Elevating COM objects from .Net

September 10, 2011 at 9:43 PMJoshua Harley

While I was working on one of my personal projects I needed to do some administrative tasks from a program launched as a normal user. Since I try to follow best practice to the best of my ability I knew I had to write an external module that could elevate to handle the administrative tasks required.

After doing quite a bit of research I came across two possible methods

  1. Create a new external program with <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> in the embedded manifest and pass all of the information needed through the command line.
  2. Create a COM object and elevate the object when using it. Information would be passed through COM object calls in real time and allows the caller to handle problems.

Obviously because I like a challenge and I'm a sadist, I decided on option number two, creating and elevating a COM object. Following the directions generously provided by Christoph Wille I was able to successfully create and register a .Net COM object that was able to be elevated. Unfortunately after elevating the object I was unable to invoke any methods and kept getting an odd exception (I think it was 0x80070005, Access Denied, I didn't keep notes for it – so it may be I'm mixing them up).

Honestly, I didn't get the .Net method 100% working, no matter how I ran the commands the methods with the [ComRegisterFunction] and [ComUnregisterFunction] never executed, so I had to finish registration by hand (without those extra registry entries, the COM object won't elevate). As part of my troubleshooting and because of the actions I needed to take when elevated I switched from a .Net component to an ATL component. This simplified development since I could incorporate the registry entries directly into the .rgu file.

Thinking I've solved all of the problems I wrote the ATL COM component, coded it to the best of my ability, set up the .Net calling code and tried it out. Guess what... 0x80070005 Access Denied. At this point I was going insane, everything I tried and everything I did was being denied when it was elevated. If I launched the object under the normal user I was able to interact with it. Elevate it? BOOM access denied. *sigh*

Continuing to research and try to find the problem, I eventually read the small nugget of information about Over-The-Shoulder elevation. Having been on this page many, many times trying to find the information I need, I felt quite stupid when I realized the information I needed was right there the whole time.

For such servers, COM computes a security descriptor that allows only SELF, SYSTEM, and Builtin\Administrators to makes COM calls into the server. This arrangement will not work in OTS scenarios. Instead, the server must call CoInitializeSecurity, either explicitly or implicitly, and specify an ACL that includes the INTERACTIVE group SID and SYSTEM.

Totally makes sense right? Well, to break it down simpler, the default security on the COM object is such that only SYSTEM and Administrators have access to the COM object when elevated, and even though you just gave it permission, your limited user process can't access it. Turns out to properly allow a limited process access to the elevated COM object you need to grant Local Activation to the INTERACTIVE SID.

After using the Component Services snap-in (dcomcnfg) and manually granting the right permissions and confirming that it worked I looked for a way to make the change programmatically, and what do you know, there's an example right there on that same MSDN article!

Below is the code I use to set up the proper security for the COM object (grants local activation to INTERACTIVE and SYSTEM, grants local and remote activation to the Built-in Administrators and SELF SIDS) and is executed through the DllRegisterServer function that ATL calls when registration is to occur. The registry entries required for elevation are handled by ATL when it processes the .rgu file.

STDAPI DllRegisterServer(void) {
  // (0x3 = Local Access, 0x7 = Local + Remote Access)
  // See http://msdn.microsoft.com/en-us/library/ms693364(VS.85).aspx
  static const wchar_t comSDDL[] =
  bool perUser = false;
  ULONG securityDescriptorSize = 0;
  SECURITY_DESCRIPTOR* securityDescriptor = NULL;

  // Determine if the registration is per user.

