Automatically running a program as administrator in VB.NET - windows

I am developing a VB.NET based application which requires administrative privileges in order to run properly. However, I went through several tutorials online and they all mentioned how to do this using a manifest file. The problem with this technique is that whenever the program is opened I need to type in the Administrator password, however I want this to happen automatically. (The user should not type the Admin password; the password must be entered from the code level.)
The following code is the closest I could find, but it too does not satisfy my problem:
Dim securePass As New Security.SecureString()
Dim pass As String = "password"
' Copy the plain-text password into the SecureString one character at a time.
For Each c As Char In pass
    securePass.AppendChar(c)
Next
' If there isn't a domain, set the argument to 'Nothing', as demonstrated below.
' The overload is Process.Start(fileName, userName, password As SecureString, domain),
' so the SecureString must be passed, not the plain String.
Process.Start("testsoftware\WinKBSel\WinKBSel1003.exe", "username", securePass, Nothing)
Could anyone please let me know how I could do this without requiring the user to enter the administrator password?

You would probably be best splitting the application up. If you had a back-end service that runs under an administrator account, your application could use that to do the things it requires at an elevated privilege. UAC is designed to protect the user from themselves; you can get around it by adding a backend service... but be very careful about opening up holes in this way as they could be exploited by other applications/viruses. Storing an administrator password inside an application is always a bad idea, as the application could be decompiled and the password extracted.

You cannot create a program that will automatically log on as a user unless the username/password is already known.
That means that you're either restricted to running on systems where your app already knows the credentials, your user has to enter the credentials into your app, or your user has to use the "Run As" functionality in Windows to use the correct user.
If what you're proposing were actually possible, it would represent a huge security hole: you'd be able to run any code as any user without requiring authentication first. That is not a good thing!
Think about it like this: if you were sold a program that would automatically log on as administrator even without your permission, how would you feel?

UAC is designed so that you cannot do what you want. UAC ensures that in order to elevate the user must pass through a UAC dialog (either the admin consent dialog or the over-the-shoulder dialog). You need to adapt your expectations to the reality of UAC.

You don't need code for this action; UAC is made so you can automatically log on without the user's permission. What you can do is use the manifest and change the startup so when the application starts it runs as administrator and asks for permission! Change the manifest, look it up!
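The split-application approach the answers recommend, as an added VB.NET example (not code from the question or any answer): the main program stays unelevated and launches a helper executable through the "runas" verb, so UAC prompts the user instead of the program holding an administrator password. The helper path and arguments are placeholders.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Security.Principal

Module ElevationHelper
    ' True if this process already runs with an elevated (Administrators) token.
    Function IsElevated() As Boolean
        Dim principal As New WindowsPrincipal(WindowsIdentity.GetCurrent())
        Return principal.IsInRole(WindowsBuiltInRole.Administrator)
    End Function

    ' Starts a small helper executable with the "runas" verb. ShellExecute then raises the
    ' normal UAC consent or credential prompt; no password is stored in or passed from here.
    ' Returns the helper's exit code, or Nothing if the user declined the prompt.
    Function RunElevated(helperPath As String, arguments As String) As Integer?
        Dim psi As New ProcessStartInfo(helperPath, arguments)
        psi.UseShellExecute = True   ' required for the "runas" verb
        psi.Verb = "runas"
        Try
            Using helper As Process = Process.Start(psi)
                helper.WaitForExit()
                Return helper.ExitCode
            End Using
        Catch ex As Win32Exception When ex.NativeErrorCode = 1223
            ' ERROR_CANCELLED: the user clicked "No" on the UAC prompt. Report it, don't crash.
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Placeholder helper path; only the privileged step lives in that small executable.
        Dim result As Integer? = RunElevated("C:\Program Files\MyApp\AdminHelper.exe", "--apply")
        Console.WriteLine(If(result.HasValue, "helper exit code " & result.Value, "elevation declined"))
    End Sub
End Module
```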

Related

User authentication login error

In my work we have users who access a Web based tool called Microstrategy that serves different reports from different projects. Users are added to various groups in the Developer tool by importing them from the selected domain they are on into a specific group that gives them access to only the project > report they require. Most users come from one main central domain, some others are still on old domains.
I am currently involved with admin on this system and I am experiencing a problem I cannot get to the bottom of. I think the problem lies in no man's land; I don't know if it is a problem with the network, the domain, or something else.
Most users will be set up with authenticated login, meaning that when they click on the respective link for their report they are logged straight in using their windows credentials.
In this particular case however the user does not seem to be able to login, but can get in by manually typing their username in (username and password) to access.
I'm not sure what the problem is, or why it won't authenticate automatically like most of the others do. I don't know if this makes any difference, but when I RDP into the machine I cannot see the C drive due to 'admin restrictions on effect on this pc'.
I don't know what this restriction is and if it is a symptom or related to the login problem. Is there a way of fault finding this?
Thanks
Andrew
The answer to this partly depends on the version of MicroStrategy you are using.
Forget about RDP to the server, you won't need that.
Assuming you have access to edit and change users with the Developer tool, open Developer.
In the tree on the left,
open the "project source" (the top level of the tree)
then Administration
then User Manager
then find the user, most likely within one of the groups you have set up
right click on the user and choose Edit
go to the Authentication section
There are a few relevant things here.
Is the user linked to a Windows user? (They should be for the access you want.)
Is the tickbox "user cannot use standard authentication to logon" ticked?
You probably don't want to allow that if the standard at your workplace is auto login.

Get restricted user folder when an app requires admin rights and started under admin

There is a Windows app that requires admin rights and this is declared in its manifest. When a restricted user starts it she has to input admin credentials. It's OK and the application works well, but it can't obtain original user folders anymore (ShellAPI returns admin's ones).
Since the application is started under admin initially, there is no point where I can store original user's folder paths to use them later.
Is there a way to get initial restricted user credentials?
Regards,
Because of your manifest, your app is running as an admin user, not the currently logged in restricted user. As David Heffernan mentioned, you should redesign your app to not require the entire app to be run elevated. Delegate your admin tasks to a separate process that runs elevated when needed.
That being said, if you must run your entire app elevated, all is not lost, but you are going to have to do some extra work.
Start by getting the Session ID that your elevated app is running in. You can do that using WTSQuerySessionInformation() with WTS_CURRENT_SESSION, or ProcessIdToSessionId() with GetCurrentProcessId(), or open the current process's token with OpenProcessToken() and then use GetTokenInformation().
Once you have the Session ID, use EnumProcesses(), GetProcessImageFileName() (or equivalent), OpenProcessToken(), and GetTokenInformation() to find the instance of explorer.exe (or whatever the PC's registered shell app is, which you can find in the Registry) that is running in the same Session ID as your app.
When found, you have the user token for that process from OpenProcessToken(). Duplicate it using DuplicateTokenEx() to get its primary token, and then you can use that token with APIs like LoadUserProfile(), SHGetFolderPath() and SHGetKnownFolderPath() as needed.
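The procedure in the answer above, as an added VB.NET example rather than the answerer's own code. It uses the .NET Process class's SessionId property to locate explorer.exe instead of EnumProcesses, and assumes the P/Invoke signatures and the Documents known-folder GUID as given in the Win32 documentation.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Linq
Imports System.Runtime.InteropServices

Module UnelevatedUserFolders
    ' P/Invoke signatures as documented for Win32 (assumed here; not from the question).
    <DllImport("advapi32.dll", SetLastError:=True)>
    Private Function OpenProcessToken(hProcess As IntPtr, access As UInteger, ByRef hToken As IntPtr) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)>
    Private Function DuplicateTokenEx(hToken As IntPtr, access As UInteger, attrs As IntPtr, impLevel As Integer,
                                      tokenType As Integer, ByRef hNew As IntPtr) As Boolean
    End Function
    <DllImport("shell32.dll")>
    Private Function SHGetKnownFolderPath(<MarshalAs(UnmanagedType.LPStruct)> rfid As Guid, flags As UInteger,
                                          hToken As IntPtr, ByRef pszPath As IntPtr) As Integer
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(h As IntPtr) As Boolean
    End Function

    Private Const TOKEN_DUPLICATE As UInteger = &H2, TOKEN_IMPERSONATE As UInteger = &H4, TOKEN_QUERY As UInteger = &H8
    Private Const SecurityImpersonation As Integer = 2, TokenPrimary As Integer = 1
    Private ReadOnly FOLDERID_Documents As New Guid("FDD39AD0-238F-46AF-ADB4-6C85480369C7")

    ' Resolves the interactive (unelevated) user's Documents folder from an elevated process by
    ' borrowing the token of the explorer.exe instance that runs in the same session.
    Function GetUnelevatedDocumentsFolder() As String
        Dim sessionId As Integer = Process.GetCurrentProcess().SessionId
        Dim shell As Process = Process.GetProcessesByName("explorer").FirstOrDefault(Function(p) p.SessionId = sessionId)
        If shell Is Nothing Then Throw New InvalidOperationException("No explorer.exe in session " & sessionId)

        Dim hToken, hPrimary, pszPath As IntPtr
        If Not OpenProcessToken(shell.Handle, TOKEN_DUPLICATE Or TOKEN_QUERY, hToken) Then Throw New Win32Exception()
        Try
            ' SHGetKnownFolderPath needs a token with QUERY and IMPERSONATE (sometimes DUPLICATE) rights.
            If Not DuplicateTokenEx(hToken, TOKEN_QUERY Or TOKEN_IMPERSONATE Or TOKEN_DUPLICATE, IntPtr.Zero,
                                    SecurityImpersonation, TokenPrimary, hPrimary) Then Throw New Win32Exception()
            Marshal.ThrowExceptionForHR(SHGetKnownFolderPath(FOLDERID_Documents, 0, hPrimary, pszPath))
            Return Marshal.PtrToStringUni(pszPath)
        Finally
            If pszPath <> IntPtr.Zero Then Marshal.FreeCoTaskMem(pszPath)   ' allocated by the shell
            If hPrimary <> IntPtr.Zero Then CloseHandle(hPrimary)
            CloseHandle(hToken)
        End Try
    End Function
End Module
```

If the user's profile hive is not loaded (no explorer.exe for that user yet), LoadUserProfile() with the duplicated token is needed before the folder lookup, as the answer notes.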

How to switch user programmatically in windows

I would like to know if there are any APIs available to switch users programmatically in Windows. My application, when provided with user credentials (account name & password), will try to log out any other user logged on and try to log in the present user.
Any help would be greatly appreciated.
The function you are presumably looking for is LogonUser.
However, you are probably better off using user impersonation in most cases.
Personally, I suspect you are likely better off using neither method and simply using the security context of the running user, providing a privileged function via a Windows service you wrote specifically for your application.
Why don't you create a service to switch user credentials (by the methods mentioned in the other answers), and install and run the service as "Administrator"? From the logged-in user account, you can invoke this service (which is already running as admin) and make it switch user accounts without the permissions issue (as the service responsible for switching is already running as admin).

Adding a button to the Windows 7 Logon screen

I want to implement self-reset password functionality for Windows 7 users. When the logon screen prompts, domain users should be presented with a "forgot password" button which will open the password reset wizard. So the problem is how to add a command button to the standard Windows logon screen?
I know about GINA in Windows XP as mentioned here:
Adding command button to Windows Logon screen
But this topic is 3 years old, and with Vista / Windows 7 Microsoft came up with "Microsoft Windows Credential Provider".
Those buttons are called "Tiles", and they are implemented in a Credential Provider. Anything you read about a GINA will not work in Vista or later.
Those tiles are created by the LogonUI.exe process, itself launched by Winlogon.exe. LogonUI.exe runs with high privileges. You don't want to run anything there. Besides, any wizard you run will run under the system account. Security issues aside, anything that resets the password of the current user will not work.
But let's assume that you have a solution that can reset a user's password, like a web site (or a local application) that:
Asks for the user's name
Asks some security questions
Connects to Active Directory to reset the password
Then here is a way to implement the functionality.
Create a user, a domain user if possible. Give it a name and a password easy to remember, like "reset" and "reset". Make sure that everybody knows the password.
Change the shell of that user to Internet Explorer, which you would be running in kiosk mode, pointing to your web application.
Now when someone wants to reset their password, here is what they will do:
Use the standard Windows Credential Provider, like they do every day, but with the user "reset" and the password "reset".
Instead of the normal Windows shell, they will be presented with your password reset web application.
The user resets their password and they are instructed to log off using CTRL+ALT+DEL.
They can log in with their own username and brand new password.
This idea can be improved upon if you are ready to write some code:
Instead of Internet Explorer, write a simple application that wraps the web browser control. If the application is closed, or any other funny business happens, log off.
Hack one of the Credential Provider samples to supply the well-known password reset username and password, making password reset merely a click away.
Change that password reset credential provider's image to reflect the password reset functionality.

Vista: create a process from service with out popping up any dialog boxes

I am new to Vista and not an advanced programmer. For the past few days I have been trying to digest many technical details about Vista. But I still have a few basic questions on it. I hope you all will help me in getting the answers to my questions.
Can we create an interactive process (which has an embedded manifest file with "invokeAsAdministrator") from a service which is running under the Local System account?
Here I know about session 0 isolation and all. Still I am asking this question because, when I create an interactive process through CreateProcessAsUser (which requires admin privileges), it is failing with error 740. While using this I have given the proper session id. The session id is that of my active desktop, where my user is logged in with administrative privileges.
If the process can be created does that show up the UAC dialog?
If the UAC dialog shows up, can we avoid this?
It is a well-understood problem. The Local account has no admin privileges. The only thing you can do is impersonation. Temporarily you emulate another account (in your case it is admin). An example of this technique you can find in MSDN under the topic WindowsIdentity.Impersonate ( http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx )
EDIT
Sorry, only after posting did I notice that you use VC++.
On the Win API, use ImpersonateLoggedOnUser.
CreateProcessAsUser is failing in my case because, by default, when we query for the user token for the user's desktop session I was getting a restricted token that was created for the user (for administrators two tokens are created: 1) restricted token, 2) full token; anyhow, my application can be run only by administrators).
By browsing the net I have found that I have to find the linked token and use that token for creation of the process.
The code for creation of process from service can be found in the following question:
Desktop problem with using CreateProcessAsUser from a service on Vista
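The linked-token lookup the asker describes, as an added VB.NET example (not code from the question or the linked answer). It assumes the P/Invoke signatures and TOKEN_INFORMATION_CLASS values as given in the Win32 documentation, and that the caller is a service running as Local System.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Module LinkedTokenHelper
    ' P/Invoke signatures as documented for Win32 (assumed here; not from the question).
    <DllImport("wtsapi32.dll", SetLastError:=True)>
    Private Function WTSQueryUserToken(sessionId As UInteger, ByRef hToken As IntPtr) As Boolean
    End Function
    <DllImport("advapi32.dll", SetLastError:=True)>
    Private Function GetTokenInformation(hToken As IntPtr, infoClass As Integer, info As IntPtr,
                                         infoLen As UInteger, ByRef needed As UInteger) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(h As IntPtr) As Boolean
    End Function

    ' TOKEN_INFORMATION_CLASS members and TOKEN_ELEVATION_TYPE value, per the Win32 headers.
    Private Const TokenElevationType As Integer = 18, TokenLinkedToken As Integer = 19
    Private Const TokenElevationTypeLimited As Integer = 3

    ' Reads one fixed-size token attribute (a 4-byte enum or a HANDLE) into an IntPtr.
    Private Function QueryToken(hToken As IntPtr, infoClass As Integer, size As Integer) As IntPtr
        Dim buf As IntPtr = Marshal.AllocHGlobal(size)
        Try
            Dim needed As UInteger
            If Not GetTokenInformation(hToken, infoClass, buf, CUInt(size), needed) Then Throw New Win32Exception()
            Return If(size = 4, New IntPtr(Marshal.ReadInt32(buf)), Marshal.ReadIntPtr(buf))
        Finally
            Marshal.FreeHGlobal(buf)
        End Try
    End Function

    ' Returns the interactive user's token for CreateProcessAsUser. If WTSQueryUserToken hands back
    ' the UAC-filtered (limited) token of a split-token administrator, it is swapped for the linked
    ' full token. Because a Local System service holds SeTcbPrivilege, the linked token it receives
    ' is a primary token; a caller without that privilege only gets an impersonation token.
    ' The caller owns the returned handle and must CloseHandle() it.
    Function GetFullUserToken(sessionId As UInteger) As IntPtr
        Dim hToken As IntPtr
        If Not WTSQueryUserToken(sessionId, hToken) Then Throw New Win32Exception()
        If QueryToken(hToken, TokenElevationType, 4).ToInt32() <> TokenElevationTypeLimited Then
            Return hToken   ' Default or Full: nothing to swap
        End If
        Dim hLinked As IntPtr = QueryToken(hToken, TokenLinkedToken, IntPtr.Size)
        CloseHandle(hToken)
        Return hLinked
    End Function
End Module
```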