I installed my application in Windows 7 and as part of the installation, it installs some text files. Now, if I open the text file in notepad and try to save it, I get an "Access denied" error. I'm logged in as administrator on the machine and the file is not marked read only and security permissions seem to be fine.
However, I could delete or rename the file without any problem and I could create a new file with the same name/location using notepad and the save works fine.
I understand it has something to do with UAC. I'm wondering what UAC does in order to block access to the file. Our application is not installed in Program files folder as I believe UAC restrict any changes to files in Program Files folder
Can anyone throw light on what is going on.
regards
G
With UAC, just because you're logged in as a user with administrator privileges does not mean a program actually runs with them. The program has to either request privilege elevation (which gives the "Do you want to allow this program to _____" UAC pop-up) or explicitly be run as administrator (right-click on the program/shortcut and choose Run as Administrator).
By default most areas of the drive outside of the standard "user files" (a.k.a. My Documents & co.) are restricted to administrator-only access, but the folder permissions can be changed to add access for a particular user if desired.
You will find that saving files almost anywhere except the "my documents" area for the user will be restricted, this includes saving to other drives on the system etc.
If you check the permissions for the directory you are trying to write to, all you have to do is expressely give the user permission. Otherwise only the admins have permission, which requires UAC approval from the user to get the admin token.
You normally get "Access Denied" error when the file is in use. UAC could not be an issue here. Check out if the file is in use by anyother process.
You can use tools like Process Explorer from sysinternals to do that.
You have to right click the file and select properties. THen open the security tab and you can see different accounts with differet privelages. Click USERS and it should highlight. The box under it should have a bunch of check marks that indicate what this user can do. Click Full Control. Apply and Okay. Then you can save!!!
Related
After installing XAMPP to Windows 10 (all default/recommended installation attributes), I now have an issue changing its configuration after opening it.
Error: Cannot create file "C:\xampp\xampp-control.ini".
Access is denied
Clicking Save to a change in Configuration of Control Panel:
This "Configuration of Control Panel" box opens after clicking the "Config" button at the top right of the running XAMPP app:
I've tried a suggestion to run the XAMPP app with Administrator (elevated) access… but that seems like a major security issue, considering I don't know exactly what XAMPP would or could do with my files that require that permission, whether intended by the people who run XAMPP or not.
I've tried re-installing to another folder, like to C:\Users\Me, or a sub-folder like Documents or a custom one, but I just got different permissions issues that I struggled to figure out.
If you know a solution that worked for you, that avoided running XAMPP with Admin privileges, please let me know. I've gone through a handful of seemingly-related questions here but they seem to be related to MySQL/PHP questions and not Windows file system permissions.
I found a solution after noticing that the file already existed from apparently a past workaround I tried with running XAMPP as Admin... based on the permissions of the file being different than its parent folder. I discovered this by right-clicking the xampp folder or the xampp-control.ini file then selecting Properties and clicking the Security tab, then clicking into each attached user account's permissions.
So, my C:\xampp folder has these permissions: for Admin, basically full access; for my user account, Read, Execute, and Write.
The xampp-control.ini file has only Admin permissions; my user account is not attached to it.
Adding my user account to the xampp-control.ini file's Security, and adding Write permission then allowed XAMPP's config panel to save my changes.
Note that I typed my username into the "Enter the object names to select" box, then clicked Check Names; this auto-populated my username reference (?), though I'm not sure how it would work if it finds multiple results. Then I could click OK to get back to the Permissions box to add "Modify" and "Write" for it. I'm completely OK giving my user account permission to modify and write to this file through the XAMPP app.
Now, that fixes that file for that scenario; now I'm wondering if there will be other permissions issues with other files, because I noticed some other files (that I checked randomly) don't all share the same permissions for my user account!
Maybe I should have instead modified the xampp folder's permissions recursively to give my user account Write and/or Modify access (I'm not sure of the difference, Windows permissions seem far more complicated to understand and use than Linux's and Mac's do).
I think the file permissions were all set by XAMPP during install; I don't know yet that expanding permissions on certain files will not create new problems...
I found a solution after noticing that error, here is my solution
go to xampp installation folder on the c drive
Xampp Destination
then find xammp control panel.exe
Xampp Control Panel
then right click and go to properties(or press ALT+ENTER)
Click Properties
then go to compatibility and enable Run this program as an administrator
Compatibility tab
Your Problem is now fixed
Apologies if this is a really simple question...
We have a .NET application that is installed by an administrator, and then run by multiple staff on the same computer with their own login credentials (normal user - non-admin).
Application uses MSI installer and is installed to Program Files folder.
The application needs to have some settings about attached devices to the computer saved as preferences so when a user opens the app these settings are set and the user is not asked for preferences each time. These preferences should not be set per user, rather per computer.
