0

How can you ensure that an executable is silently launched with admin (or sufficiently elevated) privileges when that executable is launched by a user who is logged into a Windows account which has default user privileges (i.e., not an admin account)?

I don’t want the user to have to enter an admin password to be able to launch the exe with admin privileges.

Background:

The executable is sending out network packets which has to be marked with a certain DSCP value (QOS, qwave.lib). This is not possible unless the executable is executing with elevated privileges.

indiv
  • 15,860
  • 6
  • 52
  • 82
user1884325
  • 2,726
  • 1
  • 24
  • 44
  • 1
    You can't. If you could do so, there would be no point in having an administrative account. Do you not understand the concept of requiring elevated privileges? (It's to prevent non-admin users and malicious code from doing bad things.) If you could arbitrarily go around it, it would be a pretty huge security hole, don't you think? – Ken White Mar 04 '15 at 16:49
  • I understand that, but can you tell me how an application which is using QOS is supposed to work under a default user account then? QOSAddSocketToFlow fails (ACCESS_DENIED) when the application is run under a default user account. – user1884325 Mar 04 '15 at 16:54
  • I'm afraid I don't know the answer to that, but that's not what you asked here. You asked about bypassing UAC to run an elevated process from a default user account (which is what both my comment and the answer below address). If you now have a different question about using QOS, you should create a new question and ask there. – Ken White Mar 04 '15 at 17:33
  • I edited the question – user1884325 Mar 04 '15 at 17:39
  • I rolled back your edit. It is inappropriate here to change the entire meaning of the question after you've received answers to it in the prior state. It makes the answers appear totally wrong, the person answering appears foolish, and it can cost them reputation via downvotes as a result. Once again: **If you now have a different question about using QOS, you should create a new question and ask it there.** This question is about launching an application silently with admin privileges from a default user account, and it has an answer. – Ken White Mar 04 '15 at 17:42
  • In Linux you'd do this by setting the [suid](http://en.wikipedia.org/wiki/Setuid) bit on your executable. I disagree with the assertion of previous comments that say there would be no point in having an administrator account. An administrator would of course set up the program for the unprivileged users to use. Anyway, knowing this bit of trivia about suid will let you find a question that was [asked before](http://stackoverflow.com/questions/651787/what-choices-do-i-have-on-ms-windows-platforms-for-the-equivalent-of-suid-from-u) related to this issue. – indiv Mar 04 '15 at 20:18

1 Answers1

2

This goes against the security of the OS. You are basically asking to be able to bypass a security measure enforced by the OS. If you were allowed to do this, any malicious code could do the same thing, so I don't think that you can (or should) do it.

rgargente
  • 1,622
  • 1
  • 15
  • 30
  • So applications which are run under default user accounts can't use QOS? In many setups users do not know (and are not allowed to know) what the admin's password is. So how can you ensure that an application which is run under a default user account can use QOS (i.e. mark outgoing packets with a certain DSCP value) in that case? – user1884325 Mar 04 '15 at 16:08
  • Is there a way to grant/modify certain permissions for a user, so that QOS can be used? – user1884325 Mar 04 '15 at 16:10
  • I don't know specifically about QOS. But you are basically asking to bypass a security measure, which is just not reasonable. If for some reason QOS requires privileges, then I guess you will have to live with that. – rgargente Mar 04 '15 at 16:18
  • 1
    The correct solution is to install a system service to do the work on the user's behalf. – Harry Johnston Mar 04 '15 at 22:28