server-default_integrity: New patch set.

This patch set, as an alternative approach to advapi32-Token_Integrity_Level,
creates all processes as a limited administrator by default. This doesn't
actually seem to break most applications, apparently since they assume that
their manifest is enough to force them to run as administrator and don't bother
verifying that's what they get, and since we don't actually prevent accessing
low-integrity objects. I'm adding this patch to wine-staging in order to smoke
out any applications that might be broken, as it's still a very risky patch.

patches/patchinstall.sh

@@ -210,6 +210,7 @@ patch_enable_all ()
 	enable_server_Realtime_Priority="$1"
 	enable_server_Signal_Thread="$1"
 	enable_server_Stored_ACLs="$1"
+	enable_server_default_integrity="$1"
 	enable_setupapi_DiskSpaceList="$1"
 	enable_setupapi_SPFILENOTIFY_FILEINCABINET="$1"
 	enable_shdocvw_ParseURLFromOutsideSource_Tests="$1"
@@ -701,6 +702,9 @@ patch_enable ()
 		server-Stored_ACLs)
 			enable_server_Stored_ACLs="$2"
 			;;
+		server-default_integrity)
+			enable_server_default_integrity="$2"
+			;;
 		setupapi-DiskSpaceList)
 			enable_setupapi_DiskSpaceList="$2"
 			;;
@@ -3515,6 +3519,21 @@ if test "$enable_server_Stored_ACLs" -eq 1; then
 	patch_apply server-Stored_ACLs/0007-server-Retrieve-file-security-attributes-with-extend.patch
 fi
 
+# Patchset server-default_integrity
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#40613] Multiple applications require UAC implementation to run installer/app as a normal user instead of administrator
+# | 	(WhatsApp Desktop, Smartflix, Squirrel Installers, OneDrive)
+# |   *	[#39262] DiscordSetup.exe (.NET 4.5.2 app): Squirrell installer requires being run as unelevated process ('explorer.exe'
+# | 	should run unelevated by default with Vista+ setting)
+# |
+# | Modified files:
+# |   *	server/process.c
+# |
+if test "$enable_server_default_integrity" -eq 1; then
+	patch_apply server-default_integrity/0001-server-Create-processes-using-a-limited-administrato.patch
+fi
+
 # Patchset setupapi-DiskSpaceList
 # |
 # | This patchset fixes the following Wine bugs:

patches/server-default_integrity/0001-server-Create-processes-using-a-limited-administrato.patch

@@ -0,0 +1,27 @@
+From 528811e294f3f81ccb78fc22a3e3787495a3a51a Mon Sep 17 00:00:00 2001
+From: Zebediah Figura <z.figura12@gmail.com>
+Date: Sun, 7 Feb 2021 22:54:19 -0600
+Subject: [PATCH] server: Create processes using a limited administrator token
+ by default.
+
+Signed-off-by: Zebediah Figura <z.figura12@gmail.com>
+---
+ server/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/process.c b/server/process.c
+index e5fe7cc6b6e..ed4c810878e 100644
+--- a/server/process.c
++++ b/server/process.c
+@@ -578,7 +578,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
+     if (!parent)
+     {
+         process->handles = alloc_handle_table( process, 0 );
+-        process->token = token_create_admin( TokenElevationTypeFull );
++        process->token = token_create_admin( TokenElevationTypeLimited );
+         process->affinity = ~0;
+     }
+     else
+-- 
+2.20.1
+

patches/server-default_integrity/definition

@@ -0,0 +1,2 @@
+Fixes: [40613] Multiple applications require UAC implementation to run installer/app as a normal user instead of administrator (WhatsApp Desktop, Smartflix, Squirrel Installers, OneDrive)
+Fixes: [39262] DiscordSetup.exe (.NET 4.5.2 app): Squirrell installer requires being run as unelevated process ('explorer.exe' should run unelevated by default with Vista+ setting)