Terminal: Starting a ConPTY process with UAC elevation

Created on 23 Dec 2018 · 8 Comments · Source: microsoft/terminal

What is Microsoft's recommended way to start an elevated process with an attached PTY?

1) CredUIPromptForWindowsCredentialsW + LogonUserW + CreateProcessWithTokenW?
2) Running runas.exe with a PTY?
3) Something else?

Area-Interop Issue-Question Product-Conpty Resolution-Won't-Fix

All 8 comments

KernelBase.dll has an un-exported function CreatePseudoConsoleAsUser() which uses CreateProcessAsUserW(hToken, ...). The hToken parameter can be configured with admin privileges. It seems that the underlying conhost.exe process should also be run as administrator.

@Biswa96 please do not encourage people to rely on our private APIs.

@Eugeny we don't have an official stance on elevating a pseudoconsole client. At the moment, you'd have the best chance of success by shipping an elevated helper and using that to broker communication with your lower-IL process.

I don't think the private API really matters here - when you call CreateProcessAsUser, you need to have SE_ASSIGNPRIMARYTOKEN_NAME, which restricted tokens don't have. So the only thing that API would help with is letting you create a PTY as another user _if you are already elevated_.

I'm experimenting with these scenarios here, but it's very experimental at the moment.

This discussion has, perhaps, outlived its usefulness.

The private API CreatePseudoConsoleAsUser() now becomes an open source one in src/winconpty/winconpty.cpp.

Creating a process as a different user was always possible, even without a pseudoconsole running as that user. The hard part is getting the correct part of the user's split token to launch _elevated_, which CreatePseudoConsoleAsUser _still_ doesn't let you do. :smile:

to wit: it is subject to the same limitation @parkovski already pointed out.
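
The limitation discussed in this thread (SE_ASSIGNPRIMARYTOKEN_NAME and which half of the split token a process is running with) can be inspected from a shell before attempting a ConPTY launch. The PowerShell below is an added example, not code from the thread or from microsoft/terminal; the function names are hypothetical, and it only reads the current process token through `whoami.exe` and .NET.

```powershell
# Added example: reports facts about the *current* process token only.
# Integrity-level SIDs are well-known constants (S-1-16-<RID>).
$integrityLevels = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-TokenPrivilege {
    # /fo csv /nh plus explicit headers keeps column names independent of the UI language.
    whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State
}

function Get-TokenIntegrityLevel {
    # The mandatory label appears in the group list as one of the S-1-16-* SIDs.
    $groups = whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $label = $groups |
        Where-Object { $integrityLevels.ContainsKey($_.Sid) } |
        Select-Object -First 1
    if ($label) { $integrityLevels[$label.Sid] } else { 'Unknown' }
}

function Test-ConPtyLaunchContext {
    $assign = Get-TokenPrivilege |
        Where-Object { $_.Name -eq 'SeAssignPrimaryTokenPrivilege' }
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        User                    = $identity.Name
        IntegrityLevel          = Get-TokenIntegrityLevel
        # False for the filtered half of a split token: Administrators is deny-only there.
        IsElevatedAdmin         = $principal.IsInRole($adminRole)
        HasAssignPrimaryToken   = [bool]$assign
        AssignPrimaryTokenState = if ($assign) { $assign.State } else { 'Not present' }
    }
}

Test-ConPtyLaunchContext | Format-List
```

Running it once from a normal prompt and once from an elevated prompt shows the difference between the two halves of the split token that the comments above refer to.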
