From bdda474a01d09013c839cf4dfd45cea2ecc44e1f Mon Sep 17 00:00:00 2001
From: Rob Mensching <rob@firegiant.com>
Date: Fri, 30 Jan 2026 12:49:59 -0800
Subject: Use high integrity instead of elevation token to properly detect
 "elevated" installs

Fixes 8178
---
 src/burn/engine/engine.cpp                     |  3 ++-
 src/libs/dutil/WixToolset.DUtil/inc/procutil.h |  5 ++++-
 src/libs/dutil/WixToolset.DUtil/procutil.cpp   | 25 ++++++++++++++++++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/burn/engine/engine.cpp b/src/burn/engine/engine.cpp
index c372772c..d432f732 100644
--- a/src/burn/engine/engine.cpp
+++ b/src/burn/engine/engine.cpp
@@ -379,7 +379,8 @@ static HRESULT InitializeEngineState(
     BurnPipeConnectionInitialize(&pEngineState->embeddedConnection);
 
     // Retain whether bundle was initially run elevated.
-    ProcElevated(::GetCurrentProcess(), &pEngineState->internalCommand.fInitiallyElevated);
+    hr = ProcIsHighIntegrity(::GetCurrentProcess(), &pEngineState->internalCommand.fInitiallyElevated);
+    ExitOnFailure(hr, "Failed to determine if process is running elevated.");
 
     // Parse command line.
     hr = CoreParseCommandLine(&pEngineState->internalCommand, &pEngineState->command, &pEngineState->companionConnection, &pEngineState->embeddedConnection, &hSectionFile, &hSourceEngineFile);
diff --git a/src/libs/dutil/WixToolset.DUtil/inc/procutil.h b/src/libs/dutil/WixToolset.DUtil/inc/procutil.h
index e7e91705..974003eb 100644
--- a/src/libs/dutil/WixToolset.DUtil/inc/procutil.h
+++ b/src/libs/dutil/WixToolset.DUtil/inc/procutil.h
@@ -28,7 +28,10 @@ HRESULT DAPI ProcGetTokenInformation(
     __in TOKEN_INFORMATION_CLASS tokenInformationClass,
     __out LPVOID* ppvTokenInformation
     );
-
+HRESULT DAPI ProcIsHighIntegrity(
+    __in HANDLE hProcess,
+    __out BOOL* pfHighIntegrity
+    );
 HRESULT DAPI ProcHasPrivilege(
     __in HANDLE hProcess,
     __in LPCWSTR wzPrivilegeName,
diff --git a/src/libs/dutil/WixToolset.DUtil/procutil.cpp b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
index 6cd3214c..7109551b 100644
--- a/src/libs/dutil/WixToolset.DUtil/procutil.cpp
+++ b/src/libs/dutil/WixToolset.DUtil/procutil.cpp
@@ -34,7 +34,6 @@ static BOOL CALLBACK CloseWindowEnumCallback(
     __in LPARAM lParam
     );
 
-
 extern "C" HRESULT DAPI ProcElevated(
     __in HANDLE hProcess,
     __out BOOL* pfElevated
@@ -141,6 +140,30 @@ LExit:
     return hr;
 }
 
+extern "C" HRESULT DAPI ProcIsHighIntegrity(
+    __in HANDLE hProcess,
+    __out BOOL* pfHighIntegrity
+    )
+{
+    HRESULT hr = S_OK;
+    TOKEN_MANDATORY_LABEL* pTokenMandatoryLabel = NULL;
+    DWORD integrityRid = 0;
+
+    *pfHighIntegrity = FALSE;
+
+    hr = ProcGetTokenInformation(hProcess, TokenIntegrityLevel, reinterpret_cast<LPVOID*>(&pTokenMandatoryLabel));
+    ProcExitOnFailure(hr, "Failed to get token mandatory label.");
+
+    integrityRid = *::GetSidSubAuthority(pTokenMandatoryLabel->Label.Sid, *::GetSidSubAuthorityCount(pTokenMandatoryLabel->Label.Sid) - 1);
+
+    *pfHighIntegrity = (SECURITY_MANDATORY_HIGH_RID <= integrityRid);
+
+LExit:
+    ReleaseMem(pTokenMandatoryLabel);
+
+    return hr;
+}
+
 extern "C" HRESULT DAPI ProcHasPrivilege(
     __in HANDLE hProcess,
     __in LPCWSTR wzPrivilegeName,
-- 
cgit v1.2.3-55-g6feb