  // registers object, typelib and all interfaces in typelib
  HRESULT hr = _AtlModule.DllRegisterServer();

  // Only set up the elevation moniker if it is a system-wide install.
  // (Elevation doesn't work on per-user COM)
  if (SUCCEEDED(hr) && !perUser) {
    hr = E_FAIL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(comSDDL, SDDL_REVISION_1, (PSECURITY_DESCRIPTOR*)&securityDescriptor, &securityDescriptorSize))
      return E_FAIL;

    ATL::CRegKey rootAppId;
    ATL::CRegKey appId;
        ERROR_SUCCESS == appId.Open(rootAppId, _AtlModule.GetAppIdT(), KEY_WRITE | KEY_WOW64_32KEY) &&
        ERROR_SUCCESS == appId.SetBinaryValue(L"AccessPermission", securityDescriptor, securityDescriptorSize)) {

        hr = S_OK;
  return hr;

Posted in: Programming

Tags: , ,

Extraordinarily educative thank you, I believe your trusty readers could want even more information like this carry on the great effort.

Not clear on what you might have in mind, Laila. Can you give us some more information?

YES! I finally discovered this web page! Ive been seeking for this article for so long!!

Basically to follow up on the update of this matter on your web-site and wish to let you know just how much I loved the time you took to publish this helpful post. Within the post, you really spoke on how to definitely handle this matter with all convenience. It would be my personal pleasure to get some more suggestions from your site and come up to offer other people what I discovered from you. Thanks for your usual fantastic effort. Voip Termination

I have been surfing on-line more than three hours these days, yet I never found any attention-grabbing article like yours. It is lovely price sufficient for me. In my opinion, if all webmasters and bloggers made good content as you did, the internet will likely be a lot more useful than ever before.

I real when you this of sundry your posts. Perhaps could you maintain this?

jasmine cams Intimately, the post is in reality the freshest topic on this registry related issue. I concur with your conclusions and will eagerly look forward to your forthcoming updates. Saying thanks will not just be enough, for the wonderful clarity in your writing.

Yes, Bevin. We do know. Most kid's still played outside in the woods and fields when the metal equipment was around. Before you open your mouth and make comments that are not factual put a sock in it buddy.

Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your site? My blog is in the very same niche as yours and my visitors would definitely benefit from a lot of the information you provide here. Please let me know if this alright with you. Thanks!

I am new to the blog scene and at the moment I'm not yet sure what CMS to use? Most folks have warmly recommended me to try out WordPress. Do you think Blogengine is better?

You...are...my...hero!!! I cant believe something like this exists on the internet! Its so true, so honest, and more than that you dont sound like an idiot! Finally, someone who knows how to talk about a subject without sounding like a kid who didnt get that bike he wanted for Christmas.

My wife and i ended up being now fortunate that Michael managed to finish up his studies by way of the precious recommendations he was given using your site. It is now and again perplexing to simply happen to be giving out hints which often some people might have been making money from. Therefore we consider we have the website owner to be grateful to for this. All of the illustrations you've made, the straightforward web site menu, the relationships your site give support to engender  it's many superb, and it is facilitating our son in addition to our family imagine that that issue is satisfying, which is wonderfully mandatory. Many thanks for the whole lot!

Useful information shared..Iam very happy to read this article..thanks for giving us nice info.Fantastic walk-through. I appreciate this post.I agree with your thought.Thank you for your sharing.

Can I simply say what a aid to seek out somebody who truly is aware of what theyre speaking about on the internet. You definitely know the right way to convey an issue to light and make it important. More people need to learn this and perceive this side of the story. I cant believe youre not more widespread because you undoubtedly have the gift.

I've to confess that i generally get bored to read the whole thing however i feel you'll be able to add some value. Bravo !

and just exactly who was it that was supposed to be watching them to being with ?!?!?

Thank you so much pertaining to giving everyone an update on this subject matter on your blog. Please understand that if a completely new post appears or when any improvements occur to the current publication, I would be thinking about reading more and finding out how to make good using of those strategies you share. Thanks for your efforts and consideration of other folks by making this website available.

This is the best blog for anyone who wants to seek out out about this topic. You realize so much its almost onerous to argue with you (not that I truly would want...HaHa). You definitely put a new spin on a subject thats been written about for years. Great stuff, just nice!

