itsameavi
Contributor

Privilege Elevation works but not really elevating

Hi,

I have an issue in a non-persistent environment where users are not admins, and sometimes one of the processes they use gets "Suspended" status in Task Manager. Naturally this causes issues with that process. What I've done is provide them with argument-based taskkill.exe privilege elevation. I noticed it gets elevated, but that just doesn't cut it: it gets access denied when terminating the suspended process.

I did some troubleshooting and noticed that the process that gets elevated starts with an integrity level of medium (saw it in procmon.exe).

Now if I try to run the taskkill.exe command as a different user who is an admin, it gets an integrity level of high and succeeds.

I'm using DEM version 9.11.

What do you reckon is happening there?

 

DEMdev
VMware Employee

Hi @itsameavi,

Your analysis is exactly correct: DEM's "normal" privilege elevation isn't able to bump the integrity level up to high. Elevated tasks (introduced in DEM 2006) do not have that limitation.

itsameavi
Contributor

Thanks @DEMdev, I will upgrade and check again. I hope the "high integrity" will give it the extra oomph it needs to close that process. I'll keep you posted!

itsameavi
Contributor

Hi @DEMdev, I've upgraded and saw that the elevation task indeed bumped it to high, but for some reason it is still not able to perform taskkill.exe on that suspended process. I am of course able to do the taskkill.exe successfully with an admin user using "run as different user".

It's as if DEM is still not really elevating the privileges to admin level.

What do you suppose is still missing? Should I open a premier ticket?

DCasota
Hot Shot

Hi @itsameavi,

To forcefully terminate a suspended or running process in another user's security context you'll need to be in an administrator role on the local system. But in localsystem you cannot use a simple start-process -wait -credential $cred to run commands in a user's security context.

Every application should finish nicely itself and its child processes. ThinApp often was a good option to better support fixed releases of migrated legacy applications. 

Struggling with misbehaviors of applications can be somewhat difficult, for administrators and for software product feature purpose as well. Privilege elevation's purpose is to start certain applications as administrators. The DEM elevated applications capability provides good support for non-blocked user-installed applications as well.

Opening an SR should help. You could assemble the output from Flex Engine debug and event log entries as well.

Hope this helps. Daniel

DEMdev
VMware Employee

Hi @itsameavi,

Looks like you already opened that ticket 🙂 Let's pick this up through the support route, and we can report back here once we know more.

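A token comparison for the situation discussed in this thread, where an elevated taskkill.exe reaches high integrity yet still behaves differently from an admin "run as different user" prompt: run it once from each prompt and compare the three fields. This is an added example, not part of the thread and not VMware's tooling. The function name Get-TokenSummary and the sample rows are constructed, and it assumes the column order of `whoami /groups /fo csv /nh` and `whoami /priv /fo csv /nh` with English attribute text.

```powershell
# Added example: summarize an access token from whoami CSV output.
# Get-TokenSummary is a hypothetical helper name, not a DEM or Windows cmdlet.
function Get-TokenSummary {
    param(
        [string[]]$GroupCsv,   # lines from: whoami /groups /fo csv /nh
        [string[]]$PrivCsv     # lines from: whoami /priv /fo csv /nh
    )
    # Well-known mandatory label SIDs
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $groups = @($GroupCsv | ConvertFrom-Csv -Header Name, Type, Sid, Attributes)
    $privs  = @($PrivCsv  | ConvertFrom-Csv -Header Name, Description, State)

    $label = $groups | Where-Object { $levels.ContainsKey($_.Sid) } | Select-Object -First 1
    $admin = $groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' } | Select-Object -First 1
    $debug = $privs  | Where-Object { $_.Name -eq 'SeDebugPrivilege' } | Select-Object -First 1

    # BUILTIN\Administrators can be absent, present as deny-only, or enabled
    $adminState = 'Absent'
    if ($admin) {
        $adminState = if ($admin.Attributes -match 'deny only') { 'DenyOnly' } else { 'Enabled' }
    }

    [pscustomobject]@{
        IntegrityLevel   = if ($label) { $levels[$label.Sid] } else { 'Unknown' }
        Administrators   = $adminState
        SeDebugPrivilege = if ($debug) { $debug.State } else { 'NotHeld' }
    }
}

# Constructed sample rows to exercise the parser (not captured from a DEM session)
$sampleGroups = @(
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'
)
$samplePrivs = @(
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
Get-TokenSummary -GroupCsv $sampleGroups -PrivCsv $samplePrivs

# Live use: Get-TokenSummary (whoami /groups /fo csv /nh) (whoami /priv /fo csv /nh)
```

A difference in any field between the two prompts is the kind of detail worth attaching to the support request alongside the Flex Engine and event logs.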