i'm writing a security program for vista and 7 (Right now my main os i'm using is 08 server which i'm testing it on as well) and I would like to block the fast user switching option from within windows. The problems is that I can't edit the registry under a normal user as its under the HKLM and I need to be able to edit the key to block it or find another way to accomplish this.
I tried running it as admin and that hasn't worked. With wxDev C++ I tried the manifest option and I still can't get it to work. If the program runs under an admin account though it does.
Would anyway happen to know how to do this? I've been looking on Google all day today now and all I keep finding out is how to edit the reg or group policy to turn it off but I need a way to do it though c++.
Again thank you
The registry key that controls fast user switching is in key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
it is a DWORD value named AllowMultipleTSSessions.
Set it to 0 to disable fast user switching. Windows uses terminal services to implement multiple desktops.
To write to the HKEY_LOCAL_MACHINE hive, the process must be running with administrator privileges.
The manifest needed to make your process automatically prompt for administrator privileges is:
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
Related
I have a multi-process application that was originally developed in XP and was originally designed with no regard to administrator privileges. We used to configure and sell computers with the software. We are now selling the application by itself, without the hardware, to be installed on user systems in a corporate environment. Currently our software package requires our users to run in administrator mode, which is not making us popular with our customers IT departments.
I have been working to remove items that obviously require administrator privileges (writing to HKLM in the registry, writing to the Program Files folders). However, Windows continues to require administrator rights to run the software. If I deny the rights, it closes with no logs. It has a lot of legacy code and so hints to find where the administrator access is happening has proven difficult.
Is there an easy way to see what is being accessed or done that is hitting Windows 10 admin requirements?
Currently I have removed moved writing of data files I could identify to the Program Data folder or to user documents. (depending on whether I want users to be able to easily find them or not).
Configuration files have been moved to user folders.
Registry key access has been kept to HKLU or read-only in HKLM.
Thank you all for the help. I ended up finding the answer in the C# based launcher for our software, which was starting all processes with the verb "runas" set:
try
{
myProcess.StartInfo.Verb = "runas";
myProcess.StartInfo.FileName = command;
myProcess.StartInfo.WorkingDirectory = workingDir;
myProcess.StartInfo.Arguments = prams;
myProcess.Start();
}
catch (Exception ex){}
I removed the "runas" verb and now the system is not requesting admin privileges on the started pieces of code.
I found the cause when I tried to setup a debug run from the Program Files directory and started the code without going through the launcher. (started in a debugger) The system did not request administrative permissions which led me back to the launcher. I recently got the launcher to run without needing administrative permissions and so I had assumed that the problem was in the other processes. Seems I was mistaken.
I want to design the program in such a way that whenever it is installed , it should be auto restart on Windows Startup on the All USERS of the Windows...
My foremost requirement is that I can not give my program Admin Rights as it has to run in Limited Account or sometimes on Admin accounts with UAC enabled to max level...
What and Where should I write in Registry to achieve this.. or If Registry can not be modified for all users without admin privileges then Is there any alternate way to restart the Program after Windows Bootup ?
As far as I know, one alternate way is to install our program in Start Up folder .. however Please let me know if it is feasible to install the program without admin privileges in startup folder for all users and can all write operations be performed in startup folder even for limited account user ?
The simple answer is: You can't. Vista and above (and XP if you're not running under a power user or administrator account) has no write-access to HKEY_LOCAL_MACHINE.
You also need administrative privileges to install an application for all users; without that privilege, you can only install for the current logged in user. This means that installing a shortcut in the "all users" startup folder won't work either.
Barring an exploitable security vulnerability, only Admin accounts can do things that affect other users on the machine, such as setting keys in HEY_LOCAL_MACHINE, registering programs to run for other users via the Task Scheduler, or installing a service. This is by design.
I am developing a partition disk program, and for me to read the \\\\.\\PhysicalDrive0 I need admin rights.
I am wondering if it is possible, in the run time, for the program to gain admin rights? Is there any win api for that?
I want to do that because I want the program to execute with admin rights only when it is reading/writing the disk. For security reasons, I don't want the program to execute all the time with admin rights, because someone could find a bug (stack or heap overflow for example) in some module and execute arbitrary commands as adm.
You cannot acquire elevated privileges after the process has started. Your options are:
Put the part of your application that requires elevated privileges into a separate process and manifest that with requireAdministrator.
Run the part of your application that requires elevated privileges as an out-of-proc COM object.
I have never seen a way to transition rights once a process has begun executing. The only way I know of is for the process to be created as privileged.
