multi-process application that was originally developed in XP and was originally designed with no regard to administrator privileges. We used to configure and sell computers with the software. We are now selling the application by itself, without the hardware, to be installed on user systems in a corporate environment. Currently our software package requires our users to run in administrator mode, which is not making us popular with our customers' IT departments.
I have been working to remove items that obviously require administrator privileges (writing to HKLM in the registry, writing to the Program Files folders). However, Windows continues to require administrator rights to run the software. If I deny the rights, it closes with no logs. It has a lot of legacy code, and so finding hints as to where the administrator access is happening has proven difficult.
Is there an easy way to see what is being accessed or done that is hitting Windows 10 admin requirements?
Currently I have moved writing of data files I could identify to the Program Data folder or to user documents (depending on whether I want users to be able to easily find them or not).
Configuration files have been moved to user folders.
Registry key access has been kept to HKLU or read-only in HKLM.
Thank you all for the help. I ended up finding the answer in the C# based launcher for our software, which was starting all processes with the verb "runas" set:
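    try
    {
        // The "runas" verb asks the shell to start the process elevated.
        myProcess.StartInfo.Verb = "runas";
        myProcess.StartInfo.FileName = command;
        myProcess.StartInfo.WorkingDirectory = workingDir;
        myProcess.StartInfo.Arguments = prams;
        myProcess.Start();
    }
    catch (Exception ex) { } // any failure to start is silently ignored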
I removed the "runas" verb and now the system is not requesting admin privileges on the started pieces of code.
I found the cause when I tried to set up a debug run from the Program Files directory and started the code without going through the launcher (started in a debugger). The system did not request administrative permissions, which led me back to the launcher. I recently got the launcher to run without needing administrative permissions and so I had assumed that the problem was in the other processes. Seems I was mistaken.

How can I view whether my application requires elevated privileges or not?

I'm developing an application in C++ which needs to be as portable as possible and be able to run without elevated privileges, so a regular user can run it.
But I'm not sure how can I check it because in my system it runs without any popup like UAC or asking for privileges. Is there a way to check required privileges by an application?
There are two ways an application can cause Windows to display the UAC prompt to acquire higher privileges:
Heuristic
Windows includes a heuristic-based detection mechanism that tries to detect whether your application should be classified as an "installer" and should thus require elevated privileges. This is done automatically and can cause problems if it has a false-alarm and this causes your program to require elevated privileges.
Explicit
If you do not want to rely on the automatic detection system to correctly classify your application, you can explicitly state what elevation level your application needs by modifying your application's manifest.
Quoting this MSDN article:
asInvoker requesting no additional permissions. This level requires no additional trust prompts.
This is what you should use in your case if you want to guarantee that your application will not be categorized wrongly.
If you do not mark it explicitly in the app manifest, it should not require elevated privileges; however, you need to ensure all functionality works.
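One way to check a built binary for both mechanisms described above, as an added example that is not part of the original answers: it reads the requestedExecutionLevel from the manifest text embedded in the file and, when none is present, flags file names that could trip installer detection. It assumes the manifest is stored as plain single-byte text; the function names, the Elevation enum and the sample bytes are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

enum class Elevation { None, Always, IfAdmin, HeuristicRisk, Unknown };

// Value of level="..." inside <requestedExecutionLevel ...>, searched in the
// raw bytes of an EXE or .manifest file; empty string if not present.
std::string requested_level(const std::string& bytes) {
    const std::string tag = "requestedExecutionLevel";
    const auto npos = std::string::npos;
    size_t p = bytes.find(tag);
    if (p == npos) return "";
    size_t end = bytes.find('>', p);                 // end of that element
    size_t a = bytes.find("level", p + tag.size());  // the attribute name
    if (end == npos || a == npos || a > end) return "";
    size_t q1 = bytes.find_first_of("\"'", a);       // opening quote
    if (q1 == npos || q1 > end) return "";
    size_t q2 = bytes.find(bytes[q1], q1 + 1);       // matching closing quote
    if (q2 == npos || q2 > end) return "";
    return bytes.substr(q1 + 1, q2 - q1 - 1);
}

// File-name keywords that Microsoft's UAC documentation gives as examples for
// installer detection. The heuristic only applies to 32-bit executables with
// no requestedExecutionLevel; bitness is not checked here.
bool name_looks_like_installer(std::string name) {
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    for (const char* kw : {"install", "setup", "update"})
        if (name.find(kw) != std::string::npos) return true;
    return false;
}

Elevation classify(const std::string& file_name, const std::string& bytes) {
    const std::string level = requested_level(bytes);
    if (level == "asInvoker") return Elevation::None;
    if (level == "requireAdministrator") return Elevation::Always;
    if (level == "highestAvailable") return Elevation::IfAdmin;
    if (!level.empty()) return Elevation::Unknown;
    return name_looks_like_installer(file_name) ? Elevation::HeuristicRisk
                                                : Elevation::None;
}

// Constructed sample: manifest fragment as it would sit inside an EXE image.
const std::string kSample =
    "MZ....<trustInfo><security><requestedPrivileges>"
    "<requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>"
    "</requestedPrivileges></security></trustInfo>....";
```

Run it over the bytes of the release build in CI so that a missing manifest or an unexpected requireAdministrator is caught before shipping.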

Can AdjustTokenPrivileges elevate the privilege as Administrator?

Programs under Windows that need administrator privilege must get the user's permission when they start. They can also run with administrator privilege by right-clicking the EXE and selecting "Run as Administrator". But, before the EXE starts, a message box will show up. It's really disgusting.
Now I want my application to run as the Administrator, and I don't want the popup message box when the user clicks the EXE file.
Now I wonder whether the AdjustTokenPrivileges function can help me achieve this.
Can anyone help me?
You're getting confused between rights and privileges. At least from the viewpoint of the Windows API, the two are entirely different (though they're otherwise treated as synonymous a great deal of the time, at least when dealing with "what you can do on Windows").
What you're really looking for is the ability to elevate rights. Short of some defect in the security model of the system, you shouldn't be able to do this. To get administrative rights, the intent is that the code should have to run under an administrative account -- either by the user initially logging in as an administrator, or else by them entering the credentials at run time as you've seen.
Privileges (which are what AdjustTokenPrivileges actually manipulates) are things you have the right to do, but still aren't allowed to do without specifically enabling that privilege. For example, let's assume you start out logged in as an administrator. That gives you the right to adjust the system clock -- but adjusting the system clock is something normal programs almost never have a reason to do, so they added an extra step, before you can do it -- you need to enable the SE_SYSTEMTIME privilege before you can make use of that right.
If you're logged in under an account that doesn't have the right to change the system time, you simply can't do it. If you're logged into an account that can change it, you have to enable the privilege first before you can do it.
Bottom line: AdjustTokenPrivileges won't accomplish what you're trying to do.
Actually there is a way, which allows you to change security credentials for the thread by calling the LogonUser API function. It returns a handle to a token which could be used in ImpersonateLoggedOnUser and CreateProcessAsUser calls. This technique is called impersonalization.
However, I think you are trying to achieve a different thing - to run a process with elevated administrative rights without UAC user notification. You could either disable UAC completely in the msconfig utility, which is a pretty bad solution, or leave your program as it is, because to be quite frank, the user has a right to know when your program is running with superuser privileges, and disabling these notifications should be his decision.

How and What to write in Registry to Auto-Restart a Program on Windows Startup

I want to design the program in such a way that whenever it is installed, it should auto-restart on Windows startup for all users of Windows.
My foremost requirement is that I cannot give my program admin rights, as it has to run in a limited account or sometimes on admin accounts with UAC enabled to the max level.
What and where should I write in the registry to achieve this? Or, if the registry cannot be modified for all users without admin privileges, is there any alternate way to restart the program after Windows boots up?
As far as I know, one alternate way is to install our program in the Startup folder. However, please let me know if it is feasible to install the program without admin privileges in the Startup folder for all users, and whether all write operations can be performed in the Startup folder even for a limited account user.
The simple answer is: You can't. Vista and above (and XP if you're not running under a power user or administrator account) has no write-access to HKEY_LOCAL_MACHINE.
You also need administrative privileges to install an application for all users; without that privilege, you can only install for the current logged in user. This means that installing a shortcut in the "all users" startup folder won't work either.
Barring an exploitable security vulnerability, only Admin accounts can do things that affect other users on the machine, such as setting keys in HKEY_LOCAL_MACHINE, registering programs to run for other users via the Task Scheduler, or installing a service. This is by design.

How to launch an application with admin rights in c++?

I need to do some registry operations and other system operations, and for that I need admin permission. Currently the user has to start my application with "Run as administrator".
So how could I launch my application with admin rights?
CreateProcessAsUser or CreateProcessWithLogonW is the main thing you need. For CreateProcessAsUser, you'll need to use a few other things to make it do its tricks though (e.g., AdjustTokenPrivileges to enable the privileges it uses, and LogonUser to get a user's token).
You can also use ShellExecuteEx() for this purpose. This routine expects a SHELLEXECUTEINFO structure to be passed to it. The relevant attribute of this structure is "lpVerb", which has to be set to a value "runas". This will ensure that the task is run with elevated privileges.
The answers deal with starting it programmatically, but if the program's entire purpose is to run as admin to make these changes, you can add an appropriate manifest to make Windows elevate for you.
If just part of your application needs admin access, look at COM elevation.