Reputation: 1
The tech team doesn't want to give all the users admin rights on the machines. But still those same users should be able to update by themselves one software. So, inside of this software, it should launch another one with admin rights. They will set one admin user that will have admin rights on all the machines. Then the code should use this admin user and its password to impersonate as an admin. So it should launch the update software as another user.
I tried to do it, but it still asks for a user and password when I try to run things with admin rights. I've checked and System.Security.Principal.WindowsIdentity.GetCurrent().Name; returns the user admin username inside the code. So it is indeed impersonating this other user.
The question is, is it even possible inside Windows? How can it run as admin, and only appear the UAC prompt, without it asking for a user and a password?
I'm impersonating with this:

    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Threading.Tasks;
    using Microsoft.Win32.SafeHandles;

    // Log on as the admin account to obtain an access token for it.
    SafeAccessTokenHandle safeAccessTokenHandle;
    bool returnValue = LogonUser(user, domain, password,
        LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
        out safeAccessTokenHandle);

Then running the other process this way:

    if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
    {
        // Run the delegate while impersonating the token from LogonUser.
        var output = WindowsIdentity.RunImpersonatedAsync(
            safeAccessTokenHandle,
            async () =>
            {
                try
                {
                    return await RunProcessAsync("XYZ.exe", "", true);
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                    return -1; // every path of the lambda has to return an int
                }
            }
        ).Result;
    }

    static Task<int> RunProcessAsync(string fileName, string arguments = "", bool runAsAdmin = false)
    {
        var tcs = new TaskCompletionSource<int>();
        var process = new Process
        {
            StartInfo = { FileName = fileName, Arguments = arguments, UseShellExecute = true, LoadUserProfile = true },
            EnableRaisingEvents = true
        };
        // The "runas" verb asks the shell to start the process elevated.
        if (runAsAdmin) process.StartInfo.Verb = "runas";
        // Complete the task with the exit code once the process ends.
        process.Exited += (sender, args) =>
        {
            tcs.SetResult(process.ExitCode);
            process.Dispose();
        };
        process.Start();
        return tcs.Task;
    }

I tried to impersonate as an admin user, then run another program with admin privileges, and all the user would have to do is agree with the UAC prompt. I was expecting to be able to run without it asking for user and password, but it still asked anyway.
EDIT - 1
It seems to have worked; somehow this code would not work if called from a .NET Framework application. It would still ask for a login and password. But it will work if you call from a .NET 6 application. It will then impersonate as an admin, then it will only do a UAC prompt for yes or no.
EDIT - 2
Some Windows policies are needed in order for this to work.
User needs impersonation permission. "Impersonate a client after authentication", logged user needs to be there.
Without the permission prompt, it won't work. "User Account Control: Run all administrators in Admin Approval Mode" needs to be enabled. Without this prompt, the application will give a "not enough memory" error.
Upvotes: -5
Views: 406
Reputation: 257001
> The tech team doesn't want to give all the users admin rights on the machines. But still those same users should be able to update by themselves one software.
This is the kind of action your installer is supposed to perform while it has admin access during installation.
This is what Microsoft did with World of Warcraft; they created an app-compat shim that grants everyone permission to Modify the World of Warcraft folder. This way the 12-year-old is able to get their game updates.
Upvotes: 0
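
The install-time step this answer describes, as an added example (not code from the answer or the question): a C# program for .NET 6 on Windows that the installer runs once while elevated, granting the local Users group Modify on the application folder so later updates need neither stored admin credentials nor a UAC prompt. The folder path and class name are hypothetical placeholders.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class InstallTimeAcl
{
    // Hypothetical install location; substitute the product's real folder.
    const string AppFolder = @"C:\Program Files\ExampleApp";

    static int Main()
    {
        // This belongs in the installer, which already runs elevated.
        using var identity = WindowsIdentity.GetCurrent();
        if (!new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.Error.WriteLine("Run this step from the elevated installer.");
            return 1;
        }

        var dir = new DirectoryInfo(AppFolder);
        dir.Create(); // does nothing if the folder already exists

        // BUILTIN\Users by well-known SID, so it also works on localized Windows.
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

        // Add an inheritable Allow/Modify rule for files and subfolders.
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            users,
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);

        // Print the resulting rules so the installer log records what was set.
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            Console.WriteLine($"{rule.IdentityReference} {rule.AccessControlType} " +
                              $"{rule.FileSystemRights} inherited={rule.IsInherited}");
        }
        return 0;
    }
}
```

Modify on the whole program folder lets any local user replace the executables that other users of the machine run, so where the updater only writes to one subfolder, grant the rule on that subfolder instead.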