Truly great site you have there. I was thinking about starting a website of my own. Can you recommend a good hosting provider? Thanks.

i am really thankful to this topic because it really gives great information

Thanks for the suggestions you write about through this blog. In addition, quite a few young women who become pregnant never even seek to get medical care insurance because they are full of fearfulness they couldn't qualify. Although many states at this point require that insurers supply coverage regardless of pre-existing conditions. Charges on these kinds of guaranteed programs are usually larger, but when thinking about the high cost of health care it may be some sort of a safer way to go to protect one's financial future.

Hey there! Cool content! I happen to be a ordinary visitor (much like addict ) of this website however , I had a challenge. I am not absolutely sure if its the right site to ask, but there are no spam comments. I get comments constantly. May you assist me? Cheers!

I admit, I have not been on this webpage in a long time... however it was another joy to see It is such an very important topic and ignored by so many, even professionals. I thank you to assist making people more aware of possible issues.

I have been exploring for a bit for any high quality articles or blog posts on this kind of area . Exploring in Yahoo I at last stumbled upon this web site. Reading this information So i am happy to convey that I've a very good uncanny feeling I discovered exactly what I needed. I most certainly will make sure to do not forget this website and give it a look on a constant basis.

Dead indited content material, Really enjoyed looking through.

It's cool, thanks

I'm not aware of any books like your idea, but I'm not exactly a librarian. Regardless, you can but your thoughts together for your own benefit as well as others. Quite often our identity can be wrapped up in our careers, when there is really a alter there can be emptiness left. Fortunately, it is not to late to fill that void as lengthy as we are still alive. One of the greatest ways to obtain your phone to ring is to dial it first. Just like everything else in existence that is worthwhile it will consider time. Good Luck

You made a number of good points there. I did a search on the issue and found a good number of folks will agree with your blog.

We're a group of volunteers and starting a new scheme in our community. Your web site provided us with valuable info to work on. You've done an impressive job and our whole community will be grateful to you.

You made some clear points there. I did a search on the subject matter and found most people will approve with your blog.

I am constantly invstigating online for posts that can aid me. Thank you!

For me, his acting stands out the most in City Lights, particularly in the scene that you chose a picture from. I agree that his other filmmaking roles often overshadow his acting talents. Great post!

Excellent goods from you, man. I've understand your stuff previous to and you're just too wonderful. I actually like what you have acquired here, really like what you're saying and the way in which you say it. You make it entertaining and you still care for to keep it wise. I cant wait to read much more from you. This is actually a tremendous site.

This was a good post. In theory I'd like to write like this too, taking time and real effort to make a good article... but what can I say... I procrastinate a lot and never seem to get something done

It is fully well-connected to compel ought to netting hosting. This is because without a hosting provider is not getting from your install in the online world. You could gunfire that ploy hosting is nothing but a back-breaking thrust, where you can scheduled your clarify with files and pictures.

Hello There. I found your blog using msn. This is a very well written article. I will make sure to bookmark it and come back to read more of your useful info. Thanks for the post. I will certainly return.

I completely agree with the above comment, the world-wide-web is with a doubt growing into your most very important medium of communication across the globe and its due to sites like that that ideas are spreading so quickly.

Ok, how do you do the peanut butter coating? Cause coated in chocolate these are amazing, so I must make them again. And do you have any tips for getting them off the fork without having to drizzle chocolate on them to fill the gash I made pushing the ball off? Either way these taste so decadent!

Bonjour! Super Blogg! Info Website Fatburner Kapseln helfen beim gesunden Fettabbau! Danke sehr!

Hello, i think that i saw you visited my blog so i came to "return the favor".I am trying to find things to enhance my website!I suppose its ok to use some of your ideas!!

With everything which appears to be developing inside this area, a significant percentage of opinions are actually quite exciting. However, I appologize, but I do not subscribe to your whole plan, all be it stimulating none the less. It would seem to everybody that your remarks are not completely rationalized and in fact you are yourself not really fully convinced of your point. In any event I did enjoy reading through it.

