Click here to Skip to main content
Click here to Skip to main content

Elevating during runtime

, 15 Feb 2013
Rate this:
Please Sign up or sign in to vote.
How can an applicaiton elevate itself to gain "Admin" rights during runtime

Download ElevateUAC.zip - 9.37 KB (Executable)

Download HowToElevate_By_Michael_Haephrati.zip - 10.1 KB (Source Code)

Introduction

This article explains how to elevate an applicaiton during runtime.

Background

Some actions and tasks require elevation to an Admin rights. The User Access Control mechanism (UAC) provides the protection required to prevent performing critical changes by users other than the ones with Admin privileges. For example, if your application needs to make a change in the Registry, it will require Admin users to run it.

What happens if your application would not require Admin rights except for certain occasions, i.e. during first run only. In such case, you might prefer building your application with no specific requirement to be ran in Admin mode, but when it needs to make a Registry change, only then, it will elevate itself to Admin mode.

Here is how that is done.

What is UAC

User Account Control (UAC) is a mechanism developed by Microsoft as part of the newer Windows versions (starting of Vista). It provides higher security level by limiting applications from performing sensitive and dangerous tasks without gaining administrative rights.

Is it really possible to elevate during runtime?

Well, not exactly. The entire idea behind UAC is to prevent users with limited access rights to perform tasks that require higher access rights, so when an applicaiton is executed in "user" mode, it can't change itself, as if it was initially ran in "Admin" mode. The trick is to be able to elevate itself during runtime, when required, by restarting it, elevated to "admin" this time.

Am I running in Admin mode?

This is the first question you should ask when you need to do something that requires administrative priveleges. If your applicaiton was already started in "admin" rights, there is no need to elevate. Only when a certain task you are about to perform, requries "admin" rights, and your applicaiton was started in "user" mode, you need to elevate. So to begin with, how can you determine if your application is ran elevated already.

First, you allocate and initilize a SID of the Admin group. According to MSDN, A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.

Before we proceed, lets get familiar with another function, CheckTokenMembership:

The CheckTokenMembership function determines whether a specified security identifier (SID) is enabled in an access token. In order to determine group membership for tokens of applications, CheckTokenMembershipEx is used instead.

For our purpuse, we can call CheckTokenMembership and by doing so, enquire whether the SID is enabled in the primary access token of the process.

To sum the first part, here is how we check if our applicaiton is running with administrative priveleges:

//
BOOL IsAppRunningAsAdminMode()
{
    BOOL fIsRunAsAdmin = FALSE;
    DWORD dwError = ERROR_SUCCESS;
    PSID pAdministratorsGroup = NULL;

    // Allocate and initialize a SID of the administrators group.
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    if (!AllocateAndInitializeSid(
        &NtAuthority, 
        2, 
        SECURITY_BUILTIN_DOMAIN_RID, 
        DOMAIN_ALIAS_RID_ADMINS, 
        0, 0, 0, 0, 0, 0, 
        &pAdministratorsGroup))
    {
        dwError = GetLastError();
        goto Cleanup;
    }

    // Determine whether the SID of administrators group is enabled in 
    // the primary access token of the process.
    if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin))
    {
        dwError = GetLastError();
        goto Cleanup;
    }

Cleanup:
    // Centralized cleanup for all allocated resources.
    if (pAdministratorsGroup)
    {
        FreeSid(pAdministratorsGroup);
        pAdministratorsGroup = NULL;
    }

    // Throw the error if something failed in the function.
    if (ERROR_SUCCESS != dwError)
    {
        throw dwError;
    }

    return fIsRunAsAdmin;
}
// 

If IsAppRunningAsAdminMode returns TRUE, then there is nothing left to be done, and everything is OK to continue with any task.

If it returns FALSE, then we need to elevate.

How to Elevate

320748/Elevator.jpg

The way we elevate during runtime is obtaining the application name and path and executing it elevated to "Admin", while the currently running instance, of course, must terminate.

We also need to address the scenario in which the end user refuses to confirm this elevation, which is addressed, as you can see in the following code:

wchar_t szPath[MAX_PATH];
if (GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath)))
{
    // Launch itself as admin
    SHELLEXECUTEINFO sei = { sizeof(sei) };
    sei.lpVerb = L"runas";
    sei.lpFile = szPath;
    sei.hwnd = NULL;
    sei.nShow = SW_NORMAL;
    if (!ShellExecuteEx(&sei))
    {
        DWORD dwError = GetLastError();
        if (dwError == ERROR_CANCELLED)
        {
            // The user refused to allow privileges elevation.
            std::cout << "User did not allow elevation" << std::endl;
        }
    }
    else
    {
        _exit(1);  // Quit itself
    }
}  

Running my POC

I have written a little POC to demonstrate this idea.

320748/HowToElevate-1.jpg

After pressing "Y", the applicaiton will try to elevate itself, only if it is not ran in Admin privileges already.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Michael N. Haephrati
CEO
United States United States
Michael Haephrati, is an entrepreneur, inventor and a musician. Haephrati worked on many ventures starting from HarmonySoft, designing Rashumon, the first Graphical Multi-lingual word processor for Amiga computer. During 1995-1996 he worked as a Contractor with Apple at Cupertino. Worked at a research institute made the fist steps developing the credit scoring field in Israel. He founded Target Scoring and developed a credit scoring system named ThiS, based on geographical statistical data, participating VISA CAL, Isracard, Bank Leumi and Bank Discount (Target Scoring, being the VP Business Development of a large Israeli institute).

During 2000, he founded Target Eye, and developed the first remote PC surveillance and monitoring system, named Target Eye.

Other ventures included: Data Cleansing (as part of the DataTune system which was implemented in many organizations.


Follow on   Twitter   Google+   LinkedIn

Comments and Discussions

 
QuestionNo elevation - but process creation PinmemberAjay Vijayvargiya29-Jan-12 16:18 
AnswerRe: No elevation - but process creation PinmemberMichael Haephrati29-Jan-12 21:55 
GeneralRe: No elevation - but process creation Pinmemberzart_zurt30-Jan-12 3:36 
GeneralRe: No elevation - but process creation PinmemberMichael Haephrati30-Jan-12 5:04 
GeneralRe: No elevation - but process creation PinmemberAjay Vijayvargiya30-Jan-12 16:01 
GeneralRe: No elevation - but process creation PinmemberAjay Vijayvargiya30-Jan-12 15:58 
AnswerRe: No elevation - but process creation PinmvpMichael Haephrati מיכאל האפרתי20-Feb-13 7:33 
GeneralRe: No elevation - but process creation PinmemberAjay Vijayvargiya20-Feb-13 15:56 
GeneralRe: No elevation - but process creation PinmvpMichael Haephrati20-Feb-13 19:30 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web04 | 2.8.140709.1 | Last Updated 16 Feb 2013
Article Copyright 2012 by Michael N. Haephrati
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid