The COM Elevation Nickname: Win32 Applications (2023)

  • Article
  • 8 minutes to read

The COM elevation moniker allows applications running under User Account Control (UAC) to launch COM classes with elevated privileges. For more information, seeFocus on the fewest privileges.

When to Use Nickname Boost?

The elevation moniker is used to allow a COM class to perform a specific, restricted function that requires elevated privileges, such as B. Changing the system date and time.

Elevation requires the participation of a COM class and its client. The COM class must be configured to support elevation by looking at its registry entry as described in the Requirements section. The COM client must request elevation using the elevation moniker.

The elevation nickname is not intended to provide application compatibility. For example, if you want to run a legacy COM application like WinWord as an elevated server, you should configure the COM client executable to require elevation instead of enabling the legacy application class named Elevation . When the COM client calls with elevated privilegesCoCreateInstanceUsing the legacy app's CLSID, the client's elevated state flows to the server process.

Not all COM features support elevation. Features that don't work include:

  • Height does not flow from a client to a remote COM server. If a client starts a remote COM server with the elevation name, the server will not be elevated even if it supports elevation.
  • If an elevated COM class uses impersonation during a COM call, it can lose its elevated privileges during impersonation.
  • When an elevated COM server registers a class in the running object table (ROT), the class is unavailable to non-elevated clients.
  • An elevated process using the UAC mechanism does not load per-user classes during COM activations. For COM applications, this means that the application's COM classes must be installed in theHKEY_LOCAL_MACHINERegistration section when the application is used by privileged and non-privileged accounts. The application's COM classes only need to be installed on theHKEY_USERShive if the app is never used by privileged accounts.
  • Dragging and dropping non-elevated apps into elevated apps is not allowed.


To use the height moniker to launch a COM class, the class must be configured to run as either the launch user or the "launch as trigger" application identity. If the class is configured to run under a different identity, activation returns the error CO_E_RUNAS_VALUE_MUST_BE_AAA.

The class must also be annotated with a "friendly" display name that supports a multilingual user interface (MUI). The following registry entry is required for this:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID{CLSID}LocalizedString = displayName

If this entry is missing, activation will return the error CO_E_MISSING_DISPLAYNAME. If the MUI file is missing, the error code fromRegLoadMUISTringWfunction is returned.

Optionally add the following registry key to specify an application icon to be displayed in the UAC UI:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID{CLSID}ElevationIconReference = applicationIcon

IconoReferenciauses the same format aschain located:

@binary path,-Resource number

Also, the COM component must be signed for the icon to appear.

The COM class must also be specified as LUA-enabled. The following registry entry is required for this:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID{CLSID}ElevationEnabled = 1

If this entry is missing, activation returns the error CO_E_ELEVATION_DISABLED.

Note that these entries must exist in the HKEY_LOCAL_MACHINE hive, not in the HKEY_CURRENT_USER or HKEY_USERS hive. This prevents users from promoting COM classes for which they also do not have permission to register.

The Elevation nickname and Elevation UI

If the client is already elevated, using the elevation name will not display the elevation UI.

How to use the nickname for height

The promotion moniker is a standard COM moniker, similar to session, partition, or queue monikers. Routes an activation request to a specific server with the specified elevation level. The CLSID to be activated appears in the moniker string.

Elevation alias supports the following runlevel tokens:

  1. Administrator
  2. higher

The syntax for this is as follows:


The syntax above uses the "new" moniker to return an instance of the COM class specified byguide. Note that the nickname "new" is used internallyIClassFactoryinterface to get a class object, and then callsIClassFactory::CreateInstancedarin.

The height alias can also be used to get a class object that implementsIClassFactory. The caller then callsCreateInstanceto get an object instance. The syntax for this is as follows:


sample code

The following code example shows how to use the height moniker. It is assumed that you have already initialized COM for the current thread.

HRESULT CoCreateInstanceAsAdmin(HWND hwnd, REFCLSID rclsid, REFIID riid, __out void ** ppv) { BIND_OPTS3 bo; WCHAR wszCLSID[50]; WCHAR wszMonikerName[300]; StringFromGUID2(rclsid, wszCLSID, size of (wszCLSID)/size of (wszCLSID[0])); HRESULT hr = StringCchPrintf(wszMonikerName, sizeof(wszMonikerName)/sizeof(wszMonikerName[0]), L"Elevation:Administrator!new:%s", wszCLSID); si(FALLO(hr)) returns hr; storage pool (&bo, 0, size of (bo)); bo.cbStruct = size of (bo); bo.hwnd = hwnd; bo.dwClassContext = CLSCTX_LOCAL_SERVER; return CoGetObject(wszMonikerName, &bo, riid, ppv);}

BIND_OPTS3is new in Windows Vista. it comes fromBIND_OPTS2.

The only addition is aHWNDcampo,hwnd. This identifier represents a window that owns the Elevation UI, if applicable.

EhwndesNULL, COM will callget active windowto find a window handle associated with the current thread. This case can occur when the client is a script that a cannot runBIND_OPTS3Structure. In this case, COM tries to use the window associated with the script thread.

Over the Shoulder Raise (OTS)

Over the Shoulder (OTS) refers to the scenario in which a client runs a COM server using administrative credentials instead of its own. (The term "over the shoulder" means that the administrator is looking over the shoulder of the client while the client is running the server.)

This scenario can cause a problem for COM calls to the server because the server might not callCoInicializarSeguridadeither explicit (i.e. programmatically) or implicit (i.e. declaratively using the registry). For these servers, COM computes a security descriptor that allows only SELF, SYSTEM, and Builtin\Administrators to make COM calls to the server. This fix does not work in OTS scenarios. Instead, the server should callCoInicializarSeguridad, either explicitly or implicitly, and supply an ACL containing the SID and SYSTEM of the INTERACTIVE group.

The following code example shows how to create a security descriptor (SD) with the group SID INTERACTIVE.

BOOL GetAccessPermissionsForLUAServer(SECURITY_DESCRIPTOR **ppSD){ // Permissions for local UI calls, SY LPWSTR lpszSDDL = L"O:BAG:BAD:(A;;0x3;;;UI)(A;;0x3;;;SY) " ; SECURITY_DESCRIPTOR *pSD; *ppSD = NULL; if (ConvertStringSecurityDescriptorToSecurityDescriptorW(lpszSDDL, SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)&pSD, NULL)) { *ppSD = pSD; returns TRUE; } returns false;}

The following code example shows how to callCoInicializarSeguridadimplicitly with the SD from the code sample above:

// hKey é o HKCR\AppID\{GUID} keyBOOL SetAccessPermissions(HKEY hkey, PSECURITY_DESCRIPTOR pSD){ BOOL bResult = FALSE; DWORD dwLen = GetSecurityDescriptorLength(pSD); LARGO lResultado; lResult = RegSetValueExA(hkey, "AccessPermission", 0, REG_BINARY, (BYTE*)pSD, dwLen); if (lResult != ERROR_SUCCESS) goto done; bResultado = VERDADERO;hecho: devuelve bResultado;}

The following code example shows how to callCoInicializarSeguridadexplicitly with the SD above:

// Werte SD absolutosPSECURITY_DESCRIPTOR pAbsSD = NULL;DWORD AbsSdSize = 0;PACL pAbsAcl = NULL;DWORD AbsAclSize = 0;PACL pAbsSacl = NULL;DWORD AbsSaclSize = 0;PSID pAbsOwner = NULL;DWORD AbsOwnerSize = 0;PSID pAbsGroup = NULL AbsgrupoTamanho = 0; makeabsolutesd (psd, pabssd, & abssdsize, pAbSaCl, & absaclSize, pabssacl, & abssaclsize, pabsowner, & aShisOwersize, pabsgroup, & absgroupsize); If (error_infement_buffer == getLasterRor (pSabsd) (pSCHEX) (pSCHIX) (PSCAX); ; pAbsAcl = (PACL)LocalAlloc(LMEM_FIXED, AbsAclSize); pAbsSacl = (PACL)LocalAlloc(LMEM_FIXED, AbsSaclSize); pAbsOwner = (PSID)LocalAlloc (LMEM_FIXED, AbsOwnerSize); pAbsGroup = (PSID)LocalAlloc(LMEM_FIXED, AbsGroupSize); if ( ! (pAbsSD && pAbsAcl && pAbsSacl && pAbsOwner && pAbsGroup)) { hr = E_OUTOFMEMORY; Ir a Limpieza; } if ( ! MakeAbsoluteSD( pSD, pAbsSD, &AbsSdSize, pAbsAcl, &AbsAclSize, pAbsSacl, &AbsSaclSize, pAbsOwner, &AbsOwnerSize, pAbsGroup, &AbsGroupSize )) { hr = HRESULT_FROM_WIN32(GetLastError()); Ir a Limpieza; }}else{ hr = HRESULT_FROM_WIN32(GetLastErzaror()); Limpieza }// Lamar eine CoinitilizeSecurity.

Windows Vista introduces the termrequired access codesin security descriptors. The tag determines whether clients can get runtime access to a COM object. The label is specified in the System Access Control List (SACL) portion of the security descriptor. On Windows Vista, COM supports the SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP tag. SACLs for COM permissions are ignored on operating systems prior to Windows Vista.

Beginning with Windows Vista, dcomcnfg.exe does not support changing the integrity level (IL) for COM permissions. Must be set programmatically.

The following code example shows how to create a COM security descriptor with a tag that allows launch/activation requests from all LOW IL clients. Note that launch/activation and call permissions tags are valid. It is therefore possible to write a COM server that does not allow initialization, activation, or calls from clients with a specific IL. For more information about integrity levels, see the "Understanding the Windows Vista Integrity Mechanism" section inUnderstand and work in Internet Explorer Protected Mode.

BOOL GetLaunchActPermissionsWithIL (SECURITY_DESCRIPTOR **ppSD){// Permitir permissões de activação/lanzamiento local mundial. Etiqueta SD para LOW IL Ejecute UP LPWSTR lpszSDDL = L"O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;LW)"; if (ConvertStringSecurityDescriptorToSecurityDescriptorW(lpszSDDL, SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)&pSD, NULL)) { *ppSD = pSD; devuelve VERDADERO; }} BOOL SetLaunchActPermissions (HKEY hkey, PSECURITY_DESCRIPTOR pSD) {BOOL bResult = FALSE; DWORD dwLen = GetSecurityDescriptorLength(pSD); LARGO lResultado; lResult = RegSetValueExA(hkey, "LaunchPermission", 0, REG_BINARY, (BYTE*)pSD, dwLen); if (lResult != ERROR_SUCCESS) goto done; bErgebnis = VERDADEIRO; hecho: devuelve bResult;};

CoCreateInstance and integrity levels

the behavior ofCoCreateInstancewas changed in Windows Vista to prevent low IL clients from connecting to COM servers by default. The server must explicitly allow such bindings by specifying the SACL. The changes toCoCreateInstanceThey are as follows:

  1. When a COM server process is started, the IL in the server process token is set to the IL in the client or server token, whichever is smaller.
  2. By default, COM prevents low-level IL clients from connecting to running instances of a COM server. To enable binding, a COM server's launch/activation security descriptor must contain a SACL that specifies the low-IL tag (see the previous section for sample code to create this security descriptor).

Increased servers and ROT records

If a COM server wants to register itself in the running object table (ROT) and allow any client to access the registry, it must use the ROTFLAGS_ALLOWANYCLIENT flag. An "Enable as activator" COM server cannot specify ROTFLAGS_ALLOWANYCLIENT because the DCOM Service Control Manager (DCOMSCM) enforces a spoofing check for this flag. Therefore, in Windows Vista, COM adds support for a new registry entry that allows the server to specify that its ROT entries are available to any client:


The only valid value for this REG_DWORD entry is:


The entry must exist inHKEY_LOCAL_MACHINEbeehive.

This entry provides a "Launch as Trigger" server with the same functionality that ROTFLAGS_ALLOWANYCLIENT provides for a RunAs server.

COM security

Understand and work in Internet Explorer Protected Mode

Top Articles
Latest Posts
Article information

Author: Nathanael Baumbach

Last Updated: 04/10/2023

Views: 6300

Rating: 4.4 / 5 (55 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Nathanael Baumbach

Birthday: 1998-12-02

Address: Apt. 829 751 Glover View, West Orlando, IN 22436

Phone: +901025288581

Job: Internal IT Coordinator

Hobby: Gunsmithing, Motor sports, Flying, Skiing, Hooping, Lego building, Ice skating

Introduction: My name is Nathanael Baumbach, I am a fantastic, nice, victorious, brave, healthy, cute, glorious person who loves writing and wants to share my knowledge and understanding with you.