如何在Windows 10上从提升的管理员上下文启动非提升的管理员进程？

Question

Is there an easy way to create a normal administrator process (not elevated) from an elevated administrator process? I am using Windows 10 pro. The situation is that I are trying to make some kind of deploy tools. The tool will be running with elevated administrator context in order to write files into "Program Files" ( and access other privileged resources). But one of the step is to invoke an external program. That program seems to have strange issues when created with elevated administrator privilege. We have to launch it in a non-elevated administrator context. I tried the approach in an MSDN blog, https://blogs.msdn.microsoft.com/winsdk/2010/05/31/dealing-with-administrator-and-standard-users-context it does not work at all.

Answer 1

Raymond Chen addressed this exact question on his "Old New Thing" blog on MSDN:

How can I launch an unelevated process from my elevated process and vice versa?

Going the other way is trickier. For one thing, it's really hard to munge your token to remove the elevation nature properly. And for another thing, even if you could do it, it's not the right thing to do, because the unelevated user may be different from the elevated user.

...

The solution here is to go back to Explorer and ask Explorer to launch the program for you. Since Explorer is running as the original unelevated user, the program (in this case, the Web browser) will run as Bob. This is also important in the case that the handler for the file you want to open runs as an in-process extension rather than as a separate process, for in that case, the attempt to unelevate would be pointless since no new process was created in the first place. (And if the handler for the file tries to communicate with an existing unelevated copy of itself, things may fail because of UIPI.)

Raymond uses IShellFolderViewDual and IShellDispatch2 to accomplish that ¹ :

#define STRICT
#include <windows.h>
#include <shldisp.h>
#include <shlobj.h>
#include <exdisp.h>
#include <atlbase.h>
#include <stdlib.h>

// FindDesktopFolderView incorporated by reference

void GetDesktopAutomationObject(REFIID riid, void **ppv)
{
 CComPtr<IShellView> spsv;
 FindDesktopFolderView(IID_PPV_ARGS(&spsv));
 CComPtr<IDispatch> spdispView;
 spsv->GetItemObject(SVGIO_BACKGROUND, IID_PPV_ARGS(&spdispView));
 spdispView->QueryInterface(riid, ppv);
}

void ShellExecuteFromExplorer(
    PCWSTR pszFile,
    PCWSTR pszParameters = nullptr,
    PCWSTR pszDirectory  = nullptr,
    PCWSTR pszOperation  = nullptr,
    int nShowCmd         = SW_SHOWNORMAL)
{
 CComPtr<IShellFolderViewDual> spFolderView;
 GetDesktopAutomationObject(IID_PPV_ARGS(&spFolderView));
 CComPtr<IDispatch> spdispShell;
 spFolderView->get_Application(&spdispShell);

 CComQIPtr<IShellDispatch2>(spdispShell)
    ->ShellExecute(CComBSTR(pszFile),
                   CComVariant(pszParameters ? pszParameters : L""),
                   CComVariant(pszDirectory ? pszDirectory : L""),
                   CComVariant(pszOperation ? pszOperation : L""),
                   CComVariant(nShowCmd));
}

int __cdecl wmain(int argc, wchar_t **argv)
{
 if (argc < 2) return 0;

 CCoInitialize init;
 ShellExecuteFromExplorer(
    argv[1],
    argc >= 3 ? argv[2] : L"",
    argc >= 4 ? argv[3] : L"",
    argc >= 5 ? argv[4] : L"",
    argc >= 6 ? _wtoi(argv[5]) : SW_SHOWNORMAL);

 return 0;
}

Open an elevated command prompt, and then run this program in various ways.

scratch http://www.msn.com/
Open an unelevated Web page in the user's default Web browser.

scratch cmd.exe "" C:\\Users "" 3
Open an unelevated command prompt at C:\\Users, maximized.

scratch C:\\Path\\To\\Image.bmp "" "" edit
Edit a bitmap in an unelevated image editor

¹ : the implementation of FindDesktopFolderView() is in another article on Raymond's blog:

Manipulating the positions of desktop icons :

void FindDesktopFolderView(REFIID riid, void **ppv)
{
 CComPtr<IShellWindows> spShellWindows;
 spShellWindows.CoCreateInstance(CLSID_ShellWindows);

 CComVariant vtLoc(CSIDL_DESKTOP);
 CComVariant vtEmpty;
 long lhwnd;
 CComPtr<IDispatch> spdisp;
 spShellWindows->FindWindowSW(
     &vtLoc, &vtEmpty,
     SWC_DESKTOP, &lhwnd, SWFO_NEEDDISPATCH, &spdisp);

 CComPtr<IShellBrowser> spBrowser;
 CComQIPtr<IServiceProvider>(spdisp)->
     QueryService(SID_STopLevelBrowser,
                  IID_PPV_ARGS(&spBrowser));

 CComPtr<IShellView> spView;
 spBrowser->QueryActiveShellView(&spView);

 spView->QueryInterface(riid, ppv);
}

Answer 2

Here is my version of Raymond Chen's code that adds error handling via C++ exceptions.

