I have been unsuccessful getting a Java WebStart application that should have AllPermissions to write a file to Windows/System32 on Vista or Windows 7. While I don't believe this is possible, perhaps there is a way to lower the integrity level of this folder to Medium?
I am getting desperate and am not above insane registry hacks to make this happen. We have a production app that runs fine on Windows XP however a new prospective client is unbending in their determination to ONLY maintain Windows 7 or Vista workstations.
I appreciate any help or suggestions and would especially love to hear from anybody if this is impossible. Please no comments on how insecure and dangerous this can be, I am aware of the risks.
The proper solution is to have the required DLLs placed in the system32 folder from your installer.
Your MSI installer will know how to prompt the user to elevate to administrator, so you then have permission to add your files to the users System32 folder.
You will not be able to modify files in the users's System32 without them being (or elevating to) an administrator; that's a fundamental constraint of the secure operating system.
First of all, as the author of CHML -- the app you mentioned -- it's unfortunately not a great idea to lower the integrity of the Windows folder (as you've seen).
That said, there IS a way to get things back the way you want -- several, actually, but the easiest way is to
1) Create a bootable WinPE CD or USB stick
2) add my chml.exe executable
3) Boot your system
And at that point you could use chml to re-raise the integrity level. It works because under WinPE you ARE running as System, and can raise your IL. (The docs (ahem) DO mention this. :-)
I figured out how to do this for Vista but am really unnerved by what I have done.
There is a free program out there that you can download that will give you the ability to change the integrity level of a folder. http://www.minasi.com/apps/
Using this program however from the commandline will give you Access Denied when attempting to change System32 to Medium integrity. This is because the Administrator does not have explicit rights to this directory.
This is where it gets really scary, to give yourself Full Control on System32 you have to make Administrator the Owner of that directory. The current owner is TrustedInstaller originally.
So, I changed the Owner of System32 to Administrator, Gave Administrator FullControl, then used chml from an Adminstrator command prompt to give System32 Medium integrity.
I now wonder what the consequences could be of System32 having a different Owner, however if Vista allows you to do this out of the box then it can't be that bad. Right???
Related
Based on the assumption that standard users can't write directly to ProgramData on Vista and later, I'm creating a directory inside it and giving all users full control of that for my program's use. It works fine, but during testing I tried to run some test code as Guest (which is supposed to be restricted) and it successfully created the directory and granted the intended rights. I wasn't expecting that to work, when I've seen so many stories of that kind of thing not working. The same thing happens if I create a standard user account and run the program from there.
Has anyone else seen that behavior? It's not being virtualized, and it appears that the UAC awareness tweak to the program's manifest (I'm using VS2005 here) is working because I get errors when I try to write to System32 instead of a file in VirtualStore.
I would just let it go and count my blessings, but this software won't just be running on my machine and I'd like to make sure it'll work in other environments.
Users are able to write to the ProgramData folder, because rights to create files and folders are granted to Users by default:
The same is true on Windows 7. Likely also true on Windows Vista.
The default permissions allow non-admin users to create directories in ProgramData, so the observed behaviour is as-expected.
Until Windows Vista I saved my application data into the directory where the program was located. The most common place was "C:\Program Files\MyApplication". As we know, under Vista and later the common user does't have rights to write under "Program Files" folder.
So my first idea was to save the application data under the "All Users\Application Data" folder. But it seems that this folder has writing restrictions too!
So to sum up, my requirements are:
The folder should exist under Windows XP and above.
All users of the system should have read\write\creation rights to this folder and its subfolders and files.
I want to have only one copy of file\files for all users.
It's often good to use environment variables so you keep things more generic.
Vista has changed some things, with NTFS Junction Points. See http://www.svrops.com/svrops/articles/jpoints.htm
Anyway, using %appdata% should automagically put files in the proper place on xp/vista/7
There is no such location. Even on Windows XP (and probably 2000 as well) no such location ever existed; we just think it did because we all ran with administrative privileges. It is not until Vista forces us to run as limited user that we realize our incorrect assumptions. You're going to have to explicitly set the permissions on your directory.
