8

For some reason, my C# program needs to restart with elevated privileges. I use the following code to achieve it:

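```csharp
using System.Diagnostics;
using System.Reflection;

private static void RestartForPermissionsFix()
{
    ProcessStartInfo processInfo = new ProcessStartInfo();
    // "runas" asks the shell to start the process elevated (UAC prompt).
    processInfo.Verb = "runas";
    // Verbs are only honored when the shell performs the launch.
    processInfo.UseShellExecute = true;
    processInfo.FileName = Assembly.GetExecutingAssembly().Location;

    Process.Start(processInfo);
}
```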

This works great.

After I "fix my privileges", I want to restart the program unelevated. I tried the same as above without the "runas", but it does not work. I assume the process being started from an elevated process automatically gets elevated. Any idea?

Sven
coffee_machine

2 Answers

11

In order to launch a process at medium integrity from a high integrity process, I believe you would have to get the current process token using OpenProcessToken, duplicate it, remove the high integrity SID from the token using SetTokenInformation, and then use that token to create the new process using CreateProcessAsUser. This would be similar to this example, except rather than add the low integrity SID you'd have to remove the high integrity one. Note: I haven't tested this, so I'm not 100% sure it would work.

I suggest you leave the original unelevated process running, and have it wait for its elevated counterpart to finish (e.g. using Process.WaitForExit). Once that finishes, it can continue unelevated as before. This would be a lot easier and more foolproof.

Sven
  • I second the idea of letting the first (unelevated) process run and resuming it when the second (elevated) process has finished (you could use `Process.WaitForExit()`). – Otiel Jul 18 '11 at 16:12
  • Thanks Sven. Of course your suggestion is a lot simpler. I refactored my program a little bit so that there's no problem having two instances running in parallel. – coffee_machine Jul 18 '11 at 16:37
  • @coffee_machine: One additional bit of info: one of the reasons why re-launching unelevated would be a bad idea is if the user is an actual limited user. In that case elevation executes the process in a different account and you'd have to somehow figure out what the original account was to launch the process using those credentials. I myself run in that configuration. – Sven Jul 18 '11 at 17:08
  • `elevation executes the process in a different account` - Raymond [explains what to do in this situation](http://blogs.msdn.com/b/oldnewthing/archive/2013/11/18/10468726.aspx). – GSerg Feb 11 '14 at 00:34
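
The approach recommended in the answer above, as an added example that is not part of the original posts: the unelevated instance starts an elevated copy of itself, waits for it with `Process.WaitForExit`, then carries on unelevated. The `--fix-permissions` switch, the `FixPermissions` placeholder and the exit codes are hypothetical, and the .NET Framework on Windows is assumed.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Reflection;
using System.Security.Principal;

static class Program
{
    const string FixArg = "--fix-permissions"; // hypothetical switch for the elevated child
    static int Main(string[] args)
    {
        if (args.Length > 0 && args[0] == FixArg)
        {
            if (!IsElevated()) return 2;   // never run the privileged step unelevated
            FixPermissions();
            return 0;
        }
        // Unelevated parent: it stays alive, so nothing has to be "de-elevated".
        int? code = RunElevatedAndWait();
        Console.WriteLine(code == 0 ? "Fix applied." : "Fix not applied.");
        return 0;                          // normal unelevated work continues from here
    }

    static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    static int? RunElevatedAndWait()
    {
        var psi = new ProcessStartInfo
        {
            FileName = Assembly.GetExecutingAssembly().Location,
            Arguments = FixArg,
            Verb = "runas",                // triggers the UAC prompt
            UseShellExecute = true         // verbs only apply to shell launches
        };
        try
        {
            using (Process p = Process.Start(psi))
            {
                if (p == null) return null;
                p.WaitForExit();
                return p.ExitCode;
            }
        }
        catch (Win32Exception) { return null; } // e.g. the user declined the UAC prompt
    }
    static void FixPermissions() { /* placeholder: the privileged work goes here */ }
}
```

Keeping the elevated branch limited to the one privileged task means the rest of the program never runs with an administrator token.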
2

I had the same problem with an application that I wanted to update automatically (the update program requires elevated privileges).

What I did was create an external .exe that would start my updater program with elevated privileges, wait for it to exit, then restart my application with normal privileges.

I then embedded this .exe in my main application, and I start this .exe just before leaving my application when I update it.

Otiel