I use 'elevated' here in the context of Windows UAC (i.e. Run as Administrator).
Seemingly the standard way to check if a process is elevated is to use OpenProcess
to get a handle to that process, then use OpenProcessToken
to get an access token for that process, followed by GetTokenInformation()
with the TokenElevation or TokenElevationType classes and finally checking the resultant info.
However, OpenProcessToken
requires the process handle to have the PROCESS_QUERY_INFORMATION
permission, so ironically this check cannot be performed if the checking process is not elevated and the checked process is (as based on my testing trying to use OpenProcess in that circumstance results in an access denied error).
One could presume this means that the process is elevated, but this isn't wholly correct as I believe another possibility for that outcome is simply that the process was started by another user.
In many circumstances it may just be easier to attempt a needed action and look for an access denied error and go from there, but in one particular case I need to start an external application and I'd like to start it as an administrator depending on whether or not a third process is running as an administrator. Since in this case "just attempting what I want to do" is more involved that simply calling a function or two, I was hopping there might be a more direct way for a non-elevated process to check if another process is elevated (including when it is elevated, hilariously).
CodePudding user response:
If the owner of the target process is the same account of the checking process, then you can check the process's elevation without any special privileges.
However, if the owner of the target process is a different account of the process checking the elevation, the checking process will need the privilege SE_DEBUG_NAME enabled. In order to enable this privilege, the process usually needs to be elevated.
CodePudding user response:
Thanks to RbMm (and Hantalyte indirectly) I've been made aware that the Microsoft documentation for OpenProcessToken is incorrect in its assertion that the provided handle must have the PROCESS_QUERY_INFORMATION
access permission, as it actually only requires that the handle have PROCESS_QUERY_LIMITED_INFORMATION
(I have confirmed this with my own testing).
It is possible to get a handle to an elevated process from within a non-elevated process with the permission PROCESS_QUERY_LIMITED_INFORMATION
, as long as both were started from the same account, meaning that one can check other processes for elevation using the procedure in my question that I original though didn't work due to the errant documentation.
As Hantalyte/RbMm point out, if the process being checked is owned by a different account the checking process needs the SE_DEBUG_NAME
privilege to be enabled.
Hopefully the MS docs should be corrected soon.