I would create a subfolder like All Users\Application Data\YourAppName\Shared, so that it's clear that just that folder will contain files writeable by all the users, setting up the privileges in the installer.
I have an application written in Delphi 2006 that was working fine in Windows XP. I packed the application using Inno Setup, using Program Files as the default folder. A few users migrated to Windows Vista and Windows 7. The issue here is that the application creates some files inside its installation folder by its own. This was working in XP but in Windows Vista the users were having problems with the created files (they don't appear and so on). After investigating the users' reports I discovered KB 927387: "Common file and registry virtualization issues in Windows Vista or in Windows 7."
Running the application with administrator rights just solves the problem, but that is (I think) an awful workaround. I would like to know if there are any directives or tips for making the application compatible with Vista and 7, because more users will migrate to these OS soon.
You need to re-write your application to store its files in the proper locations, even in XP, but especially in Vista onwards, particularly if UAC is enabled. This is becoming more and more important to get right as Microsoft keeps locking down and enforcing its security models with each new OS version. The rules for how to properly manage application- and user-related files is documented on MSDN, for example: "Application Specification for Microsoft Windows 2000 for Desktop Applications, Chapter 4: Data and Settings Management" and "Application Specification for Microsoft Windows 2000 for Desktop Applications Appendix A: Best Practices" (yes, they are old, but are still quite relevant). Look at SHGetSpecialFolderLocation(), SHGetFolderPath(), SHGetKnownFolderPath() and other related functions to help you.
For Vista/Win7, your app can't put the files in a subfolder of Program Files / Programs unless UAC is turned off or the app is running as elevated. Note that "elevated" does not necessarily mean "logged in as Administrator." Non-administrator users can elevate, and Administrator isn't necessarily elevated.
If the app does attempt to write to Program Files but is not elevated, the OS will either block the app or "virtualize" the write (put the files somewhere else), depending upon how UAC is configured. Neither one helps the app succeed at what it was trying to od.
So it needs to put them somewhere else. Where depends on why the files are being created, and you haven't told us that. You can read this article to learn about the options. Note that in addition to the user's AppData and Roaming folders, there is also an "All Users" (shared) profile.
You should probably look at this article and screencast, which discusses UAC in depth from a Delphi point of view.
Files you create for use by your application other than at installation time should go into the ProgramData directory if its global to the workstation, or into the users ApplicationData directory if its specific to the user.
For cases where you absolutely must place a file in the program files directory, you can use com to request elevation. This is discussed in great detail, and delphi specific bits are also available. One example that I have used this is in patching my users installation base. They are warned by UAC that the system needs to make changes, so if your doing this as an automated task, you might need to rethink the logic to be more user driven.
Here is another article, by Zarko Gajic, which shows how to get different system directories. Also have a look at this related question.
I had a similar enquiry here (Stack Overflow).
In the end I realised that I needed to put my application into Program Files at install time (requiring UAC/elevation) and then store my app's data in the user's App Data folder. I had to change the way my program generated 'default' configuration settings and also where I was saving this stuff, but it was worth the effort in the end - we ended up with something that installs and runs fine on XP, Vista and Windows 7.
The only UAC hit we get is at installation time, which makes sense to me (and you get a similar hit at install-time on the Mac too). We didn't have any data that would be common to all users in this particular case but I would have looked at the Program Data special folder if that had been the case.
The installer software we use (Setup Factory) made this fairly straightforward (we just wrote a small bit of code to detect XP versus Vista/Win7 and choose the right special folder accordingly). It would be easy to do this in Inno Setup too, from what limited experience I have of it.
I work on a vb6 application which is having problems with Vista, for the obvious reasons (writing to program files, and other things that are no longer allowed by default).
Where should I store application data or user's saved files?
