DeleteIpForwardEntry Access Denied on Vista - winapi

Calling DeleteIpForwardEntry() works perfectly well on Windows XP and Windows 7. On Windows Vista, however, it fails with ERROR_ACCESS_DENIED.
The documentation says that "the user lacks the required administrative privileges on the local computer or the application is not running in an enhanced shell as the built-in Administrator (RunAs administrator)."
Well, in my case the user is the Administrator on the local computer and the application is run on logon via SOFTWARE\Microsoft\Windows\CurrentVersion\Run so I can't really tell it to run in an "enhanced shell".
Is there a way to solve this "Catch 22" situation in Vista?

I don't understand why this would work on Windows 7. The docs indicate the failure will be the same.
"On Windows Vista and later, the DeleteIpForwardEntry function can only be called by a user logged on as a member of the Administrators group. If DeleteIpForwardEntry is called by a user that is not a member of the Administrators group, the function call will fail and ERROR_ACCESS_DENIED is returned."
Also, your post indicates the logged on user is an Administrator. Is it possible that your Windows 7 and Windows Vista tests are for different users - on Windows 7 your test user is an admin, on Windows Vista machine the test user is not?
There's no way to work around this running the app in that way. Can you re-implement this as a Windows Service running in an admin account, which acts on interactive logon events on the machine to manipulate the IP configuration as needed?
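To tell the two situations the answer raises apart (a user who is not an administrator versus an administrator whose process got the UAC-filtered token), the following PowerShell reports what the current token actually contains. It is an added diagnostic, not code from the original post or answer; the function name Get-TokenState is mine and it relies on the CSV columns that whoami /groups and whoami /priv emit.

```powershell
# Added example (not from the original post): inspect the current process token.
# A UAC-filtered token of an Administrators member still lists BUILTIN\Administrators,
# but marked "Group used for deny only", and lacks the admin-only privileges.
function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # Groups in the token with their attributes (columns: Group Name, Type, SID, Attributes).
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    # Privileges held by the token, enabled or not (columns: Privilege Name, Description, State).
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $hasPriv = { param($name) [bool]($privs | Where-Object { $_.'Privilege Name' -eq $name }) }

    [pscustomobject]@{
        User                     = $identity.Name
        # IsInRole is true only when the Administrators SID is enabled in the token,
        # i.e. the process runs with the full (elevated) token.
        IsElevated               = $principal.IsInRole($adminRole)
        AdminGroupInToken        = [bool]$admins
        AdminGroupDenyOnly       = [bool]($admins -and $admins.Attributes -match 'deny only')
        PrivilegeCount           = @($privs).Count
        HasSeBackupPrivilege     = & $hasPriv 'SeBackupPrivilege'
        HasSeLockMemoryPrivilege = & $hasPriv 'SeLockMemoryPrivilege'
    }
}

Get-TokenState | Format-List
```

Run it once from the Run-key context and once from an elevated prompt: the filtered token shows AdminGroupDenyOnly set and a much shorter privilege list, which is exactly what makes DeleteIpForwardEntry fail with ERROR_ACCESS_DENIED.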

Related

How to find out what permission an application needs under Windows 7

Is there a way to find out what privileges my application needs in order to run in a Windows 7 environment?
I have a Delphi application that is using BDE and ODBC for database connectivity. This application works on most computers with Windows 7 running on a normal user account. However on some computers it only works on accounts with administrative privileges and is not working correctly on normal user accounts. I suspect it's a permission problem. The computers also are running in Active Directory.
I tried to find some information using Process Monitor from SysInternals, however the output for me is too advanced. The process monitor log for two runs of my app (1. successful with administrative rights, 2. unsuccessful on normal rights) had over 22k lines and I could not find the answer (needle) in the process monitor log (haystack).
What could I do to determine the privileges that my app needs in Windows 7?
Use the Standard User Analyzer from the Microsoft Application Compatibility Toolkit.
"The Standard User Analyzer (SUA) tool and the Standard User Analyzer Wizard (SUA Wizard) both enable you to test your applications and to monitor API calls in order to detect potential compatibility issues due to the User Account Control (UAC) feature in the Windows® 7 operating system.
UAC, formerly known as Limited User Account (LUA), requires that all users (including members of the Administrator group) run as Standard Users, until the application is deliberately elevated, by using the security prompt dialog box. However, not all applications can run properly with the Standard User role, due to the application requiring access and privileges for locations that are unavailable to a Standard User."
Aaron Margosis has a tool called LUA Buglight that is designed to help track down issues related to privileges.
You can download the latest version from this blog post:
LUA Buglight 2.1.1 with support for Win7/2008R2 SP1
It is similar in concept to the MS Application Verifier. However, in practice I found LUA Buglight much easier to use and understand. Same with ProcessMonitor. It will monitor your process in a similar way but only report actions that failed as a normal user but succeeded as an admin user.
There is no documentation but it is simple to use. From the main GUI window select your Exe and let the BugLight program launch it. You need to be running in an Admin account with UAC enabled. Run your program through the steps that fail when you are not an admin. When you are done click on the Stop Logging button to see a report that lists what calls would have failed without admin rights.
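The "failed as a normal user but succeeded as admin" comparison that LUA Buglight performs can also be approximated over the two Process Monitor logs the question already has. The PowerShell below is an added example, not part of any answer; Compare-ProcmonRuns is my name, the process name is a placeholder, and it assumes the logs were saved as CSV with Procmon's default columns (Process Name, Operation, Path, Result).

```powershell
# Added example (not from the original post): reduce two Procmon CSV exports to
# the operations that were ACCESS DENIED for the standard user but succeeded
# for the admin run on the same path. Column names follow Procmon's CSV export.
function Compare-ProcmonRuns {
    param(
        [Parameter(Mandatory)] [string]$AdminCsv,
        [Parameter(Mandatory)] [string]$UserCsv,
        [string]$ProcessName = 'MyApp.exe'      # constructed placeholder, use your exe name
    )
    $admin = Import-Csv $AdminCsv | Where-Object { $_.'Process Name' -eq $ProcessName }
    $user  = Import-Csv $UserCsv  | Where-Object { $_.'Process Name' -eq $ProcessName }

    # Index everything the admin run did successfully, keyed by operation + path,
    # so that unrelated failures (missing files, etc.) drop out of the comparison.
    $okAsAdmin = @{}
    foreach ($row in $admin) {
        if ($row.Result -eq 'SUCCESS') {
            $okAsAdmin["$($row.Operation)|$($row.Path)"] = $true
        }
    }

    # Keep only the standard-user denials whose counterpart succeeded as admin.
    $user |
        Where-Object { $_.Result -eq 'ACCESS DENIED' } |
        Where-Object { $okAsAdmin.ContainsKey("$($_.Operation)|$($_.Path)") } |
        Select-Object Operation, Path, Result -Unique
}

# Usage with the two exports (File > Save..., CSV format) from the question:
# Compare-ProcmonRuns -AdminCsv .\run-admin.csv -UserCsv .\run-user.csv -ProcessName 'MyApp.exe'
```

The surviving rows are the registry keys, files and objects for which the application needs rights a standard user lacks, which is usually a short enough list to read by hand.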

RegSaveKeyEx Requires Elevation?

I have code that uses Win API function RegSaveKeyEx to save registry entries to a file. However, RegSaveKeyEx returns ERROR_PRIVILEGE_NOT_HELD when run on Win Vista or Win 7. The code enables security privilege SE_BACKUP_NAME using code Microsoft provides in example function SetPrivilege.
Everything works fine on Win XP (admin user) or if I disable UAC on Win Vista or Win 7. Is it not possible to use RegSaveKeyEx on Vista without elevating the process?
Standard users do not have SE_BACKUP_NAME privilege, so no, RegSaveKeyEx will not work on Vista without elevation.
Backup is one of the very "dangerous" privileges - it enables you to basically read anything on disk regardless of ACL's.
You could give permission to the specific user (or group) by going to the following ...
Control Panel->
Administrative Tools->
Local Security Policy->
Local Policies->
User Rights Assignment-> Back up files and directories (SE_BACKUP_NAME)
... and adding the user (or group) you want. Or you could add the users to Backup Operators.
But, you should be cautious here. See great comment below by Michael.
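Because SeBackupPrivilege bypasses file ACLs, it is worth knowing exactly who holds it before (and after) changing the assignment described above. The PowerShell below is an added example, not code from the answer; Get-BackupPrivilegeHolders is my name, and it reads the same "Back up files and directories" assignment from the local security policy that the GUI path edits. It needs an elevated prompt because secedit /export requires administrator rights.

```powershell
# Added example (not from the original post): list the accounts that hold
# SeBackupPrivilege in the local security policy (User Rights Assignment).
function Get-BackupPrivilegeHolders {
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    # secedit writes the policy as an INF; the [Privilege Rights] section holds lines such as
    #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeBackupPrivilege\s*=' }
        if (-not $line) { return @() }      # right assigned to nobody

        $sids = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }

        foreach ($sid in $sids) {
            # Translate well-known SIDs (Administrators, Backup Operators) and
            # user/group SIDs to names; fall back to the raw SID if that fails.
            $account = $sid
            try {
                $account = ([Security.Principal.SecurityIdentifier]$sid).
                    Translate([Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{ SID = $sid; Account = $account }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

Get-BackupPrivilegeHolders | Format-Table -AutoSize
```

By default only BUILTIN\Administrators and BUILTIN\Backup Operators appear; any extra user or group in the output has effective read access to every file on the machine regardless of its ACL.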

Windows 7 folder sharing API

I wonder if it's possible to programmatically share folders in Windows 7 while running in a restricted logon session:
1) NetShareAdd returns ERROR_ACCESS_DENIED.
2) Command line net share says the same.
3) But explorer has no problems creating new shares without invoking UAC. How does it do that?
Any help will be greatly appreciated.
UAC in windows 7 is less strict than it was in Vista. Windows 7 regards Explorer as a trusted application so it will silently create the share without a UAC prompt (you can change this behavior in the Control Panel).
Your application isn't a trusted one (OK, you trust it, but the operating system does not). Probably you also don't explicitly demand administrator rights in your application. In that case Windows 7 treats your program as unprivileged and refuses access, that's why the error message.
A solution could be adding a manifest to your program requesting an ExecutingLevel of requireAdministrator. See for example Demand UAC elevation for an application by adding a manifest. But then your whole application runs as administrator. There are some more granular solutions.

GetPrivateProfileString() Gives Access Denied Error on Vista

A GetPrivateProfileString() call works fine on Windows XP but fails with an Access Denied error when run on Vista.
The call is being made inside a thread spawned by a Windows service which I wrote. The Windows service itself is run using the credentials of a user account on the local machine (thought to be needed because the code requires access to HKCU).
I suspect this has something to do with the UAC or virtualization.
I would welcome any suggestions on how I can get this call to work on Vista, or on experiments I can run to help track down a solution.
Thanks
Parts of the Windows registry are locked down in Vista for security reasons.
For example if you are trying to access HKEY_LOCAL_MACHINE this will fail for a user without the correct privileges.
If you give the user a sufficient privilege level they will be able to access the registry but the recommended approach is to move the registry settings to the HKEY_CURRENT_USER branch of the registry, since this is not locked and is accessible by all users.

Using Lock pages in memory without being Administrator on Windows Vista and 2008 Server

The following question answers how to get large memory pages on Windows :
"how do i run my app with large pages in windows".
The problem I'm trying to solve is how do I configure it on Vista and 2008 Server.
Normally you just allow a specific user to lock pages in memory and you are done. However on Vista and 2008 this only works if you are using an Administrator account. It doesn't help if the user is actually part of the Administrators group. All other users always get a 1300 error code stating that some rights are missing.
Anyone have a clue as to what else needs to be configured?
Thanks,
Staffan
On Vista and Windows 2008, you're getting bitten by UAC. People in the Administrators group have a restricted token, which doesn't contain all of their privileges. The UAC elevation prompt is used to turn on the extra privileges.
I'm assuming that the "lock pages in memory" privilege is one of the extras.
The real "Administrator" account isn't subject to UAC.
You need to run your program elevated, which means running it from an elevated command prompt, or setting it up with a manifest that states "requireAdministrator".
http://support.microsoft.com/default.aspx?scid=kb;EN-US;918483
Walks through the user rights required to pin pages