I have an exe created with an old Borland C++ compiler. It needs administrator privileges to function correctly. Since the app will run at startup, I do not want the user prompted if it's OK to run the program (testing on Win7). My question is is there ANY way to remove that annoying prompt every time the app is run?
I added a manifest file with admin privs and signed it, but it then still appears with the publisher name.
This will be distributed, so I don't want users to have to turn off UAC or do anything too complicated. Any suggestions are much appreciated.
I am hoping there's something for UAC like "Always Trust This Program" or something.
The answer would be using a scheduled task to run at logon. Scheduled tasks are launched by the task scheduler service which runs with SYSTEM privileges, and therefore it's possible to have them run with elevated privileges without prompting the user on startup. You still have to get the user's confirmation once - when you set up the scheduled task - but not every time the program runs.
Since I don't know how you are installing your program (which installer you are using, if any), I'll describe to you a way which you can probably implement in any environment: Using schtasks.exe and an XML file. (Note that this won't work with Windows XP and older, but there you don't have to worry about UAC anyway.)
You need to create an XML file like this:
<?xml version="1.0" ?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2013-11-01T00:00:00.0000000</Date>
<Author>USERDOMAIN\USERNAME</Author>
</RegistrationInfo>
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
<UserId>USERDOMAIN\USERNAME</UserId>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<RunLevel>HighestAvailable</RunLevel>
<UserId>USERDOMAIN\USERNAME</UserId>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>c:\path\to\your\app.exe</Command>
<Arguments>/your /parameters</Arguments>
</Exec>
</Actions>
</Task>
Replace all USERDOMAIN\USERNAME here with the actual user's domain and name. You can, for example, read those out of the corresponding environment variables USERDOMAIN and USERNAME.
Replace c:\path\to\your\app.exe with your application's path and /your /parameters with the arguments you want to pass to your app, if any.
The secret magic here lies in <RunLevel>HighestAvailable</RunLevel> which will make the task scheduler run your app elevated.
The Date doesn't really matter, but for completeness you could set it to the current date and time.
After creating the XML file and saving it somewhere (e.g. temporary folder), you have to run this command which will create the actual task: schtasks.exe /Create /TN "My App" /F /XML "c:\path\to\xmlfile.xml" (replace My App with the name which should appear in the task scheduler when viewed).
You can delete the task again using schtasks.exe /Delete /TN "My App".
(For a pure C++ solution, you could also take this example and add the missing things which would be specifying the username and setting the flag for using the highest available privileges.)
I am writing this because although CherryDT's answer is a good approach, longer-run depending on context it may be a little inflexible.
Another option (depending on the context) may be to refactor into two components:
A system service which runs at startup and does everything that needs admin access
A client program that communicates with the service and does not need admin access.
This avoids the annoying prompt but it is more work. Based on your description it is not clear this is the right way to go here, but it may be down the road (and for others finding this ticket) so I figure it is worth mentioning separately.
Related
We have a Windows Script File X.wsf, which in turn will call Y.vbs. When we run X.wsf from the command window in Windows Server 2008 R2, either as "cscript X.wsf" or "X.wsf", it works fine. However, if we create a task in Windows Scheduler and trigger X.wsf, the only thing that we see is "Running" status, but nothing seems to happen. The task will remain in "Running" status forever, but we don't see anything happening.
Note that "Start In" in the task properties is already set to the folder containing X.wsf, and we also set it to run with SYSTEM and with "Run with highest privileges".
In Windows Server 2003, the same task works just fine. Also, we created a small .bat script and tested running it with a scheduled task in Windows Server 2008 R2, and it worked fine as well. So we suspect that Windows Scheduler must be behaving differently in Windows Server 2008 R2 for .wsf or .vbs files. Anyone know what the root cause is, and what is the solution?
User,
I tried executing a wscript on a command session as well as a task session. Im able to execute from both the ways.
