feat: Administrator Protection (SMAA) readiness — resolve real user SID for HKCU and LocalAppData

Author: SysAdminDoc

src/DeepPurge.Core/App/DataPaths.cs

@@ -72,7 +72,7 @@ private static string ResolveRoot()
             Directory.CreateDirectory(dir);
             return dir;
         }
-        var appData = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
+        var appData = UserIdentity.RealLocalAppData;
         var root = Path.Combine(appData, "DeepPurge");
         Directory.CreateDirectory(root);
         return root;

src/DeepPurge.Core/App/UserIdentity.cs

@@ -0,0 +1,115 @@
+using System.Security.Principal;
+using DeepPurge.Core.Diagnostics;
+
+namespace DeepPurge.Core.App;
+
+public static class UserIdentity
+{
+    private static readonly Lazy<string> _realUserSid = new(ResolveRealUserSid);
+    private static readonly Lazy<string> _realLocalAppData = new(ResolveRealLocalAppData);
+    private static readonly Lazy<bool> _isSmaaElevated = new(DetectSmaaElevation);
+
+    public static string RealUserSid => _realUserSid.Value;
+    public static string RealLocalAppData => _realLocalAppData.Value;
+    public static bool IsSmaaElevated => _isSmaaElevated.Value;
+
+    private static bool DetectSmaaElevation()
+    {
+        try
+        {
+            var currentIdentity = WindowsIdentity.GetCurrent();
+            var currentSid = currentIdentity.User?.Value;
+            if (string.IsNullOrEmpty(currentSid)) return false;
+
+            var consoleSid = GetConsoleSessionUserSid();
+            if (string.IsNullOrEmpty(consoleSid)) return false;
+
+            return !string.Equals(currentSid, consoleSid, StringComparison.OrdinalIgnoreCase);
+        }
+        catch { return false; }
+    }
+
+    private static string ResolveRealUserSid()
+    {
+        try
+        {
+            var consoleSid = GetConsoleSessionUserSid();
+            if (!string.IsNullOrEmpty(consoleSid)) return consoleSid;
+        }
+        catch (Exception ex) { Log.Warn($"Console SID resolution failed: {ex.Message}"); }
+
+        try { return WindowsIdentity.GetCurrent().User?.Value ?? ""; }
+        catch { return ""; }
+    }
+
+    private static string ResolveRealLocalAppData()
+    {
+        var fallback = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
+        if (!IsSmaaElevated) return fallback;
+
+        try
+        {
+            var sid = RealUserSid;
+            if (string.IsNullOrEmpty(sid)) return fallback;
+
+            using var profileKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(
+                $@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{sid}");
+            var profilePath = profileKey?.GetValue("ProfileImagePath") as string;
+            if (!string.IsNullOrEmpty(profilePath) && Directory.Exists(profilePath))
+            {
+                var localAppData = Path.Combine(profilePath, "AppData", "Local");
+                if (Directory.Exists(localAppData)) return localAppData;
+            }
+        }
+        catch (Exception ex) { Log.Warn($"SMAA LocalAppData resolution failed: {ex.Message}"); }
+
+        return fallback;
+    }
+
+    private static string? GetConsoleSessionUserSid()
+    {
+        try
+        {
+            var explorerProcesses = System.Diagnostics.Process.GetProcessesByName("explorer");
+            if (explorerProcesses.Length == 0) return null;
+
+            foreach (var explorer in explorerProcesses)
+            {
+                try
+                {
+                    var handle = explorer.Handle;
+                    if (!OpenProcessToken(handle, TOKEN_QUERY, out var tokenHandle)) continue;
+                    try
+                    {
+                        using var identity = new WindowsIdentity(tokenHandle);
+                        return identity.User?.Value;
+                    }
+                    finally { CloseHandle(tokenHandle); }
+                }
+                catch { continue; }
+                finally { explorer.Dispose(); }
+            }
+        }
+        catch { }
+        return null;
+    }
+
+    public static Microsoft.Win32.RegistryKey? OpenRealUserHive(string subKey)
+    {
+        var sid = RealUserSid;
+        if (string.IsNullOrEmpty(sid)) return null;
+        try
+        {
+            return Microsoft.Win32.Registry.Users.OpenSubKey($@"{sid}\{subKey}");
+        }
+        catch { return null; }
+    }
+
+    private const uint TOKEN_QUERY = 0x0008;
+
+    [System.Runtime.InteropServices.DllImport("advapi32.dll", SetLastError = true)]
+    private static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);
+
+    [System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true)]
+    private static extern bool CloseHandle(IntPtr handle);
+}

src/DeepPurge.Core/Registry/InstalledProgramScanner.cs

@@ -1,4 +1,5 @@
 using global::Microsoft.Win32;
+using DeepPurge.Core.App;
 using DeepPurge.Core.Models;
 
 namespace DeepPurge.Core.Registry;
@@ -30,10 +31,12 @@ public static List<InstalledProgram> GetAllInstalledPrograms(bool includeSystemC
             catch { /* Access denied or other registry errors */ }
         }
 
-        // Scan HKCU
+        // Scan HKCU — use real user's hive when running under SMAA elevation
         try
         {
-            using var hkcuKey = global::Microsoft.Win32.Registry.CurrentUser.OpenSubKey(HkcuUninstallPath);
+            using var hkcuKey = UserIdentity.IsSmaaElevated
+                ? UserIdentity.OpenRealUserHive(HkcuUninstallPath)
+                : global::Microsoft.Win32.Registry.CurrentUser.OpenSubKey(HkcuUninstallPath);
             if (hkcuKey != null)
             {
                 ScanRegistryKey(hkcuKey, HkcuUninstallPath, RegistrySource.HKCU_Uninstall,