How to make "msiexec /x" shortcut ask for elevation on XP? - windows-xp

On XP (user account) when running this shortcut:
<Shortcut Id="UninstallStartMenuShortcut" Advertise="no"
Name="AppName" Description="Uninstalls AppName"
Target="[SystemFolder]msiexec.exe" Arguments="/x [ProductCode]"/>
I'm getting an error: "You must be an Administrator to remove this application. To remove this application, you can log on as an administrator, or contact your technical support group for assistance."
Why does this happen instead of asking for elevation with an admin password?
How can I avoid this stupid error?

"Elevation" doesn't exist in XP. LUA / UAC is a Vista and beyond concept.
You could create and install an EXE that is the target of the shortcut. This EXE could then determine if higher privileges are needed and ask for the username and password to run the uninstall as.

Only administrators can install (and uninstall) applications. Therefore it makes sense that the user doesn't have permission to uninstall the software previously installed by the administrator.

runas allows you to run programs as a different user.

Related

Delete Fido2 keys on Windows Hello for different account

I’ve recently been working on a project involving FIDO2.
While working on this project, I generated several FIDO2 keys on Windows Hello on my laptop (OS: Windows 10 Enterprise 22H2) using a non-admin account. I now have about 40. I’ve been looking for a way to delete them. The only way is apparently running this command from an elevated PowerShell:
certutil -csp NGC -key
certutil -csp NGC -delkey <name>
The problem with this is that the archive that contains the keys is user-specific, so when I use an elevated PowerShell, I don’t see the keys for my non-admin account. I only see them using my non-admin account (from a non-elevated PowerShell), but I can’t delete them from that account :).
I've been looking at this GitHub repo which gives a more simplified interface over that same certutil command. The problem is the same.
https://github.com/passwordless/webauthn-fido2-key-remover
I’m not sure how to get around this problem.
Any ideas would be appreciated.
Update 5 Dec 22:
Thanks to the comments, I learnt that there is an API for managing Fido2 keys in Windows, but it's available only for Windows 11, starting from version 22H2. Google Chrome uses this to manage Fido2 keys from the browser dev tools. This wasn't applicable for me though.
If you're on Windows 11 22H2 (the fall release), you can use Chrome 109 (chrome://settings/passkeys) to delete individual passkeys.
The solution I found was to ask for my non-admin account to be added to the Administrators group temporarily, just so I could run
certutil -csp NGC -delkey
from my account with admin privileges.
This allowed me to delete the Fido2 keys. I hope the Fido key management API is made available for Windows 10 too.

New-CimSession without elevation by providing admin credentials on Windows 10?

I need to query some WMI values using PowerShell from Windows 10 devices. The script is executed in the context of a non-admin user by some software distribution tooling.
There is a local admin account, and for the current purpose (retrieving information before wiping the system) it wouldn't be a problem to put the password in the script. As automation is a hard requirement, there is no way to deal with UAC windows or the user to enter some credentials.
Is there any way to get
$sess = New-CimSession -Credential $admincred
to work without running into Access is denied, because it isn't run in an elevated context? Can I somehow self-elevate it by just having the admin credentials?
[Edit]
The comments asked to provide more concrete information:
I want to onboard many unmanaged (i.e. no software distribution tool, no domain join) Windows 10 devices to Windows Autopilot.
The devices are not at a specific site.
The device vendor can't provide the information.
The users don't have administrative privileges
The users don't know the local admin password (I do)
Exposing the local admin password is less of a problem than the missing tech knowledge of the users (the password is considered legacy)
The firewall is preventing incoming traffic (no RDP, WinRM)
Code (Source):
$devDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")
It is too time consuming to get the information using manual remote sessions with a tool like Teamviewer. Getting the users to download a tool from the intranet and running it would be a way to go. So I created a standalone application that builds and runs a customized PowerShell script. What won't work is getting it to run in an elevated session. I always end up with Access denied.
Can I somehow self-elevate it by just having the admin credentials?
No you cannot. UAC is designed to prevent exactly what you are trying to do. Related Q&A:
elevate without prompt - verb runas start-process
UAC Getting in the Way of EXE Install Powershell
Powershell provide credentials for RunAs
There may be many workarounds, but they all will have in common that you have to go to your machines (locally or remotely) at least once, gain administrative privileges and prepare something, e. g.:
A scheduled task that runs under your local administrator account or under SYSTEM and triggers the execution of your script
Disabling UAC (temporarily) (not recommended either way)
Installing any remote management software, services or accounts (with extra run as background job privilege)
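One way to prepare the scheduled-task workaround listed in the answer above, as an added PowerShell example that is not from the original posts. It assumes a single elevated session on each device; the folder, file and task names are hypothetical, and `DeviceHardwareData` is assumed to be the property of `MDM_DevDetail_Ext01` that is needed.

```powershell
#Requires -RunAsAdministrator
# Added example: run ONCE per device from an elevated session (one-time preparation).
# Folder, file and task names below are hypothetical.
$scriptDir  = Join-Path $env:ProgramFiles 'AutopilotCollect'   # admins-only write by default
$outDir     = Join-Path $env:ProgramData  'AutopilotCollect'   # standard users can read
$scriptPath = Join-Path $scriptDir 'Collect-DevDetail.ps1'
$taskName   = 'Collect-DevDetail'

New-Item -ItemType Directory -Path $scriptDir, $outDir -Force | Out-Null

# Collector script: the query from the question, run locally as SYSTEM
# (no -CimSession and no stored password). DeviceHardwareData is an assumed property.
@'
$d = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    HardwareHash = $d.DeviceHardwareData
} | Export-Csv -Path "$env:ProgramData\AutopilotCollect\devdetail.csv" -NoTypeInformation
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# Refuse to continue if any identity other than SYSTEM, Administrators or
# TrustedInstaller can modify the script that SYSTEM is about to run.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$trusted   = 'S-1-5-18', 'S-1-5-32-544',
             'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$risky = (Get-Acl -Path $scriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -notin $trusted
}
if ($risky) { throw "Non-admin write access on ${scriptPath}: $($risky.IdentityReference -join ', ')" }

# Register the task under SYSTEM; it runs at every startup and once right now.
# -ExecutionPolicy Bypass applies to this one process only.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$trigger   = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Trigger $trigger -Force | Out-Null
Start-ScheduledTask -TaskName $taskName
```

The non-admin script started by the distribution tooling then only has to read `devdetail.csv`. Keep the collector in a directory that only administrators can modify, because a SYSTEM task that runs a user-writable file hands SYSTEM to every local user.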

connecting from Linux to windows without logging off the current user on windows

What I'm trying to achieve is to log in from Linux to a Windows machine which is already being used by one user who should not be logged off, and the system should work with both users simultaneously. I'm using krdc to connect to the Windows machine from Linux, which logs off the user when the other user logs in. Is there any other way to achieve my intention?
Thanks and Regards
You need to have the real Terminal Services installed. Usually Windows (Home, Professional, etc.) can be enabled to have Terminal Services but only for a single session. If you install Terminal Services you will need to pay the license for users.
To allow multiple connections you should use VNC/TeamViewer (it is the simplest way to achieve what you want).

Logon Windows XP with smartcard

Suppose that I had an SDK to develop an application on a smartcard to store my password and act as an authentication server toward Windows XP. That is, when a user wants to log on to Windows XP with a certain username and password, Windows XP will send this account's information to the smartcard and wait for a response. If the smartcard says YES, the user will be allowed to log in.
This is my idea but I don't know how to implement it with Windows XP. I have designed an interface between the smartcard and Windows XP but I don't know where to begin. Must I write my own logon application (preferably in C#.NET) to replace the actual standard logon process of Windows XP? How can I intervene in the Windows XP process?
I highly appreciate your help.
Best regards,
Hai-Binh LE
Smart Card Authentication is worth a read.
Write custom GINA:
http://en.wikipedia.org/wiki/Graphical_identification_and_authentication
and
http://msdn.microsoft.com/en-us/magazine/cc163803.aspx
and
http://msdn.microsoft.com/en-us/magazine/cc163786.aspx
But it is not a trivial task.

Administrator privileges - a developer or a user problem?

I recently developed an application for Windows XP and newer which makes some changes in the system registry. It has been tested on several machines and I have now got an incident where a user gets this error message when launching the installer: "You must be logged in as an administrator when installing this program" on Windows XP. It's understandable that Windows rejects the installer if the user doesn't have any administration privileges.
As the developer of the software, can I do anything to prevent this from happening? (Without doing the work not touching the registry). Or is it simply just a user problem?
What you didn't say was what the software was going to do. If it was true administrator software, then it can require administration privileges. If it's for a specific use and your client approves, it can require administration privileges (ask the client before assuming it's OK). If it's something a normal user might use, and will see use outside an enterprise that has specifically approved this, you need to find a way to make it usable by less privileged accounts, and if that includes not making changes to the system registry that's what you'll have to do.
Windows Vista introduced UAC, which was designed to make software like yours, which requires administrator privileges, awkward to use. This was for a reason: allowing people in general to run as administrator at all times is a big security issue. More and more enterprises are passing out computers without admin privileges, so your software will be usable on fewer and fewer corporate systems.
If this is some sort of home/personal software, requiring admin privileges is going to make users on Vista and 7 less happy with your software, and is going to perpetuate the global security issue of hordes of individual users, with no computer savvy, being on the net logged in as administrator.
Unless you're in some sort of niche, this is not a user problem (and, if it was, do you really want to be causing your users problems?). It's a developer problem.