0

My C# code is running on a faraway Windows Server where I cannot log in, only deploy code. I want to run Process Monitor from that code - start it in "quiet" mode, then stop it after a while. The code which would run Process Monitor is running under the "NT AUTHORITY\SYSTEM" local account, so I assume it has all the rights required.

However, if I run Process Monitor on my developer box it triggers a rights elevation prompt. If I run it from the command line locally:

```
procmon /Terminate
```

then I see an elevation prompt, confirm elevation and the process exits (as expected).

If I run it from inside C# code on the faraway server:

```csharp
using (var process = new System.Diagnostics.Process())
{
    process.StartInfo.FileName = pathToProcMonExe;
    process.StartInfo.Arguments = "/Terminate";
    process.Start();
    process.WaitForExit();
    WriteToLog("Exited");
}
```

then it looks like it just hangs on the elevation prompt and the process never exits.

Again, I cannot log in there and confirm elevation. I need to do everything programmatically.

My process runs under "NT AUTHORITY\SYSTEM". How does it run Process Monitor which requires elevation without triggering the prompt?

sharptooth
  • this might help: _UAC self-elevation (CSUACSelfElevation)_ https://code.msdn.microsoft.com/windowsdesktop/csuacselfelevation-644673d3 – Jeroen van Langen Jul 26 '16 at 07:36
  • @JeroenvanLangen There's a `catch` statement with a comment `The user refused the elevation.` which most likely means the prompt is still there. – sharptooth Jul 26 '16 at 08:04
  • Are you running as a Service? – lokusking Jul 26 '16 at 09:38
  • @lokusking Honestly I don't know, most likely not. – sharptooth Jul 26 '16 at 10:15
  • Well, I could provide a bunch of code (it's really a lot) I'm using inside a WindowsService to perform the start of a GUI-Application. I'm able to bypass Session0-Isolation and UAC with this code and it seems not to trigger AntiVirus. [Fiddle](https://dotnetfiddle.net/ESmeoP). The only requirement is that Explorer or at least one GUI-Process is running – lokusking Jul 26 '16 at 10:26

2 Answers

1

Turns out it was not an elevation prompt. It was a "here's my license agreement, please read and accept it" dialog box shown by Process Monitor despite the silent mode. Once the license agreement is accepted, Process Monitor can run just fine without elevation prompts in that environment.

sharptooth
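The fix described in this answer, as an added example that is not part of the original post: it passes Process Monitor's `/AcceptEula` switch so the license dialog never appears, and bounds every wait so a dialog nobody can answer cannot hang the caller. The class and method names, the `backingFile` parameter and the 60-second limit are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Threading;

static class ProcmonCapture
{
    static Process StartProcmon(string exePath, string arguments)
    {
        var process = new Process();
        process.StartInfo.FileName = exePath;
        // /AcceptEula keeps the first-run license dialog from blocking an unattended session.
        process.StartInfo.Arguments = "/AcceptEula " + arguments;
        // CreateProcess path: an unelevated caller gets a Win32Exception, not a consent prompt.
        process.StartInfo.UseShellExecute = false;
        process.Start();
        return process;
    }

    // Waits a bounded time and kills the process if it is still running.
    // Returns true only when the process exited on its own.
    static bool WaitOrKill(Process process, TimeSpan timeout)
    {
        if (process.WaitForExit((int)timeout.TotalMilliseconds))
            return true;
        process.Kill();
        process.WaitForExit();
        return false;
    }

    public static bool Capture(string exePath, string backingFile, TimeSpan duration)
    {
        var limit = TimeSpan.FromSeconds(60); // assumed upper bound for procmon to shut down
        using (var capture = StartProcmon(exePath,
            "/Quiet /Minimized /BackingFile \"" + backingFile + "\""))
        {
            Thread.Sleep(duration); // let the trace run for the requested time
            bool stopped;
            using (var stop = StartProcmon(exePath, "/Terminate"))
                stopped = WaitOrKill(stop, limit);
            // The capturing instance should exit after /Terminate; bound that wait too.
            return WaitOrKill(capture, limit) && stopped;
        }
    }
}
```

A `false` return means one of the Process Monitor instances had to be killed, which is the signal to log and investigate rather than wait indefinitely.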
0

There is a related discussion here, "List of UAC prompt triggers?", which indicates that the UAC dialog is triggered by a number of possible decisions, including registry settings and executable filename. If the UAC prompt is not turned off in the destination operating system I think there is nothing you can do - the operating system is trying to protect itself against a program which is spawning administrator level system utilities without notifying the user.

However - the process monitor information shown in the Process Monitor application is available in the System.Diagnostics namespace of .NET so there is no need to actually shell out to Process Monitor to get the data you need.

PhillipH
  • Can I trace all API calls using `System.Diagnostics`? – sharptooth Jul 26 '16 at 07:44
  • What data are you aiming to gather from Procmon? Perhaps that is the subject of another query - because I don't believe you will be able to prevent the UAC popup unless the user has explicitly turned it off. – PhillipH Jul 26 '16 at 17:02