{"id":2643,"date":"2013-11-18T07:00:00","date_gmt":"2013-11-18T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2013\/11\/18\/how-can-i-launch-an-unelevated-process-from-my-elevated-process-and-vice-versa\/"},"modified":"2013-11-18T07:00:00","modified_gmt":"2013-11-18T07:00:00","slug":"how-can-i-launch-an-unelevated-process-from-my-elevated-process-and-vice-versa","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20131118-00\/?p=2643","title":{"rendered":"How can I launch an unelevated process from my elevated process and vice versa?"},"content":{"rendered":"

\nGoing from an unelevated process to an elevated process is easy.\nYou can run a process with elevation by\n\npassing the runas<\/code> verb<\/a>\nto Shell­Execute<\/code> or\nShell­Execute­Ex<\/code>.\n<\/p>\n

\nGoing the other way is trickier.\nFor one thing, it’s really hard to munge your token to remove the\nelevation nature properly.\nAnd for another thing, even if you could do it, it’s not the right\nthing to do, because the unelevated user may be different from the\nelevated user.\n<\/p>\n

\nLet me expand on that last bit.\n<\/p>\n

\nTake a user who is not an administrator.\nWhen that user tries to run a program with elevation,\nthe system will display a prompt that says,\n“Hey, like, since you’re not an administrator,\nI need you to type the userid and password of somebody\nwho is<\/i> an administrator.”\nWhen that happens, the elevated program is running not as the\noriginal user but as the administrative user.\nEven if the elevated program tried to remove elevation from its token,\nall it managed to do is create an unelevated token\nfor the administrative user<\/i>, not the original user.\n<\/p>\n

\nSuppose we have Alice Administrator and Bob Banal.\nBob logs on,\nand then tries to run LitWare Dashboard,\nwhich requires elevation.\nThe prompt comes up, and Bob calls over Alice to grant\nadministrative privileges.\nAlice types her password, and boom, now LitWare Dashboard is running\nelevated as Alice<\/i>.\n<\/p>\n

\nNow suppose LitWare Dashboard wants to launch the user’s Web browser\nto show some online content.\nSince there is no reason for the Web browser to run elevated,\nit tries to unelevate the browser in order to reduce the security\nattack surface.\nIf it simply neutered its token and used that to launch the browser,\nit would be running a copy of the browser unelevated as Alice<\/i>.\nBut LitWare Dashboard presumably\nreally wanted to run the browser as Bob,\nsince it is Bob who is the unelevated user in this session.\n<\/p>\n

\nThe solution here is to go back to Explorer and ask Explorer to\nlaunch the program for you.\nSince Explorer is running as the original unelevated user,\nthe program (in this case, the Web browser) will run as Bob.\nThis is also important in the case that the handler for the file\nyou want to open runs as an in-process extension rather than as\na separate process,\nfor in that case,\nthe attempt to unelevate would be pointless since no new process\nwas created in the first place.\n(And if the handler for the file tries to communicate with\nan existing unelevated copy of itself, things may fail because of UIPI.)\n<\/p>\n

\nOkay, I know that Little Programs are not supposed to have motivation,\nbut I couldn’t help myself.\nEnough jabber.\nLet’s write code.\n(Remember that Little Programs do little or no error checking,\nbecause that’s the way they roll.)\n<\/p>\n