First we declare some helper functions for throwing std::system_error exception from HRESULT , converting a GUID to string and a RAII wrapper for COM initialization.

#include <windows.h>
#include <shldisp.h>
#include <shlobj.h>
#include <exdisp.h>
#include <atlbase.h>
#include <stdlib.h>
#include <iostream>
#include <system_error>

template< typename T >
void ThrowIfFailed( HRESULT hr, T&& msg )
{
    if( FAILED( hr ) )
        throw std::system_error{ hr, std::system_category(), std::forward<T>( msg ) };
}

template< typename ResultT = std::string >
ResultT to_string( REFIID riid )
{
    LPOLESTR pstr = nullptr;
    if( SUCCEEDED( ::StringFromCLSID( riid, &pstr ) ) ) 
    {
        // Use iterator arguments to cast from wchar_t to char if element type of ResultT is char.
        ResultT result{ pstr, pstr + wcslen( pstr ) };
        ::CoTaskMemFree( pstr ); pstr = nullptr;
        return result;
    }
    return {};
}

struct ComInit
{
    ComInit() { ThrowIfFailed( ::CoInitialize( nullptr ), "Could not initialize COM" ); }
    ~ComInit() { ::CoUninitialize(); }
    ComInit( ComInit const& ) = delete;
    ComInit& operator=( ComInit const& ) = delete;
};

This is followed by the functions that do the actual work. This is basically the same code as in Remy Lebeau's answer , but with added error handling (and my personal formatting style).

void FindDesktopFolderView( REFIID riid, void **ppv )
{
    CComPtr<IShellWindows> spShellWindows;
    ThrowIfFailed( 
        spShellWindows.CoCreateInstance( CLSID_ShellWindows ),
        "Could not create instance of IShellWindows" );

    CComVariant vtLoc{ CSIDL_DESKTOP };
    CComVariant vtEmpty;
    long lhwnd = 0;
    CComPtr<IDispatch> spdisp;
    ThrowIfFailed( 
        spShellWindows->FindWindowSW(
            &vtLoc, &vtEmpty, SWC_DESKTOP, &lhwnd, SWFO_NEEDDISPATCH, &spdisp ),
        "Could not find desktop shell window" );

    CComQIPtr<IServiceProvider> spProv{ spdisp };
    if( ! spProv )
        ThrowIfFailed( E_NOINTERFACE, "Could not query interface IServiceProvider" );

    CComPtr<IShellBrowser> spBrowser;
    ThrowIfFailed( 
        spProv->QueryService( SID_STopLevelBrowser, IID_PPV_ARGS(&spBrowser) ),
        "Could not query service IShellBrowser" );

    CComPtr<IShellView> spView;
    ThrowIfFailed( 
        spBrowser->QueryActiveShellView( &spView ),
        "Could not query active IShellView" );

    ThrowIfFailed( 
        spView->QueryInterface( riid, ppv ),
        "Could not query interface " + to_string( riid ) + " from IShellView" );
}

void GetDesktopAutomationObject( REFIID riid, void **ppv )
{
    CComPtr<IShellView> spsv;
    FindDesktopFolderView( IID_PPV_ARGS(&spsv) );

    CComPtr<IDispatch> spdispView;
    ThrowIfFailed( 
        spsv->GetItemObject( SVGIO_BACKGROUND, IID_PPV_ARGS(&spdispView) ),
        "Could not get item object SVGIO_BACKGROUND from IShellView" );
    ThrowIfFailed( 
        spdispView->QueryInterface( riid, ppv ),
        "Could not query interface " + to_string( riid ) + " from ShellFolderView" );
}

void ShellExecuteFromExplorer(
    PCWSTR pszFile,
    PCWSTR pszParameters = nullptr,
    PCWSTR pszDirectory  = nullptr,
    PCWSTR pszOperation  = nullptr,
    int nShowCmd         = SW_SHOWNORMAL)
{
    CComPtr<IShellFolderViewDual> spFolderView;
    GetDesktopAutomationObject( IID_PPV_ARGS(&spFolderView) );

    CComPtr<IDispatch> spdispShell;
    ThrowIfFailed( 
        spFolderView->get_Application( &spdispShell ),
        "Could not get application object from IShellFolderViewDual" );

    CComQIPtr<IShellDispatch2> spdispShell2{ spdispShell };
    if( !spdispShell2 )
        ThrowIfFailed( E_NOINTERFACE, "Could not query interface IShellDispatch2" );