Do I need priviledges to create folders and files, there, too?
What other common actions will cause problems?
The program has an updater which must download and register files, how do I elevate priviledges when this occurs?
Some of these questions have obvious answers, but I want to get the obvious stuff right.
Depending upon what you are doing, you might be in for a world of pain. There are no hard and fast answers to any of those questions, but from someone who is going through the same issues right now, here's what I know.
1) Where should I store application data or user's saved files?
This depends on what you are wanting to do. If you want them per user, store them in Users/AppData, if you want them for all users, store them in Common/AppData
If SHGetFolderPath(0, CSIDL_COMMON_APPDATA, -1, SHGFP_TYPE_CURRENT, sTempPath) = 0 Then
sCommonAppdata = Left$(sTempPath, InStr(1, sTempPath, Chr(0)) - 1) & "CompanyName\AppName"
End If
Change that to CSIDL_APPDATA for the Users AppData directory. Note: These map to totally different places on the filesystem for XP and Vista so when you are debugging prepare to look in different places.
2) Do I need priviledges to create folders and files, there, too?
You need Adminsitrator access to write anything in Program Files, if at all possible don't do it! We are currently running into issues that the API's for VB and the standard API's behave differently on files in Program Files.
3) What other common actions will cause problems?
There are lots of hidden gotchas. Just to name a few, you cannot communicate through IPC or Named Pipes to other applications (we have a Service that we were talking to through a Tray Notification Icon and that had to be completely re-written). Anything were you see a UAC notification is very difficult. Also you cannot write to anything in the Registry in LOCAL_MACHINE without Administrator, so you either have to stick to LOCAL_USER or raise credentials (see below).
4) The program has an updater which must download and register files, how do I elevate priviledges (sic) when this occurs?
Good luck with this, I highly recommend that you don't write it in VB6, like I said, the VB6 file api's appear to access files differently from the standard API's. If you need to elevate privileges see this post that someone kindly helped me with.
In the sort term turning off UAC and installing the ActiveX installer server will help. Long term you need to put data and configuration information in the users directory under \users or in \programdata.
In the short run it might not be necessary at all to modify your application, because
Vista comes with a set of compatibility options to allow legacy applications to run. This includes file and registry virtualization, a feature which basically redirects write operations to protected folders such as C:\Program Files to a virtual location only visible for the specific application running in a compatibility mode.
Some more details are mentioned in this article: How To Manage Windows Vista Application Compatibility in Dr. Dobb's.
Karl Peterson wrote a nice article on where to store user data & app data, with a VB6 class that retrieves the location of the special paths for you.
I have a vb6 application. I am unable to carry out the following on a Windows Vista machine:
Register a .DLL from the Users directory
Start another .EXE
Write to a file in the Users directory.
How can I overcome these issues?
This is by design. Software is supposed to require admin rights for installation (including update/upgrades). You got away with it in XP because so many people ran as administrator. If you're registering a dll after installation, you're doing something wrong.
You should be able to do this without issue, but only with the same rights as the user that the current app is running under. What is this exe trying to do, and would a standard user normally have those permissions?
What specific folder in the user's directory? Again: a user should have write access to most of the their own profile, but not necessarily as much outside of that as you think.
You have access to write to the c:\users\ directory. Going to another users directory is a bit of a security problem that you're not going to work around.
As far as registering an assembly from a users directory... There is a directory under c:\users\\AppData\Local\assembly which you should have access to for temporary assemblies
Starting another exe is trivial... As long as it's installed in the normal \program files.. path.
It really sounds like maybe you need to reevaluate how your application works.
Some suggestions:
Move to Reg-Free COM where it can handle things (i.e. not for ActiveX EXEs, DCOM).
We'd need more information. This should be no problem unless there are permissions issues.
Users are not supposed to be creating files outside of their own profiles, CommonAppData, and application-defined locations (often on non-system drives). More information is required to give any really useful answer.