Make self elevation stable, change to using a limited token as when t…

…o use it
JohnMcPMS · Jan 29, 2025 · d77b935 · d77b935
1 parent 2dc4c07
commit d77b935
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 12 deletions.
diff --git a/src/AppInstallerCLICore/Workflows/ConfigurationFlow.cpp b/src/AppInstallerCLICore/Workflows/ConfigurationFlow.cpp
@@ -106,8 +106,8 @@ namespace AppInstaller::CLI::Workflow
 
             IConfigurationSetProcessorFactory factory;
 
-            // Since downgrading is not currently supported, only use dynamic if not running as admin.
-            if (Settings::ExperimentalFeature::IsEnabled(Settings::ExperimentalFeature::Feature::ConfigureSelfElevation) && !Runtime::IsRunningAsAdmin())
+            // Since downgrading is not currently supported, only use dynamic if running limited.
+            if (Runtime::IsRunningWithLimitedToken())
             {
                 factory = ConfigurationRemoting::CreateDynamicRuntimeFactory();
             }

diff --git a/src/AppInstallerCommonCore/ExperimentalFeature.cpp b/src/AppInstallerCommonCore/ExperimentalFeature.cpp
@@ -44,8 +44,6 @@ namespace AppInstaller::Settings
                 return userSettings.Get<Setting::EFResume>();
             case ExperimentalFeature::Feature::Configuration03:
                 return userSettings.Get<Setting::EFConfiguration03>();
-            case ExperimentalFeature::Feature::ConfigureSelfElevation:
-                return userSettings.Get<Setting::EFConfigureSelfElevation>();
             case ExperimentalFeature::Feature::ConfigureExport:
                 return userSettings.Get<Setting::EFConfigureExport>();
             case ExperimentalFeature::Feature::Font:
@@ -83,8 +81,6 @@ namespace AppInstaller::Settings
             return ExperimentalFeature{ "Resume", "resume", "https://aka.ms/winget-settings", Feature::Resume };
         case Feature::Configuration03:
             return ExperimentalFeature{ "Configuration Schema 0.3", "configuration03", "https://aka.ms/winget-settings", Feature::Configuration03 };
-        case Feature::ConfigureSelfElevation:
-            return ExperimentalFeature{ "Configure Self Elevation", "configureSelfElevate", "https://aka.ms/winget-settings", Feature::ConfigureSelfElevation };
         case Feature::ConfigureExport:
             return ExperimentalFeature{ "Configure Export", "configureExport", "https://aka.ms/winget-settings", Feature::ConfigureExport };
         case Feature::Font:

diff --git a/src/AppInstallerCommonCore/Public/winget/ExperimentalFeature.h b/src/AppInstallerCommonCore/Public/winget/ExperimentalFeature.h
@@ -25,9 +25,8 @@ namespace AppInstaller::Settings
             DirectMSI = 0x1,
             Resume = 0x2,
             Configuration03 = 0x4,
-            ConfigureSelfElevation = 0x8,
-            ConfigureExport = 0x10,
-            Font = 0x20,
+            ConfigureExport = 0x8,
+            Font = 0x10,
             Max, // This MUST always be after all experimental features
 
             // Features listed after Max will not be shown with the features command

diff --git a/src/AppInstallerCommonCore/Public/winget/UserSettings.h b/src/AppInstallerCommonCore/Public/winget/UserSettings.h
@@ -76,7 +76,6 @@ namespace AppInstaller::Settings
         EFDirectMSI,
         EFResume,
         EFConfiguration03,
-        EFConfigureSelfElevation,
         EFConfigureExport,
         EFFonts,
         // Telemetry
@@ -162,7 +161,6 @@ namespace AppInstaller::Settings
         SETTINGMAPPING_SPECIALIZATION(Setting::EFDirectMSI, bool, bool, false, ".experimentalFeatures.directMSI"sv);
         SETTINGMAPPING_SPECIALIZATION(Setting::EFResume, bool, bool, false, ".experimentalFeatures.resume"sv);
         SETTINGMAPPING_SPECIALIZATION(Setting::EFConfiguration03, bool, bool, false, ".experimentalFeatures.configuration03"sv);
-        SETTINGMAPPING_SPECIALIZATION(Setting::EFConfigureSelfElevation, bool, bool, false, ".experimentalFeatures.configureSelfElevate"sv);
         SETTINGMAPPING_SPECIALIZATION(Setting::EFConfigureExport, bool, bool, false, ".experimentalFeatures.configureExport"sv);
         SETTINGMAPPING_SPECIALIZATION(Setting::EFFonts, bool, bool, false, ".experimentalFeatures.fonts"sv);
         // Telemetry

diff --git a/src/AppInstallerCommonCore/UserSettings.cpp b/src/AppInstallerCommonCore/UserSettings.cpp
@@ -267,7 +267,6 @@ namespace AppInstaller::Settings
         WINGET_VALIDATE_PASS_THROUGH(EFDirectMSI)
         WINGET_VALIDATE_PASS_THROUGH(EFResume)
         WINGET_VALIDATE_PASS_THROUGH(EFConfiguration03)
-        WINGET_VALIDATE_PASS_THROUGH(EFConfigureSelfElevation)
         WINGET_VALIDATE_PASS_THROUGH(EFConfigureExport)
         WINGET_VALIDATE_PASS_THROUGH(EFFonts)
         WINGET_VALIDATE_PASS_THROUGH(AnonymizePathForDisplay)

diff --git a/src/AppInstallerSharedLib/Public/winget/Runtime.h b/src/AppInstallerSharedLib/Public/winget/Runtime.h
@@ -43,6 +43,14 @@ namespace AppInstaller::Runtime
     // Determines whether the process is running with administrator or system privileges.
     bool IsRunningAsAdminOrSystem();
 
+    // Determines whether the current token can be elevated.
+    // This only returns true for tokens that are TokenElevationTypeLimited.
+    // Thus, it will only be true if:
+    //  1. UAC is enabled
+    //  2. the user is in the Administrators group
+    //  3. the token is not already elevated
+    bool IsRunningWithLimitedToken();
+
     // Returns true if this is a release build; false if not.
     inline constexpr bool IsReleaseBuild()
     {

diff --git a/src/AppInstallerSharedLib/Runtime.cpp b/src/AppInstallerSharedLib/Runtime.cpp
@@ -213,4 +213,9 @@ namespace AppInstaller::Runtime
     {
         return IsRunningAsAdmin() || IsRunningAsSystem();
     }
+
+    bool IsRunningWithLimitedToken()
+    {
+        return wil::get_token_information<TOKEN_ELEVATION_TYPE>() == TokenElevationTypeLimited;
+    }
 }