I recently developed an application for Windows XP and newer which make some changes in the system registry. It has been tested on several machines and i now got an incident where a user gets the error message when launching the installer: "You must be logged in as an administrator when installing this program" on Windows XP. It's understandable if the user don't got any administration privileges that Windows rejects the installer.
As being the developer of the software, can I do anything to prevent this from happening? (Without doing the work not touching the registry). Or is it simply just a user problem?
What you didn't say was what the software was going to do. If it was true administrator software, then it can require administration privileges. If it's for a specific use and your client approves, it can require administration privileges (ask the client before assuming it's OK). If it's something a normal user might use, and will see use outside an enterprise that has specifically approved this,you need to find a way to make it usable by less privileged accounts, and if that includes not making changes to the system registry that's what you'll have to do.
Windows Vista introduced UAC, which was designed to make software like yours, which requires administrator privileges, awkward to use. This was for a reason: allowing people in general to run as administrator at all times is a big security issue. More and more enterprises are passing out computers without admin privileges, so your software will be usable on fewer and fewer corporate systems.
If this is some sort of home/personal software, requiring admin privileges is going to make users on Vista and 7 less happy with your software, and is going to perpetuate the global security issue of hordes of individual users, with no computer savvy, being on the net logged in as administrator.
Unless you're in some sort of niche, this is not a user problem (and, if it was, do you really want to be causing your users problems?). It's a developer problem.
Related
I need to query some WMI values using PowerShell from Windows 10 devices. The script is executed in the context of a non-admin user by some software distribution tooling.
There is a local admin account, and for the current purpose (retrieving information before wiping the system) it wouldn't be a problem to put the password in the script. As automation is a hard requirement, there is no way to deal with UAC windows or the user to enter some credentials.
Is there any way to get
$sess = New-CimSession -Credential $admincred
to work without running into Access is denied, because it isn't run in an elevated context? Can I somehow self-elevate it by just having the admin credentials?
[Edit]
The comments asked to provide more concrete information:
I want to onboard many unmanaged (i.e. no software distribution tool, no domain join) Windows 10 devices to Windows Autopilot.
The devices are not at a specific site.
The device vendor can't provide the information.
The users don't have administrative privileges
The users don't know the local admin password (I do)
Exposing the local admin password is less of a problem than the missing tech knowledge of the users (the password is considered legacy)
The firewall is preventing incoming traffic (no RDP, WinRM)
Code (Source):
$devDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")
It is too time consuming to get the information using manual remote sessions with a tool like Teamviewer. Getting the users to download a tool from the intranet and running it would be a way to go. So I created a standalone application that builds and runs a customized PowerShell script. What won't work is getting it to run in an elevated session. I always end up with Access denied.
Can I somehow self-elevate it by just having the admin credentials?
No you cannot. UAC is designed to prevent exactly what you are trying to do. Related Q&A:
elevate without prompt - verb runas start-process
UAC Getting in the Way of EXE Install Powershell
Powershell provide credentials for RunAs
There may be many workarounds, but they all will have in common that you have to go to your machines (locally or remotely) at least once, gain administrative privileges and prepare something, e. g.:
A scheduled task that runs under your local administrator account or under SYSTEM and triggers the execution of your script
Disabling UAC (temporarily) (not recommended either way)
Installing any remote management software, services or accounts (with extra run as background job privilege)
I'm not sure if I am asking this in the right spot or not, sorry if I am wrong.
I would like to know please, SCCM is currently operational in our school, and we use it to install software across our network.
I have a piece of software that requires a different channel for each room or staff laptop that it is installed in.
I have managed to set up a powershell script that polls a csv for the channel that should be assigned to each room, and when the script it run, it pulls that channel and installs the software with that channel assigned.
What I am having trouble with now, is that SCCM installs the software using the local system account, and the csv is located on a network share.
When the System account goes to poll the csv file it gets an access denied error, even though System has full control of the csv and directory that the csv is located in.
