Use high integrity instead of elevation token to properly detect "elevated" installs

Fixes 8178
author: Rob Mensching <rob@firegiant.com> 2026-01-30 12:49:59 -0800
committer: Rob Mensching <rob@firegiant.com> 2026-01-30 14:54:28 -0800
commit: bdda474a01d09013c839cf4dfd45cea2ecc44e1f (patch)
tree: 7956ee86b43877703de2ebc83ef3ce6ccd1d1953 /src/libs/dutil/WixToolset.DUtil/procutil.cpp
parent: af69ebe04deade267c347f0b790b6574f2fa31fa (diff)
download: wix-bdda474a01d09013c839cf4dfd45cea2ecc44e1f.tar.gz
wix-bdda474a01d09013c839cf4dfd45cea2ecc44e1f.tar.bz2
wix-bdda474a01d09013c839cf4dfd45cea2ecc44e1f.zip
1 files changed, 24 insertions, 1 deletions
diff --git a/src/libs/dutil/WixToolset.DUtil/procutil.cpp b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
index 6cd3214c..7109551b 100644
--- a/src/libs/dutil/WixToolset.DUtil/procutil.cpp
+++ b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
@@ -34,7 +34,6 @@ static BOOL CALLBACK CloseWindowEnumCallback(
    __in LPARAM lParam
    );
 extern "C" HRESULT DAPI ProcElevated(
    __in HANDLE hProcess,
    __out BOOL* pfElevated
@@ -141,6 +140,30 @@ LExit:
    return hr;
 }
+extern "C" HRESULT DAPI ProcIsHighIntegrity(
+    __in HANDLE hProcess,
+    __out BOOL* pfHighIntegrity
+    )
+{
+    HRESULT hr = S_OK;
+    TOKEN_MANDATORY_LABEL* pTokenMandatoryLabel = NULL;
+    DWORD integrityRid = 0;
+    *pfHighIntegrity = FALSE;
+    hr = ProcGetTokenInformation(hProcess, TokenIntegrityLevel, reinterpret_cast<LPVOID*>(&pTokenMandatoryLabel));
+    ProcExitOnFailure(hr, "Failed to get token mandatory label.");
+    integrityRid = *::GetSidSubAuthority(pTokenMandatoryLabel->Label.Sid, *::GetSidSubAuthorityCount(pTokenMandatoryLabel->Label.Sid) - 1);
+    *pfHighIntegrity = (SECURITY_MANDATORY_HIGH_RID <= integrityRid);
+LExit:
+    ReleaseMem(pTokenMandatoryLabel);
+    return hr;
+}
 extern "C" HRESULT DAPI ProcHasPrivilege(
    __in HANDLE hProcess,
    __in LPCWSTR wzPrivilegeName,
author	Rob Mensching <rob@firegiant.com>	2026-01-30 12:49:59 -0800
committer	Rob Mensching <rob@firegiant.com>	2026-01-30 14:54:28 -0800
commit	bdda474a01d09013c839cf4dfd45cea2ecc44e1f (patch)
tree	7956ee86b43877703de2ebc83ef3ce6ccd1d1953 /src/libs/dutil/WixToolset.DUtil/procutil.cpp
parent	af69ebe04deade267c347f0b790b6574f2fa31fa (diff)
download	wix-bdda474a01d09013c839cf4dfd45cea2ecc44e1f.tar.gz wix-bdda474a01d09013c839cf4dfd45cea2ecc44e1f.tar.bz2 wix-bdda474a01d09013c839cf4dfd45cea2ecc44e1f.zip

diff --git a/src/libs/dutil/WixToolset.DUtil/procutil.cpp b/src/libs/dutil/WixToolset.DUtil/procutil.cpp index 6cd3214c..7109551b 100644 --- a/src/libs/dutil/WixToolset.DUtil/procutil.cpp +++ b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
@@ -34,7 +34,6 @@ static BOOL CALLBACK CloseWindowEnumCallback(
34	__in LPARAM lParam	34	__in LPARAM lParam
35	);	35	);
36		36
37
38	extern "C" HRESULT DAPI ProcElevated(	37	extern "C" HRESULT DAPI ProcElevated(
39	__in HANDLE hProcess,	38	__in HANDLE hProcess,
40	__out BOOL* pfElevated	39	__out BOOL* pfElevated
@@ -141,6 +140,30 @@ LExit:
141	return hr;	140	return hr;
142	}	141	}
143		142
		143	extern "C" HRESULT DAPI ProcIsHighIntegrity(
		144	__in HANDLE hProcess,
		145	__out BOOL* pfHighIntegrity
		146	)
		147	{
		148	HRESULT hr = S_OK;
		149	TOKEN_MANDATORY_LABEL* pTokenMandatoryLabel = NULL;
		150	DWORD integrityRid = 0;
		151
		152	*pfHighIntegrity = FALSE;
		153
		154	hr = ProcGetTokenInformation(hProcess, TokenIntegrityLevel, reinterpret_cast<LPVOID*>(&pTokenMandatoryLabel));
		155	ProcExitOnFailure(hr, "Failed to get token mandatory label.");
		156
		157	integrityRid = ::GetSidSubAuthority(pTokenMandatoryLabel->Label.Sid, ::GetSidSubAuthorityCount(pTokenMandatoryLabel->Label.Sid) - 1);
		158
		159	*pfHighIntegrity = (SECURITY_MANDATORY_HIGH_RID <= integrityRid);
		160
		161	LExit:
		162	ReleaseMem(pTokenMandatoryLabel);
		163
		164	return hr;
		165	}
		166
144	extern "C" HRESULT DAPI ProcHasPrivilege(	167	extern "C" HRESULT DAPI ProcHasPrivilege(
145	__in HANDLE hProcess,	168	__in HANDLE hProcess,
146	__in LPCWSTR wzPrivilegeName,	169	__in LPCWSTR wzPrivilegeName,