Starting a ConPTY process with UAC elevation

[Eugeny]

What is the Microsoft's recommended way to start an elevated process with an attached PTY?

1. CredUIPromptForWindowsCredentialsW + LogonUserW + CreateProcessWithTokenW?
2. Running runas.exe with a PTY?
3. Something else?

[Biswa96]

KernelBase.dll has an un-exported function CreatePseduoConsoleAsUser() which uses CreateProcessAsUserW(hToken, ...). The hToken parameter can be configured with admin privileges. It seems that the underlying conhost.exe process should also be run as administrator.

[DHowett]

@Biswa96 please do not encourage people to rely on our private APIs.

[DHowett]

@Eugeny we don’t have an official stance on elevating a pseudoconsole client. At the moment, you’d have the best chance of success by shipping an elevated helper and using that to broker communication with your lower-IL process.

[parkovski]

I don't think the private API really matters here - when you call CreateProcessAsUser, you need to have SE_ASSIGNPRIMARYTOKEN_NAME, which restricted tokens don't have. So the only thing that API would help with is letting you create a PTY as another user if you are already elevated.

I'm experimenting with these scenarios here, but it's very experimental at the moment.

[DHowett-MSFT]

This discussion has, perhaps, outlived its usefulness.

[Biswa96]

The private API CreatePseduoConsoleAsUser() now becomes a open source one in src/winconpty/winconpty.cpp.

[DHowett-MSFT]

Creating a process as a different user was always possible, even without a pseudoconsole running as that user. The hard part is getting the correct part of the user's split token to launch elevated, which CreatePseudoConsoleAsUser still doesn't let you do. 😄

[DHowett-MSFT]

to wit: it is subject to the same limitation @parkovski already pointed out.