
Folks,

Big problem that I'm not sure how to address. Seems that Win7 SP1 broke my application. My scenario used to work!

I have a Win C# .NET 4.0 application with a manifest that requests administrative privileges via app.manifest line:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

I also am starting a new thread in my application via the following lines of code:

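// Requires: using System.Diagnostics;
Process certMaker = new Process();
certMaker.StartInfo.FileName = makeCertExe;         // path to the executable to launch
certMaker.StartInfo.UseShellExecute = false;        // start via CreateProcess, not ShellExecute
certMaker.StartInfo.RedirectStandardOutput = true;  // capture the child's stdout
certMaker.Start();
certMaker.WaitForExit();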

This used to work with no problems, but now it no longer runs under elevated privileges. Just to be sure, I've decorated the method with:

[PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]

but am only getting a "Request for principal permission failed" error.

Any help? What has changed in SP1 that could've caused this? Our application is not signed yet due to high costs.

I tried having UAC off or on at any level, and I tried setting compatibility mode from XP through Win7, and nothing.

I've enabled full audit reports for any sorts of security failures in the OS. Here is what I think I'm getting every time I try to run my command:

A handle to an object was requested.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:       LOCAL SERVICE
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3e5

Object:
    Object Server:      PlugPlayManager
    Object Type:        Security
    Object Name:        PlugPlaySecurityObject
    Handle ID:      0x0

Process Information:
    Process ID:     0x2dc
    Process Name:       C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       Unknown specific access (bit 1)

    Access Reasons:     -
    Access Mask:        0x2
    Privileges Used for Access Check:   -
    Restricted SID Count:   0

Thank you!

Igorek

1 Answer

Why UseShellExecute=false? If you make it true, it will use your manifest. I know you say it used to work, but in my experience you have to use ShellExecute to get your manifest taken into account.

This is independent of signing, btw - that just determines whether you get the scary orange dialog with question marks on it and Unknown Publisher or a slightly less scary one that names your firm.

Kate Gregory
  • Thanks for the response. I've tried following your directions to no avail! I've also looked at this thread for the verb usage of "runas". http://stackoverflow.com/questions/3596259/elevating-privileges-doesnt-work-with-useshellexecute-false – Igorek Mar 04 '11 at 17:47
  • ok, let's try some things. Go double click makecert.exe. Does it ask to elevate? If not, it's the manifest. If yes, it's the way you're launching it. – Kate Gregory Mar 04 '11 at 19:10
  • UAC is off. It does not ask to elevate. But it runs OK from a command prompt – Igorek Mar 04 '11 at 19:56
  • Here is what's interesting, I've enabled detailed audit reports on pretty much everything under Audit Policies... I'm adding the report to the main body of this post – Igorek Mar 04 '11 at 19:58
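
Added example, not part of the original question or answer: a small C# program that reports whether the current process token is actually elevated and then launches the child through ShellExecute with the "runas" verb discussed above. The class name and the placeholder path are assumptions; pass the real path to the tool as the first argument.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

static class ElevatedLaunchExample
{
    // True when the process token is an enabled member of BUILTIN\Administrators.
    // With UAC on, a filtered (non-elevated) admin token returns false here.
    static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    static int Main(string[] args)
    {
        // PrincipalPermission demands evaluate Thread.CurrentPrincipal. Under the
        // .NET Framework default policy that is an unauthenticated GenericPrincipal,
        // so a role demand fails even when elevated unless this policy is set first.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
        Console.WriteLine("Elevated token: {0}", IsElevated());

        // Placeholder path (assumption): replace or pass the real location.
        string makeCertExe = args.Length > 0 ? args[0] : @"C:\path\to\makecert.exe";

        var startInfo = new ProcessStartInfo(makeCertExe)
        {
            UseShellExecute = true, // ShellExecute path: manifest and verb are honored
            Verb = "runas"          // ask for elevation if the caller is not elevated
        };
        // RedirectStandardOutput cannot be combined with UseShellExecute = true;
        // Process.Start throws InvalidOperationException when both are set.
        try
        {
            using (Process child = Process.Start(startInfo))
            {
                child.WaitForExit();
                return child.ExitCode;
            }
        }
        catch (Win32Exception ex)
        {
            if (ex.NativeErrorCode != 1223) throw; // 1223 = ERROR_CANCELLED
            Console.Error.WriteLine("Elevation was declined at the UAC prompt.");
            return 1;
        }
    }
}
```

If the child's output is needed, have the elevated child write to a file, since redirection is unavailable on the ShellExecute path.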