From bdda474a01d09013c839cf4dfd45cea2ecc44e1f Mon Sep 17 00:00:00 2001
From: Rob Mensching
Date: Fri, 30 Jan 2026 12:49:59 -0800
Subject: Use high integrity instead of elevation token to properly detect "elevated" installs
Fixes 8178
---
 src/libs/dutil/WixToolset.DUtil/inc/procutil.h | 5 ++++-
 src/libs/dutil/WixToolset.DUtil/procutil.cpp | 25 ++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)
(limited to 'src/libs/dutil')
diff --git a/src/libs/dutil/WixToolset.DUtil/inc/procutil.h b/src/libs/dutil/WixToolset.DUtil/inc/procutil.h
index e7e91705..974003eb 100644
--- a/src/libs/dutil/WixToolset.DUtil/inc/procutil.h
+++ b/src/libs/dutil/WixToolset.DUtil/inc/procutil.h
@@ -28,7 +28,10 @@ HRESULT DAPI ProcGetTokenInformation(
 __in TOKEN_INFORMATION_CLASS tokenInformationClass,
 __out LPVOID* ppvTokenInformation
 );
-
+HRESULT DAPI ProcIsHighIntegrity(
+ __in HANDLE hProcess,
+ __out BOOL* pfHighIntegrity
+ );
 HRESULT DAPI ProcHasPrivilege(
 __in HANDLE hProcess,
 __in LPCWSTR wzPrivilegeName,
diff --git a/src/libs/dutil/WixToolset.DUtil/procutil.cpp b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
index 6cd3214c..7109551b 100644
--- a/src/libs/dutil/WixToolset.DUtil/procutil.cpp
+++ b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
@@ -34,7 +34,6 @@ static BOOL CALLBACK CloseWindowEnumCallback(
 __in LPARAM lParam
 );
-
 extern "C" HRESULT DAPI ProcElevated(
 __in HANDLE hProcess,
 __out BOOL* pfElevated
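Review bot: The new ProcIsHighIntegrity prototype in procutil.h has no comment telling a caller how it differs from ProcElevated, which procutil.cpp still exports. The commit title says the elevation-token check misdetects "elevated" installs, so the header is where someone choosing between the two needs that stated. I would add above the declaration `// Reports whether the process token's mandatory integrity level is High or above; per the commit, use this rather than ProcElevated to decide whether an install is elevated.` As far as the collapsed hunk shows, the blank line that separated ProcGetTokenInformation from the next declaration is replaced rather than kept, so the new prototype abuts `);` on both sides; a blank line before and after would restore the separation the removed line gave.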
@@ -141,6 +140,30 @@ LExit:
 return hr;
 }
+extern "C" HRESULT DAPI ProcIsHighIntegrity(
+ __in HANDLE hProcess,
+ __out BOOL* pfHighIntegrity
+ )
+{
+ HRESULT hr = S_OK;
+ TOKEN_MANDATORY_LABEL* pTokenMandatoryLabel = NULL;
+ DWORD integrityRid = 0;
+
+ *pfHighIntegrity = FALSE;
+
+ hr = ProcGetTokenInformation(hProcess, TokenIntegrityLevel, reinterpret_cast(&pTokenMandatoryLabel));
+ ProcExitOnFailure(hr, "Failed to get token mandatory label.");
+
+ integrityRid = *::GetSidSubAuthority(pTokenMandatoryLabel->Label.Sid, *::GetSidSubAuthorityCount(pTokenMandatoryLabel->Label.Sid) - 1);
+
+ *pfHighIntegrity = (SECURITY_MANDATORY_HIGH_RID <= integrityRid);
+
+LExit:
+ ReleaseMem(pTokenMandatoryLabel);
+
+ return hr;
+}
+
 extern "C" HRESULT DAPI ProcHasPrivilege(
 __in HANDLE hProcess,
 __in LPCWSTR wzPrivilegeName,
-- cgit v1.2.3-55-g6feb
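Review bot: The index passed to GetSidSubAuthority in ProcIsHighIntegrity is `*::GetSidSubAuthorityCount(...) - 1`, with no check that the SID is valid or that the count is non-zero, so a zero count wraps to 0xFFFFFFFF and the read lands outside the SID. The label comes from the process token, so this is defensive, but the value read is what gets compared with SECURITY_MANDATORY_HIGH_RID for the "elevated" decision, and rejecting a malformed label with a failure HRESULT costs a few lines. The new local is declared with the others because ProcExitOnFailure presumably jumps to LExit and must not skip an initialisation. The comparison also accepts every level at or above High, System included, which the function name does not say; a comment such as `// High or above: System integrity also counts.` on that line would record the intent.

```cpp
    DWORD integrityRid = 0;
    UCHAR cSubAuthorities = 0;

    // … unchanged: default *pfHighIntegrity to FALSE, ProcGetTokenInformation call and its failure exit …

    // The integrity RID is the last sub-authority; refuse a label SID that is
    // invalid or empty instead of letting (count - 1) wrap.
    if (::IsValidSid(pTokenMandatoryLabel->Label.Sid))
    {
        cSubAuthorities = *::GetSidSubAuthorityCount(pTokenMandatoryLabel->Label.Sid);
    }

    if (0 == cSubAuthorities)
    {
        hr = E_UNEXPECTED;
        ProcExitOnFailure(hr, "Token mandatory label SID is invalid or has no sub-authorities.");
    }

    integrityRid = *::GetSidSubAuthority(pTokenMandatoryLabel->Label.Sid, static_cast<DWORD>(cSubAuthorities) - 1);

    // … unchanged: comparison with SECURITY_MANDATORY_HIGH_RID, LExit cleanup …
```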