Problems running with Elevated Privileges

9 years ago
#3097
We have a .NET (WPF) application that is interacting with the Lync SDK. The application works great outside of Inteset and our user accounts belong to the Administrators group on the machine.

Our problem occurs when we run our application through Inteset. We see AccessDenied exceptions coming from the Lync SDK when we attempt to marshal pointers across our processes. For example, attempting to show the incoming video feed from the Lync SDK inside our application.

We've discovered that we can reproduce this problem outside of Inteset by right-clicking our application shortcut and choosing "Run as Administrator". We believe the error occurs because the Lync SDK is a separate process that is running in a non-elevated state and the inter-process communication is failing because the security contexts are different or something.

I'm guessing that the Inteset process runs as an elevated process to lock down the machine. As an extension of this, perhaps Inteset is also launching our application with elevated privileges? Is it possible to configure Inteset to launch our application as a Basic User?

Our requirements are to restrict access to the UI (Start menu, desktop icons) and Windows keys (ALT+Tab, ALT+F4, CTRL+ALT+DEL, etc.).
0
9 years ago
#3099
Secure Lockdown does not directly launch master applications with elevated privileges. Is this software something we can test in our lab? We could troubleshoot it for you. Otherwise, you might want to try launching your app with a script (i.e., the script becomes the "Master Application"), then enter the "Process Name" field to monitor the actual application.
0
9 years ago
#3101
I'm not sure that I can legally provide you with a copy of our application, but we might be able to provide a sample that exhibits the same issue. There are a few environmental dependencies required to test and if you're open to that option we may need to discuss how we'd get you a copy and set it up, etc.

Regarding using a script to launch our application, we're exploring this option as well. We've identified that we can get the behavior we want by using a batch file that uses "runas.exe" to run it as a Basic User. This is not perfect as the runas command always prompts for credentials.

If it's not launching the master application with elevated privileges, can you elaborate about how the process is being launched?
0
9 years ago
#3106
The code used to launch applications does not explicitly define using elevated privileges or "Run as". It does have this capability, but it does not use it. It may inherit the privileges of the Secure Lockdown application, which does run with admin privileges. You could use a VBS or PowerShell script to launch your application with pre-defined user credentials of a basic user. Here is a good example of using a PowerShell script to do what you need:

http://powershell.com/cs/forums/t/9502.aspx
0
9 years ago
#3107
Thanks for the link to the PowerShell command. This would solve the password prompt issue but requires that we specify the password in the script file, which won't work for us because it's insecure and the kiosks may have different usernames/passwords per machine.

At this point I can pretty much guarantee that if Inteset is being launched with elevated privileges then any newly spawned process from it will also be elevated.

We're investigating an alternate technique to spawn a process without the elevated security context. Will keep you posted.
0
9 years ago
#3108
As a follow-up to my last post...

We've discovered an alternative that does not require hard-coded credentials or prompts. Our batch script uses "explorer.exe" to launch our application in a non-elevated security context. http://stackoverflow.com/questions/1173630/how-do-you-de-elevate-privileges-for-a-child-process
0
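The explorer.exe approach from post #3108, combined with the launcher-script suggestion from post #3099, as an added PowerShell example that is not part of the original thread and is not Inteset's or the poster's code. It assumes the behavior the poster reports (a program started through explorer.exe runs non-elevated); the application path and the function names are hypothetical.

```powershell
# Added example: start a kiosk application without the launcher's elevated token.
param(
    [string]$AppPath = 'C:\Kiosk\OurApp.exe',   # hypothetical path, replace with the real one
    [int]$TimeoutSeconds = 15
)

function Test-IsElevated {
    # True only when Administrators is an enabled group in this process's token,
    # i.e. the process is elevated (a UAC-filtered token returns False).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-NonElevated {
    param([Parameter(Mandatory)][string]$Path, [int]$Timeout = 15)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Application not found: $Path"
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $name = [IO.Path]::GetFileNameWithoutExtension($full)

    if (Test-IsElevated) {
        # explorer.exe takes only the path here; the target receives no arguments.
        Start-Process -FilePath (Join-Path $env:WINDIR 'explorer.exe') -ArgumentList "`"$full`""
    } else {
        # Launcher is already non-elevated: a direct start inherits the same token.
        Start-Process -FilePath $full
    }

    # explorer.exe returns immediately, so poll for the real process by name
    # (the same name a "Process Name" monitor would watch).
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        $proc = Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($proc) { return $proc }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    throw "'$name' did not start within $Timeout seconds"
}

$started = Start-NonElevated -Path $AppPath -Timeout $TimeoutSeconds
"Started {0} (PID {1}); launcher elevated: {2}" -f $started.ProcessName, $started.Id, (Test-IsElevated)
```

No credentials appear in the script, which addresses the concern raised in post #3107. The launched application can confirm the result itself by running the same `WindowsPrincipal.IsInRole` check at startup and logging it.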
9 years ago
#3111
Great. Thanks for updating the post.
0