\n#define STRICT\n#include <windows.h>\n#include <shldisp.h>\n#include <shlobj.h>\n#include <exdisp.h>\n#include <atlbase.h>\n#include <stdlib.h>\n\/\/ FindDesktopFolderView<\/a> incorporated by reference\nvoid GetDesktopAutomationObject(REFIID riid, void **ppv)\n{\n CComPtr<IShellView> spsv;\n FindDesktopFolderView(IID_PPV_ARGS(&spsv));\n CComPtr<IDispatch> spdispView;\n spsv->GetItemObject(SVGIO_BACKGROUND, IID_PPV_ARGS(&spdispView));\n spdispView->QueryInterface(riid, ppv);\n}\n<\/pre>\n
\nThe\n\nGet­Desktop­Automation­Object<\/code>\nfunction\nlocates the desktop folder view\nthen asks for the dispatch object for the view.\nWe then return that dispatch object in the form requested by the caller.\nThis dispatch object is a Shell­Folder­View<\/code>,\nand the C++ interface for that is\nIShell­Folder­View­Dual<\/code>,\nso most callers are going to ask for that interface,\nbut\nif you are a masochist, you can skip the dual interface and\ntalk directly to IDispatch<\/code>.\n<\/p>\n<\/p>\n
\nvoid ShellExecuteFromExplorer(\n    PCWSTR pszFile,\n    PCWSTR pszParameters = nullptr,\n    PCWSTR pszDirectory  = nullptr,\n    PCWSTR pszOperation  = nullptr,\n    int nShowCmd         = SW_SHOWNORMAL)\n{\n CComPtr<IShellFolderViewDual> spFolderView;\n GetDesktopAutomationObject(IID_PPV_ARGS(&spFolderView));\n CComPtr<IDispatch> spdispShell;\n spFolderView->get_Application(&spdispShell);\n CComQIPtr<IShellDispatch2>(spdispShell)\n    ->ShellExecute(CComBSTR(pszFile),\n                   CComVariant(pszParameters ? pszParameters : L\"\"),\n                   CComVariant(pszDirectory ? pszDirectory : L\"\"),\n                   CComVariant(pszOperation ? pszOperation : L\"\"),\n                   CComVariant(nShowCmd));\n}\n<\/pre>\n
\nThe\nShell­Execute­From­Explorer<\/code>\nfunction\nstarts by getting the desktop folder automation object.\nWe use the desktop not because it’s particularly meaningful\nbut because we know that it’s always going to be there.\n<\/p>\n
\nAs with the desktop folder view,\nthe Shell­Folder­View<\/code> object is not interesting\nto us for itself.\nIt’s interesting to us because the object\nresides in the process that is hosting the desktop view\n(which is the main Explorer process).\nFrom the Shell­Folder­View<\/code>, we ask for the\nApplication<\/code> property\nso that we can get to the main\nShell.Application<\/code> object,\nwhich has the IShell­Dispatch<\/code> interface\n(and its extensions\nIShell­Dispatch2<\/code> through\nIShell­Dispatch6<\/code>)\nas its C++ interfaces.\nAnd it is the\nIShell­Dispatch2::Shell­Execute<\/code> method\nthat is what we really want.\n<\/p>\n
\n“You never loved me.\nYou only wanted me in order\nto get access to my family,” sobbed the shell folder view.\n<\/p>\n
\nAnd we call\nIShell­Dispatch2::Shell­Execute<\/code> with\nthe appropriate parameters.\nNote that the parameters to\nIShell­Dispatch2::Shell­Execute<\/code> are\nin a different order<\/i> from the parameters to\nShell­Execute<\/code>!\n<\/p>\n
\nOkay, let’s put this inside a little program.\n<\/p>\n
\nint __cdecl wmain(int argc, wchar_t **argv)\n{\n if (argc < 2) return 0;\n CCoInitialize<\/a> init;\n ShellExecuteFromExplorer(\n    argv[1],\n    argc >= 3 ? argv[2] : L\"\",\n    argc >= 4 ? argv[3] : L\"\",\n    argc >= 5 ? argv[4] : L\"\",\n    argc >= 6 ? _wtoi(argv[5]) : SW_SHOWNORMAL);\n return 0;\n}\n<\/pre>\n
\nThe program takes a mandatory command line argument which is\nthe thing to execute, be it a program or a document or a URL.\nOptional parameters are the parameters to the thing being executed,\nthe current directory to use,\nthe operation to perform, and how the window should be opened.\n<\/p>\n
\nOpen an elevated command prompt, and then run this program\nin various ways.\n<\/p>\n\n\n\n\n
scratch http:\/\/www.msn.com\/<\/code><\/td>\nOpen an unelevated Web page in the user’s default Web browser.<\/td>\n<\/tr>\n
scratch cmd.exe \"\" C:\\Users \"\" 3<\/code><\/td>\nOpen an unelevated command prompt at\n        C:\\Users<\/code>, maximized.<\/td>\n<\/tr>\n
scratch C:\\Path\\To\\Image.bmp \"\" \"\" edit<\/code><\/td>\nEdit a bitmap in an unelevated image editor.<\/td>\n<\/tr>\n<\/table>\n
\nThis program is basically the same as the\nExecute in Explorer<\/a>\nsample.<\/p>\n","protected":false},"excerpt":{"rendered":"
Going from an unelevated process to an elevated process is easy. You can run a process with elevation by passing the runas verb to Shell­Execute or Shell­Execute­Ex. Going the other way is trickier. For one thing, it’s really hard to munge your token to remove the elevation nature properly. And for another thing, even if […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-2643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Going from an unelevated process to an elevated process is easy. You can run a process with elevation by passing the runas verb to Shell­Execute or Shell­Execute­Ex. Going the other way is trickier. For one thing, it’s really hard to munge your token to remove the elevation nature properly. And for another thing, even if […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/2643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=2643"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/2643\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=2643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=2643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=2643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}