    ThrowIfFailed( 
        spdispShell2->ShellExecute(
            CComBSTR{ pszFile },
            CComVariant{ pszParameters ? pszParameters : L"" },
            CComVariant{ pszDirectory ? pszDirectory : L"" },
            CComVariant{ pszOperation ? pszOperation : L"" },
            CComVariant{ nShowCmd } ),
        "ShellExecute failed" );
}

Usage example:

int main()
{
    try
    {
        ComInit init;
        ShellExecuteFromExplorer( L"http://www.stackoverflow.com" );
    }
    catch( std::system_error& e )
    {
        std::cout << "ERROR: " << e.what() << "\n"
            << "Error code: " << e.code() << std::endl;
    }
}

Additional notes:

When using this method, you may notice that the window of the launched application does not always come to the foreground, especially if it is already running. My workaround is to call AllowSetForegroundWindow( ASFW_ANY ) before the call to ShellExecuteFromExplorer() to enable the process to bring itself to the foreground (we can't specify a process ID because we don't know the process that will be launched beforehand).

Answer 3

The solution is a bit complex. Maybe you can not go from elevated administrator to non-elevated administrator directly by getting a kind of access token and passing it to createprocesswithtoken, But you can go one step further in another direction. You can go from elevated administrator to system account, which has even higher privilege. From system account privilege, you should be able to launch a process in a non-elevated administrator context. Search using keyword "impersonate" can give you a lot of examples. Then how to go from elevated administrator to system? You can only write a system service and create/start the service under elevated administrator context.

Answer 4

Here's the Raymond Chen method, with error handling, and no wretched exceptions.

#include <atlbase.h>
#include <Shlobj.h>

HRESULT FindDesktopFolderView(REFIID riid, void **ppv)
{
HRESULT hr;
CComPtr<IShellWindows> spShellWindows;
hr = spShellWindows.CoCreateInstance(CLSID_ShellWindows);
if(FAILED(hr))
    return hr;

CComVariant vtLoc { 0 };    // 0 = CSIDL_DESKTOP
CComVariant vtEmpty;
long lhwnd = 0;
CComPtr<IDispatch> spdisp;
hr = spShellWindows->FindWindowSW(&vtLoc, &vtEmpty, SWC_DESKTOP, &lhwnd, SWFO_NEEDDISPATCH, &spdisp);
if(FAILED(hr))
    return hr;

CComQIPtr<IServiceProvider> spProv{ spdisp };
if(!spProv)
    return E_NOINTERFACE;

CComPtr<IShellBrowser> spBrowser;
hr = spProv->QueryService(SID_STopLevelBrowser, IID_PPV_ARGS(&spBrowser));
if(FAILED(hr))
    return hr;

CComPtr<IShellView> spView;
hr = spBrowser->QueryActiveShellView(&spView);
if(FAILED(hr))
    return hr;

return spView->QueryInterface(riid, ppv);
}


HRESULT GetDesktopAutomationObject(REFIID riid, void **ppv)
{
HRESULT hr;
CComPtr<IShellView> spsv;
hr = FindDesktopFolderView(IID_PPV_ARGS(&spsv));
if(FAILED(hr))
    return hr;
if(!spsv)
    return E_NOINTERFACE;

CComPtr<IDispatch> spdispView;
hr = spsv->GetItemObject(SVGIO_BACKGROUND, IID_PPV_ARGS(&spdispView));
if(FAILED(hr))
    return hr;

return spdispView->QueryInterface(riid, ppv);
}


HRESULT ShellExecuteFromExplorer(PCWSTR pszFile, PCWSTR pszParameters, PCWSTR pszDirectory, PCWSTR pszOperation, int nShowCmd)
{
HRESULT hr;
CComPtr<IShellFolderViewDual> spFolderView;
hr = GetDesktopAutomationObject(IID_PPV_ARGS(&spFolderView));
if(FAILED(hr))
    return hr;

CComPtr<IDispatch> spdispShell;
hr = spFolderView->get_Application(&spdispShell);
if(FAILED(hr))
    return hr;

CComQIPtr<IShellDispatch2> spdispShell2{ spdispShell };
if(!spdispShell2)
    return E_NOINTERFACE;

// without this, the launched app is not moved to the foreground
AllowSetForegroundWindow(ASFW_ANY);

return spdispShell2->ShellExecute(
        CComBSTR{ pszFile },
        CComVariant{ pszParameters ? pszParameters : L"" },
        CComVariant{ pszDirectory ? pszDirectory : L"" },
        CComVariant{ pszOperation ? pszOperation : L"" },
        CComVariant{ nShowCmd } );
}