Jump to content
PawelPepe

Run process with normal user privileges from elevated process

Recommended Posts

Hi,

Here is a problem. 
I would like to run an application with normal user privileges from elevated process.
My installer (elevated process) is written in Delphi. It launches some programs at the end of installation.
Now, as Installer is elevated, lauched process is also elevated - we don't want this!

 

The goal is to launch non-elevated process from elevated installer process. So:
- Launch any application with normal user privileges
- Launch default web browser with given webpage
- Send email to given person (with protocol Sendto:)


As far as I know it can be done using Windows Explorer process. I couldn't find any Delphi code for that in Internet 😞 I only found C- based.
Here is one that suppose to work: https://www.appsloveworld.com/coding/delphi/48/createprocess-with-lower-privileges-than-the-caller

 

Could you please try to convert it into Delphi?

 

I tried, but without success (see below example).
There are some problems with pointers (I tried to do pointers typecasting - it compiled, but with access violation)...

For example: FindDesktopFolderView(IID_IShellView, spsv); --> FindDesktopFolderView(IID_IShellView, Pointer(spsv));
I am sure, this is not a way I should do.

 

Here is my code in simple project.
Source: https://www.dropbox.com/s/6ndno59brgbn6l0/ExecAsUser.zip?dl=1

 


Thanks in advance,
-Pawel

Share this post


Link to post

May be you can also use this: https://learn.microsoft.com/en-en/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken?redirectedfrom=MSDN

 

If you use a thread to launch the activities, you can set new lower privilege with "SetThreadToken" and after that launch what you need. If you don't use a thread you must use "NtSetInformationProcess" to set lower privilege to current application.

 

I use that very long time ago and I don't have any example at hand (and I don't know if it works now).

 

Bye

Edited by DelphiUdIT

Share this post


Link to post
2 hours ago, Der schöne Günther said:

Just saying: Your source is just a copy from @Remy Lebeau's original post on https://stackoverflow.com/a/37949303

@Der schöne Günther

Did you read my post?

No, my code is not a copy - this is C->Delphi translation. But, not working.

I din't write original code! I made delphi code based on linked code. To be clear.

-Pawel

 

@DelphiUdIT

Thanks, will check that out.

Edited by PawelPepe

Share this post


Link to post
Guest

Hi, perhaps this helps:

A long time ago, I've solved a similar problem differently.

I split the setup into two processes: 1. client with UI and 2. elevated server with no UI.
I used some modified old-style DataSnap code for inter-process communication which was easy at the time but that's just an implementation detail.
https://tondrej.blogspot.com/2007/06/datasnap-to-rescue.html

Share this post


Link to post

Once you run elevated you have access to the Scheduler, use Schtasks.exe to Create/Ru/Delete a task to run that app..
 

Share this post


Link to post

Yup, I am sure there are many different methods. I can not use any that need to pass login data (user name,password).

It seems the one I have (unfortunatelly in c) is the simplest. 

 

Ps: There is a simple way to do this without complication, just run explorer:

ShellExecuteW(0, 'open', 'explorer.exe', PWideChar(AFileNameToRun), '', SW_SHOW);

But, this can not send mail with default client... so the best is to run any app with normal user privileges.

Share this post


Link to post

Considering most of the installers known to me don't care about this particular issue, I would weigh cost against benefit and end up letting it go. But then again, I'm not nearly as ambitious as I used to be 10 years ago.

Share this post


Link to post
4 hours ago, PawelPepe said:

But, this can not send mail with default client... so the best is to run any app with normal user privileges.

Not so simple then, I've not seen running code that executes with identical integrity, tokens and access..
A few posts on SO claim to have solved it but the Scheduler works so I've found no need to retest all for that..

 

ShellRun('Open', 'Schtasks', '/Create /F /SC ONCE /TN taskname /TR "<cmd>" /ST 00:00', swHide);
ShellRun('Open', 'Schtasks', '/Run /TN taskname', swHide);
ShellRun('Open', 'Schtasks', '/Delete /F /TN taskname', swHide);

Add some error checking and it works..

 

  • Thanks 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×