问题描述
这类似于如何创建中等完整性级别流程与低完整性级别流程? ",但我的角度略有不同.(无论如何都没有回答.):)
This is similar to " how create medium integrity level process from low integrity level process? ", but I'm coming from a slightly different angle. (And that isn't answered anyway.) :)
如果文件保存为低完整性(通常来自低完整性应用程序,例如浏览器),则它会被标记为低完整性强制标签.(这个标签也可以与icacls/setintegritylevel low
一起使用.)如果这样一个文件被执行,它就会变成一个低完整性进程,这是可以理解的.
If a file is saved as low integrity (typically from a low integrity app such as a browser) then it is marked with a Low Integrity Mandatory Label. (This label can also be applied with icacls /setintegritylevel low
.) If such a file is executed, it becomes a low integrity process, understandably.
有什么方法可以(通过同意用户界面)将此流程提升回中等完整性?如果应用程序被标记为 requiresAdministrator
清单,或者如果它使用 runas
动词调用 ShellExecute
,则可以达到高度完整性,但显然这也需要管理员权限.进入中等完整性不需要管理员权限,它仍然解锁了许多低完整性进程无法使用的权限.
Is there some way to elevate (via consent UI) this process back to medium integrity? It's possible to go to high integrity if the app is marked with a requiresAdministrator
manifest, or if it calls ShellExecute
with the runas
verb, but obviously this requires admin permissions as well. Going to medium integrity doesn't require admin permissions and it still unlocks a lot of permissions unavailable to low integrity processes.
显然,任何这样做的机制都应该要求用户同意 UI(应该不可能默默地做到这一点,否则有什么意义?),但如何调用?
Obviously any mechanism to do so should require the user consent UI (it should be impossible to do it silently, otherwise what's the point?), but how can that be invoked?
我发现关于此主题的唯一讨论涉及拥有您自己的原始中等完整性流程并从中分离出低完整性流程;这允许通过与中等完整性过程进行通信来提升并让它启动任何东西.但是,当最初以低完整性启动进程的是操作系统本身时,这无济于事.
The only discussion on this topic that I've found involves having an originally-medium-integrity process of your own and spinning off the low-integrity process from it; this permits elevation by communication back to the medium-integrity process and getting it to launch whatever. But this doesn't help when it's the OS itself that initially starts the process with low integrity.
推荐答案
我从未见过或听说过获得用户同意以将流程从低完整性提升到中等完整性的方法.我会说你运气不好.
I have never seen or heard of a way to get a user's consent to elevate a process from low to medium integrity. I would say you are out of luck.
另请参阅此博客文章以供参考:处于保护模式的 Internet Explorer – 如何创建低完整性环境
Please also see this blog article for reference: Internet Explorer in Protected Mode – How the Low Integrity Environment Gets Created
这篇关于从低完整性提升到中等完整性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!