How to elevate integrity level of a process

[Darshan Tilak]

Hi,

I have written an application (win32 exe) that calls GetActiveObject() to
get an object of Microsoft Excel. I use a batch file to launch this exe.
This worked fine on XP, but the call returns a failure when used on Windows
Vista. I found some answers for the same that suggest to elevate the process
integrity level.

So I have the following questions:
-- How to elevate a processs integrity level? (where can i find the relevent
information?)
-- Will I have to change my application code to achieve this?
-- Can a not simply make changes to the batch file, that calls the exe, to
elevate the process integrity level?


(I hope this is the right forum to ask this question. It will be really
helpful if anyone can point me in the right direction.)

Thanks,
Darshan

 

[Pete Delgado]

Hi,

I have written an application (win32 exe) that calls GetActiveObject() to
get an object of Microsoft Excel. I use a batch file to launch this exe.
This worked fine on XP, but the call returns a failure when used on
Windows Vista. I found some answers for the same that suggest to elevate
the process integrity level.

So I have the following questions:
-- How to elevate a processs integrity level? (where can i find the
relevent information?)
-- Will I have to change my application code to achieve this?
-- Can a not simply make changes to the batch file, that calls the exe, to
elevate the process integrity level?


(I hope this is the right forum to ask this question. It will be really
helpful if anyone can point me in the right direction.)

http://msdn2.microsoft.com/en-us/library/bb625964.aspx

I'm not sure that integrity levels are your problem though unless you are
running the batch file as another user or you are running it as a scheduled
task.

http://blogs.msdn.com/michael_howar...ok-writing-secure-code-for-windows-vista.aspx

The above book is pretty good at explaining the basics, but there are many
details left out...

-Pete

 

[Toad]

Hi,

I have written an application (win32 exe) that calls
GetActiveObject() to get an object of Microsoft Excel. I use a batch
file to launch this exe. This worked fine on XP, but the call
returns a failure when used on Windows Vista. I found some answers
for the same that suggest to elevate the process integrity level.

So I have the following questions:
-- How to elevate a processs integrity level? (where can i find the
relevent information?) -- Will I have to change my application code
to achieve this? -- Can a not simply make changes to the batch file,
that calls the exe, to elevate the process integrity level?


(I hope this is the right forum to ask this question. It will be
really helpful if anyone can point me in the right direction.)

Thanks,
Darshan

Hi there,

I just got Vista by virtue of a new machine and was playing around with
UAC. Unfortunately, the runas command provided does not elevate rights
as does the Run as Administrator on the contecxt menu.

Anyway, I have compiled up shellas.exe which just calls ShellExecute
API with the runas verb as one of the parameters - this isn't different
than in XP.

So, now I can type shellas somecommand in the Run dialog and not have
to find the exe and right click on it... The command will run with
elevated rights as the user you select in the dialog.

I have gone a step further. In XP, I run as a limited user, but once I
log in, I become an administrator, so that I can optionally run
processes that need admin rights as myself and not another user (e.g.
installs). Upon, logoff I am depricated to a limited user again for the
next time.

I have now dome something similar in Vista, but it works subtley
different and isn't really as necessary any more, but works to keep
myself a limited user until I logon.

Toad

--

 

[Darshan]

Thanks. That link did put some light on why the GetActiveObject method was
failing. But i need to find a method to make my application work without
modifying the code. This is important because the application was initially
developed targeting the earlier windows versions (2000/2003/XP). And it also
works fine on vista, but only with UAC turned off.

"""What i want is to make it run on vista, with UAC turned on."""

My application is an exe (myapp.exe) that uses a COM dll (from where i call
GetActiveObject()). The whole thing is packaged in an installer (setup.exe)
using Install Sheild 11.5 (this does not claim to have any support for
vista). The myapp.exe is run from a batch file, which executes right after
the installation procedure and at machine startup. (I do not want a pop-up
everytime myapp.exe runs. It is supposed to run in the background.)

Would embedding a manifest (as explained below) solve my problem?
Is there any other way to make my setup.exe (or its indivudial components)
compatible to vista, with UAC turned on?

I tried embedding a manifest in myapp.exe using the command "mt.exe
/manifest myapp.exe.manifest -outputresource:myapp.exe;1". But it is still
failing i.e. GetActiveObject() still returns a failure. And I also get a
"consent prompt" when I run myapp.exe. My login belongs to the
administrators group on my vista machine.

Following is the manifest file that I used to embed:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0"
processorArchitecture="X86"
name="myapp"
type="win32"/>
<description>application description</description>
<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
<ms_asmv2:security>
<ms_asmv2:requestedPrivileges>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator">
</ms_asmv2:requestedExecutionLevel>
</ms_asmv2:requestedPrivileges>
</ms_asmv2:security>
</ms_asmv2:trustInfo>
</assembly>

Any suggestions/pointers are welcome.

Thanks,
- Darshan