A GetPrivateProfileString() call works fine on Windows XP but fails with an Access Denied error when run on Vista.
The call is being made inside a thread spawned by a Windows service which I wrote. The Windows service itself is run using the credentials of a user account on the local machine (thought to be needed because the code requires access to HKCU).
I suspect this has something to do with the UAC or virtualization.
I would welcome any suggestions on how I can get this call to work on Vista, or on experiments I can run to help track down a solution.
Thanks
Parts of the Windows registry are locked down in Vista for security reasons.
For example if you are trying to access the HKEY_LOCAL_MACHINE this will fail for a user with out the correct privileges.
If you give the user a sufficient privilege level they will be able to access the registry but the recommended approach is to move the registry settings to the HKEY_CURRENT_USER branch of the registry, since this is not locked and is accessible by all users.
Related
I need to programmatically create a new Windows account for running a Windows service I recently developed.
Due to lack of sufficient privileges I cannot use any of the existing service accounts (LocalService, NetworkService and LocalSystem), so I have to create my own account during installation of my service.
Unfortunately, I have no idea on how to accomplish this from code (C#). However, I know that the steps I have to go through include:
Create the account
Deny account log on via console
Grant log on as a service.
Add the account to the local administrators group on the PC
My service must install and run on all Windows PC operating systems ranging from Windows XP SP3 and up.
Question: Which command line tools are available for this purpose (I can very well call those command line tools from code)?
Further, any relevant links, code snippets or scripts will be very much appreciated!
If you just want a single command you can probably do:
net user /ADD "newuser" "Pass phrase" /passwordchg:no
However I looked into 'grant logon as a service' in the past, and had to download an additional .exe from a Windows Server Resource Pack to do this. That may be a pain as you'll need to redistribute the .exe.
Unless someone suggests a better way which uses only built in .exes I'd try and do this with one of:
Powershell
VBscript
Calling DeleteIpForwardEntry() works perfectly well on Windows XP and Windows 7. On Windows Vista, however, it fails with ERROR_ACCESS_DENIED.
The documentation says that "the user lacks the required administrative privileges on the local computer or the application is not running in an enhanced shell as the built-in Administrator (RunAs administrator)."
Well, in my case the user is the Administrator on the local computer and the application is run on logon via SOFTWARE\Microsoft\Windows\CurrentVersion\Run so I can't really tell it to run in an "enhanced shell".
Is there a way to solve this "Catch 22" situation in Vista?
I don't understand why this would work on Windows 7. The docs indicate the failure will be the same.
On Windows Vista and later, the
DeleteIpForwardEntry function can only
be called by a user logged on as a
member of the Administrators group. If
DeleteIpForwardEntry is called by a
user that is not a member of the
Administrators group, the function
call will fail and ERROR_ACCESS_DENIED
is returned.
Also, your post indicates the logged on user is an Administrator. Is it possible that your Windows 7 and Windows Vista tests are for different users - on Windows 7 your test user is an admin, on Windows Vista machine the test user is not?
There's no way to work around this running the app in that way. Can you re-implement this as a Windows Service running in an admin account, which acts on interactive logon events on the machine to manipulate the IP configuration as needed?
We have an application that programmatically maps network drives. On Vista with UAC on, we get some strange issues.
Our application maps the drive non-elevated, so if the user browses explorer and double clicks to run an exe, it prompts for UAC. So when they approve it, it prompts for a username/password for the share... Strange since the credentials are saved.
It turns out, an elevated process cannot access a mapped drive that was mapped from a non-elevated process.
To see this issue in action, do the following steps:
Run cmd.exe with no UAC
Run "net use w: \yourHostname\yourShare /user:yourUser yourPassword /persistent:yes"
Run cmd.exe as Administrator
Type "w:", and see the error message
At this point you can run plain "net use" and see the connection on the elevated cmd is Unavailable but the other non-elevated cmd sees it as OK.
Does anyone know a workaround to fix this issue? or maybe a way to map a network drive to "All Users"?
This is by design.
Even though the user account is the same, with the elevated version having a token with membership in the administrator group and addition privileges, the tokens are created independently and thus have different LUID's and appear to the kernel to be from different user logons. Since they are from different logons, mapped drives are not shared between them.
http://blogs.msdn.com/cjacks/archive/2007/02/19/mapped-network-drives-with-uac-on-windows-vista.aspx discusses this in additional detail.
Check out this link: Regedit Link
They describe a registry key that allows elevated users to access mapped drives and vice versa. This solves all my issues and was exactly what I was looking for.
EDIT:
The original link is dead, but here's the text as copied from the Jan 24, 2009 snapshot at www.archive.org:
If you are finding that you don't have access to mapped drives from your admin token try the following. When running as a protected admin you have two tokens and this key will maintain the connection for both tokes (that is my understanding anyway). It can also help to clear up issues with Login scripts.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections =(dword)1
Also of use is the "'Group Policy Scripts can fail due to User Account Control" section of this doc.
http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true
I will be posting more information on this soon.
I have code that uses Win API function RegSaveKeyEx to save registry entries to a file. However, RegSaveKeyEx returns ERROR_PRIVILEGE_NOT_HELD when run on Win Vista or Win 7. The code enables security privilege SE_BACKUP_NAME using code Microsoft provides in example function SetPrivilege.
Everything works fine on Win XP (admin user) or if I disable UAC on Win Vista or Win 7. Is it not possible to use RegSaveKeyEx on Vista without elevating the process?
Standard users do not have SE_BACKUP_NAME privilege, so no, RegSaveKeyEx will not work on Vista without elevation.
Backup is one of the very "dangerous" privileges - it enables you to basically read anything on disk regardless of ACL's.
You could give permission the specific user (or group) by going to the following ...
Control Panel->
Administrative Tools->
Local Security Policy->
Local Policies->
User Rights Assignment-> Back up files and directories (SE_BACKUP_NAME)
... and adding the user (or group) you want. Or you could add the users to Backup Operators.
But, you should be cautious here. See great comment below by Michael.
I wonder if it's possible to programmaticaly share folders in Windows 7 while running in restricted logon session:
1) NetShareAdd returns ERROR_ACCESS_DENIED.
2) Command line net share says the same.
3) But explorer has no problems creating new shares without invoking UAC. How does it do that?
Any help will be greatly appreciated.
UAC in windows 7 is less strict than it was in Vista. Windows 7 regards Explorer as a trusted application so it will silently create the share without a UAC prompt (you can change this behavior in the Control Panel).
Your application isn't a trusted one (OK, you trust it, but the operating system does not). Probably you also don't explicitly demand administrator rights in your application. In that case Windows 7 treats your program as unprivileged and refuses access, that why the error message.
A solution could be adding a manifest to your program requesting an ExecutingLevel of requireAdministratior. See for example Demand UAC elevation for an application by adding a manifest. But then your whole application runs as administrator. There are some more granular solutions.