Win7: What's the difference between starting Windows Explorer in Admin Mode vs. cmd.exe in Admin mode? - windows-7

I am currently using a VBScript, which is used to start a setup.exe file, which requires administrative privileges in order to be installed correctly; if it is not started as an administrator it will return a corresponding error message. Both the script and the setup are located on a Windows share that is located in a network classified as "Workplace" in Win7 (32 Bit).
I have the following strange effect, which I do not understand:
I run explorer.exe as "Administrator", and start the script by double-clicking, which results in a final error message that setup.exe requires administrative privileges in order to run. I thought that when I run explorer.exe as Administrator, all other processes started within will have the same privileges.
I tried the same by starting cmd.exe as an Administrator, run the vbs by simply typing myscript.vbs, and the installation succeeds.
Obviously, the same script started from explorer with administrative rights and started from cmd.exe with administrative rights finally gets different privileges, which is what I do not understand at all. Can anybody please explain what's going on there?
Thanks a lot

Any process can start a child process, and the parent process can choose what environment (including access rights) the child process will run in. The difference is simply that cmd.exe allows child processes to inherit its own environment, while explorer.exe will only apply administrator privileges if it has been told to do so, either by right-click and 'Run as administrator' or by editing the properties of a shortcut.
The bottom line is simply that they are coded that way.

Related

Replacement explorer.exe needing administrative privileges (Win10)

I have a tablet running Windows 10, and I need to lock it down to only run my custom executables.
My launch executable requires administrative privileges to perform some functions (e.g. change system clock, start other executables, open/close serial ports) and I have enabled "Run this program as an administrator" in the executable compatibility settings. Launching the application via double-click in an explorer window or via command line, the system is able to launch its other dependent executables and functions correctly.
However, I need to get this executable to launch on log-in, and research suggests replacing the registry key linking to explorer.exe with my own launch.exe to be the simplest approach. I proved this works with notepad.exe, but my launch.exe application doesn't start... I just get a black screen.
What am I missing here to get my own executable to launch?
Attempt Breakdown
By creating a registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and setting its value to notepad.exe, I can get notepad to start on launch.
When I change the value of the Shell key to C:\Windows\notepad.exe, this works too.
When I change the value of the Shell key to my custom executable, e.g. C:\custom\launch.exe... I get a black screen and no evidence the executable was launched as no log files from my system are generated.
Workaround Solution:
I was able to use Task Scheduler to launch my application with highest privileges, thus side-stepping the problem in the question above.
To disable explorer.exe as required, I replaced the Shell key value with a custom do_nothing.bat script that does (almost) nothing... and thus doesn't trigger explorer.exe. The file cannot be empty as otherwise Windows throws an error.
do_nothing.bat:
rem ---DO SOMETHING TO PREVENT EXPLORER.EXE LAUNCHING---
cd \

How to use AutoHotKey to launch Visual Studio 2015 when it requires interaction with the UAC prompt in Windows 10

I have VS2015 set up so that it always runs as administrator (a la something like this https://superuser.com/a/468056/48346).
Now I want to create an AHK script to launch Visual Studio and run a few UI / Keyboard commands to get it ready for me - I want this script to run at login but that's a later problem.
The Null solution is obviously to turn UAC off, but I don't want to do that.
So far I'm stuck on the way the UAC prompt always grabs the whole screen and I can't use AHK to click the "yes" button or send any keyboard commands to press enter or something like that. I guess this is the whole point of the UAC prompt, not to allow anything to do it for me.
Is there no way to open VS without the UAC prompt showing? I'd need to open a specific solution file, so if it's possible from the command line, the solution file would need to be included in the command so that it opens.
So far I've tried the AHK command RunAs, but I couldn't get that to work - my personal user is a domain user that's a member of the admin group on my local machine. I tried creating a specific runner account with admin privileges and using the RunAs command with that, but that didn't work. I get an "access is denied" error when I run this AHK code:
RunAs, runner, password, LocalComputer-Name
Run, %comspec% /k "start c:\Users\myacc\Documents\path\solution.sln"
The runner account is in the Administrators group on my local machine, which has full access to the folder where the solution file is stored including the file itself - so I don't understand why access is denied.
Is this not possible?
Ps. I'd ask this question on the AHK forum, but registering there seems to not send any confirmation email at all (no, it's not in my spam folder), so I can't post it there.
The answer is to schedule a task that runs with the highest privileges to run the script at logon. The problem I was really having was to construct and debug the script - running a task each time was cumbersome. So to debug the script, just right-click the script and select "Run as administrator". Then the UAC prompt will pop up before the script starts running but not during the script. Then when the script is ready, just schedule a task to run at logon and check the "Run with highest privileges" option for the task. Then you can try the task by right-clicking the newly created task and selecting run, then you will see it run without the UAC prompt.
My final version of the script just opens the solution file using Run, no RunAs required - the scheduled task is set to run as my user, with the highest privileges.
Run, %comspec% /c "start c:\Users\myacc\path\solution.sln"
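The scheduled-task approach from the answer above (and from the Task Scheduler workaround in the previous question), as an added PowerShell example that is not part of the original posts. The task name, script path and AutoHotkey install path are placeholders; run it from an elevated PowerShell session on Windows 8/Server 2012 or later. It refuses to register the task while the script is writable by non-administrative identities, because whoever can edit that file gets elevated code execution at every logon.

```powershell
# Added example, not from the original answer. All three values are placeholders.
$taskName   = 'LaunchDevEnvironment'                        # hypothetical task name
$scriptPath = 'C:\Scripts\open-solution.ahk'                # hypothetical script location
$ahkExe     = 'C:\Program Files\AutoHotkey\AutoHotkey.exe'  # assumed install path

# Rights that allow changing or replacing the file the elevated task will run.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'

# Allow-ACEs that give a non-administrative identity one of those rights.
$risky = (Get-Acl -LiteralPath $scriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
    ($trusted -notcontains $_.IdentityReference.Value)
}

if ($risky) {
    foreach ($ace in $risky) {
        Write-Warning ("{0} can modify {1} ({2})" -f $ace.IdentityReference, $scriptPath, $ace.FileSystemRights)
    }
    throw 'Move the script to a directory only administrators can write to, then register the task.'
}

# Same settings as the Task Scheduler UI: trigger "At log on", run as the current
# user, "Run with highest privileges" checked.
$user      = "$env:USERDOMAIN\$env:USERNAME"
$action    = New-ScheduledTaskAction -Execute $ahkExe -Argument "`"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal
```

The same write check applies to the directory that holds the script, since write access there allows the file to be replaced.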

Disable cmd and PowerShell on Windows Server 2012 for clients

I'm using Windows Server 2012, and I want to disable the cmd and the PowerShell for the clients. I've searched in the Group Policies but I didn't find where I can do this. Please can somebody help me?
Disable access to powershell:
In the Group Policy window for those users, on the left-hand side, scroll down to User Configuration > Administrative Templates > System > Don’t run specified Windows applications.
In the properties window that opens, click the “Enabled” option and then click the “Show” button.
In the “Show Contents” window add --> powershell.exe
User Cfg - Admin Templates - System - Prevent access to the command prompt
Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.
I have no idea about powershell anything.

Stop CMD from always opening with administrator privileges

No matter how I open it, cmd.exe always opens with admin privileges. How can I open it without? Is there some registry setting missing? Even if I open it directly from the run dialog or by double clicking in the system32 folder it still opens with admin privs.
Thanks.
Found out I was missing a registry key. In HKEY_CLASSES_ROOT\Directory\shell\cmd I was missing the String Value "Extended". Adding this back in and restarting the machine got rid of the defaulting to admin privileges.
EDIT: I had UAC turned off for my profile (to stop incessant "are you sure you want to open this .exe" warnings), and turning that back on has stopped cmd always running with greater privileges.
After some unclear actions (switch UAC on/off ?) I ended up in the same situation as described above:
Cmd.exe always starts in Administration mode.
Linking in VS failed with the message:
Project : error PRJ0003 : Error spawning 'C:\windows\system32\cmd.exe'.
The Properties | Compatibility tab is greyed out, so switching this off seems impossible (Compatibility modes cannot be set on this program because it is part of this version of Windows).
To recover from this situation you have to edit the registry to remove the RUNASADMIN preference that is associated with cmd.exe.
The 'RUNASADMIN' preference is stored in these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Delete the values named c:\windows\system32\cmd.exe and you are back in business!
Kees
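An audit of the two Layers keys named in the answer above, as an added PowerShell example that is not part of the original post. It lists every executable that carries a RUNASADMIN compatibility layer so an unexpected always-elevate entry can be reviewed before it is deleted; the function name is hypothetical.

```powershell
# Added example, not from the original answer. Get-RunAsAdminLayer is a hypothetical name.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

function Get-RunAsAdminLayer {
    param([string[]]$Path = $layerKeys)
    foreach ($keyPath in $Path) {
        # The Layers key does not exist until a compatibility setting has been stored.
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            if (-not $name) { continue }                  # skip the unnamed default value
            $layers = [string]$key.GetValue($name)        # e.g. "~ RUNASADMIN"
            if ($layers -match '\bRUNASADMIN\b') {
                [pscustomobject]@{
                    Hive       = $keyPath.Substring(0, 4) # HKCU or HKLM
                    Executable = $name                    # value name = full path of the program
                    Layers     = $layers
                    FileExists = Test-Path -LiteralPath $name
                }
            }
        }
    }
}

Get-RunAsAdminLayer | Format-Table -AutoSize

# After review, clear a single entry (HKLM needs an elevated session):
# Remove-ItemProperty -LiteralPath $layerKeys[0] -Name 'c:\windows\system32\cmd.exe'
```

Entries whose `FileExists` is false point at programs that are no longer installed and are worth clearing as well, since a new file placed at that path would inherit the setting.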
Right click on the cmd.exe, select properties and check the compatibility tab. Is the Run this program as an administrator checkbox checked?
This is only happening because you're logged in as a user with administrative privileges.
Since doing so defeats the entire Windows security model, you shouldn't be doing that in the first place. Create a standard user account and log in with that, instead. The command prompt should then not open with administrative privileges since you don't have administrative privileges.
If, as a standard user, you need to open a command prompt with administrative privileges, you'll need to right-click on the shortcut and select the "Run as Administrator" option (just look for the UAC shield). You'll need to provide sufficient credentials to authenticate yourself as an administrator, and then you'll have the authority to wreak whatever havoc you wish.
Found a way to run as a specific user even when UAC is turned off from http://www.sevenforums.com/general-discussion/235987-run-cmd-exe-given-user-administrator-command-line.html
This is the way to start cmd.exe as any user. Replace "username" with the correct one:
cmd.exe> runas /user:username "cmd.exe"
Right click on the cmd shortcut, navigate to properties, select advanced options and uncheck the 'Run as admin' option.
Check this video for better understanding - https://www.youtube.com/watch?v=3Mxh5TNSIl8&list=PLg8CURsOKswrzPs9fMhnmdy9TP7AkOOX1&index=1

C: drive access permission in windows 7

In MATLAB, I used a Windows standalone application. There is a line in this application that writes a file in C:\...\...\. When I run the output exe file produced from this Windows standalone application, the exe neither writes in C:\...\...\ nor tells me that there is a security issue in that partition. The execution simply does nothing. But, when I right-click and run the exe as administrator, it runs correctly.
I want to do it without right-click and run as administrator. Is there a command in MATLAB that can do that?
If you create a shortcut to your application, you can go to the Properties of the shortcut, click on Advanced in the Shortcut tab, and select "Run as administrator". That way, whenever you start the application from the shortcut it will be run as an administrator.
(Disclaimer: applications really shouldn't "foul their own nest" by writing into Program Files. This is bad design.)
Starting from Vista, unprivileged processes are not allowed to write to protected folders such as Program Files, because Program Files is designed to store code and not data. However, since this limitation has not been enforced in XP, MS has provided a backward-compatibility hack in the form of Virtual Store. Now, when a program tries to write to protected folder, its output is being redirected into a dedicated folder. This way, the program still "thinks" it writes to its usual location, while in fact it writes to an unprotected location. However, when you later check the Program Files location, you might not see the file - because it's not really there.
You can find more details here: User Account Control Data Redirection.
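A check for the redirection described in the answer above, as an added PowerShell example that is not part of the original post. It assumes the standard per-user redirect location `%LOCALAPPDATA%\VirtualStore`; the function names and the sample file path are hypothetical.

```powershell
# Added example, not from the original answer. Function names and the sample path are hypothetical.
function Get-VirtualStorePath {
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    $root = [System.IO.Path]::GetPathRoot($full)          # 'C:\' for a local path
    # Redirected copies keep the original folder layout minus the drive root.
    Join-Path (Join-Path $env:LOCALAPPDATA 'VirtualStore') $full.Substring($root.Length)
}

function Test-FileRedirected {
    param([Parameter(Mandatory)][string]$Path)
    $shadow = Get-VirtualStorePath -Path $Path
    [pscustomobject]@{
        Requested      = $Path
        ExistsInPlace  = Test-Path -LiteralPath $Path     # the location the program asked for
        VirtualStore   = $shadow
        ExistsInShadow = Test-Path -LiteralPath $shadow   # where a redirected write would land
    }
}

# Run as the same user that ran the application: VirtualStore is per user.
Test-FileRedirected -Path 'C:\Program Files\ExampleApp\output.txt'   # hypothetical file
```

A result with `ExistsInPlace` false and `ExistsInShadow` true means the write succeeded but was redirected, which matches a program that appears to do nothing when run without elevation.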
If you are an administrator, add full control permission for your username to the destination folder. You do that by right-clicking on the folder, going to Properties and then the Security tab. Then edit and add your username with Full Control rights. Then you don't have to run the program as an administrator.
There is no way you can elevate a process once it is started, so MATLAB cannot possibly have a command for that. Just run MATLAB elevated.
