Are processes launched by elevated processes themselves elevated?

QUESTION :

I have a program that launches a browser window when a user performs certain actions. My program requires Administrator access (i.e. must be launched via “Run as Administrator” or have requestedElevationLevel set to requireAdministrator in its manifest file in Vista or Win7).

I am worried that the browser will inherit the elevation level of the parent process; that is, I’m concerned the browser will also be launched with Administrator elevation. Is this correct? If so, is there any way to prevent this?

ANSWER :

UAC can be a rather complex concept to wrap your head around. Generally speaking, a child process inherits its access token from the parent process. However, this only occurs if both processes have the same integrity level:

Each application that requires the administrator access token must prompt the administrator for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user access token from the parent process. Both the parent and child processes, however, must have the same integrity level.

Integrity levels depend on a variety of things, but generally speaking, a web browser is a low integrity application, and will likely require an additional UAC prompt if it tries to do any operation requiring a higher level of privilege:

Windows 7 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A “high” integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a “low” integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.

If you wish to learn more about UAC, the following articles are a good resource:

You are correct. Any process that spawns a child process inherits its security context (admin or not) by default.

I’m not sure there’s a way around this without control of this program’s source code (but I may be wrong).
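
To check on a given machine what a child process actually receives, the following PowerShell script reports the elevation state and mandatory integrity label of the current process and of a child it spawns. It is an added example, not part of the original question or answers; it assumes it is run from Windows PowerShell (powershell.exe), and the names `$probe` and `Format-Probe` are illustrative.

```powershell
# Added example: compare the token of this process with that of a child it starts.
# Run it once from a normal console and once from a "Run as Administrator" console.

# Well-known Mandatory Label SIDs have the form S-1-16-<RID>.
$levels = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus'; 12288 = 'High'; 16384 = 'System' }

# Runs inside whichever process invokes it and describes that process's token.
$probe = {
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    # whoami.exe is started by the probing process and prints the token it was given.
    # /nh drops the (localized) header row, so column names are supplied here.
    $label = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1
    [pscustomobject]@{
        ProcessId    = $PID
        Elevated     = ([Security.Principal.WindowsPrincipal]$id).IsInRole($admin)
        IntegritySid = $label.SID
    }
}

function Format-Probe($Role, $Result) {
    # Translate the label SID's last component (the RID) into a readable level.
    $rid  = [int](($Result.IntegritySid -split '-')[-1])
    $name = $levels[$rid]
    if (-not $name) { $name = $Result.IntegritySid }
    [pscustomobject]@{
        Role      = $Role
        ProcessId = $Result.ProcessId
        Elevated  = $Result.Elevated
        Integrity = $name
    }
}

$parent = & $probe                                  # this process
$child  = powershell.exe -NoProfile -Command $probe # a new child process

@((Format-Probe 'parent' $parent), (Format-Probe 'child' $child)) | Format-Table -AutoSize

if ($parent.Elevated -eq $child.Elevated -and $parent.IntegritySid -eq $child.IntegritySid) {
    'Child process has the same elevation state and integrity label as its parent.'
} else {
    'Child process token differs from its parent.'
}
```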
