Start admin tool from a non-admin user program

2

I'm currently migrating an application to make it compatible with the UAC. This application is provided to non-admin users so that they can perform very focused administrative tasks (restart one service, run installer update...).

I carefully read Chris Jackson's blog entry and I created a bootstrapper:

  • Application A (elevation irrelevant)
  • CreateProcessWithLogonW (uses an admin account) that starts a Bootstrapper (asInvoker)
  • ShellExecute(Ex) that starts Application B (requireAdministrator)

Here is how I adapted this blog for my context:

  1. Application A starts the bootstrapper with the following call:

    var processStartInfo = new ProcessStartInfo("ApplicationA")
    {
        WorkingDirectory = "Path to Application A",
        Arguments = "bootstrapper",
        UseShellExecute = false,
        UserName = credentials.UserName,
        Password = credentials.Password,
        Domain = credentials.Domain,
        CreateNoWindow = true
    };
    var p = Process.Start(processStartInfo);
    
  2. Bootstrapper is the same executable as Application A and is started with the asInvoker elevation as defined in a manifest file. It is started with a parameter that tells Program.cs that the process has been started in the bootstrapper mode. It is not using the ShellExecute mode (as explained in the blog... so that we can start the process with another account). Here is the code snippet in Program.cs that starts Application B:

    if (Environment.GetCommandLineArgs().Any(a => "bootstrapper".Equals(a)))
    {
        var processStartInfo = new ProcessStartInfo(fileName)
        {
            WorkingDirectory = Path.GetDirectoryName(fileName),
            Verb = "runas", // Tried with or without runas...
            UseShellExecute = true
        };
        var p = Process.Start(processStartInfo);
    }
    
  3. Application B is started with the requireAdministrator through its manifest file.

It works just fine on Windows Server 2012 R2 but it doesn't under Windows 7 unless I open another session simultaneously with the admin account. This means that unless I have two active sessions (one for the current user, and one for the admin user) the bootstrapper fails at calling the ShellExecute on Windows 7 but not on Windows Server 2012 R2. Here is the error message I'm getting under Windows 7:

    System.ComponentModel.Win32Exception (0x80004005): Unknown error (0xfffffffe)
       à System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
       à System.Diagnostics.Process.Start()
       à System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
       à ProgramA.Program.StartBootstrapper() dans c:\...\Program.cs:ligne 82

Do you know if there is any magic policy rule that must be turned on? Or if I were using the Win32 APIs directly there would be a flag that might fix this problem?

.net
security
uac
asked on Stack Overflow Mar 25, 2015 by frblondin • edited Mar 25, 2015 by frblondin
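
To compare the two operating systems, each stage of the chain described in the question (Application A, the bootstrapper, Application B) can log which account, session and UAC token type it actually runs with. This is an added diagnostic example, not code from the original post; `TokenProbe`, `Describe` and the stage labels are hypothetical names.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenProbe
{
    // Values of TOKEN_ELEVATION_TYPE from winnt.h.
    enum ElevationType { Default = 1, Full = 2, Limited = 3 }

    // TOKEN_INFORMATION_CLASS.TokenElevationType from winnt.h.
    const int TokenElevationTypeClass = 18;

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // Describes the identity, session and UAC state of the calling process.
    public static string Describe(string stage)
    {
        using (var identity = WindowsIdentity.GetCurrent())
        using (var self = Process.GetCurrentProcess())
        {
            int raw, returned;
            if (!GetTokenInformation(identity.Token, TokenElevationTypeClass,
                    out raw, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // True only when the Administrators group is enabled in this token.
            bool isAdmin = new WindowsPrincipal(identity)
                .IsInRole(WindowsBuiltInRole.Administrator);

            return string.Format(
                "{0}: user={1} session={2} interactive={3} elevation={4} adminRole={5}",
                stage, identity.Name, self.SessionId,
                Environment.UserInteractive, (ElevationType)raw, isAdmin);
        }
    }

    static void Main(string[] args)
    {
        // Hypothetical usage: pass a stage label such as "A", "bootstrapper" or "B".
        Console.WriteLine(Describe(args.Length > 0 ? args[0] : "unlabelled"));
    }
}
```

With UAC enabled, `Limited` means the process holds the filtered half of a split administrator token, `Full` the elevated half, and `Default` that the account has no split token. Since the bootstrapper is started with `CreateNoWindow = true`, write the string to a log file rather than the console when calling `Describe` from it.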

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0