I am running this in Windows 10.
What is the difference between running a program in a user account with admin rights, versus running in a standard account but right clicking and running as admin - and by difference, I mean from the program's point of view.
I thought from the program's point of view, there would be no difference. But apparently that isn't exactly true.
See - I have this piece of hardware (The DLink Air Bridge for the Quest 2 Headset). It won't connect to the desktop app unless I run it in an account with admin rights. But here is the thing, if I run it in the same account (but now with only standard rights) but right click on the program and "Run as Admin" - it still won't connect. How can this be?
I am asking this here because the support for both Meta and Dlink is hopelessly, HILARIOUSLY inept.
Also - what is worse when it comes to security: Using an account for daily stuff with admin rights, or right clicking on particular programs that need it and always running as an admin. I assumed it was the latter - but I am an idiot when it comes to computer security.
When an administrator logs in, the full elevated token is stored in a system process and a more restricted token is generated from this and is used to start Explorer.exe at logon.
When this admin user elevates, UAC starts the new process with the full elevated token (often called "split token"). This causes some minor complications related to mapped network drives and HKCU COM objects but essentially the two tokens refer to the same user account and the same HKCU registry key.
On the other hand, when a non-admin UAC elevates they have to enter the credentials of an administrator and it is this administrator and their account/profile/HKCU that is tied to the token when the new process is started. Meaning, a process running as this administrator is present in the desktop session of the non-admin user. This means a different profile folder and different HKCU compared to other processes in the session.
According to Microsoft, UAC is not a security boundary. If you are really concerned about security then you need to log in as the administrator separately.
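The two cases described in the answer above can be told apart from inside a process by querying its own access token. The PowerShell below is an added example, not code from the thread; the helper name `Get-TokenView` and the type name `Demo.TokenApi` are made up for illustration.

```powershell
# Added example: report what the current process's token looks like from the inside.
# Run it once in a normal console and once in an elevated one, then compare the output.
Add-Type -Namespace Demo -Name TokenApi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int tokenInformationClass,
    out int tokenInformation, int tokenInformationLength, out int returnLength);
'@

function Get-TokenView {   # hypothetical helper name
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($id)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # TOKEN_INFORMATION_CLASS value 18 is TokenElevationType (a 4-byte enum).
    $type = 0
    $len  = 0
    $ok = [Demo.TokenApi]::GetTokenInformation($id.Token, 18, [ref]$type, 4, [ref]$len)
    if (-not $ok) { throw 'GetTokenInformation(TokenElevationType) failed' }

    $meaning = switch ($type) {
        1 { 'Default: no linked token for this logon' }
        2 { 'Full: the elevated half of a split token' }
        3 { 'Limited: the filtered half of a split token' }
        default { "Unknown ($type)" }
    }

    [pscustomobject]@{
        User          = $id.Name                         # account the token belongs to
        Sid           = $id.User.Value
        ElevationType = $meaning
        IsAdminActive = $principal.IsInRole($adminRole)  # false while the group is deny-only
        UserProfile   = $env:USERPROFILE                 # profile folder this process sees
        HkcuHive      = "HKEY_USERS\$($id.User.Value)"   # hive that HKCU maps to
    }
}

Get-TokenView | Format-List
```

When an administrator account elevates, `User`, `Sid`, `UserProfile` and `HkcuHive` are the same in both runs and only `ElevationType` and `IsAdminActive` change. When a standard account elevates by entering an administrator's credentials, the elevated run reports the administrator's account, profile folder and hive instead.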
Related
I want to execute two files after installation is finished but I don't want them to show UAC dialogs. I have tried to use maximum execution level but it's not working.
I am assuming that the executables are launched outside of the "Install Execute" sequence. I am guessing you are trying to launch these executables when the user clicks on the "Finish" button on the Installation Finished dialog.
With UAC, applications and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system, i.e., even if you are logged in as an administrator, any application that you run does not run with full administrative privileges. Each application that requires the administrator access token must prompt the administrator for consent. When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token.
The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start applications. The standard user access token is then used to display the desktop (Explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all applications run as a standard user unless a user provides consent or credentials to approve an application to use a full administrative access token.
In your case, I am assuming that the msi package is being installed from a non elevated command prompt. Hence, the msi package is being run with standard user privileges. So, any child processes which are spawned from this msi package outside of the InstallExecute sequence will run with standard user privileges.
For an application to be UAC compliant, the application needs to specify the "requested execution level" in the application manifest. Requested execution levels specify the privileges required for an application.
What is the requested execution level in the application manifest for your executables? You can verify the requested execution level specified in the embedded manifest of your executable by making use of a tool from the Sysinternals suite called "sigcheck.exe".
Verify the requested execution level. I am thinking that it's set to "requireAdministrator", because of which you are being prompted for elevation. Change this to "asInvoker" and then your problem should be solved.
You can read more about UAC at the below location:
https://technet.microsoft.com/en-us/library/jj574202.aspx
This question is a follow-up to
Why is SeCreateSymbolicLinkPrivilege ignored on Windows 8?
Given:
The user is in the Administrators group
Turning off UAC is not an option for me.
Running elevated is not an option.
Question: Is it possible to add the SeCreateSymbolicLinkPrivilege to the Standard User Token created by Windows for an admin user?
Appendix
Non elevated admin user:
C:\dayforce\SharpTop>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
C:\dayforce\SharpTop>
A regular user:
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links                Disabled
C:\Windows\system32>
Notice a regular user has the SeCreateSymbolicLinkPrivilege privilege, because I have enabled it in the Security Policy. But the admin user is screwed, because doing so does not affect its Standard User Token!
(this is a nonanswer to the actually-asked question, but it is an attempt at an answer for what I perceive to be the actual goal)
I feel your pain -- I've been looking for a way to permit an admin user running nonelevated to create Symbolic Links, without success ...
I've investigated altering the process token (of "explorer" perhaps)
to add the SeCreateSymbolicLinkPrivilege privilege, but it appears
that there is no way to alter the privilege set of an existing token.
Even if your patch process runs as SYSTEM and/or has the
SeTcbPrivilege privilege.
I've investigated using CreateRestrictedToken to create your "own"
nonelevated process, but with the SeCreateSymbolicLinkPrivilege
privilege left enabled. But all anecdotes I've read about
CreateRestrictedToken suggests that the resulting token cannot be
made sufficiently similar to an "authentic" nonelevated token. There
were insurmountable issues with the integrity level, or with the elevated flag
associated with the token.
No matter what users you assign to the create-symlink user right in
security policy manager, if your process runs nonelevated (from a
user with admin), the SeCreateSymbolicLinkPrivilege privilege gets
removed. This happens even if the only user added is "Everyone".
Microsoft really fouled us up on this one; there appears to be no good workaround. There is a possibly hackish solution though ...
Now for the hackish solution - during logon of the user, start a background program (elevated) which will create symlinks on behalf of other processes. This will need to use some sort of IPC, perhaps named pipes, to receive create-symlink-requests from the client process. It's ugly, and probably slow, but other than running Elevated (or disabling UAC), or removing the user from the Administrators group, I don't see any other way.
(Skip to the bottom for the TLDR version.)
OK - so I have searched (really!) and all other UAC articles I have found seem to center on enabling, disabling, detecting or hiding UAC. My issue is not one of those, so here goes:
My user used to have the standard dual-token setup where I was in the Administrators group and the UAC's Consent UI would just ask me if I wanted to proceed. Now, we have separate administrative-level accounts that we need to use, and I have to authenticate with this new user. The problem I am having is that previously, starting an app as Administrator just elevated my current user, where now if I use the credentials of the new administrative user, whatever I am running runs AS that new user.
As an example, previously elevating CMD and typing whoami into the command prompt used to return my normal/current user, where it now returns the new administrative user.
This has serious negative consequences - since this is a new user, and an Administrative-level one, if any files are created using this new user, my normal user cannot write to or delete them unless I manually adjust permissions and ownership. If I use my development environment under the new account (e.g. I need to debug a service or work with a driver) and rebuild something, I end up with a bunch of files that I cannot manipulate unless I am an administrator. Likewise if I add a file while running as this new account - my SCM tool will not be able to update that file later unless it also runs under this new administrative account.
Also, since a profile is associated with this user, things run under a completely different environment (different %USERNAME%, %USERPROFILE%, %LOCALAPPDATA%, etc.)
Installing an application will also work incorrectly if it is installed just for the current user (e.g. the "Just Me" option), instead of for all users. Things that are licensed to/in my normal user account also fail to function if run under the new account, because things are running as that new user.
The ripple effects of this change are getting larger and larger the more I work with it. So...
[TLDR] Is there a way to get temporary elevation of the current user without that user having the normal dual-token setup you get from being in the Administrative group? Or are you stuck with the impersonation behavior?
First of all, I realize this is a messy situation, but it's not of my design, and I'm just trying to help, and for that I need your help.
App A is getting installed automatically via SMS installer under the Administrator account, not the PC owner's User account. App A has a registry key defined in HKEY_LOCAL_MACHINE hive.
After App A is installed, we want to edit the above mentioned registry key, to assign the User's C:\Users\USER_ID\Documents\ folder (I'm told we don't know who the user is and don't have access to USER_ID during step 1).
I know all about UAC, Application Manifest, and requestedExecutionLevel. However, I'm told we can't expect that all users will be in the Administrators group on their machine.
Solution must be backwards compatible with Windows XP as well.
I'm searching for options to get 'C:\Users\USER_ID\Documents\' into the 'HKEY_LOCAL_MACHINE' hive under the above listed conditions.
I found this thread that might be related to a similar situation, but I don't fully understand it yet (so I will give credit to anyone who explains it better):
Find out (read) logged in user in a cmd started as a different user
I also read something that rules out ClickOnce:
Clickonce + HKEY_LOCAL_MACHINE
After App A is installed with admin privileges, you are trying to run an additional script as the local user, who does not have admin privileges. In order for your secondary script to write to the local machine key, it will have to be run with administrative privileges, period. That said, you have basically two choices:
1) Use the RunAs command to run the script with elevated privileges and have the user type in an admin username and password to run the script with elevated privileges.
2) This is the better way imo - Since SMS is being leveraged as the delivery tool, use its capability to detect and use local client configuration settings to write the key at the time of installation.
So basically the SMS package would have to be set up to run only when the local user logs on one time, so that SMS can grab the current user and write it to a file somewhere. After that is completed, SMS can run a separate package as the admin (user will get prompted) to do the software install, looking for the file containing the user and then consequently updating the local machine key to the correct user's My Documents path.
Enjoy!
Where can a user write to that can be accessed by a service when a user is logged off? When a user runs the program they will be applying settings that a service needs to read. Typically a user would need to be an administrator to be able to write to 'Program Files' or HKEY_LOCAL_MACHINE, so is there a correct way to prompt for admin elevation at that point rather than running the program as administrator?
Many thanks
Steven