0

My application is running as an administrator (elevated), but I need to run certain blocks of code in the current user's context (unelevated).

  1. How can I run a given block of code in an unelevated context?

    Is there a way to do this with impersonation, that doesn't require me to know the user's domain, name, and password?

    Is there another API for this, or a way to do it simply with attributes?

  2. Likewise, is there a way to detect that I'm currently running in an elevated context, so that I know I need to de-elevate in the first place?

I'm using C# 6.0, .NET 4.x (where x >= 5), and Visual Studio 2015.

svick
  • 236,525
  • 50
  • 385
  • 514
BrainSlugs83
  • 6,214
  • 7
  • 50
  • 56

1 Answers1

0
  1. You can achieve this by encapsulating the code that needs to run un-elevated in a separate assembly (.exe file) and start it as a new process. Take a look at Start non-elevated process from elevated process.

  2. To check if you're in elevated context:

    static bool IsAdministrator()
{
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    WindowsPrincipal principal = new WindowsPrincipal(identity);
    return principal.IsInRole (WindowsBuiltInRole.Administrator);
}

    (Taken from: Detect if running as Administrator with or without elevated privileges?)

Community
  • 1
  • 1
qbik
  • 5,502
  • 2
  • 27
  • 33
  • Is there no way to run a block of code in the same scope (let alone process)? -- What if I did it the other way around, ran as a non-admin, and requested elevation for a particular scope, could it be done then? -- I'd prefer to use a pattern similar to [SPSecurity.RunWithElevatedPrivileges](https://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx) but for the desktop. – BrainSlugs83 Jul 03 '16 at 20:10
  • @BrainSlugs83: I don't think there is any way to change the elevation other than starting a new process. Also, see here: [Using UAC with c#](https://victorhurdugaci.com/using-uac-with-c-part-1), [Windows sudo](http://superuser.com/questions/42537/is-there-any-sudo-command-for-windows) – qbik Jul 04 '16 at 03:29
  • Well, wait, how do other applications do it? -- Many applications that don't prompt for elevation when you first launch, will have some button in them that when you click it, you are hit with a UAC prompt, where it elevates. There's usually a UAC shield of some kind on the button to the left of the text. -- Is this a different windows feature? Maybe I'm asking the wrong question? – BrainSlugs83 Jul 11 '16 at 23:04
  • 1
    Maybe they're spawning a new process in background? SO articles: [How to elevate privileges only when required](http://stackoverflow.com/questions/573086/how-to-elevate-privileges-only-when-required) and [How to UAC elevate a COM component with .NET](http://stackoverflow.com/questions/573086/how-to-elevate-privileges-only-when-required) mention one other way - register a COM component, then create an elevated instance of it. – qbik Jul 12 '16 at 03:59
  • Interesting. Thanks, I'll have to take a look at that. – BrainSlugs83 Sep 28 '16 at 21:45