I'm considering using shims to get around a game demanding Admin privileges (I tried editing the embedded "requestedExecutionLevel" tag with Resource Hacker and using .manifest files, but discovered the launcher software always downloads a new version of itself before running, thereby overwriting "asInvoker" with "requireAdministrator"). If I write protect the exe it exits with an error.
I understand that the shim required to spoof Admin privileges will probably add no appreciable overhead in itself; but MicroSoft's Application Compatibility Toolkit (ACT) that you need to install to enable shims uses a database to keep track of which application requires which shim. I'm sure this could be done with little overhead; but having seen MS' (and other corporates') past bloatware, I'm concerned my entire system will be slowed down if I install it.
Does anyone have DIRECT experience of installing ACT and KNOWS whether it slows the system down generally?
I've discovered you can add RUNASINVOKER as the value of a STRING key given the name of the application's full path here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
and it will do the job without you having to install Microsoft's ACT package.
Example: if you had an application called Smeagol.exe in the directory c:\LordOfTheRings, then create a STRING key called:
c:\LordOfTheRings\Smeagol.exe
in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
and give it the value of
^ RUNASINVOKER
and it will run without requesting Admin privileges.
Related
Hello a few days ago I wanted to rename "ProcessorName" in
HKEY_LOCAL_MACHINE \ HARDWARE \ DESCRIPTION \ System \ CentralProcessor \ 0.
I succeeded, but every time the system was rebooted, windows reverted the changes I made.
With SubACL, I changed the owner of the registry keys to the administrator group, but it still didn't work.
I also tried to put a .reg file to
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
But I dont want this, as I'm creating a program that allows renaming your CPU name.
I guess if I make this key is "read only", the system cannot change it, it just reads it.
How can I make that happen with cmd, powershell, etc. (without opening regedit)?
I don't think you can ever get a change to survive a reboot by design. As far as I'm aware, HKLM\HARDWARE is volatile data. My understanding is that the entire key is deleted and recreated at each boot by ntdetect.com scanning the system for hardware. So I don't believe that it's going to matter if you make it read only.
Even if my understanding above is incorrect, ntdetect.com is run by the NT bootloader (NTLDR) before execution has been passed off to the NT kernel (ntoskrnl.exe). Hardware detection runs before the NT kernel has loaded because the kernel needs the list of installed hardware before it can load. I would be surprised if it would respect a write-deny ACLs. I think this is before the security system is even available.
All I can think you could do would be to create a script or program that executes at startup or login to rename the value, but I guess I don't see the purpose in that.
I am a web developer, and for some upcoming projects I would like to use a file-based CMS. This means that many of the files I create at the start must be editable by the PHP user later, but also remain editable for my user (and also the other way around). My PC runs Debian 9, which I love but am not super knowledgeable about, and I have also just set up a local network server with Debian 9 for backups and possibly file sharing. (I'm using Webmin to configure this, which reflects my level of command line skills).
On my online shared hosting server, the PHP user and the FTP user seem to be the same, and 644/755 permissions work fine, this is also recommended by the CMS I'm using. I would like to mimic this on my computer so I don't have to fiddle with permissions all the time. But how do I do this? Currently, my regular user (anna) does not have access to www-data's files and vice versa. Putting them in the same group still means changing file permissions. Making anna the PHP user is a Bad Idea (as far as I understand it) because anna has sudo permissions.
So far I have researched three possible solutions that I don't really know very much about, and I would like to know which is the best route to take.
Develop locally on my computer and use apache-mpm-itk or suPHP to let PHP edit the files (I got that idea from this question on ServerFault).
Develop locally on my computer and rsync the files to my server with grunt-rsync, and somehow get rsync to set the ownership to www-data (another ServerFault thread helping here).
Mount the project's server directory, which is owned by www-data, on my computer with SSHFS and then either edit the files on the server directly or copy them over from my local directory with grunt-copy.
What do you think: from a security and ease of use perspective, which is the best way? Or do you know an even better one?
Thank you for taking the time to read and think about this!
Anna~
I figured it out! I finally ended up reading about running PHP as CGI instead of as an Apache module, and that this would solve my permissions problem. Plus, as far as I understand it, there are no extra security precautions to take when I'm the only one working with it on my local computer.
In case someone comes across this who might find it helpful, here's what I did (basically following these instructions):
I installed php7.0-fpm
Edited /etc/apache2/sites-enabled/000-default.conf and put the following just before </VirtualHost>:
DirectoryIndex index.php
<LocationMatch "^(.*\.php)$">
ProxyPass fcgi://127.0.0.1:9000/var/www/html
</LocationMatch>
I activated the Apache module proxy_fcgi (via Webmin, which apparently does an automatic Apache restart)
In /etc/php/7.0/fpm/pool.d/www.conf I commented out a listen line and put another below like this:
; listen = /run/php/php7.0-fpm.sock
listen = 127.0.0.1:9000
I then restarted PHP-FPM with this command: /etc/init.d/php7.0-fpm restart (a little different from the instructions, I'm on Debian 9). After that, phpinfo() gave me the Server API "FPM/FastCGI".
And finally, I changed the user and group from www-data to anna in three places, twice in /etc/php/7.0/fpm/pool.d/www.conf and then once more in /usr/lib/tmpfiles.d/php7.0-fpm.conf (this last bit may be Ubuntu/Debian specific, my thanks go to Keith for a comment on StackExchange).