Make sure that you mention the correct path/filename in the trigger section. Also make sure that you provide the complete path of the switch
<Actions Context="Author">
<Exec>
<Command>C:\Windows\System32\wscript.exe</Command>
<Arguments>u:\Scripts\test.vbs</Arguments>
</Exec>
</Actions>
Let me know if this works.
I have the requirement to create a scheduled tasks that runs once when a particular user logs on. The intention is to start a task only for a particular user.
I know that I can use the Task Scheduler to create a Task with a trigger At log on and under Settings, I specify the particular user.
However, because I need this created during an install routine, it must be created automatically, using the command line, for example using the schtasks command. It is possible to create a task executed at log on using the following example:
schtasks /Create /TR executable.exe /RU user /TN name /SC ONLOGON
But I did not find any modifier to specify a particular user for the ONLOGON trigger.
Resources:
http://technet.microsoft.com/en-us/library/bb490996.aspx
http://ss64.com/nt/schtasks.html
Do you know if there is any undocumented switch? Or any other commandline tool that provides the necessary features?
Thanks.
Add the option "/IT" to the schtasks /create command, e.g:
schtasks /Create /TR executable.exe /RU user /TN name /SC ONLOGON /IT
As mentioned at https://technet.microsoft.com/en-us/library/cc725744(v=ws.11).aspx "the /it parameter to indicate that the task runs only when the (specific user) is logged on"
You should disregard the Task Scheduler GUI where "At log on of any user" is mentioned and actually try rebooting your device. You'll find that the specific command is only run when you log in with the (specific user)'s account.
Best way is to simply import an XML via the schtasks command line. Here is a sample that runs "calc.exe" as bob, whenever bob logs in:
<?xml version="1.0" encoding="UTF-16" ?>
- <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
- <RegistrationInfo>
<Date>2014-10-22T01:50:13</Date>
<Author>user</Author>
</RegistrationInfo>
- <Triggers>
- <LogonTrigger>
<StartBoundary>2014-10-22T01:50:00</StartBoundary>
<Enabled>true</Enabled>
<UserId>WIN7BOX\bob</UserId>
</LogonTrigger>
</Triggers>
- <Principals>
- <Principal id="Author">
<UserId>bob</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
- <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
- <IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
- <Actions Context="Author">
- <Exec>
<Command>calc.exe</Command>
</Exec>
</Actions>
</Task>
I'm not aware of any such option. Unfortunately the schtasks command does not cover all features Task Scheduler 2.0 provides. You could accomplish this with a VBScript using the Task Scheduler Scripting Objects, however, it deems me quite troublesome to (ab)use Task Scheduler for something that could be achieved far easier with a Startup shortcut, a registry entry in the user's Run key, or a logon script.
This works.
SchTasks /Create /SC DAILY /TN “abcMyTask” /TR “C:RunMe.bat” /ST 09:00 /IT /S /U testuser /P password#123
Create a new user (here I created testuser from my local Windows system).
On your local machine it does not work. Try to run the command from another Windows system with the username testuser and password. It creates a scheduled task remotely.
I am building a tool which allows to install an application into our simulator and it is called 'cl-install.exe'. It really doesn't need any administrator privileges to run. But Windows 7 always pops up a dialog asking the user to provide administrator privileges when this command is invoked from the command prompt.
If I rename the same executable to some other name, without the words 'install' or 'setup' in it, Windows doesn't ask for admin privileges.
Is there any way I can prevent Windows from doing this, without renaming my executable?
This is part of the heuristics present in Windows Vista and later. From here if the file contains the words "install", "setup", "update" or "patch" - installer is assumed.
You can prevent this by adding the following to your manifest
<requestedExecutionLevel level="asInvoker" />
I've found a working solution here: https://github.com/bmatzelle/gow/issues/156
Quote:
The solution is to write a manifest file listed below for the executables, in order to persuade UAC that it does not require administrative privilege.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<!-- Make sure that UAC believes
that it does not require administrative privilege -->
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
The filenames of the manifest files should be install.exe.manifest and patch.exe.manifest, and then put them in the same folder as install.exe and patch.exe.
