How to elevate integrity level of a process

[Darshan Tilak]

Hi,

I have written an application (win32 exe) that calls GetActiveObject() to
get an object of Microsoft Excel. I use a batch file to launch this exe.
This worked fine on XP, but the call returns a failure when used on Windows
Vista. I found some answers for the same that suggest to elevate the process
integrity level.

So I have the following questions:
-- How to elevate a processs integrity level? (where can i find the relevent
information?)
-- Will I have to change my application code to achieve this?
-- Can a not simply make changes to the batch file, that calls the exe, to
elevate the process integrity level?


(I hope this is the right forum to ask this question. It will be really
helpful if anyone can point me in the right direction.)

Thanks,
Darshan

 

[Pete Delgado]

Re: How to elevate integrity level of a process


"Darshan Tilak" <darshan_tilak@persistent.co.in> wrote in message
news:e8JiZkaMIHA.5300@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I have written an application (win32 exe) that calls GetActiveObject() to
> get an object of Microsoft Excel. I use a batch file to launch this exe.
> This worked fine on XP, but the call returns a failure when used on
> Windows Vista. I found some answers for the same that suggest to elevate
> the process integrity level.
>
> So I have the following questions:
> -- How to elevate a processs integrity level? (where can i find the
> relevent information?)
> -- Will I have to change my application code to achieve this?
> -- Can a not simply make changes to the batch file, that calls the exe, to
> elevate the process integrity level?
>
>
> (I hope this is the right forum to ask this question. It will be really
> helpful if anyone can point me in the right direction.)

http://msdn2.microsoft.com/en-us/library/bb625964.aspx

I'm not sure that integrity levels are your problem though unless you are
running the batch file as another user or you are running it as a scheduled
task.

http://blogs.msdn.com/michael_howar...ok-writing-secure-code-for-windows-vista.aspx

The above book is pretty good at explaining the basics, but there are many
details left out...

-Pete

 

[Toad]

Re: How to elevate integrity level of a process

Darshan Tilak wrote:

> Hi,
>
> I have written an application (win32 exe) that calls
> GetActiveObject() to get an object of Microsoft Excel. I use a batch
> file to launch this exe. This worked fine on XP, but the call
> returns a failure when used on Windows Vista. I found some answers
> for the same that suggest to elevate the process integrity level.
>
> So I have the following questions:
> -- How to elevate a processs integrity level? (where can i find the
> relevent information?) -- Will I have to change my application code
> to achieve this? -- Can a not simply make changes to the batch file,
> that calls the exe, to elevate the process integrity level?
>
>
> (I hope this is the right forum to ask this question. It will be
> really helpful if anyone can point me in the right direction.)
>
> Thanks,
> Darshan

Hi there,

I just got Vista by virtue of a new machine and was playing around with
UAC. Unfortunately, the runas command provided does not elevate rights
as does the Run as Administrator on the contecxt menu.

Anyway, I have compiled up shellas.exe which just calls ShellExecute
API with the runas verb as one of the parameters - this isn't different
than in XP.

So, now I can type shellas somecommand in the Run dialog and not have
to find the exe and right click on it... The command will run with
elevated rights as the user you select in the dialog.

I have gone a step further. In XP, I run as a limited user, but once I
log in, I become an administrator, so that I can optionally run
processes that need admin rights as myself and not another user (e.g.
installs). Upon, logoff I am depricated to a limited user again for the
next time.

I have now dome something similar in Vista, but it works subtley
different and isn't really as necessary any more, but works to keep
myself a limited user until I logon.

Toad

--

 

[Darshan]

Re: How to elevate integrity level of a process

Thanks. That link did put some light on why the GetActiveObject method was
failing. But i need to find a method to make my application work without
modifying the code. This is important because the application was initially
developed targeting the earlier windows versions (2000/2003/XP). And it also
works fine on vista, but only with UAC turned off.

"""What i want is to make it run on vista, with UAC turned on."""

My application is an exe (myapp.exe) that uses a COM dll (from where i call
GetActiveObject()). The whole thing is packaged in an installer (setup.exe)
using Install Sheild 11.5 (this does not claim to have any support for
vista). The myapp.exe is run from a batch file, which executes right after
the installation procedure and at machine startup. (I do not want a pop-up
everytime myapp.exe runs. It is supposed to run in the background.)

Would embedding a manifest (as explained below) solve my problem?
Is there any other way to make my setup.exe (or its indivudial components)
compatible to vista, with UAC turned on?

I tried embedding a manifest in myapp.exe using the command "mt.exe
/manifest myapp.exe.manifest -outputresource:myapp.exe;1". But it is still
failing i.e. GetActiveObject() still returns a failure. And I also get a
"consent prompt" when I run myapp.exe. My login belongs to the
administrators group on my vista machine.

Following is the manifest file that I used to embed:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0"
processorArchitecture="X86"
name="myapp"
type="win32"/>
<description>application description</description>
<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
<ms_asmv2:security>
<ms_asmv2:requestedPrivileges>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator">
</ms_asmv2:requestedExecutionLevel>
</ms_asmv2:requestedPrivileges>
</ms_asmv2:security>
</ms_asmv2:trustInfo>
</assembly>

Any suggestions/pointers are welcome.

Thanks,
- Darshan

"Pete Delgado" <Peter.Delgado@noads.net> wrote in message
news:u%23KqJmgMIHA.5208@TK2MSFTNGP04.phx.gbl...
>
> "Darshan Tilak" <darshan_tilak@persistent.co.in> wrote in message
> news:e8JiZkaMIHA.5300@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> I have written an application (win32 exe) that calls GetActiveObject() to
>> get an object of Microsoft Excel. I use a batch file to launch this exe.
>> This worked fine on XP, but the call returns a failure when used on
>> Windows Vista. I found some answers for the same that suggest to elevate
>> the process integrity level.
>>
>> So I have the following questions:
>> -- How to elevate a processs integrity level? (where can i find the
>> relevent information?)
>> -- Will I have to change my application code to achieve this?
>> -- Can a not simply make changes to the batch file, that calls the exe,
>> to elevate the process integrity level?
>>
>>
>> (I hope this is the right forum to ask this question. It will be really
>> helpful if anyone can point me in the right direction.)
>
> http://msdn2.microsoft.com/en-us/library/bb625964.aspx
>
> I'm not sure that integrity levels are your problem though unless you are
> running the batch file as another user or you are running it as a
> scheduled task.
>
> http://blogs.msdn.com/michael_howar...ok-writing-secure-code-for-windows-vista.aspx
>
> The above book is pretty good at explaining the basics, but there are many
> details left out...
>
> -Pete
>
>
>
>
>