Launch a No Elevated Process from an Elevated Process in an easy way (Win32 API)



  • I’m kind of stuck on this issue. Here’s the context:
    Notepad++ launches WinGup as admin for installing/updating Plugins, then it quite. After the operations, WinGup will relaunch Notepad++. The problem is since WinGup has the privilege right, any process launched by WinGup will inherent the elevation.

    Is there any trivial way in win32 API to get the hack down?



  • I found this MSDN blog entry concerning that topic. Wether it’s easy - I don’t know, decide by yourself.

    Another solution would be to split Gup.exe in two programs, a controller/downloader and a worker doing the copy stuff.



  • Oh, and I forgot to mention, there is the old Plugin Manager, the devs of it had to solve the same problem. Maybe have a look at their code.



  • @donho

    I found another link which seems to be more promising than the link above.

    The algorithm there retrieves the access token of the desktop shell process. The non-elevated process gets started with this token. The article mentions some caveats but I guess they are not really relevant.



  • @donho

    i’ve just tried this out:
    you can relaunch np++ using runas in the command line without the need of specifying the invokers user name.
    it should work in wingup too.

    if you want to simulate and cross check it for a quick test:

    open cmd.exe with right click > run as administrator

    cross check:
    if you now run C:\Program Files (x86)\Notepad++\notepad++.exefrom there, you will of see [Administrator] in the np++ bar as expected

    possible solution:
    execute runas /trustlevel:0x20000 "C:\Program Files (x86)\Notepad++\notepad++.exe"
    and admin mode will be off.
    you should now have the files and folder permissions of the current user 👍



  • @Meta-Chuh , @donho

    I’ve tried the runas method on my Windows 7 x64 machine. I’ve noticed a slight difference from the normal case that Notepad++ gets started via e.g. a desktop link.

    In Windows Taskmanager I have activated the column UAC virtualization. When Notepad++ gets started via a desktop link the value of this column is Deactivated. When Notepad++ gets started via the runas command the column has no value, it is empty. But when I tick the option Show processes of all users the value changes to Not allowed. If I tick this option before starting Notepad++ the value is immediatly Not allowed.

    I don’t know anything about the implications of this difference and I don’t know the difference between UAC virtualization deactivated and UAC virtualization not allowed, but there is a difference. Before adopting the runas method further investigations should take place.



  • @dinkumoil
    Indeed.

    @Meta-Chuh said:

    possible solution:
    execute runas /trustlevel:0x20000 “C:\Program Files (x86)\Notepad++\notepad++.exe”

    Just tried this method and seems Admin mode is OFF.
    However, drag & drop a file into edit zone (which is the original motivation to run Notepad++ under user level) is forbidden just like Admin mode is ON.

    I will continue to search the alternative way.



  • @dinkumoil said:

    Oh, and I forgot to mention, there is the old Plugin Manager, the devs of it had to solve the same problem. Maybe have a look at their code.

    gpup.exe is launched without elevation, then it spawns itself (another instance) with the privileges rights to download & unzip and quit. The instance without elevation then relaunches Notepad++ without elevation.

    It’s full of hack, but I guess I have no choice :(



  • @donho said:

    It’s full of hack, but I guess I have no choice :(

    Well, I would call it “skillful use of officially documented features”. In contrast, the methods suggested in the MSDN blog entries I’ve posted a link to would have been real dirty hacks.



  • @donho

    please try this from an elevated cmd or gup exec line:

    schtasks /create /tn "Notepad++ Update Reload" /tr "C:\Program Files\Notepad++\notepad++.exe" /sc once /st 23:59 /f && schtasks /run /tn "Notepad++ Update Reload" && schtasks /delete /TN "Notepad++ Update Reload" /f

    i remembered i had the same problem ages ago and solved it using the scheduled tasks
    this will create run once and delete one that uses the current user regardless of the elevation level of the parent task

    i’ve just tried it and drag and drop works, also @dinkumoil the uac in the task manager should be correct



  • @Meta-Chuh

    Yes, I remember. That was the way I suppressed UAC dialogs e.g. when starting elevated console windows around 10 years ago when I switched to Windows 7. It was the “I’m the admin, why should I been asked for approving admin tasks?”-attitude.

    But to use that from within an EXE - hmm, seems crude to me…



  • @dinkumoil

    this is just to get things going right now.
    it’s to quickly test if using the task scheduler works 100% for all cases.

    if it does, we can create an ITaskService object unsing eg taskschd.h instead of a command line.

    if you have another working solution that is testable right now, don’t complain, try it, share it



  • @donho
    Have looks at article by Raymond Chen.

    We already have a solution in place, but unfortunately that solution is in nsis. Look here. The idea is: Run a exe in explorer context.

    MS link: https://msdn.microsoft.com/library/dd940355
    MS sample: https://github.com/pauldotknopf/WindowsSDK7-Samples/tree/master/winui/shell/appplatform/ExecInExplorer

    Hope this will help you.



  • Also below can be used as simplest solution -

    ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);



  • @donho

    @donho said:

    @dinkumoil
    Indeed.

    @Meta-Chuh said:

    possible solution:
    execute runas /trustlevel:0x20000 “C:\Program Files (x86)\Notepad++\notepad++.exe”

    Just tried this method and seems Admin mode is OFF.
    However, drag & drop a file into edit zone (which is the original motivation to run Notepad++ under user level) is forbidden just like Admin mode is ON.

    I will continue to search the alternative way.

    Considering this scenario in mind, npp installer launches npp instance with same integrity level as explorer. Same is applicable here and drag n drop works fine using below method. So I feel, this should suit your requirement.

    ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);



  • @SinghRajenM said:

    Also below can be used as simplest solution -

    ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);

    Thank you for the info.
    I do remember the solution you provide in NSIS and did try the line above - only explorer launched.



  • @donho

    The last parameter has to be 1 = SW_SHOWNORMAL



  • @donho said:

    @SinghRajenM said:

    Also below can be used as simplest solution -

    ShellExecute(nullptr, L"open", L"explorer.exe", L"C:\\Program Files\\Notepad++\\Notepad++.exe", nullptr, NULL);

    Thank you for the info.
    I do remember the solution you provide in NSIS and did try the line above - only explorer launched.

    Interesting. It is working fine to me.

    [Edit]:
    @dinkumoil, nice catch. I’m using SW_SHOW



  • @SinghRajenM

    thx, very cool and easy just to execute via explorer.exe, iv’e just tried it.

    i didn’t know that explorer.exe does not pass the elevation level to a spawn.

    so simple and perfect 👍



  • @Meta-Chuh Again it depends upon how explorer.exe is executed. In most of the cases explorer is not elevated unless user explicitly do so.

    So if explorer is also elevated, then new exe also will be elevated yet. But it is expected in this case, because both will be at same integrity level which allows drag n drop.

    https://paste.pics/e25eda50315a622bfda372343fd9b722


Log in to reply