However if user A changes one of these settings on the computer, then when user B logs in they should see the changed setting from user A.
Hence the settings need to be per computer, not per user.
Where in windows 7,8,10 etc. can an application save data that is computer specific not user specific, yet allow users without admin rights to change that data?
We have looked at system temp folder but the computers have GPO policy to regularly remove temp folder content.
Any other ideas?
It takes administrator rights to change the permissions on a registry key inside HKLM, but once that's done, anyone in the group given permission can make modifications.
Obviously don't change permissions on any of the standard keys (e.g. HKLM\Software or HKLM\Classes) but in your own application area (HKLM\Software\YouCorp\YouApp\Attached Devices) it's perfectly fine to adjust permissions the way you like.
You'll just have to include "grant write permission on HKLM\Software\YouCorp\YouApp\Attached Devices to the group Users" as one of the actions of your installer.
If you are allergic to the registry, you can do the same with a subdirectory of your application install (e.g. %ProgramFiles%\YouCorp\YouApp\Device Settings)
Given you are using a .Net application, you could store the information in the app.config file associated with the application.
In matlab, I used a windows standalone application. There is a line in this application that writes a file in C:\...\...\. When I run the output exe file produced from this windows standalone application, the exe doesn't write in C:\...\...\ neither tells me that there is a security issues in that partition. All the execution does is nothing. But, when I right-click and run the exe as administrator, it runs correctly.
I want to do it without right-click and run as administrator. Are there is a command in matlab that can do that?
If you create a shortcut to your application, you can go to the Properties of the shortcut, click on Advanced in the Shortcut tab, and select "Run as administrator". That way, whenever you start the application from the shortcut it will be run as an administrator.
(Disclaimer: applications really shouldn't "foul their own nest" by writing into Program Files. This is bad design.)
Starting from Vista, unprivileged processes are not allowed to write to protected folders such as Program Files, because Program Files is designed to store code and not data. However, since this limitation has not been enforced in XP, MS has provided a backward-compatibility hack in the form of Virtual Store. Now, when a program tries to write to protected folder, its output is being redirected into a dedicated folder. This way, the program still "thinks" it writes to its usual location, while in fact it writes to an unprotected location. However, when you later check the Program Files location, you might not see the file - because it's not really there.
You can find more details here: User Account Control Data Redirection.
If you are administrator, add full control permission for your username to the destination folder. You do that by right clicking on the folder, going to properties and then security tab. Then edit and add you username with Full Control rights. Then you don;t have to run the the program as an administrator.
There is no way you can elevate a process once it is started, so Matlab cannot possibly have a command for that. Just running Matlab elevated.
I have an addin program that works with MS Word (version 2007). It is located in the C:\Program Files location. I installed Windows 7 and then went to make a routine change to my files in this location and it would only bring up a read only file. How can I grant myself permission to write to my own program? I cannot change this location or use any other workaround. I have this product out to 25 different companies and I can't change the programming to work from any other location. Thanks
You could also embed a manifest in your EXE that makes your program require adminrights on Windows 7 / Vista.
On Windows Vista, UAC means that users run without admin rights and don't have write access to the program files directories.
The correct solution is to write to a folder for which standard users do have write permissions.
The solution you are looking for is to make your app's folder within program files writeable to all users. You can do this by adding a DACL when installing. It is extremely bad practice to allow standard users to write inside the program files directory and I urge you instead to re-code your app so that it does not need to write there.
Assuming you're doing this as part of modifying the config (and not when your application is running for regular users)...
Your user account probably doesn't have the correct permissions to write/modify the file. Assuming your account is an administrator account, right-click the file, select "Properties". Click the "Security" tab. Click edit and give your user account Full Control.
If you can't do this, it's probably because the ownership of the file doesn't allow you. If this is the case, click on "Advanced", go to the "Owner" tab, and click "Edit".
However, if it needs these permissions when it's running, you should instead be using the %AppData% folder.
i am using Vista . I designed MSi file through Visual Studio 2008 Setup and deployment project in which I added one custom action. In the custom action, I am opening OpenFile dialog. This Open File dialog is not showing mapped drive or network locations. so how can i make the open file dialog to mapthe network drives.
This is a known problem with Vista User Account Control. When your installation program is started, the non-admin session of the user is elevated to an admin session. The problem is: Network drives mapped in the non-admin session of the user do not automatically carry over to the admin session.
Unfortunately, there is not much you can do about it. (You can start an elevated command prompt prior to starting your setup project and manually net use the drive letters there, but I guess that's not something you can expect your customers to do.)
Related question: Preserve mapped drive letter information during UAC elevation