In our software, the user can select to make the application "Auto Run" during system startup. However, the user may not have admin rights. In this case, he won't have the rights to update the registry. I've tried both of the following paths w/o admin rights, and access is denied.
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
So is there any way that I can "Auto Run" a program w/o having admin rights, regardless of the platform (Win7, Vista, XP, etc.)? Thanks!
You shouldn't require admin rights to write to HKCU\Software\Microsoft\Windows\CurrentVersion - the ACLs allow the current user to read and write to that key.
The most plausible explanation for this is that your anti-virus software is blocking your attempts to write to this key. Yes it's possible that somebody has applied an ACL to that key to deny you write access but it's pretty unlikely. On the other hand it's very common for anti-virus software to take exception to programs that modify that particular key.
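An added example, not part of the original answer: a PowerShell check, run as the affected standard user, that separates the two explanations above by listing the ACL entries on the per-user Run key that apply to the current token and then attempting a real write. The value name and the command path are hypothetical placeholders.

```powershell
# Added example: run as the affected standard user, no elevation.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'ExampleAppAclProbe'        # hypothetical, constructed value name
$command   = '"C:\ExampleApp\app.exe"'   # hypothetical path, never executed here

# Collect the SIDs carried by the current token (user plus groups).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# List explicit and inherited rules on the key that apply to those SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = (Get-Acl -Path $runKey).GetAccessRules($true, $true, $sidType) |
    Where-Object { $mySids -contains $_.IdentityReference.Value }
$rules | Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize

# A Deny entry that covers SetValue would explain the failure by itself.
$setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
$denies = $rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and ([int]$_.RegistryRights -band $setValue) -ne 0
}

# Attempt the real operation, then remove the probe value again.
$writeError = $null
try {
    New-ItemProperty -Path $runKey -Name $valueName -Value $command `
        -PropertyType String -Force -ErrorAction Stop | Out-Null
    Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop
} catch {
    $writeError = $_.Exception
}

if (-not $writeError) {
    'Write succeeded: the key is writable for this user.'
} elseif ($denies) {
    "Write failed and a Deny entry covers SetValue: $($writeError.Message)"
} else {
    "Write failed with no matching Deny entry ($($writeError.GetType().Name)); " +
    'check for a missing Allow entry or security software intercepting the call.'
}
```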
Related
I have a Delphi 6 program that for most users installs fine while running under a user account without admin privileges. However, on some systems it triggers a request for admin rights. Unfortunately mine isn't one of them so it's hard for me to diagnose this problem. I use InnoSetup 5.1.9 to build my install programs.
How can I figure out what I need to change about my installation program's configuration to neutralize the need for admin rights on some people's systems? It's causing trouble for my system because during installation, certain program data files are being copied into the admin account's application data folder. Then when my program is launched under a user account, those files can not be found since they are not in the user account application folder, where they are expected to be.
This happens because of the default value of the PrivilegesRequired directive, which is configured to require administrator elevation. If you don't need this, simply set the value of this directive explicitly in your InnoSetup script, to something like this:
[Setup]
PrivilegesRequired=lowest
From the reference:
When PrivilegesRequired is set to lowest, Setup will not request to be
run with administrative privileges even if it was started by a member of
the Administrators group. Additionally, the uninstall info root key
will always be HKEY_CURRENT_USER, and the "common" forms of the Shell
Folder constants are mapped to the "user" forms, even if
administrative privileges are available.
Firstly I want to emphasize that I'm not trying to do anything "nasty" or "hackerish", nor am I trying to hide anything from user here.
During installation (using InstallShield LE) of my application, the user is prompted by Windows UAC to allow it to run in Administrator mode. If the user accepts it, installation continues (standard behavior) and the user again can check the option to add this program to the autorun list (by adding a registry key to HKLM/../Run). All is fine and normal. But after every Windows restart, when this application starts, UAC kicks in and asks for user permission. The question is how to avoid it, since it's a bit annoying (yet my app needs Administrator privileges to run).
I mean user already granted such permissions on installation, so I cannot see a reason why it needs to be prompted on every startup? Moreover, I believe most antivirus software and such, also require elevated permissions to operate, but UAC doesn't prompt for it at Windows Startup.
Thank you for any advice, information, comments or solutions.
Does your application really need to start elevated? Or will it need elevated access later when the user uses it to perform an action? If you can, drop the later admin task into a separate exe, allowing the main exe to start with no elevation - when you shellexecute the worker process later it will UAC on demand.
At install time, as you have noted, you have elevated the installer. If you want to run elevated code on subsequent runs, automatically, this is the point to install a service - which is what all those other apps you mentioned do.
You can't get around UAC for a process started in an interactive session. You could use a service running as a privileged user but you would be far better off finding a way to do whatever you do without requiring admin rights.
It's not possible for a program to run elevated without prompting. What you want to do is factor those portions of your application that need elevation into a Windows service that runs as system. Then your autostarting application can make remoting calls to the service to delegate those activities that the user can't do without elevating.
Not done it but I found this article, Selectively disable UAC for your trusted Vista applications, that says to use the 'Application Compatibility Toolkit' from Microsoft.
The Compatibility Administrator allows you to create a database of
compatibility fixes that will allow you to run certain applications
without an accompanying UAC.
Run the Compatibility Administrator as admin
Select a new database template
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard ... enter details about your app
Select a Compatibility Level
Select RunAsInvoker as the fix
It seems that the last one
Selecting the RunAsInvoker option will allow the application to launch
without requiring the UAC prompt.
Should do what you want provided that the invoker is admin, and I think you can do this at startup using the scheduler: Create Administrator Mode Shortcuts Without UAC Prompts in Windows 7 or Vista
As you can see it runs your app in the compatibility mode which may or may not be acceptable for you.
Goal:
It sounds a little bit odd, but I have to prevent a piece of software from starting with administrative rights.
Problem:
I have a setup tool that installs the software very well. After completion, the setup starts the software itself. Because the setup tool runs with administrative rights, the software that is started automatically after the setup does the same.
But none of the settings that the program needs will be written/read correctly at that time, because due to UAC virtualization, the config directory is different from the config directory the user would have without administrative rights.
Question:
Is there any way to downgrade from administrative rights to user rights, if the parent process owns administrative rights? App.config? StartParameter? Or something else?
Info: I'm using the INNOSETUP to build the setup tool.
Thx for your help
Just set the runasoriginaluser flag for running the application.
Yes, you can start a process non-elevated, however I'm not sure how this integrates with InnoSetup. The instructions are in How do I start a program as the desktop user from an elevated app.
Consider marking your application with an appropriate manifest to suppress UAC virtualization; it will then use the same directories in both cases: non-elevated and elevated. And better to use directories in the user's profile without relying on virtualization.
I have an app that normal users need to be able to run, but requires administrator privileges to actually function.
I tried to make the shortcut that my users run it with "Run as administrator" but this just causes a UAC prompt whenever they try to run the app.
Is there any way to elevate privileges programmatically, without my users needing to go through a UAC prompt and/or knowing an administrator password? From a security standpoint, I understand that most applications shouldn't be allowed to do this, so I'm hoping there is some way to do it if I can provide a valid username/password pair, or something.
The app is written in C#, so a fully managed solution would be preferred, but p/Invoke Black Magic (or even writing an MC++ Wrapper Which We Do Not Speak About) would be more acceptable than disabling UAC entirely.
Generally this problem is solved by installing a Windows Service which runs as SYSTEM or an admin account. Then your application can request the privileged action from this service.
Obviously, to not pose a security threat, ensure that your service can't run arbitrary code or something which might leave all users vulnerable to privilege escalation attacks.
Winpcap and most of the other sniffing applications use a similar design to give sniffing access to unprivileged users.
Actually, why don't you just create a Task Schedule which runs the app with elevated privileges? As long as you set up the Task under elevation, it will not prompt you for a UAC when it is auto-run during reboot or whatever your trigger is.
Just make sure you set level=requireElevation in your manifest file, and task scheduler will run your app with admin rights without prompting your user for admin rights, as this had already been established when you set up the task with admin privileges.
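An added example, not part of the original answer: a task that starts a program elevated at logon is only as trustworthy as the file it points to, so this PowerShell sketch refuses to register the task when any identity other than SYSTEM, Administrators or TrustedInstaller can modify the binary or its folder. The install path and task name are hypothetical, and the script assumes it is run from an elevated prompt by an administrator account.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
$exe      = 'C:\Program Files\ExampleApp\app.exe'   # hypothetical install path
$taskName = 'ExampleApp autostart'                  # hypothetical task name
$user     = "$env:USERDOMAIN\$env:USERNAME"         # assumed to be an administrator

# Only these identities may hold write-type rights on the binary or its folder.
$trusted = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.PropagationFlags)" -notmatch 'InheritOnly' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights
}

# Check the executable and the folder that contains it (one level only).
$findings = @($exe, (Split-Path -Parent $exe)) | ForEach-Object { Get-UntrustedWriter -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize | Out-String | Write-Host
    throw "Not registering '$taskName': a non-admin identity can modify $exe or its folder."
}

$action    = New-ScheduledTaskAction -Execute $exe
$trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal
```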
It's not possible. You cannot decide to suppress UAC prompt.
You have to ask yourself:
What would happen on Windows XP?
The user is a standard user on Windows XP, and the application "needs" to run as an administrator. Are you:
going to refuse to run?
going to crash on startup?
going to show the user access denied error messages?
If the user is simply not allowed to run the application as a standard user on Windows XP, then UAC is your friend: it tells the user that they have to be an administrator.
And it even offers to let them (temporarily) gain administrative privileges.
But you have to ask yourself:
What would happen on Windows Vista?
In order to elevate, the user will need someone from IT to walk from three buildings over, so they can type in their credentials "over the shoulder". Perhaps you can make the user's life easier. Let 99.9% of the application run, and split off that 0.01% to an "administrative" module.
I've been asked to provide a program/script/whatever that enables or disables the
CD/DVD drive
USB ports
Floppy (!) drive
devices without requiring admin rights, that is, that can be run by a 'normal' user.
Ideally, something like a command line utility:
C:> foobar cdrom /disable
Any pointers, hints or clues gratefully accepted!
Thanks,
Rony
Without finding a security hole in Vista, it just plain can't be done. They require admin rights for a reason --- that's the type of things only admins should be doing.
There is a command-line utility (devcon.exe, available here), which will enable/disable devices, but it's still going to require admin rights. Its syntax is:
DEVCON disable {device id} where {device id} is one of the "Hardware ids" listed under the "details" tab of the device's Device Manager property page.
You could write a service that runs as a privileged account (e.g. Local System), and write a GUI front-end application which communicates with the server. The non-admin user can then run the front-end.
If you happen to be on a domain, I think you can disable all of that through a group policy.
First of all, you should check if a user without admin rights can do it from the Windows UI, using Device Manager. And I really doubt it.