I'm trying to hook up to an already existing Word window.
Set WordApp = GetObject(, "Word.Application")
If UAC is turned off this works fine. If UAC is turned to "Default", I get an error. "ActiveX component can't create object".
Once thing I noticed in my experimenting is that if Word was started with "Run as Administrator", things work normally. Unfortunately the box/login I'm expected to run on likely won't have admin rights.
This sounds like an issue developers were educated on back in 2006.
You want both processes to have the same integrity level. It sounds as if you are testing within the IDE running elevated, which should normally be the case. When that is true then the process you want to automate must also be elevated.
This shouldn't be an issue when running normally, since both processes would typically by run at the same level, standard user. If you need something other than this then you need a manifest with uiAccess = True and your code must be signed and formally installed.
See User Interface Privilege Isolation (UIPI) and integrity within Windows Integrity Mechanism Design.
But automating Office has been deprecated for a very long time.
Related
We have Symantec Wise Package Studio to build simple custom MSI files (Yes I know the product is beyond end-of-life but for our needs it serves it's purpose)
It used to work fine but now when we try to run it , the main executable "PackageStudio8.exe" gets blocked by something which seems to be SmartScreen maybe?
Translation : This application has been blocked for your protection.
An administrator prevents you from running this application. To know more, contact the administrator.
Could it be some kind of GPO I don't know about?
Based on web findings I tried setting the following values :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="Off"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"EnableSmartScreen"=dword:00000000
"ShellSmartScreenLevel"=-
But it doesn't change anything, it still gets blocked and that window still appears. Turning off SmartScreen (disabled) in the Windows 10 GUI still doesn't make it go away.
Interesting thing I noticed is if you open a shell (cmd or powershell) AS AN ADMINISTRATOR and run the exe, it runs fine and everything works. So for now we make do by running it as administator, but it's not ideal.
What gets bypassed when you run as admin and how can I find and adjust what creates this prompt?
Much appreciated.
Turns out it's UAC actually. I found out that the only way to get rid of that prompt is to completly disable UAC for example : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (set value ' EnableLUA' to 0) but of course it's a security risk. I guess the safer way is to run it as administrator simply, instead of getting rid of UAC completly just for that program! Wondering why UAC blocks it though? Is it because the app has "EDITOR/PUBLISHER : UNKNOWN" ?
We have a windows service that gets installed and runs on users system in the background, but on some windows machine user get an error "A device or program has requested your attention" This is specific to Windows 7.
This is because when we are installing the .exe on the user machine using MSI(created with WIX), the installer job I believe runs on Session 0, and when any prompt appears the user is prompted that a program has requested attention and he gets switched to Session 0. Can we suppress messages for installer or exe running in Session 0.
Thanks.
To fix this you will have to determine what UI is shown if the user switches to Session 0, what shows it, and how to remove it.
Services run on Session 0. Before Windows Vista, they could interact with the desktop, so many did. Chances are your service is trying to show some UI. Upon detecting this, Windows is trying to help you out. Fix the service to avoid showing UI, and the message will go away.
It's plausible that this could also occur for a deferred custom action in the system context (as those are invoked by the Windows Installer service), but I've never run into this scenario. If so, the fix is the same: make that action not show any UI.
Michael's correct, but I want to expand on it a little.
The issue isn't primarily about session 0 or services. It is about anything that tries to show a UI that is not part of the interactive user's current session. The main problem is the shatter attack where (for example) something running with the system (or otherwise privileged) account shows UI to the (perhaps limited) interactive user. The window into the privileged process is a security hole. As a result, attempts by an install to run custom actions with the system account (deferred CAs) that show UI are an issue, as are services. Session 0 is really just part of the implementation that is intended to address the security issues.
So yes, address UI attempts from your services and from (primarily deferred) custom actions in the install.
Let's say app.exe has been built with requireAdministrator manifest as detailed here (this is really needed for a reason that would be out of topic here). When launching the app, when Windows UAC is enabled, there is a normal prompt:
Now this application needs to run on Windows startup: in an Options dialog, there is a "Launch at Windows startup" checkbox that can be checked or not. When checked, it adds a key in the registry in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
to enable this "launch on Windows startup feature".
