
Elevating during runtime

By Michael Haephrati, 15 Feb 2013
 

Download ElevateUAC.zip - 9.37 KB (Executable)

Download HowToElevate_By_Michael_Haephrati.zip - 10.1 KB (Source Code)

Introduction

This article explains how to elevate an application during runtime.

Background

Some actions and tasks require elevation to Admin rights. The User Account Control (UAC) mechanism provides the protection required to prevent critical changes from being made by users who lack Admin privileges. For example, if your application needs to make a change in the Registry, it will require Admin users to run it.

What if your application does not require Admin rights except on certain occasions, for example during the first run only? In such a case, you might prefer to build your application with no requirement to run in Admin mode, and have it elevate itself to Admin mode only when it needs to make a Registry change.

Here is how that is done.

What is UAC

User Account Control (UAC) is a mechanism introduced by Microsoft in the newer Windows versions (starting with Vista). It provides a higher level of security by preventing applications from performing sensitive and dangerous tasks without first gaining administrative rights.

Is it really possible to elevate during runtime?

Well, not exactly. The entire idea behind UAC is to prevent users with limited access rights from performing tasks that require higher access rights, so when an application is executed in "user" mode, it can't change itself to behave as if it had initially been run in "Admin" mode. The trick is for the application to elevate itself during runtime, when required, by restarting itself, this time elevated to "admin".

Am I running in Admin mode?

This is the first question you should ask when you need to do something that requires administrative privileges. If your application was already started with "admin" rights, there is no need to elevate. You need to elevate only when a task you are about to perform requires "admin" rights and your application was started in "user" mode. So to begin with, how can you determine whether your application is already running elevated?

First, you allocate and initialize a SID for the Admin group. According to MSDN, a security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.

Before we proceed, let's get familiar with another function, CheckTokenMembership:

The CheckTokenMembership function determines whether a specified security identifier (SID) is enabled in an access token. To determine group membership for app container tokens, CheckTokenMembershipEx is used instead.

For our purpose, we can call CheckTokenMembership to query whether the SID is enabled in the primary access token of the process.

To sum up the first part, here is how we check whether our application is running with administrative privileges:

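#include <windows.h>

// Returns TRUE if the Administrators group SID is enabled in the process token.
// Throws the Win32 error code (a DWORD) if one of the API calls fails.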
BOOL IsAppRunningAsAdminMode()
{
    BOOL fIsRunAsAdmin = FALSE;
    DWORD dwError = ERROR_SUCCESS;
    PSID pAdministratorsGroup = NULL;

    // Allocate and initialize a SID of the administrators group.
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    if (!AllocateAndInitializeSid(
        &NtAuthority, 
        2, 
        SECURITY_BUILTIN_DOMAIN_RID, 
        DOMAIN_ALIAS_RID_ADMINS, 
        0, 0, 0, 0, 0, 0, 
        &pAdministratorsGroup))
    {
        dwError = GetLastError();
        goto Cleanup;
    }

    // Determine whether the SID of administrators group is enabled in 
    // the primary access token of the process.
    if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin))
    {
        dwError = GetLastError();
        goto Cleanup;
    }

Cleanup:
    // Centralized cleanup for all allocated resources.
    if (pAdministratorsGroup)
    {
        FreeSid(pAdministratorsGroup);
        pAdministratorsGroup = NULL;
    }

    // Throw the error if something failed in the function.
    if (ERROR_SUCCESS != dwError)
    {
        throw dwError;
    }

    return fIsRunAsAdmin;
}

If IsAppRunningAsAdminMode returns TRUE, then there is nothing left to be done, and everything is OK to continue with any task.

If it returns FALSE, then we need to elevate.

How to Elevate


The way we elevate during runtime is to obtain the application's name and path and execute it elevated to "Admin", while the currently running instance must, of course, terminate.

We also need to handle the scenario in which the end user refuses to confirm the elevation. The following code does so by checking for ERROR_CANCELLED:

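// Requires <windows.h>, <shellapi.h> and <iostream>.
wchar_t szPath[MAX_PATH];
DWORD cchPath = GetModuleFileNameW(NULL, szPath, ARRAYSIZE(szPath));
// A return value equal to the buffer size means the path was truncated;
// a truncated path must never be handed to an elevated launch.
if (cchPath > 0 && cchPath < ARRAYSIZE(szPath))
{
    // Launch itself as admin
    SHELLEXECUTEINFOW sei = { sizeof(sei) };
    sei.lpVerb = L"runas";  // the "runas" verb triggers the UAC prompt
    sei.lpFile = szPath;
    sei.hwnd = NULL;
    sei.nShow = SW_NORMAL;
    if (!ShellExecuteExW(&sei))
    {
        DWORD dwError = GetLastError();
        if (dwError == ERROR_CANCELLED)
        {
            // The user refused to allow privileges elevation.
            std::cout << "User did not allow elevation" << std::endl;
        }
    }
    else
    {
        _exit(1);  // Quit itself
    }
}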
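The snippet above relaunches the executable without any arguments, so the elevated instance starts with no knowledge of which task triggered the elevation. The following added example (not part of the original article or its download) goes one step further and builds the string to assign to sei.lpParameters, quoting each argument by the rules that CommandLineToArgvW and the Microsoft C runtime use to split a command line. The "--elevated" marker and the function names are assumptions made for this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical marker telling the new instance it was relaunched elevated.
static const std::wstring kElevatedFlag = L"--elevated";

// Quote one argument so the relaunched process parses it back as exactly
// one argv entry (rules of CommandLineToArgvW and the Microsoft C runtime).
std::wstring QuoteArg(const std::wstring& arg)
{
    if (!arg.empty() && arg.find_first_of(L" \t\n\v\"") == std::wstring::npos)
        return arg;                                  // nothing to escape
    std::wstring out = L"\"";
    size_t backslashes = 0;
    for (wchar_t ch : arg)
    {
        if (ch == L'\\') { ++backslashes; continue; }
        // Backslashes are literal unless they precede a quote; then each is
        // doubled and one more is added to escape the quote itself.
        out.append(ch == L'"' ? backslashes * 2 + 1 : backslashes, L'\\');
        out.push_back(ch);
        backslashes = 0;
    }
    out.append(backslashes * 2, L'\\');              // run before closing quote
    out.push_back(L'"');
    return out;
}

// Build the value for sei.lpParameters: the marker first, then every original
// argument re-quoted. A marker supplied by the caller is dropped, not repeated.
std::wstring BuildElevatedParameters(const std::vector<std::wstring>& args)
{
    std::wstring params = kElevatedFlag;
    for (const std::wstring& a : args)
        if (a != kElevatedFlag)
            params += L' ' + QuoteArg(a);
    return params;
}

int main()
{
    // Constructed sample arguments, including one with an embedded quote.
    std::vector<std::wstring> args = { L"--task", L"set reg", L"a\"b" };
    std::wcout << BuildElevatedParameters(args) << L"\n";
    return 0;
}
```

In the relaunch snippet, keep the returned string in a local std::wstring and assign its c_str() to sei.lpParameters before calling ShellExecuteEx.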

Running my POC

I have written a little POC to demonstrate this idea.


After pressing "Y", the application will try to elevate itself, but only if it is not already running with Admin privileges.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Michael Haephrati
Israel
Michael Haephrati, born in 1964, an entrepreneur, inventor and a musician. Haephrati worked on many ventures starting from HarmonySoft, designing Rashumon, the first Graphical Multi-lingual word processor for Amiga computer.
 
Worked with Amdocs and managed several software projects, among them one for the Ministry of Tourism in New Zealand. During 1995-1996 he worked as a Contractor with Apple at Cupertino. After returning to Israel, worked as a Project Manager with Top Image Systems (mostly with JCC, Nicosia), and then at a research institute made the first steps developing the credit scoring field in Israel. He founded Target Scoring and developed a credit scoring system named ThiS, based on geographical statistical data, participating VISA CAL, Isracard, Bank Leumi and Bank Discount (Target Scoring, being the VP Business Development of a large Israeli institute).

During 2000, he founded Target Eye, and developed the first remote PC surveillance and monitoring system, named Target Eye.

Other ventures included: Data Cleansing (as part of the DataTune system which was implemented in many organizations).
 


Last Updated 16 Feb 2013
Article Copyright 2012 by Michael Haephrati