-1

I want to call diskpart.exe from my application (C#, .NET 4.8) to delete and reinitialize an attached storage device.

However, the user needs administration rights to do this.

However, I do not want to store an admin user with password in the application.

Is it somehow possible to authorize my program once to call diskpart.exe at any time?

I have already read on the internet that it is possible via a Windows Service or a Scheduled Task. However, both approaches have not worked for me so far.

  • 3
    Why do you think you want that? If what you want was possible, every malware would be able to make modifications without the user knowing about this. The end user's computer isn't yours, you can't make any changes without the actual user's consent. – Panagiotis Kanavos May 15 '23 at 07:19
  • 1
    No. That would be **very** unsafe. You _can_ probably tell Windows to launch it as administrator. But it's usually not a good idea to just give admin rights once to any application. – JHBonarius May 15 '23 at 07:19
  • Thank you first of all for the quick answers. The computer will not be connected to a public network. The computer will only be used to read a storage medium and then completely erase and reinitialize it. – curious_evolution May 15 '23 at 07:25
  • The application's problem is that it tries to start *another* application that requires elevated privileges. All operating systems require extra permissions for this - MacOS, Linux, Windows, Android, iOS. If anything, *more* and finer-grained permissions are required as time goes by. Apps on any OS now can be registered with a manifest that describes what permissions are needed so the user can consent to them. – Panagiotis Kanavos May 15 '23 at 07:25
  • @curious_evolution `will not be connected to a public network` neither were the thousands of computers infected by viruses, or destroyed by "unfortunate" application actions that e.g. formatted `C:` in the 1990s. It's not your computer. You can't make modifications to it without the user's consent – Panagiotis Kanavos May 15 '23 at 07:26
  • 1
    You probably need to register the service when you're logged in as administrator. And register it as system service. – JHBonarius May 15 '23 at 07:29
  • Shouldn't an admin be able to configure the dotnet app such that it runs with elevated privileges anytime the non-admin end user runs it? – Good Night Nerd Pride May 15 '23 at 07:29
  • @GoodNightNerdPride yes, but the application in question starts *another* one, `diskpart`, to make the modifications. The original application's permissions no longer apply. *Maybe* if the original application requested and got consent through UAC this would flow to any launched application as well. A better solution would be to use the correct API to format/repartition the USB drive though. – Panagiotis Kanavos May 15 '23 at 07:31
  • I suspect this question was caused by following the "easy" answer in SO questions like [this one](https://stackoverflow.com/questions/33120387/formatting-usb-drives-programmatically) - start another app like `format` or `diskpart` instead of using the actual APIs. That will always require extra consent and isn't even a bad idea - let the main app do "normal" stuff and only require consent when dangerous operations are required. – Panagiotis Kanavos May 15 '23 at 07:44
  • 1
    Disk utilities like Windows' own Disk Management don't launch `format` or `diskpart`, they use the proper APIs like [MSFT_Volume.Format](https://learn.microsoft.com/en-us/windows-hardware/drivers/storage/format-msft-volume). The root application could do the same, and either get consent every time it launches or use a manifest requiring permission during installation – Panagiotis Kanavos May 15 '23 at 07:46
  • @JHBonarius Yes, I already did that. My service implements an `OnStart()` method. Within that method, I want to call the process, e.g. diskpart.exe. But how can I call e.g. diskpart.exe within the service from outside? Do I stop and restart the service every time with a new start parameter, or how should I call my process? – curious_evolution May 15 '23 at 08:08
  • @Good Night Nerd Pride My application itself does not run with administrator permissions. – curious_evolution May 15 '23 at 08:10
  • @Panagiotis Kanavos I want to delete not only a volume, but the entire storage medium. It may be that the storage medium has several partitions. And finally only one partition should exist. – curious_evolution May 15 '23 at 08:13
  • @curious_evolution Then you are basically asking for an exploit to do privilege escalation in a dotnet app. I hope that's not your intention, but you should understand that an app must never be allowed to execute code which requires higher privileges than it is being run with. Maybe there is a way by deploying admin credentials within your app, but I think you also understand how this presents security risk. – Good Night Nerd Pride May 15 '23 at 13:55
  • I use `sc sdset` to change the permissions of a service, i.e. who can start/stop the service as a normal user. The service itself runs with system user permissions. With that I can now start a service as a normal user, which can start a process with the appropriate parameters. Thanks all for your help! – curious_evolution May 16 '23 at 12:55

1 Answer

0

What you can do is query the admin rights for your application at startup, see this answer on how to do that (add `<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />` to your application manifest).

Of course, that requires that the user gives consent to run your application (or provides an admin password at startup), but if your C# application runs as admin, it will be possible to start other applications requiring admin permissions (such as diskpart) to run without further queries.

The hint with the task scheduler won't work so easily, because configuring the task scheduler for certain actions will also require admin rights. The only thing you could try is to prepare a task during application installation (as admin) and then start that task later as non-admin. That could work.

PMF
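An added example, not code from the question, the comments or the answer: whichever elevated component ends up launching diskpart (a service running as SYSTEM or a task registered at install time), it should accept only a disk number from the unprivileged caller and build the diskpart script itself. `WipeHelper`, `WipeRemovableDisk` and the exFAT format line are assumptions; the disk is checked through the `MSFT_Disk` storage WMI class, where `BusType` 7 means USB.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Management; // add a reference to System.Management.dll

static class WipeHelper
{
    // Hypothetical entry point for the elevated side (service or scheduled task).
    // The only value taken from the unprivileged caller is a disk number.
    public static int WipeRemovableDisk(string requestedDisk)
    {
        if (!uint.TryParse(requestedDisk, out uint number))
            throw new ArgumentException("Disk number must be a non-negative integer.");

        // Refuse any disk that is not on the USB bus or that holds the boot/system volume.
        bool allowed = false;
        var scope = new ManagementScope(@"\\.\root\Microsoft\Windows\Storage");
        using (var searcher = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT * FROM MSFT_Disk")))
        foreach (ManagementObject disk in searcher.Get())
        {
            if (Convert.ToUInt32(disk["Number"]) != number) continue;
            allowed = Convert.ToUInt16(disk["BusType"]) == 7 // 7 = USB
                      && !Convert.ToBoolean(disk["IsBoot"])
                      && !Convert.ToBoolean(disk["IsSystem"]);
        }
        if (!allowed)
            throw new InvalidOperationException("Disk " + number + " is not an erasable USB disk.");

        // Fixed script template: only the validated integer is interpolated.
        string script = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N") + ".txt");
        File.WriteAllLines(script, new[] {
            "select disk " + number, "clean", "create partition primary",
            "format fs=exfat quick", "assign" }); // file system choice is an assumption
        try
        {
            var psi = new ProcessStartInfo
            {
                // Full path, so a planted diskpart.exe on PATH is never picked up.
                FileName = Path.Combine(Environment.SystemDirectory, "diskpart.exe"),
                Arguments = "/s \"" + script + "\"",
                UseShellExecute = false, CreateNoWindow = true
            };
            using (var p = Process.Start(psi)) { p.WaitForExit(); return p.ExitCode; }
        }
        finally { File.Delete(script); }
    }
}
```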