I am logged in as administrator on my computer. It is a Windows 7 OS (actually it has only one account),
but why do some programs still need to be run as administrator?
E.g. the host file
1. Why is it asking?
2. Logging in with the root account is just for logging purposes
Ever since Windows Vista Microsoft introduced User Access Control. This has a completely different security model than Windows XP. Applications run at a user level with the exception of Internet Explorer which runs at 100, even lower than user level. This is to prevent malicious software having full run of your system should your PC become infected.
When logged in as admin, you will be asked to elevate the application permissions. You will not be prompted for credentials. A user logged in (not admin) would be prompted for credentials.
Related
I was arguing with my colleague about this topic.
There are two main questions:
Can a user (not admin) install a desktop app for all users in Windows (7, 8.1, 10)?
Can a user update this app without admin rights?
As far as I know, Windows will request admin rights if we are installing some desktop app for all users.
If a user doesn't have admin rights, he won't be able to modify files which an admin created. So, a simple user isn't able to update an app that was installed for all users.
Am I wrong?
If we want to install an app that will be for all users, do we exactly need admin rights?
You cannot install apps for all users without certain write privileges since you generally need to modify %ProgramFiles%, the "common" start menu and HKEY_LOCAL_MACHINE to install an app. A normal user cannot write to these locations. A member of the now deprecated power-users group can install most applications for all users even though they are not a full administrator unless the installer specifically checks for administrator rights.
A non-admin user can however install patches to an app installed for all users if the .MSI is signed, this is called User Account Control (UAC) Patching.
Chrome and Firefox use an alternative approach with a Windows service and scheduled tasks. This also requires an administrator to perform the initial installation.
I have written a WPF application.
When it is installed on client machines, they are prompted for a username and password so that they have administrator privileges to use the application.
I need administrator privileges because my application opens ports and writes files to the file system.
Is it possible to allow any user to run the application without being prompted for an administrator username and password and to elevate the application to run with administrator privileges?
Thanks
When your app is installed, it will prompt for admin rights if the installation program has been marked for admin execution. This is normally only required if you want to install to a location available to multiple users, such as within the Program Files folder hierarchy. An MSI will raise a UAC prompt by default, but it's easy to make an MSI with WIX that doesn't raise a UAC prompt.
When your app is run (by a user without admin rights), it will ask for admin rights if the app itself has been marked for admin execution. This is partly under your control, but can be overridden by users on the client machine.
An app that writes to file system folders doesn't require admin rights as long as the user running the app has permission to those folders. Generally you can make this work by writing to a location that's accessible to each user.
However, I believe that opening a port does need admin rights if the app is doing anything more than querying statistical information.
If your app does need admin rights to run, and you don't want your non-admin users to see a UAC prompt during program execution, then I suggest you divide your app into 2 parts.
The first part is a Windows service that runs under a privileged user such as LocalSystem and is configured to interact with desktop programs. This service does all of the admin-related tasks, and will need to be set up by an installer that requests admin rights.
The second part is the WPF program that doesn't do anything privileged. If you mark this WPF program as not needing elevation, your end-users will never see a UAC prompt when running it, because all the privileged work is being done by a service that's always running.
Calling DeleteIpForwardEntry() works perfectly well on Windows XP and Windows 7. On Windows Vista, however, it fails with ERROR_ACCESS_DENIED.
The documentation says that "the user lacks the required administrative privileges on the local computer or the application is not running in an enhanced shell as the built-in Administrator (RunAs administrator)."
Well, in my case the user is the Administrator on the local computer and the application is run on logon via SOFTWARE\Microsoft\Windows\CurrentVersion\Run so I can't really tell it to run in an "enhanced shell".
Is there a way to solve this "Catch 22" situation in Vista?
I don't understand why this would work on Windows 7. The docs indicate the failure will be the same.
"On Windows Vista and later, the DeleteIpForwardEntry function can only be called by a user logged on as a member of the Administrators group. If DeleteIpForwardEntry is called by a user that is not a member of the Administrators group, the function call will fail and ERROR_ACCESS_DENIED is returned."
Also, your post indicates the logged on user is an Administrator. Is it possible that your Windows 7 and Windows Vista tests are for different users - on Windows 7 your test user is an admin, on Windows Vista machine the test user is not?
There's no way to work around this running the app in that way. Can you re-implement this as a Windows Service running in an admin account, which acts on interactive logon events on the machine to manipulate the IP configuration as needed?
I have an app that normal users need to be able to run, but requires administrator privileges to actually function.
I tried to make the shortcut that my users run it with "Run as administrator" but this just causes a UAC prompt whenever they try to run the app.
Is there any way to elevate privileges programmatically, without my users needing to go through a UAC prompt and/or knowing an administrator password? From a security standpoint, I understand that most applications shouldn't be allowed to do this, so I'm hoping there is some way to do it if I can provide a valid username/password pair, or something.
The app is written in C#, so a fully managed solution would be preferred, but p/Invoke Black Magic (or even writing an MC++ Wrapper Which We Do Not Speak About) would be more acceptable than disabling UAC entirely.
Generally this problem is solved by installing a Windows Service which runs as SYSTEM or an admin account. Then your application can request the privileged action from this service.
Obviously, to not pose a security threat, ensure that your service can't run arbitrary code or something which might leave all users vulnerable to privilege escalation attacks.
Winpcap and most of the other sniffing applications use a similar design to give sniffing access to unprivileged users.
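The answer above warns that the privileged service must not become a way to run arbitrary code. The following is an added example, not code from any poster on this page, of the request boundary such a service could enforce; the "<verb> <argument>" line format, both verbs and the port floor of 1024 are hypothetical, and the transport (pipe or socket) is left out.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Net.Sockets;

// Added example: the request format and verbs are assumptions for illustration.
static class PrivilegedBroker
{
    // Accepts only fixed verbs with strictly parsed arguments. Caller text is
    // never handed to a shell, a file path or Process.Start.
    public static string Handle(string line)
    {
        if (line == null || line.Length > 64) return "ERR malformed";
        string[] parts = line.Split(' ');
        if (parts.Length != 2) return "ERR malformed";

        switch (parts[0])
        {
            case "open-port":
                ushort port;
                // NumberStyles.None rejects signs, whitespace and hex prefixes.
                if (!ushort.TryParse(parts[1], NumberStyles.None,
                        CultureInfo.InvariantCulture, out port) || port < 1024)
                    return "ERR bad port";
                // The privileged work for this verb goes here and uses only the parsed ushort.
                return "OK open-port " + port;

            case "delete-route":
                IPAddress dest;
                // Require canonical dotted IPv4 so the text and the parsed value cannot differ.
                if (!IPAddress.TryParse(parts[1], out dest)
                        || dest.AddressFamily != AddressFamily.InterNetwork
                        || dest.ToString() != parts[1])
                    return "ERR bad address";
                // The privileged work for this verb goes here and uses only the parsed IPAddress.
                return "OK delete-route " + dest;

            default:
                return "ERR unknown verb";
        }
    }

    static void Main()
    {
        // Constructed sample requests, valid and invalid.
        string[] constructed = { "open-port 8080", "open-port 80", "delete-route 10.0.0.0",
                                 "delete-route 010.0.0.1", "run cmd.exe", "open-port 8080 extra" };
        foreach (string request in constructed)
            Console.WriteLine("{0,-24} -> {1}", request, Handle(request));
    }
}
```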
Actually, why don't you just create a Task Schedule which runs the app with elevated privileges? As long as you set up the Task under elevation, it will not prompt you for a UAC when it is auto-run during reboot or whatever your trigger is.
Just make sure you set level=requireElevation in your manifest file, and task scheduler will run your app with admin rights without prompting your user for admin rights, as this had already been established when you set up the task with admin privileges.
It's not possible. You cannot decide to suppress UAC prompt.
You have to ask yourself:
What would happen on Windows XP?
The user is a standard user on Windows XP, and the application "needs" to run as an administrator. Are you:
going to refuse to run?
going to crash on startup?
going to show the user access denied error messages?
If the user is simply not allowed to run the application as a standard user on Windows XP, then UAC is your friend: it tells the user that they have to be an administrator.
And it even offers to let them (temporarily) gain administrative privileges.
But you have to ask yourself:
What would happen on Windows Vista?
In order to elevate, the user will need someone from IT to walk from three buildings over, so they can type in their credentials "over the shoulder". Perhaps you can make the user's life easier. Let 99.9% of the application run, and split off that 0.01% to an "administrative" module.
The following question answers how to get large memory pages on Windows:
"how do i run my app with large pages in windows".
The problem I'm trying to solve is how do I configure it on Vista and 2008 Server.
Normally you just allow a specific user to lock pages in memory and you are done. However on Vista and 2008 this only works if you are using an Administrator account. It doesn't help if the user is actually part of the Administrators group. All other users always get a 1300 error code stating that some rights are missing.
Anyone have a clue as to what else needs to be configured?
Thanks,
Staffan
On Vista and Windows 2008, you're getting bitten by UAC. People in the Administrators group have a restricted token, which doesn't contain all of their privileges. The UAC elevation prompt is used to turn on the extra privileges.
I'm assuming that the "lock pages in memory" privilege is one of the extras.
The real "Administrator" account isn't subject to UAC.
You need to run your program elevated, which means running it from an elevated command prompt, or setting it up with a manifest that states "requireAdministrator".
http://support.microsoft.com/default.aspx?scid=kb;EN-US;918483
Walks through the user rights required to pin pages
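To see which kind of token a process actually received, the following added example (not code from any poster on this page) reports the UAC elevation type and whether BUILTIN\Administrators is enabled or present only as a deny-only group. It assumes .NET Framework 4.5 or later for the `Claims` property; the class and method names are illustrative.

```csharp
using System;
using System.ComponentModel;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Claims;
using System.Security.Principal;

// Added example: class and method names are illustrative.
static class TokenReport
{
    const int TokenElevationType = 18;               // TOKEN_INFORMATION_CLASS value
    const string AdministratorsSid = "S-1-5-32-544"; // BUILTIN\Administrators

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    static string DescribeElevation(WindowsIdentity id)
    {
        int type, length;
        if (!GetTokenInformation(id.Token, TokenElevationType, out type, sizeof(int), out length))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        switch (type) // TOKEN_ELEVATION_TYPE
        {
            case 1: return "Default (no split token: standard user, UAC off, or built-in Administrator)";
            case 2: return "Full (elevated half of a split token)";
            case 3: return "Limited (filtered half of a split token)";
            default: return "Unknown (" + type + ")";
        }
    }

    static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // True only when the Administrators group is enabled in this token.
            bool adminEnabled = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
            // In a filtered token the group is still listed, but marked deny-only.
            bool adminDenyOnly = id.Claims.Any(c =>
                c.Type == ClaimTypes.DenyOnlySid && c.Value == AdministratorsSid);

            Console.WriteLine("User:                    " + id.Name);
            Console.WriteLine("Elevation type:          " + DescribeElevation(id));
            Console.WriteLine("Administrators enabled:  " + adminEnabled);
            Console.WriteLine("Administrators deny-only: " + adminDenyOnly);
        }
    }
}
```

Running it once from a normal prompt and once from an elevated prompt under the same account shows the two halves of the split token.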