Is there a way to find out what privileges my application needs in order to run in a Windows 7 environment?
I have a Delphi application that is using BDE and ODBC for database connectivity. This application works on most computers with Windows 7 running on a normal user account. However on some computers it only works on accounts with administrative privileges and is not working correctly on normal user accounts. I suspect it's a permission problem. The computers also are running in Active Directory.
I tried to find some informations using Process Monitor from SysInternals, however the output for me is too advanced. The process monitor log for two runs of my app (1. successful with administrative rights, 2. unsuccessfull on normal rights) had over 22k lines and i could not find the answer (needle) in the process monitor log (haystack).
What could i do to determine the privileges that my app needs in windows 7?
Use the Standard User Analyzer from the Microsoft Application Compatibility Toolkit.
The Standard User Analyzer (SUA) tool and the Standard User Analyzer
Wizard (SUA Wizard) both enable you to test your applications and to
monitor API calls in order to detect potential compatibility issues
due to the User Account Control (UAC) feature in the Windows® 7
operating system.
UAC, formerly known as Limited User Account (LUA), requires that all
users (including members of the Administrator group) run as Standard
Users, until the application is deliberately elevated, by using the
security prompt dialog box. However, not all applications can run
properly with the Standard User role, due to the application requiring
access and privileges for locations that are unavailable to a Standard
User.
Aaron Margosis has a tool called LUA Buglight that is designed to help track down issues related to privileges.
You can download the latest version from this blog post:
LUA Buglight 2.1.1 with support for Win7/2008R2 SP1
It is similar in concept to the MS Application Verifier. However, in practice I found LUA Buglight much easier to use and understand. Same with ProcessMonitor. It will monitor your process in a similar way but only report actions that failed as a normal user but succeeded as a admin user.
There is no documentation but it is simple to use. From the main GUI window select your Exe and let the BugLight program launch it. You need to be running in an Admin account with UAC enabled. Run your program though the steps that fail when you are not an admin. When you are done click on the Stop Logging button to see a report that lists what calls would have failed without admin rights.
Related
I'm developing a Windows application that must execute other GUI programs with privileges (executed as administrator).
Scope
My application is a "daemon", a long-running process that it will be launched with no user action;
My application must be executed as administrator (privileges elevation);
Processes executed by my application must be executed as administrator and must display on the screen.
Approach
Firstly, I developed my application as Windows service. I thought that it was the best way to run programs with privileges but services can't run programs that use the GUI session.
This restriction has been introduced by Microsoft with Windows Vista. An article from Microsoft - Impact of Session 0 Isolation on Services and Drivers in Windows - explains these changes. I tried to change the user who runs my service but this isolation appears to apply for all services.
Purpose
So my question is "What's the best way to run a program that it will launch another program with elevation of privileges (executed as administrator) with no action from user ?"
Currently, the only once idea to solve my problem is to register my application into Task Scheduler but I think that it probably exists a best way.
Windows Services have not been designed to interact in current session (user session). Services are running into Session 0 since the deployment of Windows Vista.
Explanations about this changes can be found in "Impact of Session 0 Isolation on Services and Drivers in Windows".
I have found another Microsoft post "Launching an interactive process from Windows Service in Windows Vista and later" but we can read at the beginning:
The first thing you should do about it is that, don't do it. There are many limitations, bad implications and restrictions involved into it.
Windows Services are definitely a wrong solution for this use case. The unique solution that I can found is the Task Scheduler.
I have successfully captured an image using sysprep and can provision new machines from it, however all the custom user settings are missing (desktop shortcuts, chrome bookmarks etc...).
A more serious issue is that one of the applications I had installed fails on the provisioned machine unless run as administrator (due to the way it writes some files when being installed originally).
How can I ensure this profile information is preserved and I don't hit the permissions issue for the application?
I have been pointed at the following link (http://theitbros.com/sysprep-xp-sp3-copy-administrator-profile/) but it seems to be Win XP specific.
Profile information can be migrated to a new deployment using the User State Migration Tool (USMT). USMT is a free tool designed to help IT Professionals migrate files and settings to Windows 7 or Windows 8. USMT captures user accounts, user files, operating system settings, and applications settings and then migrates them to the new Windows installation. The TechNet articles ‘Step-by-Step: Basic Windows Migration using USMT for IT Professionals’ and ‘User State Migration Tool 4.0 User’s Guide’ are good places to start learning how to use USMT.
For your application issue, I would recommend using the Microsoft Deployment Toolkit (MDT) for your deployments. MDT can deploy your image and then install device drivers and applications to the machine automatically. These two video walkthroughs are specific to migrating from Windows XP to Windows 7 with MDT, and using USMT to migrate the user files and settings:
Part 1: Building the Deployment Environment
Part 2: Initiating the Install and Migrating the PC
There is also a Microsoft Virtual Academy 7 part course titled ‘Migrating from Windows XP to Windows 7’ that has two parts dedicated to using USMT to transfer user data and one part for MDT.
MDT can be downloaded here, and USMT is a part of the ADK which is a component of MDT.
