Process owner, Elevation state, and Integrity level do not always ensure the proper permissions about uachelper HOT 2 CLOSED

This is true, however, ACL is not a single property as you can clearly see in the picture but rather contains detailed access permissions. What permission should we choose to return a simple boolean value indicating if a user has admin access? Currently, we are only checking if the user is a member of the built-in administrator group. However in theory a user can be a member of another group with the same level of access in which case this library returns a false negative. This could also happen in reverse but that's quite implausible. In any case, what is done now actually should be sufficient for 99% percent of users on 99% percent of machines.

On the other hand, ACL and user permission has nothing to do directly with the UAC. UAC is just virtualization on top of actual user access of the owner and since it is actually not possible to run an unelevated process from an elevated one, you need to either copy the token of another unelevated process or use other workarounds. This library uses Task Scheduler and the token of explorer process to do so (two methods for the library user to choose from). The word "elevated" here is used in regard to the UAC behavior.

So this makes things complicated as to what to do; what are you suggesting to be done to make the library more useful but still keep it relatively easy to use and understand?

from uachelper.

On the other hand, ACL and user permission has nothing to do directly with the UAC.

Indeed. I'd only realized after opening this issue that ACL comparisons and management are outside the scope of this project. I'm sorry for er...barking up the tree. Although this library does check some ACLs, I understand that its primary use is to determine if a process is considered "Elevated".

On the bright-ish side, this exposed an issue I have with .NET; it has little or no functionality for accessing and manipulating ACLs with resorting to WMI or PInvoke.

For the library I'm working on, I'd need to know if the current process has a certain set of permissions to a given filesystem path. If the process does not have permission, it would need to either change the filesystem object's ACLs or start a child process with the needed ACLs to complete the task.

P.S. thank you for your time and hard work maintaining a C# port of the UACHelper library!

from uachelper.