0

Is it possible to enable/disable the touchscreen through HID (Human Interface Devices in "Control Panel\All Control Panel Items\Device Manager") with standard user rights (without elevated privileges / admin access rights)?
I'm programming an application in C#. If I don't start my application through "run as" in Visual Studio, security blocks access.

What are my alternatives with my current setup / limitations:

  • Standard user (basic rights)
  • Admin account with password in a secure encrypted file.
  • The standard user cannot grant permission through UAC because he doesn't have the right.
  • Using this code to check if the user has elevated/admin rights: return new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator);

Currently tested and not working:
  1. Process with startInfo.Verb = "runas"; a standard user can't accept the UAC prompt to run a process that requires admin/elevated privileges. (Elevating process privilege programmatically?)

  2. App.manifest: a standard user can't accept the UAC prompt to run an app that requires admin/elevated privileges. (How do I force my .NET application to run as administrator?)

Potential alternatives?

  1. ACL ???
  2. App.manifest: with an install.msi from my "IT team packager with ZENworks or SCCM" to deploy it on users' computers?
  3. A service that runs as "local service" or "system" and an app that calls methods of the service, with an install.msi from my "IT team packager with ZENworks or SCCM" to deploy it on users' computers?
Deathunt
  • Think about it... if there was a way for programs to elevate on their own, that feature wouldn't be much use. You can manifest your program to run as admin for those with admin privileges (in which case, they may get prompted every time your program runs), but non-admin users will always be non-admin. – Flydog57 Apr 04 '21 at 21:43
  • Aren't antivirus programs run with elevated privileges on a standard user? – Deathunt Apr 04 '21 at 21:55
  • They are generally installed as services and run with the privileges associated with an appropriate token – Flydog57 Apr 04 '21 at 22:03

2 Answers

0

If you don't want to prompt the UAC at the moment of the administrative operation (using runas), or on every program start (via manifest), you need to create a Service or a Scheduled Task once, at first program setup. A lot of programs use this technique, such as Chrome for updates, which normally don't require elevated privileges except for a few occasional operations.

Choosing the service method means that you must implement an IPC mechanism, for example via a named pipe, so the low-privilege program can talk to the service and ask it to execute the desired operation. Keep in mind that the service will always run in the background and you shouldn't expose overly permissive operations, otherwise other malicious programs could use your service to elevate themselves, or you'll also need an authentication method.

For the scheduled task you could use the same executable with a command line argument like /disabletouch. You only need to manually trigger the task from the low-privilege instance. There are the TaskScheduler COM interface (some open-source wrappers exist around it) and the schtasks tool, which allow task creation and manual triggers. The task can be created to run as the Administrator or SYSTEM account. As with the service, allow only strict and harmless elevated operations to prevent misuse.

GrowingBrick
  • You don't want 5k people to be able to elevate privileges to do what they want with their PC in my corp. For my project's needs (around 100-200 users), they won't get extra rights. – Deathunt May 07 '21 at 19:43
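
The restricted service endpoint described in the answer above, as an added example that is not code from the answer or from any project: a named pipe that refuses network logons, accepts only two fixed requests, and authorizes the caller by group membership before acting. It assumes .NET Framework 4.x; the pipe name `TouchControl`, the group `CORP\TouchOperators` and `SetTouchscreen()` are hypothetical names.

```csharp
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Assumed names: pipe "TouchControl", group CORP\TouchOperators, SetTouchscreen().
static class TouchPipeServer
{
    // The only requests the service understands; anything else is refused.
    static bool? Parse(string request)
    {
        string r = request.Trim();
        if (r == "touch:on") return true;
        if (r == "touch:off") return false;
        return null;
    }

    public static void ServeOne()
    {
        var acl = new PipeSecurity();
        // Named pipes are reachable over SMB: deny network logons, allow local users.
        acl.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.NetworkSid, null),
            PipeAccessRights.FullControl, AccessControlType.Deny));
        acl.AddAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        acl.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().User,
            PipeAccessRights.FullControl, AccessControlType.Allow));
        using (var pipe = new NamedPipeServerStream("TouchControl", PipeDirection.InOut, 1,
            PipeTransmissionMode.Byte, PipeOptions.None, 64, 64, acl))
        {
            pipe.WaitForConnection();
            var buf = new byte[32];                 // bounded read: oversized input fails the allowlist
            int n = pipe.Read(buf, 0, buf.Length);  // data must be read before impersonating
            bool? enable = Parse(Encoding.ASCII.GetString(buf, 0, n));

            // Impersonate only long enough to capture the caller's token, then revert.
            WindowsIdentity caller = null;
            pipe.RunAsClient(() => caller = WindowsIdentity.GetCurrent());
            bool authorized = new WindowsPrincipal(caller).IsInRole(@"CORP\TouchOperators");

            bool ok = enable.HasValue && authorized;
            if (ok) SetTouchscreen(enable.Value);   // runs with the service's own token
            byte[] reply = Encoding.ASCII.GetBytes(ok ? "OK" : "DENIED");
            pipe.Write(reply, 0, reply.Length);
            pipe.WaitForPipeDrain();
        }
    }

    static void SetTouchscreen(bool enable) { /* placeholder for the device enable/disable call */ }
}
```

The request never carries a device name, path or command line, so a caller can only choose between the two operations the service already implements.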
0

I don't know about the IPC/pipe mechanism, but calling a method is good enough for what I need, with "OnCustomCommand(int)":

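// Invoked by the Service Control Manager when a client sends a user-defined
// control code, e.g. via ServiceController.ExecuteCommand(129).
// Custom command codes must be in the range 128-255.
protected override void OnCustomCommand(int command)
{
    switch (command)
    {
        case 129:
            RestartService_Test();
            break;
        //case 131:
        //    InstallPrinter();
        //    break;
        // Any other code is ignored.
    }
}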

Also, if I want to start or stop a Windows service, I'll need to grant the user some rights. I'll check ACL for that:

Deathunt