And that was it! :-)
I'm relatively new to chef and am in the process of using the edelight mongodb cookbook. I've got the process of actually creating a standalong mongodb instance working fine. It's understanding how to use the subsequent user_management recipe to create the initial admin user and regular users.
When I add "default['mongodb']['config']['auth'] = true" to the attributes/default.rb file, and run the mongodb::default recipe, the db is created and authentication is on.
However when I run the mongodb::user_management recipe I get this error every time. Clearly I'm doing something wrong, but being new to editing chef/ruby files I can't determine what's failing. Looks like I might need to work within the users.rb attribute file?
===================================================
Error executing action add on resource 'mongodb_user[admin]'
NameError
uninitialized constant Mongo::MongoClient
The edelight cookbook has been unmaintained for quite some time now. Chef-Brigade is attempting to take over maintenance on the cookbook until a new owner can be found.
https://github.com/chef-brigade/mongodb-cookbook
There is work being implemented to fix some of the user_management issues. I am not 100% sure the current state of the user_management fixes but you would likely be better off starting with that cookbook and reporting any issues to the team there so they can work to resolve. There is active development taking place.
I would be glad to help you debug the issue if it persists on the chef-brigade flavor of the cookbook as we can actively make changes to resolve any issues.
I'm in the process of developing a deployment system for a new web app and I'm wondering where the best point in the process to manage database migrations is (the question of how to do the migrations is another problem entirely).
It seems there are two ways to go:
Use a migration script that can
either be run manually from command
line or as part of the automatic
deployment/build process
Run the migrations when the app
starts up (I'm using ASP.NET so this
can be done easily enough without
causing a long-running user request)
Does anyone have any suggestions/insight/experience with these approaches? Any other suggestions?
I can see why #1 might be more attractive - it gives me complete control over when the DB is updated. However, I quite like #2 as it allows me to quickly iterate between deployments and reduces the manual process. #2 could also be used on my development machine to allow even quicker iterations. Hmm, starting to think having both might be a good thing...
We have a sales-force system with ~100 client and we are updating database at application startup (True, our is a desktop application.) I like this approach, it's safe and iterative if we have indeterministic startpoint (is the client database new or only updated to verison x.y.z?).
But at serverside I'm preferr your #1 option: we create a SQL query file on our virtual machine (based on the copy of the original database) and runs this query against the real server.
So IMHO:
Disconnected clients: startup, iterative scripts
Server: query created on VM based on the actual and real database
So I'm interrested in this problem too, and find some (half)frameworks as RikMigrations. After some googling there is a good startplace about DB versioning/migration frameworks: .NET Database Migration Tool Roundup. Not neccessarely the documentation but the team blogs can be interresting.
I like option #1 better as it seems much more flexible. In lieu of actually performing migrations on each app start, I think I would verify that the database schema (version number?) matches the code, and if not, throw a warning or error about a mismatched database schema.
I'd prefer option #1 for a number of reasons. First, integration tests usually require your DB schema to be up-to-date, and launching a web-site to upgrade the schema will be a huge timewaster. Second, you cannot change database schema while your site is running (say, add a couple of indexes to speed things up).
As for production side of things, upgrading your database in transaction MSI-style installation is much better than attempting to upgrade at each app startup since you can potentially end up with desynchronized database-application versions.
And if you're looking for the migration framework, take a look at Wizardby.
If the application ever has to run on a customer's machine than migrating at startup can prevent a lot of support calls - assuming you can do seamless migration without user intervention (I hope you aren't normally running your web app with permission to modify the database).
If the application always runs under your control automatic migration is less of an issue - but still can be a good feature, especially if you want to minimize downtime and manual deployment steps.
We had an application that uses Process.GetProcessesByName() but it is failing only on one user PC with the following error:
Process performance counter is disabled
I searched the registry for the Disable Performance Counters entry but it was not present with the value set to 1.
The user env is XP with administrative rights.
I know that on Windows Server 2003, the user account needs to be a member of the Performance Counter Users Group in order to accomplish this.
Any ideas on how to enable Process performance counter?
Issues that can be responsible: .NET version isn't compatible , Performance Counters need to be enabled or permission problems
Quoted from MSDN
In .NET 1.0/1.1, the Process class relys on performance counters to provide performance information regarding local and remote processes.
.NET 2.0, this dependancy for local processes is no longer present.
This exception can be thrown for a couple of reasons:
Performance counters are disabled - The Windows Resource Kit contains a tool called the Extensible Counter List that can be used to enable/disable counters
The user doesn't have enough rights - non-admin users (I think) may not have enough permissions to access the performance counters.
If it's possible, install .NET > 2.0 and target the newer version
There is a tutorial which shows you how to use the Extensible Counter List to enable Performance Counters here
Open Performance Monitor by clicking Start > Run > Type in Perfmon and choose Ok.
Verify that the Process Monitor object exists, as illustrated in the screenshot posted above.
If the Process object exists, choose all of the Process objects counters and all instances, click Add, and then watch the graph.
Do they all run successfully?
If the counters are missing, then you will need to enable them.
Microsoft provides several KB articles to handle this situation. Begin by reading http://support.microsoft.com/default.aspx?kbid=300956
If the steps in this KB not work properly, and if your server is Microsoft Windows Server 2003, try the next step
Download and install the Windows Server 2003 Resource Kit on the Notification Server or Task Server
Open the Windows Server 2003 Resource Kit command prompt
Type in "exctrlst.exe" to bring up the Extensible Counter List as shown in the screenshot below and scroll down and enable performance counters