Good, Help Me! My Website is Failing! | Power Marketing.

I'm sorry, but I was eating crackers while reading your comment and I almost choked on one whilst snorting with laughter. I know what you're talking about (ya know goose egg city), it happened to me a lot when I would play tag, I would run looking back at my chaser instead of looking forward like I should have been. And then you look for one second, and BAM you smack your forehead on the slide's steel ladder and you knock out for a second, stars and cookies in your eyes!

very nice submit, i actually love this website, keep on it

I like this blog very much, Its a really nice position to read and obtain info . "One man's religion is another man's belly laugh." by Robert Anson Heinlein.

you're in reality a excellent webmaster. The website loading speed is incredible. It sort of feels that you are doing any unique trick. In addition, The contents are masterpiece. you've done a wonderful process in this topic!

It is best to take part in a contest for among the finest blogs on the web. I will suggest this website!

I simply had to appreciate you yet again. I am not sure the things that I could possibly have undertaken in the absence of the actual thoughts shown by you regarding that situation. It was a alarming concern in my position, nevertheless being able to see a new professional strategy you solved that forced me to weep for fulfillment. I'm happy for the support and thus have high hopes you are aware of a powerful job that you are carrying out teaching the mediocre ones through the use of a blog. More than likely you've never got to know all of us.

Have you ever had difficulties with spammers? I also use Blog Engine and I've some beneficial anti-spam practices; please E mail me if you'll be concerned with an change of ideas.

Current Elliott Women Skinny Jean In Love Dest...

I want to major in either English Literature, Creative Writing or English with a minor/concentration in Creative Writing..

Considerably, the article is really the freshest on that notable topic. I concur with your conclusions and will thirstily look forward to your forthcoming updates. Saying thanks will not simply just be enough, for the exceptional lucidity in your writing. I will instantly grab your rss feed to stay abreast of any kind of updates. Authentic work and much success in your business dealings!

One other thing to point out is that an online business administration course is designed for learners to be able to smoothly proceed to bachelor's degree education. The 90 credit college degree meets the lower bachelor diploma requirements and once you earn your associate of arts in BA online, you should have access to the most up-to-date technologies within this field. Some reasons why students would like to get their associate degree in business is because they're interested in the field and want to get the general training necessary just before jumping into a bachelor education program. Thanks for the tips you really provide as part of your blog.

Well I sincerely liked studying it. This post offered by you is very effective for good planning.

What's Happening i'm new to this, I stumbled upon this I've found It positively useful and it has helped me out loads. I hope to contribute & aid other users like its aided me. Great job.

Do Fad Diets Work In The Long Term?

Hi there, just wanted to say, I liked this blog post. It was inspiring. Keep on posting!

Awsome post and straight to the point. I don't know if this is actually the best place to ask but do you folks have any thoughts on where to get some professional writers? Thx

Dr Conrad Murray due verdict in 10 mintues: Guilty or Not Guilty?

With havin so much content do you ever run into any problems of plagorism or copyright infringement? My website has a lot of unique content I've either created myself or outsourced but it looks like a lot of it is popping it up all over the internet without my agreement. Do you know any methods to help stop content from being stolen? I'd really appreciate it.

orkbxkmmt fdqow htiexro xnmp sbmfntgitglbbfi

Superb site you get here but I was interested in if you knew of any message boards that cover the identical topics discussed here? I'd really love to take part in community where I could get opinions from other experienced people that share the same attention. If you have almost any recommendations, please let me learn. Thanks!

You should take part in a contest for one of the best blogs on the web. I will recommend this site!

It's really nice to see this blog! I hope we can work with you next time.

This a really nice article! I couldn't wait to cshare it with my friends. Wow, just wow!

Chris and Jess talked about what users expect.

Here sells brand-new vibram five fingers athletic shoes, 2011 year new design vibram five fingers.

Add comment