UAC, are you high?

MSDN has a Starting Low Integrity Processes sample that creates a process with a Low IL and this works fine if the parent is running at Medium IL, but if the parent is running at High IL, UAC elevation no longer works. (The sample code does not talk about High IL parent, only Medium IL parents)

Windows does not seem to take the Integrity Level into account when checking for admin rights:
UAC Low IL Admin
When requesting elevation, it does not seem to check if Current IL < High IL and just assumes that any token that has a non-deny administrators group SID is elevated and starts the process with the wrong IL when it really should show the consent UI and force the IL to be >= High IL on the new process. Once we are in this state (Non-deny admin. group SID and IL < 0x3000) there is no way for us to elevate a child process or to get a higher IL!

It would probably come as a surprise to most people that the simple reg.exe command fails when the console has the "Administrator: " prefix and most admin check methods (IsUserAnAdmin(), TokenElevationType=TokenElevationTypeFull and TokenElevation: TokenIsElevated!=0) indicate that you are elevated! IsUserAnAdmin is only documented to check group membership and is a pre Vista API, but the other two are elevated token/privileges specific so either my definition of elevated is wrong, or there are some major bugs with the IL handling.

Advertisements

Tags: , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s