If the UAC prompt still pops up, change the timestamp of install.exe and patch.exe to persuade Windows to pick up the new manifest file.
If I remember correctly you can disable this behaviour the following way (quoted from Technet):
Click Start, click All Programs, click Accessories, click Run, type secpol.msc in the Open text box, and then click OK.
From the Local Security Settings console tree, click Local Policies, and then click Security Options.
Scroll down and double-click User Account Control: Detect application installations and prompt for elevation.
Select the Disabled option, and then click OK.
Close the Local Security Settings window.
You may need to re-logon for the setting to take effect.
Help!!!
I am trying to create a windows ami that when launched (need multiple [20] live servers to be launched for short durations at short notice) auto logon and run an .exe application (unfortunately I can not get the app to run as a service). Also machine names must be unique.
Problem works fine pre sysprep, but when I launch instance from the ami it fails to logon as the machine name has obviously changed from the original machine image.
The only way I have managed it is to not sysprep, take an ami, then log onto the new machine when launched and manually change the machine name, and set the autologon sysinternal tool. THis is not ideal as the end user is not technical and time constraints do not allow for this action to be performed efficiently.
I am at my wits end! Your help is very much appreciated.
I am aware this is a very old question. Google, nonetheless, led me to this question when I faced a similar issue. I did the following to solve my issue.
Customize an instance to your liking. The AMI will be created using this instance.
Create a new user account with admin privileges. This is needed as Sysprep\Ec2ConfigService will reset the Administrator password. Add this user to the group Remote Desktop Users, so you can RDP using this user account.
Edit EC2's Sysprep answer file to enable auto-logon.
Append the following to component node named Microsoft-Windows-Shell-Setup in the file C:\Program Files\Amazon\Ec2ConfigService\sysprep2008.xml
.
<AutoLogon>
<Password>
<Value>NewUser'sPassword</Value>
<PlainText>true</PlainText>
</Password>
<Username>NewUser'sName</Username>
<Enabled>true</Enabled>
<LogonCount>999</LogonCount>
</AutoLogon>
The resulting file should look like the snippet below. I have removed the parts not necessary for this answer.
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<!-- snip -->
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- snip -->
<AutoLogon>
<Password>
<Value>NewUser'sPassword</Value>
<PlainText>true</PlainText>
</Password>
<Username>NewUser'sName</Username>
<Enabled>true</Enabled>
<LogonCount>999</LogonCount>
</AutoLogon>
</component>
</settings>
<!-- snip -->
</unattend>
Next we edit the EC2ConfigService settings.
In the file "C:\Program Files\Amazon\Ec2ConfigService\Settings\BundleConfig.xml", ensure the value for SetPasswordAfterSysprep is Yes.
In the file, "C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml", ensure the state node has the value Enabled for the plugin Ec2SetPassword.
In the file, "C:\Program Files\Amazon\Ec2ConfigService\Settings\config.xml", ensure the value for RemoveCredentialsfromSysprepOnStartup is false.
You are already launching an exe on logon. Using the same mechanism, also launch a script that will delete the AutoLogonCount setting from the registry. This step is important, else after 999 (as per the example mentioned above) logins, the autologon will stop.
.
powershell.exe -command { Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\winlogon" -Name AutoLogonCount -Force -ErrorAction 0 }
Now we can start Sysprep. Either use the UI or the following command.
.
%ProgramFiles%\Amazon\Ec2ConfigService\ec2config.exe -sysprep
Any instance launched using an AMI created from the above instance, retains the auto-logon behaviour indefinitely.