I look forward to other answers in case there is another way.
(update)
The article Teach Your Apps To Play Nicely With Windows Vista User Account Control (about halfway down) confirms that admin rights can be granted only at process creation time.
You need to embed manifest with requireAdministrator flag
http://msdn.microsoft.com/en-us/library/bb756929.aspx
Project's Propeties (Alt + Enter) -> Linker -> Manifest File
-> UAC Execution level (in VS2015, in 2010 it's similar)
-> requireAdministrator or highestAvailable
Edit: Also, if it's updating program, simply make your program's name starting with Update and Windows will automatically recognize it.
Well , when ever I am trying to run my application as administrator I am getting the following
error, and whether to allow or not.
If I am running the app directly and not as an administrator then this seems to work. Is there Some thing I need to do to get rid of the UAC , no I dont want user to manually change the UAC settings.
Do I need to tweak registry settings only for my programe or any certificate I need to sign with.
In general, you can't disable UAC. The goal of UAC is to provide a defense in depth against malware. It would be counterproductive if an Tojan could just disable UAC.
What you can do is accept that UAC exists, and roll with it. You shouldn't usually run as Administrator, so it's perfectly fine to get a UAC dialog when you do. For instance, Auto Start can be handled as a per-user setting, which means you don't need to be an admin to change that.
As a workaround on your machine, you can create a scheduled task that launches your application and tick the "run with highest privileges" in the general settings. Then you create a link to the sheduled task with schtasks /run /tn "TASKNAMEINQUOTES" as the link text. This will call the task that will run the application with elvated privileges without the UAC prompt.
More on this here: http://www.howtogeek.com/howto/windows-vista/create-administrator-mode-shortcuts-without-uac-prompts-in-windows-vista/
In
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
there is such item as ConsentPromptBehaviorAdmin. Change it.
Configure an application to always run elevated:
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx#BKMK_S2
I had a program (Notepad2)suddenly require admin rights on a win-7 system. Seems that this can be changed easily.
Right-click the applicaiton, select properties, go to the compatibility tab, at the bottom is
Privilege level: Run this program as an administrator.
Unclick it and OK your way out. Worked for me.
Your process needs to elevate its privileges. There are couple of articles about this in CodeProject but have a look at this one first.
I have an MFC application developed in VS Studio 2008 which reads and writes to a JSON file in its installation folder. It works perfectly in vista(administrator) BUT ONLY when UAC is turned off. When UAC is ON, the application isn't able to write to its JSON file. I figured I had to create a manifest file but I haven't really tried creating one.
Questions:
reference: http://msdn.microsoft.com/en-us/library/bb384691.aspx.
It says here that you can simply set the linker options in the Visual Studio development environment.
What values do I need to select for:
a) Enable User Account Control (UAC)? [I tried NO].
b) UAC Execution Level? [I tried highestAvailable].
c) and UAC Bypass UI Protection? [I tried Yes].
Do I need to add the manifest file in the software package (exe, Dll's, etc.)?
Thanks...
The whole concept of UAC is that you can not bypass it. If you could, it would be useless.
The only solution (which is what you should do anyway, not just because of UAC) is to never ever write files in the install folder but in %APPDATA% where it belongs.
You should copy this file to AppData. Modifying a file in Program Files will always trigger a UAC prompt. This operation requires admin privileges and manifest won't help you with that.
Adding manifest file you can only declare that the application needs UAC permisison. This way the user will be prompted for UAC on application start.
If this is what you want here you can find description how to do it.
Other aprroach is to install a service which runs with LocalSystem account and is allowed to do (almost) anything without asking for UAC permission. For this to work you have to implement inter process communication between your UI applicaiton and the service. Kernel objects shared between processes have to be created from the service with appropriate security attributes in order to be accessed form not elevated programs.
The installation of the service will prompt the user for UAC ( as most other installations )
You mentioned you tried manifesting the executable as
UAC Execution Level: highestAvailable
It should be set to requireAdministrator.
The difference is that highestAvailable will only elevate if the user really is an administrator who's been (UAC) stripped of their admin privelages. If they really are a standard user then it won't elevate.
On the other hand requireAdministrator will require that they elevate. If the user is not an administrator, they will be presented with a prompt to enter a Username and Password of someone who is an administrator; they'll have to call someone to come down and type in their username and password.
If the user already was an administrator, then requireAdministrator will just ask them to Continue.
Set the EnableLUA DWORD value in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0 and reboot.
This will disable UAC without a problem, I would do it to all your users, with or without permission is up to you.
Works in Windows Vista and Windows 7 as well.