Start application as logged user from NSIS installer launched by system service - windows

I work on an NSIS installer doing (among other things) in this order:
1. uses UAC to run elevated (this is needed for other things made by the installer)
2. closes explorer.exe
3. starts explorer.exe (using Exec command)
4. launches the installed executable, running as same user as the one launching (using Exec command)
and everything works well.
Now the installer is requested to be launched by a Service.
This ends in both explorer and the installed program being launched as SYSTEM.
How can I modify the installer to get the program run as the currently logged-on user?
I know if it was not for steps 2-3 I could use explorer to launch my executable (this works!), but this does not fit my needs, since I need also to stop and start explorer.exe as the current user.
Any idea how I can accomplish that?

If you are restarting Explorer because you are installing a shell extension then this is a flawed idea. A shell extension can be loaded in any process at any time (GetOpenFileName() etc). You should rename the file that is in use and delete it later with FILE_FLAG_DELETE_ON_CLOSE and/or MoveFileEx.
If you are restarting Explorer for some other reason (Why?) it is better to restart it with the token from OpenProcessToken (or WTSQueryUserToken if you could not get Explorer's token).
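
The WTSQueryUserToken route from the answer above, as an added example that is not part of the original answer: a PowerShell script that compiles a small P/Invoke wrapper and starts a process with the logged-on user's token instead of SYSTEM's. It assumes the script runs as LocalSystem (for example, started by the service) and that the user is on the physical console session; the class name UserSessionLauncher is made up for this example.

```powershell
# Added example. Run as SYSTEM; assumes the user is logged on at the console session.
Add-Type -TypeDefinition @'
using System; using System.ComponentModel;
using System.Runtime.InteropServices; using System.Text;
public static class UserSessionLauncher {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("kernel32.dll")] static extern uint WTSGetActiveConsoleSessionId();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    [DllImport("wtsapi32.dll", SetLastError = true)] static extern bool WTSQueryUserToken(uint sessionId, out IntPtr token);
    [DllImport("userenv.dll", SetLastError = true)] static extern bool CreateEnvironmentBlock(out IntPtr env, IntPtr token, bool inherit);
    [DllImport("userenv.dll")] static extern bool DestroyEnvironmentBlock(IntPtr env);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inheritHandles, uint flags, IntPtr env,
        string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    // Starts commandLine under the console user's token and returns the new process id.
    public static int Start(string commandLine) {
        uint session = WTSGetActiveConsoleSessionId();
        if (session == 0xFFFFFFFF) throw new InvalidOperationException("No console session attached.");
        IntPtr token, env = IntPtr.Zero;
        // Requires SE_TCB_NAME (LocalSystem has it); fails when nobody is logged on.
        if (!WTSQueryUserToken(session, out token)) throw new Win32Exception();
        try {
            // Use the user's own environment block, not the one inherited from SYSTEM.
            if (!CreateEnvironmentBlock(out env, token, false)) throw new Win32Exception();
            STARTUPINFO si = new STARTUPINFO();
            si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            si.lpDesktop = "winsta0\\default";  // interactive window station and desktop
            PROCESS_INFORMATION pi;
            if (!CreateProcessAsUser(token, null, new StringBuilder(commandLine), IntPtr.Zero, IntPtr.Zero,
                    false, 0x400 /* CREATE_UNICODE_ENVIRONMENT */, env, null, ref si, out pi))
                throw new Win32Exception();
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        } finally {
            if (env != IntPtr.Zero) DestroyEnvironmentBlock(env);
            CloseHandle(token);
        }
    }
}
'@
[UserSessionLauncher]::Start("$env:SystemRoot\explorer.exe")
```

A user connected over Remote Desktop is not on the console session, so covering that case means enumerating sessions rather than calling WTSGetActiveConsoleSessionId.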

Related

From a batch script, how to call explorer.exe to launch an exe with command line arguments [duplicate]

I have an elevated console running some bat files. Having this console running in elevated mode is mandatory for it to be able to perform some tasks like managing network shares, etc without asking for permissions. But sometimes the scripts also have to launch some applications which are not desired to run elevated. So we want our elevated bats to start some application in non-elevated mode. Is there any built-in way to do this on Windows? Processes were started with DOS command START up to the date.
By the way, the machine is a Windows 7 Ultimate Edition x64.
I know this issue is already discussed programmatically in many questions (this collects many of them), but our requirements are bat scripts running on cmd, and any standalone executable that may help in our tasks, like nircmd, 7z, etc.
Clarification: we already have a scheduled task which starts the console elevated, and elevating the console is not the issue of this answer.
The built-in Windows way: START RUNAS ... allows you to run a process as limited user. Here's an example:
runas /trustlevel:0x20000 cmd.exe
Anyway, there are some internal differences between the execution permissions on a process executed that way and another started from the UI with UAC enabled (explorer.exe via normal user interaction, I mean, execution from file browser or from start menu).
On the process started via runas (right) we miss some permissions disabled:
On the process started via runas (right) Administrators have some permissions set over the process:
The Third-Party application way: we can achieve our goal using PSExec, a standalone executable we can find on PSTools from Windows Sysinternals. Here's an example:
psexec -l -d cmd.exe
I've looked very deep into the issue and I've noticed no difference in any of the running permissions or security flags.
From the Microsoft Technet blogs:
PsExec uses the CreateRestrictedToken API to create a security context, called a token, that’s a stripped-down version of its own, removing administrative privileges and group membership. After generating a token that looks like one that Windows assigns to standard users Process Explorer calls CreateProcessAsUser to launch the target process with the new token.
These are the best conclusions I've managed to get after many hours of research; anyone who can provide further details will be welcome.
Really not my area of expertise, but would START RUNAS ... or perhaps AT fit the bill?

Is it possible to run wscript.exe in elevated mode when doubleclicked in Windows explorer?

I currently have a huge number of VBS Scripts which are, when doubleclicked in Windows Explorer, run by wscript.exe. These scripts need to be run in UAC elevated mode, i.e. doubleclicking by default will not work.
One solution for this would be to alter all the scripts, and make the scripts run themselves elevated. This solution can be found in many places, but altering all the scripts is tedious work.
So I am currently thinking of another solution to alter the default Shell Extension behaviour in Windows 10, so that wscript.exe will always be started elevated when a vbs script is doubleclicked in Windows Explorer. The problem is that I currently cannot find any commandline option that I can pass to wscript.exe to run it elevated.
Is there any solution available to call wscript.exe always in elevated mode? The scenario that should work is that a user can doubleclick the .vbs-file in Windows Explorer, and then automatically be prompted with the UAC-elevation dialog (if configured in Windows).
You can use Task Scheduler to run your script as an administrator without having to go through User Account Control (UAC) every time.
You can run scripts as administrator with the runas verb, but the user must have admin rights on the machine to do so.
You could store admin credentials in the script, but it would be plain text and not secure.
Run elevated commands only work on machines where you have local admin privileges. Other non admins can't use the script.

Why can't I use ShellExecAsOriginalUser during uninstall?

I have an Inno Setup installer that needs to restart the explorer (in order to install a shell extension). During installation, I can start explorer.exe with ShellExecAsOriginalUser so that it doesn't start with admin privileges; this is important on Windows 8, because running explorer with admin privileges prevents Metro apps from running.
The trouble is that this function can't be called during uninstall, as stated in the documentation (I tried to do it anyway, but of course it fails). I don't understand why it's not possible. Any clue? Is there a workaround?
It cannot be called during uninstall because the Programs and Features control panel always starts the uninstaller with elevated permissions (when running a per-machine uninstaller, anyway); the "original user" is therefore still the admin user.
In this situation, probably the correct thing to do is to just use the latest version of Inno -- this includes Restart Manager functionality which should automatically sort Explorer out without you having to do anything.

Running application with administrator privilege

I have made an application that copies the VB components to the system32 folder of Windows and registers those components with “regsvr32”. It works well in Windows XP, but in Windows Vista and Windows 7 it can’t perform its task without right-clicking the application .exe file and selecting “Run as administrator”. Is there any code in VB that automatically allows the application .exe file to run as administrator?
To do precisely what you ask you can add an application manifest that specifies an execution level of "requireAdministrator" within it. However this means the application will always run elevated, and the user will also have to provide admin credentials or approve elevated execution for every run (UAC prompt).
Please just do things the right way.
I'm going to second Bob's excellent comment above and suggest that you use a tool like Inno Setup http://www.jrsoftware.org (it's free) to build a proper installer. One of the benefits of using a proper setup tool is that the setup application can request to the OS to run with administrative privileges without using external files and manifests to make that happen. The setup.exe that you build will have the necessary code built in to ask the OS for elevated privilege.
In Windows 7, we can go to the properties of the file or an application exe file and then the "Compatibility" tab. Then check "Run this program as an administrator".
It will force the application to be executed under the administrator privilege.
I used this and my problem was solved.

How to launch a program as a normal user from a UAC elevated installer

I'm writing an NSIS installer and the setup program elevates "as administrator" as needed on Windows 7 / Vista.
I need to run the installed program at the end of the install and don't want to launch it with the same privileges as the installer.
The regular NSIS exec commands run the child process with the same permissions as the installer.
There is a UAC plugin for NSIS, but the documentation on it isn't great and it seems v. new; I'd prefer not to use that plugin.
Ideally, I'm looking for a small .exe I can include that'll launch the target program without UAC elevation. Does this exist?
Any other suggestions?
Thanks!
You only have two options:
1. Uncheck and remove the run checkbox (when running on NT6+)
2. Use the UAC plugin (it is not that new, but it is a pain to use, so I would suggest you just go for the first option)
There is no external program you can use since it is impossible to get back to the original user from an elevated process (you can try, and get pretty close, but it will not get the correct user in every case).
I found the following, which could be wrapped into a simple command line utility:
http://brandonlive.com/2008/04/27/getting-the-shell-to-run-an-application-for-you-part-2-how/
It only took about an hour to get that code working for my project, and it works flawlessly so far. ;)
