Start process with local user

Adagio

As probably many have done before me, I'm trying to start another application with elevated rights. I have tried many different things, but so far I have only gotten it working with domain Administrators.

Here's the code I have seen posted most places:


VB.NET:
    Imports System.Security        ' SecureString
    Imports System.Windows.Forms   ' MessageBox

    Function ConvertToSecureString(ByVal str As String) As SecureString
        Dim password As New SecureString
        For Each c As Char In str.ToCharArray
            password.AppendChar(c)
        Next
        Return password
    End Function

    Public Sub DoSomething()
        Dim process As System.Diagnostics.Process = Nothing
        Dim processStartInfo As System.Diagnostics.ProcessStartInfo

        processStartInfo = New System.Diagnostics.ProcessStartInfo()

        processStartInfo.FileName = "C:\Windows\System32\cmd.exe"

        ' Note: Verb is only honoured when UseShellExecute = True; it is set to False below.
        If System.Environment.OSVersion.Version.Major >= 6 Then ' Windows Vista or higher
            processStartInfo.Verb = "runas"
        Else
            ' No need to prompt to run as admin
        End If

        ' UserName/Password require UseShellExecute = False
        processStartInfo.UserName = "SomeLocalAdmin"
        processStartInfo.Password = ConvertToSecureString("SuperSecurePassword")
        processStartInfo.UseShellExecute = False

        Try
            process = System.Diagnostics.Process.Start(processStartInfo)
        Catch ex As Exception
            MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
        Finally
            If Not (process Is Nothing) Then
                process.Dispose()
            End If
        End Try
    End Sub

The above code doesn't work. It does start cmd.exe as the local administrator (which I tested by going through cmd to C:\Users\SomeLocalAdmin; this I was allowed to do in cmd. If I started cmd as the user I'm currently logged in with, I would of course not be allowed to go there). It does start the file as this administrator, but for some reason I'm not getting Administrator rights (which I tested by going to C:\Windows\ and running the command "md test" to make a new directory. If I started the application by right-clicking on cmd.exe and used "run as" and logged in as SomeLocalAdmin, I was allowed to do this).


The bottom line is: I can only run an application with elevated rights if I use a domain Admin, but if I do it as a local Admin I'm not getting any admin rights.

The problem is that where this program needs to run, there is no domain. It's just some normal home computer that just needs to be allowed to run a certain program as Administrator.

Of course I'm not going to let the application start cmd.exe with Administrator, that's just the program I'm using to test.
 
There's a name for a program which forces itself to run as Administrator and it's not a nice one! What's the point of having a security system which you can just program away? It is for the local computer to determine first whether the current user has administrative rights and then whether they have chosen to use them in running your program. If your program only works when run as administrator then that is information you have to impart to the user allowing them to decide whether to continue or not. It is not for you to rob the user of any say in the matter!
 
I know what you're getting at, but the problem is that this app that needs to run with Administrator rights is needed for our users to do their job. The only other option we have is to give our users the Administrator password of their work computer, but for obvious reasons that's not a good idea.
And it's not like we're just bypassing the security system, as we do have the Administrator password. It's basically the same as if the user right-clicks on this application and clicks "run as", except instead of it popping up with a dialog box telling you to insert username+password, our application will give the correct username+password.
 
You could have an ActiveDirectory account that has local admin rights on PCs on the domain. Then use impersonation within the application to impersonate that account while doing specific actions. This works fine on domain based setups. The problem with non-domain based setups is the local admin password will differ from PC to PC. If you are meaning elevated rights with bypassing the admin password altogether, then as far as I am aware that is not possible. As Dunfiddlin said, it would pretty much render OS security useless.

You could however force the user to elevate the application to admin level on start.
 
"Then use impersonation within the application to impersonate that account while doing specific actions"

Except that it's not our application that needs administrator rights, it's a 3rd party application which we trust.

"The problem with non-domain based setups is the local admin password will differ from PC to PC."

Which is fine for us, considering we do have the Administrator passwords for all the PCs which need this application.

"If you are meaning elevated rights with bypassing the admin password altogether, then as far as I am aware that is not possible. As Dunfiddlin said, it would pretty much render OS security useless."

As mentioned above a few times, this is not the case. We do have the Administrator password, so no need to bypass the security. We basically just want to tell ApplicationX to run with the administrator account using this username and this password.

"You could however force the user to elevate the application to admin level on start."

That would unfortunately require us giving the Administrator password to our users, which of course we're not willing to do.
 
Why not write a little console application which just calls runas on the application and provides the credentials for local admin in the background? This way the user never needs to see the password and you can just maintain a datasource with admin credentials?
 
First off, WHY does the application need elevated privileges? Most times, answering this question solves your problem, as 95% of applications do not need them.

Secondly, what specific permissions does the application need? What is normally done when a specific permission is needed for a bunch of existing users, is you create a usergroup with the appropriate permissions, and you add the users that need to use the app to it in AD.

I am assuming here what you need for the app is one or two permissions to network shares or local folders users don't normally have access to. There is no need for administrative rights here, nor elevated privileges. Just create a group called "MyAppUsers" for example, give it ALLOW permissions for whatever you specifically need, and add users Aaron, Suzie, Tom and John to that group. They will continue to log on with their user and password; it will be completely transparent to them.
 
There is no AD though, he said it's standalone machines off the domain. I agree though that he should ask why it needs admin. Service account or user group makes sense, but would need to be manually added to each machine if there is no network.

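The group-based approach suggested in the two posts above, applied to a standalone machine with no domain, as an added example that is not code from anyone in the thread. The group and user names are the ones mentioned in the thread, assumed here to be local accounts; the folder path is hypothetical, since the thread never says which resource the application needs.

```powershell
#Requires -RunAsAdministrator
# Added example: run once per machine by an administrator. Values are assumptions.
$GroupName = 'MyAppUsers'                      # group name suggested in the thread
$Members   = 'Aaron', 'Suzie', 'Tom', 'John'   # users named in the thread, assumed local
$AppData   = 'C:\ProgramData\ApplicationX'     # hypothetical folder the app writes to

if (-not (Test-Path -Path $AppData -PathType Container)) {
    throw "Folder '$AppData' does not exist; nothing to grant access to."
}

# Create the local group once; the script is safe to re-run.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Users allowed to run ApplicationX' | Out-Null
}

# Add only accounts that exist on this machine and are not members yet.
$current = (Get-LocalGroupMember -Group $GroupName).Name
foreach ($user in $Members) {
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        Write-Warning "Local user '$user' not found, skipping"
    } elseif ($current -notcontains "$env:COMPUTERNAME\$user") {
        Add-LocalGroupMember -Group $GroupName -Member $user
    }
}

# Grant Modify on that one folder only, inherited by its files and subfolders.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $AppData
$acl.AddAccessRule($rule)
Set-Acl -Path $AppData -AclObject $acl

# List the group's entries on the folder so the change can be reviewed.
(Get-Acl -Path $AppData).Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

Users pick up the new group membership at their next logon. No administrator password is stored in or passed through any program with this approach.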
 
"First off, WHY does the application need elevated privileges? Most times, answering this question solves your problem, as 95% of applications do not need them."

I don't know the specifics; our system administrators know more about it and they said it's not possible to only give them permission to do this specific thing. But I agree, in most cases when it looks like something needs admin rights, it doesn't actually need it but just asks for it to be on the safe side.

"Why not write a little console application which just calls runas on the application and provides the credentials for local admin in the background? This way the user never needs to see the password and you can just maintain a datasource with admin credentials?"

That might be an option.
 