Problem: At Windows startup, when app.exe is (automatically) launched in background, there is this UAC dialog box (see screenshot before), which is annoying for the user.
Question: How to make that app.exe can be launched 1. with requireAdminstrator 2. silently at Windows startup ?
What is the clean way to do this? Lots of software do this (indexing software that both run on background since Windows startup, and don't show such a dialog box).
Note: I would like to avoid TaskScheduler method if possible: https://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html
The indexing software "Everything" does show such a dlalog.
The others you are thinking of run only services with admin rights, not UI.
Running a service requires the software to be architected with that intent, ordinary user applications can be started with the service rules with the help of the "at" service, which you already know how to do (Task Scheduler).
You can substitute some other service for Task Scheduler, at the risk of annoying the user through needless duplication, waste of resources, and likely new security flaws.
Set aside your preference, and use Task Scheduler.
Or remove the background parts of your app and write a service to do those instead.
And be very careful when giving your code administrator rights. Any bug can result in subverting the entire security infrastructure. With great power comes great responsibility.
I have a console application written in c#, which downloads a file to program files. So of course it needs to run as admin. This program gets called from a Win32 C++ application which almost certainly is not running as administrator
What are my options. How can I get this to work on UAC and non UAC enabled boxes ( I don't know if there needs to be separate solution in each case )
Oh and the console app is in .NET 2.0
On a machine with UAC you need to include a manifest resource to specify that you want the process to run as administrator.
On a machine without UAC you will simply have to instruct your users that they need to run it as a user in the administrators group. Almost all users of XP (the version that you will most commonly encounter without UAC) are in the administrators group so you won't encounter many problems.
I never tried it, but this can probably be done using the
CreateProcessAsUser Function.
I would greatly appreciate some help on this one! It may be a tricky one. :)
Problem
I have an VB6 application which is set up as scheduled task. It starts every time, but when executing CreateObject() it fails if a user is not logged on to computer.
I am looking for information on what could cause this. My primary suspicion is that some Windows API fails.
Key points
Behaviour confirmed on Windows 2000, 2003, 2008 and Vista.
The application executes as user X at scheduled time, executed by Windows Task Scheduler.
It executes every time. Application does start!
If user X is logged on via RDP it runs perfectly. (Note that user doesn't need to be connected, only logged on)
If user X is not logged on to computer the application fails.
Failure point
Application fails when using CreateObject() to instantiate a DCOM object which is also part of the application.
The DCOM objects declare .dll-references at startup (globally/on top of .bas-file) and run a small startup function. Failure must be during startup, possibly in one of the .dll-declarations.
Thoughts
After some Googling my initial suspicion was directed at MAPI. From what I could see MAPI required user to be logged on. The application has MAPI references. But even with all MAPI references removed it still does not work.
What is the difference if an user is logged on? Registry mapping? Environment? Explorer.exe is running.
Isn't the user logged on when application executes as the user?
What info would help?
A definitive answer would be truly great.
Any information regarding any VB6 feature/Windows API that could act differently depending on whether user is logged on or not would definitively help.
Similar experiences may lead me in the right direction.
Tips on debugging this.
The VB application possibly needs to get hold on to running services that are only running when a user is logged on.
What is the "Identity" setting of the DCOM component.
C:\WINDOWS\system32\Com\comexp.msc
C:\WINDOWS\system32\Com\comexp.msc
Component Services
My Computer
DCOM Config
The DCOM Object, right click properties
Identity tab
Set it to "This User" and set a user with the required permissions, and then run the app as your self to see if the DCOM component can still work, then try again from the scheduler.
We never found out what caused this.
Instead I made a RDP client which I put in Scheduled Tasks. It logged on a user which had the required app in startup. After some time the RDP client forcefully logged out the user (to prevent runaway apps hanging the system).
Not the perfect solution, but a solution nevertheless.
has your VB6 forms?
because when you run scheduled, it run "as a service", so it can't have forms, or if it have forms an enviroment where to show them.
I don't remember what I have used, but exists generic "run as a service" converter exe to run windowed VB6 projects.
Also perhaps you can easy convert your code to run as a VBScript, and schedule it.