To enable my application to startup with admin rights at user login, I use a task in task scheduler. And it works fine. Mostly. Now I've received bug reports saying that this fails:
rootFolder->RegisterTaskDefinition( _bstr_t(name.toWideCharPointer()), task,
TASK_CREATE_OR_UPDATE, _variant_t(L"Builtin\\Administrators"), _variant_t(),
TASK_LOGON_GROUP, _variant_t(L""), ®isteredTask) -> 0x80070534
0x80070534 seems to mean "No mapping between account names and security IDs was done". I'm following (pretty much verbatim) the example at:
http://msdn.microsoft.com/en-us/library/aa381911(v=VS.85).aspx
Ideas what has gone wrong, and how to fix it ? The application has manifest set so the user needs to be admin to run it.
Question: The "Builtin\\Administrators" group, it is language dependent, isn't it ? I think that the user in question might have a non-english Windows 7. If so I imagine it would work better with specifying "S-1-5-32-544" instead ( http://support.microsoft.com/kb/243330 )
Update: So the explicit call looks like:
rootFolder->RegisterTaskDefinition(
_bstr_t(name.toWideCharPointer()),
task,
TASK_CREATE_OR_UPDATE,
_variant_t(L"S-1-5-32-544"), // Language independent "BUILTIN\Administrators"
_variant_t(),
TASK_LOGON_GROUP,
_variant_t(L""),
®isteredTask)
Make sure that the application is executed with elevated privileges, otherwise that call will fail.
The problem indeed lies in the parameter _variant_t(L"Builtin\\Administrators"), which is hard-coded to English version of Windows. By using the language agnostic security identifier "S-1-5-32-544" ( http://support.microsoft.com/kb/243330 ), the problem is resolved.
Update: So the explicit call looks like:
rootFolder->RegisterTaskDefinition(
_bstr_t(name.toWideCharPointer()),
task,
TASK_CREATE_OR_UPDATE,
_variant_t(L"S-1-5-32-544"), // Language independent "BUILTIN\Administrators"
_variant_t(),
TASK_LOGON_GROUP,
_variant_t(L""),
®isteredTask)
Make sure that the application is executed with elevated privileges, otherwise the call will fail.
After spending some time, I've seen that more modifications than just _variant_t(L"S-1-5-32-544") are needed to make this "Logon Trigger Example (C++)" example work.
All the details can be found in this answer.
Related
I'm building a windows UMDF 2.0 driver and when I call OpenEvent I get an error of 2. any help would be great. below is my code
HANDLE userEvent = OpenEvent(EVENT_ALL_ACCESS, FALSE, myUserEvent);
std::cout<
Windows 7,8 require security descriptors while wec does not. Their default security descriptors are different.
Also if your events are to be accessed by different users or by elevated processes you need to make it a global event, otherwise it will not be able to access it.
So I figured it out, when you create a driver user event it has a default security permissions as high, so you have to create a security descriptor and pass it in to override the the default. For some reason it gives spits out an error 2 which is cant find file. hope this helps someone in the future.
https://msdn.microsoft.com/en-us/library/windows/hardware/ff538907%28v=vs.85%29.aspx
I am building an application that simulates user input (command+c and command+v). Before sandboxing it, everything worked fine, but now I am getting these errors from the console:
Firstly, when I fire it up:
5/27/13 1:35:11.980 AM appleeventsd[54]: A sandboxed application with pid 5343, "CopyBoard" checked in with appleeventsd, but its code signature could not be validated ( either because it was corrupt, or could not be read by appleeventsd ) and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Error=ERROR: #100013 { "NSDescription"="SecCodeCopyGuestWithAttributes() returned 100013, -." } (handleMessage()/appleEventsD.cp #1755) com.apple.coreservices.appleevents.peer.0x7fa9b0411260.xpcq
Then, when I try to simulate command+c, I get:
5/27/13 1:52:22.980 AM WindowServer[85]: post_filtered_event_tap_data: Sender is prohibited from synthesizing events
5/27/13 1:52:23.000 AM kernel[0]: Sandbox: sandboxd(6515) deny mach-lookup com.apple.coresymbolicationd
5/27/13 1:52:24.252 AM sandboxd[6515]: ([5343]) CopyBoard(5343) deny hid-control
I'm looking for a solution that would allow me to copy and paste globally in a sandboxed environment. Is it possible that the Accessibility API is a good answer? Has my problem got anything to do with how I'm simulating user input? I'm very confused, thank you very much for helping.
