
Comments (4)

falahati commented on May 26, 2024

Well, that's the expected behavior.
You see, the section of the code you posted here is in a loop. What we are trying to do is to go through all processes and see if any of them are in limited mode and then start our process using their token. Now if you remove the check, you effectively removed the whole logic for this method and the process starts with the token of the first process it finds.
Unfortunately, copying the token of a limited process is the only way to execute an application in the limited environment while the parent process is already elevated. So if the library can't find an unelevated process to copy the token from, it SHOULD throw an error; as it does now.

What I can suggest is to put your code in a try {} catch{} block and capture the exception, then inform the user, execute the process normally, or use other methods like StartLimitedTask(). You can also use the StartWithShell() method if you don't care if the child process always ends up being limited. But this may also fail if the shell process is not running at the time.

from uachelper.

dgataric commented on May 26, 2024

That is clear to me, we didn't understand each other. What I did propose is to change that if from

                    {
                        var elevationType = Tokens.GetTokenElevationType(processIdentity.Token);
                        if (elevationType == TokenElevationType.Limited ||
                            (elevationType == TokenElevationType.Default &&
                             !new WindowsPrincipal(processIdentity).IsInRole(WindowsBuiltInRole.Administrator)))
                        {
                            return StartAndCopyProcessPermission(process, startInfo);
                        }
                    }

to

                    {
                        var elevationType = Tokens.GetTokenElevationType(processIdentity.Token);
                        if (elevationType == TokenElevationType.Limited ||
                            elevationType == TokenElevationType.Default )
                        {
                            return StartAndCopyProcessPermission(process, startInfo);
                        }
                    }

because in my case, there is only Administrator user with no password, and there is no linked token, so an elevation type will be default and an extracted user from a process identity shall be in Administrator group so that function StartAndCopyProcessPermission will never be executed. So I simply removed that role check from if.
Is this ok to you?
Best regards.

from uachelper.

falahati commented on May 26, 2024

I see your point, and you can change what part of the library you want in your local version or your fork. After all, this is an open source project. You don't need my permission for it.
What I am trying to do is to describe the logic of that block so you end up with the result you want instead of the result you expect.

There are three elevation types, Limited, Full and Default. Limited and Full types are only valid when the program is running under UAC SandBox and the Default is the elevation type you get when the program is not in the UAC SandBox (usually when UAC is disabled). With Default elevation you run your application with full user access, so if your user is an administrator, Default means elevated execution, not limited. The whole use of this method is to execute an application in limited mode and for that, I check if the user is not an administrator. By removing the check for the administrative role, you may end up with an elevated process instead of a limited one, so the method throws an exception, by design.

If this is what you want, why not simply capture the exception and start the process normally?

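var startInfo = new ProcessStartInfo(.......);
Process process = null;
try {
    // Try to start the child with a token copied from an unelevated process.
    process = UACHelper.StartLimited(startInfo);
} catch (InvalidOperationException) {
    // StartLimited failed: fall back to a normal start.
    process = Process.Start(startInfo);
}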

from uachelper.
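
The elevation-type logic described in the comment above, as an added example that is not part of the original thread and is not UACHelper's own code. `TokenCheck`, `ElevationType` and `IsEffectivelyLimited` are hypothetical names; the sketch reads the current process token through the Win32 `GetTokenInformation` call and assumes a C# 7 or later compiler.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper for illustration; not UACHelper's own code.
static class TokenCheck
{
    // Values of the Win32 TOKEN_ELEVATION_TYPE enumeration.
    enum ElevationType { Default = 1, Full = 2, Limited = 3 }

    // TOKEN_INFORMATION_CLASS.TokenElevationType
    const int TokenElevationTypeClass = 18;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // Decides whether a token with this elevation type runs limited.
    static bool IsEffectivelyLimited(ElevationType type, bool isAdmin)
    {
        switch (type)
        {
            case ElevationType.Limited: return true;   // filtered token under UAC
            case ElevationType.Full:    return false;  // elevated token under UAC
            default:                    return !isAdmin; // Default: full rights of the user
        }
    }

    static void Main()
    {
        using (var identity = WindowsIdentity.GetCurrent())
        {
            if (!GetTokenInformation(identity.Token, TokenElevationTypeClass,
                    out int raw, sizeof(int), out _))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            var type = (ElevationType)raw;
            bool isAdmin = new WindowsPrincipal(identity)
                .IsInRole(WindowsBuiltInRole.Administrator);

            // With UAC disabled and an administrator account this prints
            // "Default" with limited = False, the case discussed in this thread.
            Console.WriteLine($"type={type} admin={isAdmin} " +
                $"limited={IsEffectivelyLimited(type, isAdmin)}");
        }
    }
}
```

Logging this result before falling back to `Process.Start` records whether the child will inherit an elevated token.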

dgataric commented on May 26, 2024

I agree with you, that is behaviour I want. If a UAC is disabled, or in some case token can't be linked and elevation type is default and process can't run limited, I want it to start elevated.
Thanks for the solution.
Best regards.

from uachelper.
