Windows Vista Forums

Is it possible for a service to start a user app running with admin privilege?

Old 02-15-2007   #1 (permalink)
Polaris
Guest


 

Is it possible for a service to start a user app running with admin privilege?

Hi Vista Experts:

I have an UI application which needs admin privilege to run on Vista. In
order for non-admin user to run it, can I create a service and then the
service calls CreateProcessAsUser with a duplicate token of the service
itself to start the UI application for the non-admin user to interact with?
If the UI App is started this way, will it have the same privilege as the
service (and thus be able to run with admin privilege)?

Thanks in advance.

Polaris



Old 02-15-2007   #2 (permalink)
Chad Harris
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

Polaris--

I'd sure like to know what the application is. You should be able to rt.
click the program and give them permissions using the security tab which is
going to list all the user's profiles>add>edit, but I wouldn't think your
user would need to. What app do you have that others can't get permission
to run?

I would think that you could go to :\Windows\Program Files and if you need
to right click the folders and give the users you want privileges at the
security tab if you have to. I don't think a service would come into play
here.

CH

The Mighty Cheney has struck out. Chutzpah enough to pardon? In a psychotic
world anything goes for Bushey and Cheney.
The lawyuhs are richer a few million dollars. The closing arguments for the
defense should be good for Comedy Central and Saturday Night Live. Fitz has
been gentle in this case--but if he ever had a chance to tear this
administration a new one--it's on Closing Argument Tuesday.


"Polaris" <etpolaris@hotmail.com> wrote in message
news:%23e%23WPCYUHHA.528@TK2MSFTNGP03.phx.gbl...
> Hi Vista Experts:
>
> I have an UI application which needs admin privilege to run on Vista. In
> order for non-admin user to run it, can I create a service and then the
> service calls CreateProcessAsUser with a duplicate token of the service
> itself to start the UI application for the non-admin user to interact
> with? If the UI App is started this way, will it have the same privilege
> as the service (and thus be able to run with admin privilege)?
>
> Thanks in advance.
>
> Polaris
>


Old 02-16-2007   #3 (permalink)
Polaris
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

Thanks. Like I said, my app is an app with UI and it needs admin privilege
to run, what I'm trying to do is to find a way so that non-admin user can
still run this application.

Polaris

"Chad Harris" <vistaneedsmuchowork.net> wrote in message
news:uPUoWwYUHHA.5060@TK2MSFTNGP06.phx.gbl...
> Polaris--
>
> I'd sure like to know what the application is. You should be able to rt.
> click the program and give them permissions using the security tab which
> is going to list all the user's profiles>add>edit, but I wouldn't think
> your user would need to. What app do you have that others can't get
> permission to run?
>
> I would think that you could go to :\Windows\Program Files and if you need
> to right click the folders and give the users you want privileges at the
> security tab if you have to. I don't think a service would come into play
> here.
>
> CH
>
> The Mighty Cheney has struck out. Chutzpah enough to pardon? In a
> psychotic world anything goes for Bushey and Cheney.
> The lawyuhs are richer a few million dollars. The closing arguments for
> the defense should be good for Comedy Central and Saturday Night Live.
> Fitz has been gentle in this case--but if he ever had a chance to tear
> this administration a new one--it's on Closing Argument Tuesday.
>
>
> "Polaris" <etpolaris@hotmail.com> wrote in message
> news:%23e%23WPCYUHHA.528@TK2MSFTNGP03.phx.gbl...
>> Hi Vista Experts:
>>
>> I have an UI application which needs admin privilege to run on Vista. In
>> order for non-admin user to run it, can I create a service and then the
>> service calls CreateProcessAsUser with a duplicate token of the service
>> itself to start the UI application for the non-admin user to interact
>> with? If the UI App is started this way, will it have the same privilege
>> as the service (and thus be able to run with admin privilege)?
>>
>> Thanks in advance.
>>
>> Polaris
>>

>



Old 02-16-2007   #4 (permalink)
Chad Harris
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

Assigning permissions by right clicking the program>properties>security tab
should allow the non-admin user to run the program. Just add the user using
the edit button>by typing in user>check the privileges>close.

CH

"Polaris" <etpolaris@hotmail.com> wrote in message
news:%231BoJAZUHHA.600@TK2MSFTNGP05.phx.gbl...
> Thanks. Like I said, my app is an app with UI and it needs admin privilege
> to run, what I'm trying to do is to find a way so that non-admin user can
> still run this application.
>
> Polaris
>
> "Chad Harris" <vistaneedsmuchowork.net> wrote in message
> news:uPUoWwYUHHA.5060@TK2MSFTNGP06.phx.gbl...
>> Polaris--
>>
>> I'd sure like to know what the application is. You should be able to rt.
>> click the program and give them permissions using the security tab which
>> is going to list all the user's profiles>add>edit, but I wouldn't think
>> your user would need to. What app do you have that others can't get
>> permission to run?
>>
>> I would think that you could go to :\Windows\Program Files and if you
>> need to right click the folders and give the users you want privileges at
>> the security tab if you have to. I don't think a service would come into
>> play here.
>>
>> CH
>>
>> The Mighty Cheney has struck out. Chutzpah enough to pardon? In a
>> psychotic world anything goes for Bushey and Cheney.
>> The lawyuhs are richer a few million dollars. The closing arguments for
>> the defense should be good for Comedy Central and Saturday Night Live.
>> Fitz has been gentle in this case--but if he ever had a chance to tear
>> this administration a new one--it's on Closing Argument Tuesday.
>>
>>
>> "Polaris" <etpolaris@hotmail.com> wrote in message
>> news:%23e%23WPCYUHHA.528@TK2MSFTNGP03.phx.gbl...
>>> Hi Vista Experts:
>>>
>>> I have an UI application which needs admin privilege to run on Vista. In
>>> order for non-admin user to run it, can I create a service and then the
>>> service calls CreateProcessAsUser with a duplicate token of the service
>>> itself to start the UI application for the non-admin user to interact
>>> with? If the UI App is started this way, will it have the same privilege
>>> as the service (and thus be able to run with admin privilege)?
>>>
>>> Thanks in advance.
>>>
>>> Polaris
>>>

>>

>
>


Old 02-16-2007   #5 (permalink)
Kerry Brown
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

The whole point of the improved security in Vista is so that what you want
to do can't be done.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


"Polaris" <etpolaris@hotmail.com> wrote in message
news:%231BoJAZUHHA.600@TK2MSFTNGP05.phx.gbl...
> Thanks. Like I said, my app is an app with UI and it needs admin privilege
> to run, what I'm trying to do is to find a way so that non-admin user can
> still run this application.
>
> Polaris
>
> "Chad Harris" <vistaneedsmuchowork.net> wrote in message
> news:uPUoWwYUHHA.5060@TK2MSFTNGP06.phx.gbl...
>> Polaris--
>>
>> I'd sure like to know what the application is. You should be able to rt.
>> click the program and give them permissions using the security tab which
>> is going to list all the user's profiles>add>edit, but I wouldn't think
>> your user would need to. What app do you have that others can't get
>> permission to run?
>>
>> I would think that you could go to :\Windows\Program Files and if you
>> need to right click the folders and give the users you want privileges at
>> the security tab if you have to. I don't think a service would come into
>> play here.
>>
>> CH
>>
>> The Mighty Cheney has struck out. Chutzpah enough to pardon? In a
>> psychotic world anything goes for Bushey and Cheney.
>> The lawyuhs are richer a few million dollars. The closing arguments for
>> the defense should be good for Comedy Central and Saturday Night Live.
>> Fitz has been gentle in this case--but if he ever had a chance to tear
>> this administration a new one--it's on Closing Argument Tuesday.
>>
>>
>> "Polaris" <etpolaris@hotmail.com> wrote in message
>> news:%23e%23WPCYUHHA.528@TK2MSFTNGP03.phx.gbl...
>>> Hi Vista Experts:
>>>
>>> I have an UI application which needs admin privilege to run on Vista. In
>>> order for non-admin user to run it, can I create a service and then the
>>> service calls CreateProcessAsUser with a duplicate token of the service
>>> itself to start the UI application for the non-admin user to interact
>>> with? If the UI App is started this way, will it have the same privilege
>>> as the service (and thus be able to run with admin privilege)?
>>>
>>> Thanks in advance.
>>>
>>> Polaris
>>>

>>

>
>


Old 02-16-2007   #6 (permalink)
Jesper
Guest


 

Re: Is it possible for a service to start a user app running with

I think Polaris is trying to get at something else. Kerry summed it up: no.
Why does your app need admin privs? Can you factor out the components that do
and use COM Monikers to elevate those? If not, it is an administrative
application and ordinary users should not run it in the first place.

"Chad Harris" wrote:

> Assigning permissions by right clicking the program>properties>security tab
> should allow the non-admin user to run the program. Just add the user using
> the edit button>by typing in user>check the privileges>close.
>


Old 02-16-2007   #7 (permalink)
B. Nice
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

On Thu, 15 Feb 2007 23:11:03 -0800, "Kerry Brown"
<kerry@kdbNOSPAMsys-tems.c*a*m> wrote:

>The whole point of the improved security in Vista is so that what you want
>to do can't be done.


Good point :-)
Old 02-16-2007   #8 (permalink)
David Hearn
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

Polaris wrote:
> Hi Vista Experts:
>
> I have an UI application which needs admin privilege to run on Vista. In
> order for non-admin user to run it, can I create a service and then the
> service calls CreateProcessAsUser with a duplicate token of the service
> itself to start the UI application for the non-admin user to interact with?
> If the UI App is started this way, will it have the same privilege as the
> service (and thus be able to run with admin privilege)?


Yes, I expect that a service can respond in some way to a user trigger
(eg. window message, comms on a particular port) and spawn a new process
with your application running with the service's privileges.

However - I understand that in Vista, services can no longer interact
with the standard desktop - in essence, you cannot have services which
have a GUI operating on the normal desktop. I suspect this means that
whilst your service could, in theory, start an application - the fact
you have a GUI on it means it wouldn't work as you expect. I'm not sure
how it would fail (whether app would start but you'd not see anything,
or wouldn't start at all). I guess they added this to stop services
being installed which would then be used to bypass UAC etc - just as you
thought.

There are some ways around this it seems, but they won't work as you
think. See
http://msdn2.microsoft.com/en-us/lib...ppcomp_topic10

Specifically it says:

"Quick solution:

* If the application's service uses a UI, a built-in mitigation in
Windows Vista allows the user to interact with the Session 0 UI in a
special desktop. This will make available the UI specific to the
application, instead of the entire Session 0 desktop."

Hope that helps

David
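
An added example, not part of David's post or of the thread: a PowerShell audit that lists processes owned by LocalSystem outside Session 0, which is what a service-launched UI of the kind asked about would look like on a machine. It assumes PowerShell 3.0 or later (for the CIM cmdlets) and an elevated prompt; the function name and the allowlist of expected Windows components are assumptions to adjust per system.

```powershell
# Added example: flag processes that run as LocalSystem in an interactive session.
# Services run in Session 0; user desktops are in sessions 1 and up, so a
# SYSTEM-owned process in a user session deserves a look.

# Assumption: Windows components that normally run as SYSTEM in a user
# session. Extend this list for the system being audited.
$expected = @('csrss.exe', 'winlogon.exe', 'LogonUI.exe')

function Get-SystemProcessInUserSession {
    param([string[]]$Allow = $expected)

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.SessionId -ne 0 -and $Allow -notcontains $_.Name } |
        ForEach-Object {
            $proc = $_
            # GetOwnerSid fails for processes the caller cannot open; skip those.
            $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid `
                         -ErrorAction SilentlyContinue
            # S-1-5-18 is the well-known SID of LocalSystem (locale independent).
            if ($owner -and $owner.ReturnValue -eq 0 -and $owner.Sid -eq 'S-1-5-18') {
                [pscustomobject]@{
                    Name      = $proc.Name
                    ProcessId = $proc.ProcessId
                    ParentId  = $proc.ParentProcessId
                    SessionId = $proc.SessionId
                    Path      = $proc.ExecutablePath
                }
            }
        }
}

Get-SystemProcessInUserSession |
    Sort-Object SessionId, Name |
    Format-Table -AutoSize
```

The ParentId column helps trace a hit back to the service process that launched it.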
Old 02-16-2007   #10 (permalink)
Dale
Guest


 

Re: Is it possible for a service to start a user app running with admin privilege?

There is a reason for the distinction between admin and non-admin users. If
your user needs admin access, then make him an administrator.

Dale

"Polaris" <etpolaris@hotmail.com> wrote in message
news:%231BoJAZUHHA.600@TK2MSFTNGP05.phx.gbl...
> Thanks. Like I said, my app is an app with UI and it needs admin privilege
> to run, what I'm trying to do is to find a way so that non-admin user can
> still run this application.
>
> Polaris
>
> "Chad Harris" <vistaneedsmuchowork.net> wrote in message
> news:uPUoWwYUHHA.5060@TK2MSFTNGP06.phx.gbl...
>> Polaris--
>>
>> I'd sure like to know what the application is. You should be able to rt.
>> click the program and give them permissions using the security tab which
>> is going to list all the user's profiles>add>edit, but I wouldn't think
>> your user would need to. What app do you have that others can't get
>> permission to run?
>>
>> I would think that you could go to :\Windows\Program Files and if you
>> need to right click the folders and give the users you want privileges at
>> the security tab if you have to. I don't think a service would come into
>> play here.
>>
>> CH
>>
>> The Mighty Cheney has struck out. Chutzpah enough to pardon? In a
>> psychotic world anything goes for Bushey and Cheney.
>> The lawyuhs are richer a few million dollars. The closing arguments for
>> the defense should be good for Comedy Central and Saturday Night Live.
>> Fitz has been gentle in this case--but if he ever had a chance to tear
>> this administration a new one--it's on Closing Argument Tuesday.
>>
>>
>> "Polaris" <etpolaris@hotmail.com> wrote in message
>> news:%23e%23WPCYUHHA.528@TK2MSFTNGP03.phx.gbl...
>>> Hi Vista Experts:
>>>
>>> I have an UI application which needs admin privilege to run on Vista. In
>>> order for non-admin user to run it, can I create a service and then the
>>> service calls CreateProcessAsUser with a duplicate token of the service
>>> itself to start the UI application for the non-admin user to interact
>>> with? If the UI App is started this way, will it have the same privilege
>>> as the service (and thus be able to run with admin privilege)?
>>>
>>> Thanks in advance.
>>>
>>> Polaris
>>>

>>

>
>


Vistax64.com is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media 2005-2008