Is it just me not understanding the permissions that System has, or can System not interact with other devices over the network, I assumed that being system on both devices, it would be able to cross to another device and impersonate system on that device.
Is there a way around this?
Thanks for any feedback.
The system account uses the machine account when accessing the network e.g. COMPNAME$, if you're on AD you can add a grant to that computer account to the file share ACL. If you don't have a domain you can create a local account with matching username and password on both machines and configure the service to run as that account.
By simply adding Domain Computers to the files permissions list and assigning it Read/Write permissions, I am able to let any computer in this group (all computers on the domain) access the specific files.
This is also what Andy Arismendi was saying, however just an already setup group.
Server: Windows Server 2003
PC: Windows XP (Laptop)
Issue: The PC in question cannot get administrator rights even when logged on as the top level administrator account, or any other admin account. The PC needs admin rights to install printers regularly, as well as various other hardware. I have created a custom user that has full admin rights.
Previously, this PC was only used via wireless, and was never a part of the domain, it was always just its own workgroup computer that was carried around our warehouse. It is now hooked up on a RJ-45 and will be stationary.
I have spent at least a few hours trying to figure out why this PC cannot get admin rights, and have run out of ideas. There is also an ex-navy system admin that has been unable to figure it out (though he is outdated in knowledge). Any advice on what to look at would be appreciated. I personally am a webmaster, and have very little server 03 knowledge, so any high-tech terms would prefer to be avoided :) - I can figure out whatever needs to be done though :)
Are they a member of the Administrator group on the local machine?
Check this for instructions on security, and being able to make people as admins of machines in a domain
On XP (user account) when running this shortcut:
<Shortcut Id="UninstallStartMenuShortcut" Advertise="no"
Name="AppName" Description="Uninstalls AppName"
Target="[SystemFolder]msiexec.exe" Arguments="/x [ProductCode]"/>
I'm getting an error "You must be an Administrator to remove this application. To remove this
application, you can log on as an administrator, or contact your technical
support group for assistance."
Why this happens instead of asking for elevation with admin password?
How can I avoid this stupid error?
"Elevation" doesn't exist in XP. LUA / UAC is a Vista and beyond concept.
You could create and install an EXE that is the target of the shortcut. This EXE could then determine if higher priviledges are needed and ask for the username and password to run the uninstall as.
Only administrators can install (and uninstall) applications. Therefore it makes sense that the user doesn't have permission to uninstall the software previously installed by the administrator.
runas allows you to run programs as a different user.
First of all, I'm not sure if this is generic to services in general, but the problem I'm having is pretty specific, it has got to do with the SageTV service component.
Since there isn't much help over at the SageTV forums regarding this specific subject, I thought maybe this was a generic issue with services and therefore worth asking here at Stackoverflow.
Here goes:
I'm running the SageTV windows service with a plugin activated which is supposed to execute external programs. When running under the Local System Account (with the "Interact with the desktop option" enabled), this works fine. For testing purposes I'm using notepad.exe as the program to execute.
Then I created a new user (let's call it mediabrowser) and changed the SageTV service so it would run as that user. When I do that, the SageTV plugin no longer executes notepad. It just does nothing, I don't get any errors or anything, it's just that nothing happens when notepad should be getting executed.
The mediabrowser user has administrative priviliges. The option to interact with the desktop is only available for the Local System Account, and I believe that normal users are always allowed to interact with the desktop anyways.
Is this a general issue with services? If so, what permissions might my mediabrowser user need in order for this to work? I'm pretty sure this is because of permission differences between my mediabrowser user and the Local System Account.
Thanks in advance ...
Uhhh OK. Now I feel like an idiot. I just launched the tast manager on the machine and I can see that there are tons of notepad.exe processes under the mediabrowser user so I guess that notepad IS being executed correctly. It's just not being shown on the desktop.
So I guess this just works :-)