COM Elevation Moniker fails to elevate the server under Vista/Windows 7

Question

I’ve created a local COM server that requires elevation and should be instantiated from inside a non-elevated process.

Using MSDN's article on the COM elevation moniker, I’ve configured the server class following the specified requirements. The server was successfully registered in the HKLM hive.

The code sample:

procedure CoCreateInstanceAsAdmin(const Handle: HWND;
      const ClassID, IID: TGuid; PInterface: PPointer);
var
  rBindOpts: TBindOpts3;
  sMonikerName: WideString;
  iRes: HRESULT;
begin
  ZeroMemory(@rBindOpts, Sizeof(TBindOpts3));
  rBindOpts.cbStruct := Sizeof(TBindOpts3);
  rBindOpts.hwnd := Handle;
  rBindOpts.dwClassContext := CLSCTX_LOCAL_SERVER;  
  sMonikerName := 'Elevation:Administrator!new:' + GUIDToString(ClassID);
  iRes := CoGetObject(PWideChar(sMonikerName), @rBindOpts, IID, PInterface);
  OleCheck(iRes);
end;

class function CoIMyServer.Create: IMyServer;
begin
  CoCreateInstanceAsAdmin(HInstance, CLASS_IMyServer, IMyServer, @Result);
end;

When it comes to CoGetObject(PWideChar(sMonikerName), @rBindOpts, IID, PInterface) I get the UAC screen and confirm running the server as admin. However, OleCheck(iRes) returns: "The requested operation requires elevation" error.

From that article I’ve read about "Over-The-Shoulder (OTS) Elevation".

Is this the only way to get my server instance available for the non-elevated process? If so, when should CoInitializeSecurity be called on the server?

---

Complete registration details

HKLM\SOFTWARE\Wow6432Node\Classes\CLSID
    {MyServer CLSID}
        (Default) = IMyServer Object  
        LocalizedString = @C:\Program Files (x86)\MyServer\MyServer.exe,-15500  
    Elevation
        Enabled = 0x000001 (1)  
    LocalServer32
        (Default) = C:\PROGRA~2\MyServer\MYSERVER.EXE  
    ProgID
        (Default) = uMyServer.IMyServer  
    TypeLib
        (Default) = {TypeLib GUID}  
    Version
        (Default) = 1.0  

HKLM\SOFTWARE\Wow6432Node\Classes\Interface
    {GUID of IID_IMyServer}
        (Default) = IMyServer  
    ProxyStubClsid32
        (Default) = {Some GUID}  
    TypeLib
        (Default) = {TypeLib GUID}  
        Version = 1.0

Above are the only entries that exist in my registry after registering the server.

---

Additional details

Tried without success calling CoInitializeSecurity() implicitly + setting lunch permissions as advised using the following code:

function GetSecurityDescriptor(const lpszSDDL: LPWSTR; out pSD: PSecurityDescriptor): Boolean;
begin
  Result := ConvertStringSecurityDescriptorToSecurityDescriptorW(lpszSDDL, SDDL_REVISION_1,
    pSD, nil);
end;

function GetLaunchActPermissionsWithIL(out pSD: PSecurityDescriptor): Boolean;
var
  lpszSDDL: LPWSTR;
begin
  // Allow World Local Launch/Activation permissions. Label the SD for LOW IL Execute UP
  lpszSDDL := 'O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;LW)';
  Result := GetSecurityDescriptor(lpszSDDL, pSD);
end;

function GetAccessPermissionsForLUAServer(out pSD: PSecurityDescriptor): Boolean;
var
  lpszSDDL: LPWSTR;
begin
  // Local call permissions to IU, SY
  lpszSDDL := 'O:BAG:BAD:(A;;0x3;;;IU)(A;;0x3;;;SY)';
  Result := GetSecurityDescriptor(lpszSDDL, pSD);
end;

function SetAccessPermissions(hAppKey: HKEY; pSD: PSECURITY_DESCRIPTOR): Boolean;
var
  dwLen: DWORD;
  iRes: LONG;
begin
  dwLen := GetSecurityDescriptorLength(pSD);
  iRes := RegSetValueExA(hAppKey, 'AccessPermission', 0, REG_BINARY, pSD, dwLen);
  Result := iRes = ERROR_SUCCESS;
end;

function SetLaunchActPermissions(hAppKey: HKEY; pSD: PSECURITY_DESCRIPTOR): Boolean;
var
  dwLen: DWORD;
  iRes: LONG;
begin
  dwLen := GetSecurityDescriptorLength(pSD);
  iRes := RegSetValueExA(hAppKey, 'LaunchPermission', 0, REG_BINARY, pSD, dwLen);
  Result := iRes = ERROR_SUCCESS;
end;

procedure Initialize;
var
  pSD: PSecurityDescriptor;
  sSubKey: WideString;
  hAppKey: HKEY;
begin
  sSubKey := 'AppID\{GUID}';
  RegOpenKeyW(HKEY_CLASSES_ROOT, PWideChar(sSubKey), hAppKey);
  if GetAccessPermissionsForLUAServer(pSD) then
    if not SetAccessPermissions(hAppKey, pSD) then
      raise Exception.Create(Format('Access permissions aren''t set. System error: %d',
        [GetLastError()]));

  pSD := nil;
  if GetLaunchActPermissionsWithIL(pSD) then
    if not SetLaunchActPermissions(hAppKey, pSD) then
      raise Exception.Create(Format('Launch permissions aren''t set. System error: %d',
        [GetLastError()]));
end;

initialization
  TAutoObjectFactory.Create(ComServer, TMyServer, Class_IMyServer,
    ciMultiInstance, tmApartment);
  Initialize;  

As a AppID GUID I tried to use both the same CLSID GUID of my server interface and a new generated GUID: result was the same. AccessPermission and LaunchPermission values appeared at the specified place after server registering.

Also tried:

• Specifying ROTFlags = 1 in the AppId key
• Building the server as 64-bit application

Additional registry keys/values I created manually:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MyServer.exe]
@="MyServer"
"AppID"="{My GUID}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{My GUID}]
@="MyServer"
"ROTFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{My GUID}]
@="MyServer Object"
"AppID"="{My GUID}"

Answer 1

One mistake you are making is you are passing the RTL's global HInstance variable where CoGetObject() expects an HWND instead. An HINSTANCE handle is not a valid HWND handle. You need to use an actual HWND such as the Handle property of a TForm, or else specify 0 to let the Elevation Moniker choose a suitable window for you.

As for the ERROR_ELEVATION_REQUIRED return value, all I can say is that your COM registration is likely incomplete somewhere. Please show the complete registration details that are actually being stored in the Registry (not what your code thinks it is storing - what the Registry is actually storing).

CoInitializeSecurity() should be called when the server process begins running.