
I'm developing a class library to be used by several other applications and what I need is for the applications to run the code from the external class library with administrator privileges. I don't want to force every application to require administrator privileges by default and I know that once an application has been started it cannot request administrator privileges and so my solution must involve starting a new process or creating a new application domain. I need help with the code because I don’t understand those concepts very well. I wrote some code below to demonstrate what I'm thinking.

```csharp
// This method is inside my application
private void ApplicationMethod(bool runExternal)
{
    if (runExternal)
    {
        // Create new process/appdomain and then run ExternalMethod.
        // The string returned by ExternalMethod needs to be stored.
    }
}

// This method is inside my external class library
private string ExternalMethod()
{
    string externalString = string.Empty;

    // Do work on externalString and then return it.

    return externalString;
}
```

I would really appreciate demonstration code based on what I wrote above.

HelloWorld
  • Identity is associated with a thread. You can use thread impersonation to run some of your code with elevated privileges. This statement: *" I know that once an application has been started it can not request administrator privileges"* is incorrect. See this question: http://stackoverflow.com/q/125341/706456 – oleksii Dec 30 '13 at 19:57
  • I don't know what impersonation means in the .NET Framework world nor do I know what you mean by identity. When I was researching and trying to find easy-to-understand code samples the information always stated that you cannot request administrator privileges after the process has been created. – HelloWorld Dec 30 '13 at 20:00
  • You can run some code with a specified user name and password. That user can be administrator and hence your code will execute under the Administrator account. By default, identity (such as Windows User or Principal) is inherited. If one starts a process with a simple *user* account, all the threads run under that identity (or user). But you can change this. By asking a user for administrator's user name and password, and then making an API call to elevate permissions of a thread to administrator. Can you please add links to posts saying you cannot run code as admin after one started a process? – oleksii Dec 30 '13 at 20:09
  • From the answer: "I don't believe that it is possible to elevate the currently running process. It is built into Windows Vista that administrator privileges are given to a process upon startup, as I understand. If you look at various programs that utilise UAC, you should see that they actually launch a separate process each time an administrative action needs to be performed (Task Manager is one, Paint.NET is another, the latter being a .NET application in fact)." http://stackoverflow.com/questions/573086/how-to-elevate-privileges-only-when-required?lq=1 – HelloWorld Dec 30 '13 at 20:25
  • Interesting read... Looks like there was a security enhancement which I overlooked - Windows Integrity Mechanism. It'd prevent elevation on a thread level. You may get lucky with `LogonUser` or similar API if UAC is turned off. This, of course, must not be expected for every user. Found [this answer](http://stackoverflow.com/a/3583644/706456), that lists approaches to run a new process with elevated permissions. Another thing, app domain runs under the same process. Thus if one cannot overcome UAC control within a single process, you won't be able to run a new app domain with Admin privileges. – oleksii Dec 30 '13 at 20:43
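
The comments above conclude that elevation has to happen in a separate process, because an app domain lives inside its host process. As an added example (not code from the question or its commenters), this sketch relaunches the same executable with the `runas` verb and passes the string back through a temp file; the `--elevated` switch, the temp-file hand-off and the body of `ExternalMethod` are assumptions, and it assumes the program is built as its own .exe.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;

static class Program
{
    // Stand-in for the library's ExternalMethod; reports whether it ran as admin.
    static string ExternalMethod()
    {
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return "IsAdministrator=" + principal.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Unelevated side: relaunch this executable elevated and read back its result.
    static string RunExternalElevated()
    {
        string resultFile = Path.GetTempFileName(); // hypothetical hand-off channel
        var psi = new ProcessStartInfo
        {
            FileName = Process.GetCurrentProcess().MainModule.FileName,
            Arguments = "--elevated \"" + resultFile + "\"",
            UseShellExecute = true, // needed for Verb; stdout cannot be redirected
            Verb = "runas"          // asks UAC for an elevated token
        };
        try
        {
            using (Process child = Process.Start(psi))
            {
                child.WaitForExit();
                return child.ExitCode == 0 ? File.ReadAllText(resultFile) : null;
            }
        }
        // 1223 = ERROR_CANCELLED: the user declined the UAC prompt.
        catch (Win32Exception ex) when (ex.NativeErrorCode == 1223) { return null; }
        finally { File.Delete(resultFile); }
    }

    static int Main(string[] args)
    {
        if (args.Length == 2 && args[0] == "--elevated")
        {
            File.WriteAllText(args[1], ExternalMethod()); // elevated side
            return 0;
        }
        Console.WriteLine(RunExternalElevated() ?? "Elevation declined or helper failed.");
        return 0;
    }
}
```

The elevated side writes to a path chosen by an unelevated caller, so a production helper should validate that argument or use an ACL-restricted named pipe instead.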

0 Answers