Search code examples
c#securityhidelevated-privilegesaccess-rights

How to elevate account on start / install with standard user?

Is it possible to enable /disable touchscreen trough hid (Human Interface Devices in "Control Panel\All Control Panel Items\Device Manager") with standard user right (without elevated-privileges / admin access-rights) ?
I'm programing an application in C#. If I don't start my application trough "run as" on Visual Studio, security is blocking access.

What are my alternatives with my current setup / limitation:

  • Standard user (basic right)
  • Admin account with password in a secure encrypted file.
  • The standard user cannot grant permission trough UAC because he don't have right.
  • Using this code to check if user have elevated/admin right: return new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator);

Currently tested and not working:

  1. Process with startInfo.Verb = "runas"; Standard user can't accept UAC to run a process that require admin privilege / elevated. Elevating process privilege programmatically?

  2. App.manifest: Standard user can't accept UAC to run an app that require admin privilege / elevated. How do I force my .NET application to run as administrator?

Potential alternatives ?

  1. ACL ???
  2. App.manifest: with an install.msi from my "IT team packager with Zenwork or SCCM" to deploy it on computers user ?
  3. Service that run as "local service" or "system" and an app to call methods of service with an install.msi from my "IT team packager with Zenwork or SCCM" to deploy it on computers user ?
Solution

  • If you don't want to prompt the UAC in the moment of the administrative operation (using runas), or on every program start (via manifest), you need to create a Service or a Scheduled Task once, at first program setup. A lot of programs use this technique such as Chrome for updates, which normally don't require elevated privileges but for few occasional operations.

    Choosing the service method means that you must implement an IPC mechanism for example via named pipe so the low privilege program can talk to the service and ask to execute the desired operation. Keep in mind that the service will always run in background and you shouldn't expose too much permissive operations otherwise other malicious programs could use your service to elevate themselves, or you'll need also an authentication method.

    For the scheduled task you could use the same executable with a command line argument like /disabletouch. You only need to manually trigger the task from the low privilege instance. There are the TaskScheduler COM interface (some open-source wrappers exists around it) and the schtasks tool that allow task creation and manual triggers. The task can be created for running as Administrator or SYSTEM account. As for the service allow only strict and harmless elevated operations to prevent misuse.