Don't know if this software can help, look at LogonExpert and its satilite articles:
1) Deployment
2) Commmand line/vbscript control
3) Scheduling
In order to run one application, a batch file has to be kicked off (which does things like start Jetty, display live logs, etc). The application will work only if this batch file is running. I am hence forced to have this batch file running and not logout from the Windows server.
Can this batch file be run as a service? I am experimenting with one of the suggestions from a similar question.
NSSM is totally free and hyper-easy, running command prompt / terminal as administrator:
nssm install "YourCoolServiceNameLabel"
then a dialog will appear so you can choose where is the file you want to run.
to uninstall
nssm remove "YourCoolServiceNameLabel"
There's a built in windows cmd to do this: sc create. Not as fancy as nssm, but you don't have to download an additional piece of software.
sc create "ServiceName" start= demand displayname= "DisplayName" binpath= [path to .bat file]
Note
start=demand means you must start the service yourself. Options include: boot, system, auto, demand, disabled, delayed-auto
whitespace is required after =
I did encounter an error on service start that the service did not respond in a timely manner, but it was clear the service had run the .bat successfully. Haven't dug into this yet but this thread experienced the same thing and solved it using nssm to install the service.
No need for extra software. Use the task scheduler -> create task -> hidden. The checkbox for hidden is in the bottom left corner. Set the task to trigger on login (or whatever condition you like) and choose the task in the actions tab. Running it hidden ensures that the task runs silently in the background like a service.
Note that you must also set the program to run "whether the user is logged in or not" or the program will still run in the foreground.
On Windows 2019 Server, you can run a Minecraft java server with these commands:
sc create minecraft-server DisplayName= "minecraft-server" binpath= "cmd.exe /C C:\Users\Administrator\Desktop\rungui1151.lnk" type= own start= auto
The .lnk file is a standard windows shortcut to a batch file.
--- .bat file begins ---
java -Xmx40960M -Xms40960M -d64 -jar minecraft_server.1.15.1.jar
--- .bat file ends ---
All this because:
service does not know how to start in a folder,
cmd.exe does not know how to start in a folder
Starting the service will produce "timely manner" error, but the log file reveals the server is running.
If you need to shut down the server, just go into task manager and find the server java in background processes and end it, or terminate the server from in the game using the /stop command, or for other programs/servers, use the methods relevant to the server.
As Doug Currie says use RunAsService.
From my past experience you must remember that the Service you generate will
have a completely different set of environment variables
have to be carefully inspected for rights/permissions issues
might cause havoc if it opens dialogs asking for any kind of input
not sure if the last one still applies ... it was one big night mare in a project I worked on some time ago.
While it is not free (but $39), FireDaemon has worked so well for me I have to recommend it. It will run your batch file but has loads of additional and very useful functionality such as scheduling, service up monitoring, GUI or XML based install of services, dependencies, environmental variables and log management.
I started out using FireDaemon to launch JBoss application servers (run.bat) but shortly after realized that the richness of the FireDaemon configuration abilities allowed me to ditch the batch file and recreate the intent of its commands in the FireDaemon service definition.
There's also a SUPER FireDaemon called Trinity which you might want to look at if you have a large number of Windows servers on which to manage this service (or technically, any service).
Since NSSM is no longer maintained, you can consider using WinSW. It has binaries that would work with or without .Net.
Basically you create an XML file and then install it. Here is a sample of a minimal XML:
<service>
<!-- ID of the service. It should be unique across the Windows system-->
<id>myapp</id>
<!-- Path to the executable, which should be started -->
<!-- CAUTION: Don't put arguments here. Use <arguments> instead. -->
<executable>%BASE%\myExecutable.exe</executable>
</service>
And then you can install and start it:
winsw install myapp.xml
winsw start myapp.xml
Install NSSM and run the .bat file as a windows service.
Works as expected
My easest way is using opensource svcbatch (https://github.com/mturk/svcbatch/) as wrapper of CMD(BAT) in sc :
sc create myservice binPath= ""%cd%\svcbatch.exe" myservice.bat"