Hope this helps,
The answer here wasn't very elegant (in my mind at least) but here is what I did to achieve the desired result:
Create the VM as usual (specifying the admin user during setup)
Create a new (non-admin) user and give them RDP access
Log in as the non-admin user
Install all the necessary software
Log in as the admin user, change the permissions for any files that were causing an issue to be readable by the non-admin user
Run sysprep as the admin and complete the process as detailed elsewhere
This gave me an image that I was able to provision VMs from. When creating the VM I specified the admin user to be created (but then never needed to login as the admin, as I would just login as my non-admin user that was created before). All profile settings for the non-admin user are preserved.
Hope this helps anyone else facing the same issue.
Firstly I want to emphasize that I'm not trying to do anything "nasty" or "hackerish", nor am I trying to hide anything from user here.
During installations (using InstallShield LE) of my application user is prompted by Windows UAC to allow it to run in Administrator mode; If user accepts it - installation continues (standard behavior) and user again can check the option to add this program to autorun list (by adding a registry key to HKLM/../Run). All is fine and normal. But after every Windows restart, when this application starts, UAC kicks in and asks for user permission. Question is, how to avoid it, since it's a bit annoying (yet my app needs Administrator privileges to run)?
I mean user already granted such permissions on installation, so I cannot see a reason why it needs to be prompted on every startup? Moreover, I believe most antivirus software and such, also require elevated permissions to operate, but UAC doesn't prompt for it at Windows Startup.
Thank you for any advises, information, comments or solutions.
Does your application really need to start elevated? Or will it need to elevated access later when the user uses it to perform an action? If you can, drop the later admin task into a separate exe, allowing the main exe to start with no elevation - when you shellexecute the worker process later it will UAC on demand.
At install time, as you have noted, you have elevated the installer. If you want to run elevated code on subsequent runs, automatically, this is the point to install a service - which is what all those other apps you mentioned do.
You can't get around UAC for a process started in an interactive session. You could use a service running as a privileged user but you would be far better off finding a way to do whatever you do without requiring admin rights.
It's not possible for a program to run elevated without prompting. What you want to do is factor those portions of your application that need elevation into a windows service that runs as system. Then your autostarting application can make remoting calls to the service to delgate those activities that the user can't do without elevating.
Not done it but I found this article Selectively disable UAC for your trusted Vista applications that says use 'Application Compatibility Toolkit' from microsoft.
The Compatibility Administrator allows you to create a database of
compatibility fixes that will allow you to run certain applications
without an accompanying UAC.
Run the Compatibility Administrator as admin
select a new database template
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard ... enter details about your app
Select a Compatibility Level
Select RunAsInvoker as the fix
It seems that the last one
Selecting the RunAsInvoker option will allow the application to launch
without requiring the UAC prompt.
Should do what you want provided that the invoker is admin and I think you can do this at start up using the scheduler : Create Administrator Mode Shortcuts Without UAC Prompts in Windows 7 or Vista
As you can see it runs your app in the compatibility mode which may or may not be acceptable for you.
To get Windows users to log on as regular users instead of admin, I need to check that all their applications run OK with limited rights.
Is there an application specifically aimed at checking that an application can run with limited rights, or is SysInternals' Process Monitor what everyone uses for this purpose?
Thank you.
Create a test account that has the permissions as the domain users of your application Login in as this user on a non-development computer. Preferrably a computer with a new operating system installation and all of the other "standard" company software. Install the software and run. This is the only way to really test your application.
Make sure you exercise the entire application.
Make sure install and uninstall work as expected and do not leave any artifacts behind.
Having the ability to restore the operating-system and software on the test computer to its original state is a great help.
Use the Permission Calculator Tool to make sure you handle obvious issues before performing this test.
I'm not sure if it would help since I never used it but I know there's a Permission Calculator Tool (Permcalc.exe) at http://msdn.microsoft.com/en-us/library/ms165077%28VS.80%29.aspx.
Permission Calculator Tool
(Permcalc.exe)
The Minimum Grant Set Determination
tool (Permcalc.exe) is used to
estimate the permissions callers must
be granted to access the public entry
points of an assembly. This tool is
new in the .NET Framework version 2.0.
It is intended for use by advanced
users.
Run this application on Windows 7/Vista with access control enabled. You may consider Windows 7 as such testing application :)
It is recommended to use non-administrator account with activated access control on a developer computer, when you write and debug the program. This creates some problems, and Windows developers hate this, turning off access control or using administrator account. However, working on Linux/Unix, we don't have administrator rights, and this is OK.
I have installed cc.net 1.4.3 version on Windows Vista. But It keeps giving me Interactive services dialog detection when I execute tests. I even have disabled the interactive services from services panel. but still getting this.
Any idea how to get rid of this problem
regards
Sam
No easy fix that you can do. The service is trying to pop up UI on the user desktop. In XP this worked because services and the first user log on both run in session 0. In Vista, services run in session 0 and the first user runs in session 1, so there is no way for a service to directly show UI to the user. This was due to security issues - search for Win32 Shatter Attack to get more details, but basically an untrusted user could send malformed window messages to the services, and in some cases could even cause arbitrary code execution.
You can disable it altogether by disabling the "Interactive Services Detection" service on the system. But you won't see notifications at all, and this will disable it for all interactive services. Best approach is to complain to the vendor to update their software for Vista.
EDIT: And the software is broken on XP when multiple users are logged on and the active user isn't in session 0.