The sandbox is designed to prevent exactly what you seem to be trying - allowing an application to simulate a user is defined as a security issue. If you have a narrow requirement which can be done safely you can submit it to Apple thorough bug reporter as an needed improvement to the sandbox.
The Accessibility API is not supported in general for this reason - no playing with other apps! This did not go down so well with all the developers which used it...
You can use AppleEvents in limited constrained circumstances and with the appropriate entitlements.
You'll probably need to go to developer.apple.com and read all the documents/view videos/etc you can find to see if what you wish is going to be possible.
The only point of hope I can offer you is that the sandbox is a moving target, so you may find you can do more than the above suggests. Go read. Good luck.
Recently, I have been working on a CredentialProvider in order to unlock automatically (the trigger can be any event, so let’s say the end of a timer) a Windows Vista (or more recent version) user session.
For that I read some useful articles on the subject, the change between GINA and this new architecture. http://msdn.microsoft.com/en-us/magazine/cc163489.aspx.
I think, like everyone in the process of creating a custom CredentialProvider, I didn’t start from scratch but from the sample code provided by Microsoft. And then I tried to change the behaviour (things like logging) in the different functions.
So in the end I can use the custom CredentialProvider, enter the SetUsageScenario methods but still I cannot reach the Set or GetSerialization method. From what I’ve understood in the technical documentation on CredentialProvider (still provided by Microsoft) theses two methods should be called automatically. Is there something I missed ?
Also, my original idea was to get an authentication package using Kerberos in order to perform an implicit user authentication. I got this idea by seeking information on other SO or MSDN threads like
Is this approach the good one ?
Thank you very much for your time answering my questions. Any clarifications are welcomed, even if they don’t directly resolve my problems :-)
First of all - you need to set autologon flag to true in your implementation of the ICredentialProviderCredential::SetSelected(BOOL *pbAutoLogon) and ICredentialProvider::GetCredentialCount methods.
Next, you need to call ICredentialProviderEvents::CredentialsChanged when your timer is hit.
LogonUI will recreate your credentials, and because autologon is set to true it will call your GetSerialization() method.
SetSerialization and GetSerialization functions are called from your provider by LogonUI. After user enters username/password and presses ENTER button, LogonUI calls GetSerialization function and provides a pointer, as one of the four parameters, that will point in future to CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure created and filled by you, and then this structure will be sent from LogonUI to Winlogon to perform authentication. I don't know how to make LogonUI to call GetSerialization from your credential provider code and as far as I know you can't call GetSerialization by your own because where will you pass your filled CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION structure if no one requested it, but only LogonUI can path it to Winlogon?
There is a document called "Credential Provider Technical Reference", there you can read some details about credential providers. In the Shell samples folder there is a strange folder called "Autologon", maybe it will help you! Good Luck!
I've searched around online but can't find what I'm after. Basically, during an install, we fire off a separate executable that basically brute forces a few folders to be read/write enabled for the user group "EVERYONE".
Now, the person that wrote this never took into consideration system language. I had a call with a customer in France that kept failing installation because "EVERYONE" isn't what we would expect.
I'm after an API call to Windows that would return a security group name which would be "safe" to use in a localized environment. Essentially I'm looking to safely edit this code so instead of hardcoding in "EVERYONE", we call a function instead.
The fundamental mistake here is not so much the use of EVERYONE, but rather that the code is using names at all. Instead of using names you should use the well-known SIDs. In your case you need S-1-1-0.
My app did not work properly on a customer machine. Here is a line from console messages:
sandboxd: ([14252]) aText(14252) deny mach-lookup com.apple.familycontrols
What does this mean ?
It means just what it says: Your app (or some code injected into your app or running in a child process) is trying to do lookup a Mach service named com.apple.familycontrols, probably at global scope, and you don't have an entitlement to do so, and therefore it's being denied.
If you need this to work, you need to add a temporary-exception entitlement com.apple.security.temporary-exception.mach-lookup.global-name = [com.apple.familycontrols]. But you'll have to figure out why you need this exception, and file a bug with Apple asking them to provide a better way to do the same thing.
If you don't need this to work, you need to figure out why your code is trying to look up this service and stop doing whatever is causing it. (If it's not your code, but code injected into your app via SIMBL or something, then it's your user's problem, and he has to not use whatever plugin is at fault.)