I have code that uses Win API function RegSaveKeyEx to save registry entries to a file. However, RegSaveKeyEx returns ERROR_PRIVILEGE_NOT_HELD when run on Win Vista or Win 7. The code enables security privilege SE_BACKUP_NAME using code Microsoft provides in example function SetPrivilege.
Everything works fine on Win XP (admin user) or if I disable UAC on Win Vista or Win 7. Is it not possible to use RegSaveKeyEx on Vista without elevating the process?
Standard users do not have SE_BACKUP_NAME privilege, so no, RegSaveKeyEx will not work on Vista without elevation.
Backup is one of the very "dangerous" privileges - it enables you to basically read anything on disk regardless of ACL's.
You could give permission the specific user (or group) by going to the following ...
Control Panel->
Administrative Tools->
Local Security Policy->
Local Policies->
User Rights Assignment-> Back up files and directories (SE_BACKUP_NAME)
... and adding the user (or group) you want. Or you could add the users to Backup Operators.
But, you should be cautious here. See great comment below by Michael.
Related
I need to programmatically create a new Windows account for running a Windows service I recently developed.
Due to lack of sufficient privileges I cannot use any of the existing service accounts (LocalService, NetworkService and LocalSystem), so I have to create my own account during installation of my service.
Unfortunately, I have no idea on how to accomplish this from code (C#). However, I know that the steps I have to go through include:
Create the account
Deny account log on via console
Grant log on as a service.
Add the account to the local administrators group on the PC
My service must install and run on all Windows PC operating systems ranging from Windows XP SP3 and up.
Question: Which command line tools are available for this purpose (I can very well call those command line tools from code)?
Further, any relevant links, code snippets or scripts will be very much appreciated!
If you just want a single command you can probably do:
net user /ADD "newuser" "Pass phrase" /passwordchg:no
However I looked into 'grant logon as a service' in the past, and had to download an additional .exe from a Windows Server Resource Pack to do this. That may be a pain as you'll need to redistribute the .exe.
Unless someone suggests a better way which uses only built in .exes I'd try and do this with one of:
Powershell
VBscript
Calling DeleteIpForwardEntry() works perfectly well on Windows XP and Windows 7. On Windows Vista, however, it fails with ERROR_ACCESS_DENIED.
The documentation says that "the user lacks the required administrative privileges on the local computer or the application is not running in an enhanced shell as the built-in Administrator (RunAs administrator)."
Well, in my case the user is the Administrator on the local computer and the application is run on logon via SOFTWARE\Microsoft\Windows\CurrentVersion\Run so I can't really tell it to run in an "enhanced shell".
Is there a way to solve this "Catch 22" situation in Vista?
I don't understand why this would work on Windows 7. The docs indicate the failure will be the same.
On Windows Vista and later, the
DeleteIpForwardEntry function can only
be called by a user logged on as a
member of the Administrators group. If
DeleteIpForwardEntry is called by a
user that is not a member of the
Administrators group, the function
call will fail and ERROR_ACCESS_DENIED
is returned.
Also, your post indicates the logged on user is an Administrator. Is it possible that your Windows 7 and Windows Vista tests are for different users - on Windows 7 your test user is an admin, on Windows Vista machine the test user is not?
There's no way to work around this running the app in that way. Can you re-implement this as a Windows Service running in an admin account, which acts on interactive logon events on the machine to manipulate the IP configuration as needed?
I wonder if it's possible to programmaticaly share folders in Windows 7 while running in restricted logon session:
1) NetShareAdd returns ERROR_ACCESS_DENIED.
2) Command line net share says the same.
3) But explorer has no problems creating new shares without invoking UAC. How does it do that?
Any help will be greatly appreciated.
UAC in windows 7 is less strict than it was in Vista. Windows 7 regards Explorer as a trusted application so it will silently create the share without a UAC prompt (you can change this behavior in the Control Panel).
Your application isn't a trusted one (OK, you trust it, but the operating system does not). Probably you also don't explicitly demand administrator rights in your application. In that case Windows 7 treats your program as unprivileged and refuses access, that why the error message.
A solution could be adding a manifest to your program requesting an ExecutingLevel of requireAdministratior. See for example Demand UAC elevation for an application by adding a manifest. But then your whole application runs as administrator. There are some more granular solutions.
A GetPrivateProfileString() call works fine on Windows XP but fails with an Access Denied error when run on Vista.
The call is being made inside a thread spawned by a Windows service which I wrote. The Windows service itself is run using the credentials of a user account on the local machine (thought to be needed because the code requires access to HKCU).
I suspect this has something to do with the UAC or virtualization.
I would welcome any suggestions on how I can get this call to work on Vista, or on experiments I can run to help track down a solution.
Thanks
Parts of the Windows registry are locked down in Vista for security reasons.
For example if you are trying to access the HKEY_LOCAL_MACHINE this will fail for a user with out the correct privileges.
If you give the user a sufficient privilege level they will be able to access the registry but the recommended approach is to move the registry settings to the HKEY_CURRENT_USER branch of the registry, since this is not locked and is accessible by all users.
The following question answers how to get large memory pages on Windows :
"how do i run my app with large pages in windows".
The problem I'm trying to solve is how do I configure it on Vista and 2008 Server.
Normally you just allow a specific user to lock pages in memory and you are done. However on Vista and 2008 this only works if you are using an Administrator account. It doesn't help if the user is actually part of the Administrators group. All other users always get a 1300 error code stating that some rights are missing.
Anyone have a clue as to what else needs to be configured?
Thanks,
Staffan
On Vista and Windows 2008, you're getting bitten by UAC. People in the Administrators group have a restricted token, which doesn't contain all of their privileges. The UAC elevation prompt is used to turn on the extra privileges.
I'm assuming that the "lock pages in memory" privilege is one of the extras.
The real "Administrator" account isn't subject to UAC.
You need to run your program elevated, which means running it from an elevated command prompt, or setting it up with a manifest that states "requireAdministrator".
http://support.microsoft.com/default.aspx?scid=kb;EN-US;918483
Walks through the user rights required to pin pages