Elevating COM objects from .Net

September 10, 2011 at 9:43 PM
Joshua Harley

While I was working on one of my personal projects I needed to do some administrative tasks from a program launched as a normal user. Since I try to follow best practice to the best of my ability, I knew I had to write an external module that could elevate just for the administrative tasks required.

After doing quite a bit of research I came across two possible methods:

  1. Create a new external program with <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> in the embedded manifest and pass all of the information needed through the command line.
  2. Create a COM object and elevate the object when using it. Information would be passed through COM object calls in real time and allows the caller to handle problems.

Obviously, because I like a challenge and I'm a sadist, I decided on option number two: creating and elevating a COM object. Following the directions generously provided by Christoph Wille, I was able to create and register a .Net COM object that could be elevated. Unfortunately, after elevating the object I was unable to invoke any methods and kept getting an odd exception (I think it was 0x80070005, Access Denied; I didn't keep notes for it, so I may be mixing them up).

Honestly, I never got the .Net method 100% working: no matter how I ran the commands, the methods marked with [ComRegisterFunction] and [ComUnregisterFunction] never executed, so I had to finish registration by hand (without those extra registry entries, the COM object won't elevate). As part of my troubleshooting, and because of the actions I needed to take when elevated, I switched from a .Net component to an ATL component. This simplified development since I could put the registry entries directly into the .rgs file.

Thinking I'd solved all of the problems, I wrote the ATL COM component, coded it to the best of my ability, set up the .Net calling code and tried it out. Guess what... 0x80070005, Access Denied. At this point I was going insane: everything I tried was being denied as soon as the object was elevated. If I launched the object as the normal user I could interact with it. Elevate it? BOOM, access denied. *sigh*

Continuing to research the problem, I eventually read the small nugget of information about Over-The-Shoulder (OTS) elevation on MSDN. Having been on that page many, many times looking for the information I needed, I felt quite stupid when I realized it had been right there the whole time:

For such servers, COM computes a security descriptor that allows only SELF, SYSTEM, and Builtin\Administrators to make COM calls into the server. This arrangement will not work in OTS scenarios. Instead, the server must call CoInitializeSecurity, either explicitly or implicitly, and specify an ACL that includes the INTERACTIVE group SID and SYSTEM.

Makes total sense, right? To put it more simply: the default security on the COM object, once elevated, only lets SYSTEM and Administrators access it, so even though you just gave the object permission to elevate, your limited user process can't call into it. It turns out that to properly allow a limited process to use the elevated COM object you need to grant Local Activation to the INTERACTIVE SID.

After using the Component Services snap-in (dcomcnfg) to grant the right permissions manually and confirming that it worked, I looked for a way to make the change programmatically, and what do you know, there's an example right there in that same MSDN article!
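Because the SDDL string that ends up in the registry is easy to get subtly wrong, here is a small decoder for it, added as an example and not code from the post. It splits each ACE of the descriptor used in the registration code below into the principal it names and the COM_RIGHTS_* mask bits it grants, so the grant to INTERACTIVE can be checked before anything is written. The bit names and values are the ones from objbase.h; the two-letter SID aliases are standard SDDL. One caveat a practitioner should keep in mind: the AppID's AccessPermission value controls who may make calls into a running server, while launch and activation rights live in the separate LaunchPermission value (the 0x8 and 0x10 bits); the decoder names all five bits so it can be pointed at either value.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example: decode a COM AccessPermission / LaunchPermission DACL written in SDDL.
static class ComSddl
{
    // Mask bits from objbase.h (COM_RIGHTS_*).
    public const uint COM_RIGHTS_EXECUTE = 0x1;
    public const uint COM_RIGHTS_EXECUTE_LOCAL = 0x2;
    public const uint COM_RIGHTS_EXECUTE_REMOTE = 0x4;
    public const uint COM_RIGHTS_ACTIVATE_LOCAL = 0x8;
    public const uint COM_RIGHTS_ACTIVATE_REMOTE = 0x10;

    // Standard SDDL SID aliases used by the post's descriptor.
    static readonly Dictionary<string, string> SidAliases = new Dictionary<string, string>
    {
        { "IU", "INTERACTIVE" },
        { "SY", "SYSTEM" },
        { "BA", @"Builtin\Administrators" },
        { "PS", "SELF (principal self)" },
    };

    // One ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
    static readonly Regex AcePattern = new Regex(
        @"\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);(?<oguid>[^;]*);(?<iguid>[^;]*);(?<sid>[^)]*)\)");

    public sealed class Grant
    {
        public string AceType;   // "A" = access allowed, "D" = access denied
        public string Principal;
        public uint Mask;
        public bool Allows(uint rights) { return AceType == "A" && (Mask & rights) == rights; }
    }

    // Returns the ACEs of the DACL ("D:" component); the owner/group parts are ignored.
    public static List<Grant> Parse(string sddl)
    {
        var grants = new List<Grant>();
        int dacl = sddl.IndexOf("D:", StringComparison.Ordinal);
        if (dacl < 0) return grants; // no DACL component, nothing to decode
        foreach (Match m in AcePattern.Matches(sddl.Substring(dacl)))
        {
            string rights = m.Groups["rights"].Value;
            // COM permission masks are always written as hex; named rights (e.g. "GA") are not used here.
            uint mask = rights.StartsWith("0x", StringComparison.OrdinalIgnoreCase)
                ? uint.Parse(rights.Substring(2), NumberStyles.HexNumber)
                : 0;
            string sid = m.Groups["sid"].Value;
            string principal;
            if (!SidAliases.TryGetValue(sid, out principal)) principal = sid;
            grants.Add(new Grant { AceType = m.Groups["type"].Value, Principal = principal, Mask = mask });
        }
        return grants;
    }

    public static string DescribeMask(uint mask)
    {
        var parts = new List<string>();
        if ((mask & COM_RIGHTS_EXECUTE) != 0) parts.Add("Execute");
        if ((mask & COM_RIGHTS_EXECUTE_LOCAL) != 0) parts.Add("Local access");
        if ((mask & COM_RIGHTS_EXECUTE_REMOTE) != 0) parts.Add("Remote access");
        if ((mask & COM_RIGHTS_ACTIVATE_LOCAL) != 0) parts.Add("Local activation");
        if ((mask & COM_RIGHTS_ACTIVATE_REMOTE) != 0) parts.Add("Remote activation");
        return parts.Count == 0 ? "(none)" : string.Join(", ", parts);
    }

    static void Main()
    {
        // The descriptor the post's DllRegisterServer writes into AccessPermission.
        const string comSddl = "O:BAG:BAD:(A;;0x3;;;IU)(A;;0x3;;;SY)(A;;0x7;;;BA)(A;;0x7;;;PS)";
        List<Grant> grants = Parse(comSddl);
        foreach (Grant g in grants)
            Console.WriteLine("{0,-26} {1}", g.Principal, DescribeMask(g.Mask));

        // The check the post's troubleshooting boils down to: does the interactive
        // (limited) user get local call access to the elevated server?
        bool interactiveOk = grants.Exists(g =>
            g.Principal == "INTERACTIVE" && g.Allows(COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL));
        Console.WriteLine(interactiveOk
            ? "INTERACTIVE has local access: OTS calls from the limited process are allowed"
            : "INTERACTIVE lacks local access: expect 0x80070005 from the elevated object");
    }
}
```

Run it against a descriptor copied from dcomcnfg (export the AppID key and pass the SDDL from a ConvertSecurityDescriptorToStringSecurityDescriptor call) to see what an existing server grants; with the post's string it reports local access for INTERACTIVE and SYSTEM and local plus remote access for Administrators and SELF.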

Below is the code I use to set up the proper security for the COM object (it grants local activation to INTERACTIVE and SYSTEM, and local and remote activation to the Built-in Administrators and SELF SIDs). It is executed through the DllRegisterServer function that ATL calls when registration occurs. The registry entries required for elevation are handled by ATL when it processes the .rgs file.

// Assumes the usual ATL DLL project setup: _AtlModule is the project's
// CAtlDllModuleT-derived module object and DECLARE_REGISTRY_APPID_RESOURCEID
// supplies GetAppIdT(), the AppID GUID string from the .rgs file.
#include <atlbase.h>  // ATL::CRegKey, ATL::AtlGetPerUserRegistration
#include <sddl.h>     // ConvertStringSecurityDescriptorToSecurityDescriptorW

STDAPI DllRegisterServer(void) {
  // DACL for the AppID's AccessPermission value, in SDDL:
  //   0x3 = COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL   (Local Access)
  //   0x7 = 0x3 | COM_RIGHTS_EXECUTE_REMOTE                 (Local + Remote Access)
  //   IU = INTERACTIVE, SY = SYSTEM, BA = Builtin\Administrators, PS = SELF
  // See http://msdn.microsoft.com/en-us/library/ms693364(VS.85).aspx
  static const wchar_t comSDDL[] =
      L"O:BAG:BAD:(A;;0x3;;;IU)(A;;0x3;;;SY)(A;;0x7;;;BA)(A;;0x7;;;PS)";
  bool perUser = false;
  ULONG securityDescriptorSize = 0;
  SECURITY_DESCRIPTOR* securityDescriptor = NULL;

  // Determine if the registration is per user (regsvr32 /n /i:user).
  ATL::AtlGetPerUserRegistration(&perUser);

  // Registers the object, the typelib and all interfaces in the typelib,
  // including the elevation entries from the .rgs file.
  HRESULT hr = _AtlModule.DllRegisterServer();

  // Only set up the elevation security if it is a system-wide install.
  // (Elevation doesn't work on per-user COM registrations.)
  if (SUCCEEDED(hr) && !perUser) {
    hr = E_FAIL;
    // Convert the SDDL string into a self-relative security descriptor that can be
    // stored as-is in the registry. On failure nothing was allocated, so there is
    // nothing to free.
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
            comSDDL, SDDL_REVISION_1,
            (PSECURITY_DESCRIPTOR*)&securityDescriptor, &securityDescriptorSize))
      return E_FAIL;

    // Write the descriptor to HKCR\AppID\{appid}\AccessPermission. KEY_WOW64_32KEY
    // keeps a 32-bit component's entry in the 32-bit view of the registry.
    ATL::CRegKey rootAppId;
    ATL::CRegKey appId;
    if (ERROR_SUCCESS == rootAppId.Open(HKEY_CLASSES_ROOT, L"AppID", KEY_READ | KEY_WOW64_32KEY) &&
        ERROR_SUCCESS == appId.Open(rootAppId, _AtlModule.GetAppIdT(), KEY_WRITE | KEY_WOW64_32KEY) &&
        ERROR_SUCCESS == appId.SetBinaryValue(L"AccessPermission", securityDescriptor, securityDescriptorSize)) {
      hr = S_OK;
    }
    // The descriptor was allocated with LocalAlloc by the conversion call.
    LocalFree(securityDescriptor);
  }
  return hr;
}
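The post describes the .Net calling code but does not show it, so here is that side as an added example, not the author's code. It builds the COM elevation moniker ("Elevation:Administrator!new:{CLSID}") and binds to it with CoGetObject, which is what makes COM launch the out-of-process server through the UAC consent prompt, i.e. the over-the-shoulder case the post is about. The CLSID, the IElevatedTasks interface, its IID and its method are placeholders standing in for the reader's own ATL component. The two HRESULTs the example tells apart are the 0x80070005 (E_ACCESSDENIED) from the post, which is the symptom of a missing INTERACTIVE grant in AccessPermission, and 0x800704C7 (HRESULT_FROM_WIN32(ERROR_CANCELLED)), which COM returns when the user declines the prompt.

```csharp
using System;
using System.Runtime.InteropServices;

// PLACEHOLDER interface: replace the IID and method with the ones from the
// ATL component's IDL. The interface must be registered with a typelib so
// COM can marshal calls across the process boundary.
[ComImport]
[Guid("00000000-0000-0000-0000-000000000000")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
interface IElevatedTasks
{
    void DoAdministrativeTask([MarshalAs(UnmanagedType.BStr)] string argument);
}

static class ComElevation
{
    // PLACEHOLDER: the CLSID from the component's .rgs file.
    public static readonly Guid ElevatedServerClsid = new Guid("00000000-0000-0000-0000-000000000000");

    // The elevation moniker only works for out-of-process servers.
    const uint CLSCTX_LOCAL_SERVER = 0x4;
    const int E_ACCESSDENIED = unchecked((int)0x80070005);
    const int HRESULT_ERROR_CANCELLED = unchecked((int)0x800704C7);

    // BIND_OPTS3 from objidl.h; only cbStruct, dwClassContext and hwnd matter here.
    [StructLayout(LayoutKind.Sequential)]
    struct BIND_OPTS3
    {
        public uint cbStruct;
        public uint grfFlags;
        public uint grfMode;
        public uint dwTickCountDeadline;
        public uint dwTrackFlags;
        public uint dwClassContext;
        public uint locale;
        public IntPtr pServerInfo;
        public IntPtr hwnd;
    }

    // PreserveSig = false: a failed HRESULT surfaces as a COMException whose
    // ErrorCode is the HRESULT.
    [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
    [return: MarshalAs(UnmanagedType.Interface)]
    static extern object CoGetObject(
        string pszName,
        ref BIND_OPTS3 pBindOptions,
        [MarshalAs(UnmanagedType.LPStruct)] Guid riid);

    // Binds to a new elevated instance of the server identified by clsid. The
    // ownerWindow handle (or IntPtr.Zero) becomes the parent of the UAC prompt.
    public static T CreateElevated<T>(Guid clsid, IntPtr ownerWindow) where T : class
    {
        var opts = new BIND_OPTS3
        {
            cbStruct = (uint)Marshal.SizeOf(typeof(BIND_OPTS3)),
            dwClassContext = CLSCTX_LOCAL_SERVER,
            hwnd = ownerWindow,
        };
        string moniker = "Elevation:Administrator!new:" + clsid.ToString("B");
        return (T)CoGetObject(moniker, ref opts, typeof(T).GUID);
    }

    [STAThread]
    static void Main()
    {
        try
        {
            IElevatedTasks tasks = CreateElevated<IElevatedTasks>(ElevatedServerClsid, IntPtr.Zero);
            // Calls made here run in the elevated server process; the limited
            // caller only ever holds a proxy.
            tasks.DoAdministrativeTask("example argument");
            Console.WriteLine("Elevated call succeeded.");
        }
        catch (COMException ex) when (ex.ErrorCode == E_ACCESSDENIED)
        {
            // The situation the post describes: the server was launched elevated,
            // but its AccessPermission DACL does not let INTERACTIVE call into it.
            Console.WriteLine("0x80070005: the elevated server's AccessPermission does not grant INTERACTIVE local access.");
        }
        catch (COMException ex) when (ex.ErrorCode == HRESULT_ERROR_CANCELLED)
        {
            Console.WriteLine("The user declined the UAC prompt.");
        }
    }
}
```

The caller needs no manifest changes of its own: the limited process stays limited, and only the COM server runs with the administrator token, which is the separation the post set out to achieve with option two.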

Posted in: Programming
