Vista: Out-proc servers vs requireAdministrator

11-23-2006

Hello everybody,

By design, our product has a set of applications which have
"requireAdministrator" in the manifest and a set of other which have
"asInvoker".
These applications use (when needed) a signle multi-use out-proc server
which has "asInvoker" in the manifest and does not need to be run elevated
(we even prohibit it from running elevated).

The problem that we see is when a client app with "requireAdministrator"
instantiates that out-proc server, the server's exe gets an an elevated
instance. And there's previously running instance of server's executable
with non-elevated context, now elevated clients cannot connect to that
either, spawning a new elevated instance.

How can we get our out-proc server be instantiated only in non-elevated
multi-use manner regardless of incoming client context?

Thanx in advance,
AlexC

11-25-2006

Don't mark the client as requiresAdministrator. Instead start the client
normally and move the requiresAdministrator functionality into another
process or com app. The client can then call the elevated process as
necessary and the client app which is running as the standard user should
start the other non-elevated process. If you start the application based on
the response of the elevated component it might be as simple as if
ElevatedComponent.DoSuchAndSuch() then start other process but if the
elevated process must initiate the request rather then the client you'll
need to establish a remoting channel or other form of IPC from the service
to the client, such as a WCF ServiceContract hosted by client application.
The client then becomes a service to the elevated process allowing the
elevated process to request the client application to start the non-elevated
process when necessary. As long as client application does not request
administrator priviliages it will not recieve them even if the user is
logged in as administrator.

- Kurt

"Alex Chmut" <AlexChmut"AT"MailShack"DOT"com> wrote in message
news:e2B3J$xDHHA.3524@TK2MSFTNGP06.phx.gbl...
> Hello everybody,
>
> By design, our product has a set of applications which have
> "requireAdministrator" in the manifest and a set of other which have
> "asInvoker".
> These applications use (when needed) a signle multi-use out-proc server
> which has "asInvoker" in the manifest and does not need to be run elevated
> (we even prohibit it from running elevated).
>
> The problem that we see is when a client app with "requireAdministrator"
> instantiates that out-proc server, the server's exe gets an an elevated
> instance. And there's previously running instance of server's executable
> with non-elevated context, now elevated clients cannot connect to that
> either, spawning a new elevated instance.
>
> How can we get our out-proc server be instantiated only in non-elevated
> multi-use manner regardless of incoming client context?
>
> Thanx in advance,
> AlexC
>
>

11-27-2006

Thanx, Kurt. It all makes sense. I'm just kind of disappointed with the
amount of work that needs to be done in order to have existing XP-compliant
apps to work properly under Vista.

AlexC

11-23-2006	#1 (permalink)
Alex Chmut Guest Posts: n/a	Vista: Out-proc servers vs requireAdministrator Hello everybody, By design, our product has a set of applications which have "requireAdministrator" in the manifest and a set of other which have "asInvoker". These applications use (when needed) a signle multi-use out-proc server which has "asInvoker" in the manifest and does not need to be run elevated (we even prohibit it from running elevated). The problem that we see is when a client app with "requireAdministrator" instantiates that out-proc server, the server's exe gets an an elevated instance. And there's previously running instance of server's executable with non-elevated context, now elevated clients cannot connect to that either, spawning a new elevated instance. How can we get our out-proc server be instantiated only in non-elevated multi-use manner regardless of incoming client context? Thanx in advance, AlexC
Alex Chmut Guest Posts: n/a

11-25-2006	#2 (permalink)
Kurt Harriger Guest Posts: n/a	Re: Vista: Out-proc servers vs requireAdministrator Don't mark the client as requiresAdministrator. Instead start the client normally and move the requiresAdministrator functionality into another process or com app. The client can then call the elevated process as necessary and the client app which is running as the standard user should start the other non-elevated process. If you start the application based on the response of the elevated component it might be as simple as if ElevatedComponent.DoSuchAndSuch() then start other process but if the elevated process must initiate the request rather then the client you'll need to establish a remoting channel or other form of IPC from the service to the client, such as a WCF ServiceContract hosted by client application. The client then becomes a service to the elevated process allowing the elevated process to request the client application to start the non-elevated process when necessary. As long as client application does not request administrator priviliages it will not recieve them even if the user is logged in as administrator. - Kurt "Alex Chmut" <AlexChmut"AT"MailShack"DOT"com> wrote in message news:e2B3J$xDHHA.3524@TK2MSFTNGP06.phx.gbl... > Hello everybody, > > By design, our product has a set of applications which have > "requireAdministrator" in the manifest and a set of other which have > "asInvoker". > These applications use (when needed) a signle multi-use out-proc server > which has "asInvoker" in the manifest and does not need to be run elevated > (we even prohibit it from running elevated). > > The problem that we see is when a client app with "requireAdministrator" > instantiates that out-proc server, the server's exe gets an an elevated > instance. And there's previously running instance of server's executable > with non-elevated context, now elevated clients cannot connect to that > either, spawning a new elevated instance. > > How can we get our out-proc server be instantiated only in non-elevated > multi-use manner regardless of incoming client context? > > Thanx in advance, > AlexC > >
Kurt Harriger Guest Posts: n/a

11-27-2006	#3 (permalink)
Alex Chmut Guest Posts: n/a	Re: Vista: Out-proc servers vs requireAdministrator Thanx, Kurt. It all makes sense. I'm just kind of disappointed with the amount of work that needs to be done in order to have existing XP-compliant apps to work properly under Vista. AlexC
Alex Chmut Guest Posts: n/a

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Print Servers w/ Vista	Peddlerp	Vista General	2	4 Weeks Ago 12:03 PM
repl mobo/proc - 0x7b error. Can't repair or reintsall	TomaxBlade	Vista installation & setup	4	02-11-2008 10:24 PM
Vista and Servers	Doug V.	Vista hardware & devices	1	07-20-2007 08:25 AM
Windows Experience Index goes down with more ram and faster proc.	EG	Vista performance & maintenance	2	03-12-2007 07:52 PM
Do Automatic Updates still use svchost? Please use a separate proc	BillD	Vista security	2	05-28-2006 05:25 AM