Starting an Application as Administrator from another one

Question

I'm a little lost here.

I have an App, let's call it App1.

App1 works fine. In some cases, App1 needs to execute another program, App2.

The code is simple:

           /*call app2*/
            ProcessStartInfo startInfo = new ProcessStartInfo(Convert.ToString(ConfigurationManager.AppSettings["pathActualizador"]));

            startInfo.UseShellExecute = false;

            try
            {
                System.Diagnostics.Process.Start(startInfo);
            }
            catch (ArgumentException)
            {
                MessageBox.Show("Error en parármetros enviados al Actualizador..", Properties.Resources.txtTituloAplicacion, MessageBoxButtons.OK, MessageBoxIcon.Information);
            }

            /*close app1 and letting app2 do its work*/
            Application.ExitThread();

In some cases, I've problem with the authorization for calling app2. App1 is a simple system, app2 needs to create, move and delete some files and folders (that's why is giving me trouble) At least, we solve it executing as an administrator de app2, by right click --> properties --> execute as administrator.

I'm trying to solve this. I've read many posts, about creating a manifest file here in SO. So, I created one. I added the new item from Application project --> add new item --> app.manifest

And by the default created, only changed this

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

THIS MANIFEST is for App1. We have both apps in like 100 computers, and we can't change it one by one (most of them are in another country) But we have an application to modify, sending some commands throw Internet, the app1. So, I've read that if a process create another one, this new process will have the same ExecutionLevel that its parent. So, adding the manifest in App1, when it creates Process for App2, should execute as Administrator

I'm right or not?

By the other hand, I've added the manifest, compiled, and sent the .exe and .manifest to a client, run, and I still have the same problem: The app2 cannot access to folders to modify them, returning a problem of privileges.

Is there something wrong ? I've to create a manifest for the App2 instead? This is kinda difficult, also is difficult to configure windows for each machine..

I've read that I can also do something like

startInfo.Verb = "runas";

but also read that in the future (said this in 2008) that this could be ignored, and the only way will be using manifest. So I want to avoid this option

edit: Using Visual Studio 2010, .NET 3.5

edit2: I've tried "runas", also not working. The user is no administrator, so has no rights of administrator

Answer 1

Have you tried setting the WorkingDirectory, maybe you try to run App2 from the WorkingDir of App1

ProcessStartInfo info = new ProcessStartInfo();
info.WorkingDirectory ="SomePath";

EDITED:

I found an entry on SO which could help you: How to start a Process as administrator mode in C#

Answer 2

I will make the recommendation that you don't need administrative credentials:

app2 needs to create, move and delete some files and folders (that's why is giving me trouble)

Nothing in the statement proves you need to be an admin. I would recommend revisiting the architecture of your program. The first step I would take is to have two separate users on your system. A user for app1 and a user for app2 lets call them App1User and App2User respectively. Now the configuration for both of these users should be as follows:

Non-privileged, cannot log in, can only execute their respective programs, and do not have permissions to anything not directly controlled by them.

Now from here App1User can delegate to App2User to execute app2, this prevents any privilege escalation from occurring and removes the need for admin. Now App2User needs to be able to create,move, and delete things that it owns. That should not be a problem, as a regular user I can create,delete, and move things that I own. There are very few reasons why something needs to run as admin or root.

UPDATE

In reply to the following:

The problem is when App1 need to call App2 so App2 can do some tasks. App1 doesn't need to create folders or anything, so has no problem with UAC. App2 does

Ok so from the ground up we will have the following three system objects:

AppUser1,AppUser2, AppUserGroup

The AppUserGroup will contain both AppUser1 and AppUser2 . The AppUserGroup will need to be locked down similar to the app users. The way the permissions will need to be configured is as follows:

App1 is owned by AppUserGroup and has at the very least execute permissions.
App2 is owned by AppUserGroup and has at the very least execute permissions.

Make sure the permissions are also granted to the users within the group. Now what this allows you to do is invoke the program as AppUser1 which is a member of the AppUserGroup and run App2 by virtue of being inside of the group and that group owning the process. Let me know if this needs further clarification.