I have an application whose resources need to be updated externally from time to time. I want the application to update it's own resources.
The problem with UpdateResource() is that it cannot be used on a currently executing process. Any ideas how I can update resources from the application itself instead of writing an external app to handle this?
regards,
andy
This seems to be not a good solution to update the application resources. Programs are installed with Administrator rights. A standard user has no write access to the program executable files. Consider saving the data you need in a user directory. E.g. %LOCALAPPDATA%. If you really need resources you can also put a resource-only DLL there. Then it is easy to update even in a multi-user scenario.
You should move the resources to an external DLL and unload it while updating and reload
it back.
You can't modify your own executable.
Also, you must not do this. What if you're running from read-only drive?
For storing program state, there is %APPDATA%, %LOCALAPPDATA% and registry.
Related
I'm looking to access control example. https://github.com/strongloop/loopback-example-access-control
It says we need to put sample-models.js file under server/boot folder. That means, everytime I run the application, the creation process will be made again and again. Of course, I'm getting errors on the second call.
Should I put my own mechanism to disable if ones it run, or is there a functionality in loopback?
Bot scripts are for setting up the application. And run once per application start.
So if you want to initialize database or any initializing which would be persisted by running boot script, you need to check if it is initialized first or not.
For example for initializing roles in db, you need to check if there is desired roles in db or not. And if there is not, so create ones.
There is no other functionality in loopback for this.
We have an exe which actually checks the contents of a folder and then kicks off a windows service to do some processing on the files in that folder.
So, we made this exe as part of System start up program so it runs everytime the system reboots/starts.
Now the user is very annoyed as he gets pop up for UAC everytime he restarts. But we need to have admin rights for this exe as it kicks off a windows service. Therefore I researched and found a couple of solns for this prob.
This and This
But couldn't decide which is better and less vulnerable for security implications.
Another potential solution can be in the code of .exe itself detect the system start up and if we have any content in the target folder then only ask for UAC from user and kick off the windows service . Else just don't run the exe. I am not sure how to do this in C++. Any pointers would be helpful. If there is any better solution, always welcome.
You probably want to use Task Scheduler here.
Just create a task as part of the install process, with "When the computer starts" as the trigger, and set the "Run with highest privileges" security option.
The problem is that you're mixing up the system and user sessions.
If the processing of those files is done on behalf of a user, it probably should not be done by a service. What if two users wanted their files processed? What security context should the service use for that? And obviously you shouldn't need Administrator right to process some user files.
If the service is performing some system-level task, it shouldn't depend on a user. And in fact running at startup suggests you want this mode. (User applets start at login, not after reboot). The main problem in your design therefore seems to be that you try to run an app (with UI) at the wrong moment which requires far too many permissions (causing UAC). Redesign the service so that it does all the tasks which require admin permissions, and when installing the service set it to start automatically. This still requires UAC at installation, but that is when UAC is expected.
I'm trying to figure out the safest way of storing chat history for my application on the clients computer. By "safe" I mean so that my application is allowed to actually read/write to the SQLite database. Clients will range from Windows, OS X and Linux users. So i need to find a way on each platform of determining where I'm allowed to create a SQLite database for storing the message history.
Problems I've run into in the past were for example when people used terminal clients for example Citrix where the users is not allowed to write to almost any directory. The drive is often a shared network drive.
Some ideas:
Include an empty database.db within my installer that contains prebuilt tables. And store the database next to my executable. However I'm almost certain that not all clients will be allowed to read/write here, for example Windows users who do not have admin rights.
Use QStandardPaths::writableLocation and create the database at the first run time
Locate the users home dir and create the database at the first run time
Any ideas if there is a really good solution to this problem?
I have a problem I can't seem to find the answer to, though I am sure it is out there. Is there a way I can disable registry and file access for a newly-created process? I am using Job objects ( http://msdn.microsoft.com/en-us/library/windows/desktop/ms682409(v=vs.85).aspx ) and it says to set the permissions for each new job process, and in a few books I have read that things such as registry and file access can be controlled.
While looking for my answer I saw that I needed to add LUIDs for things such as SE_BACKUP_NAME and such (or whatever it is called) but none of those privilege constants seem to reflect the kind of control I want.. So my exact question is: How would I go about disabling registry/file write access for a newly created process in a Job?
I am trying to create a sandboxed-application, btw. This is so I can prevent it from making any changes to the registry or writing any files while it runs.
Any help would be appreciated!
Windows accesses many resources during process startup, so if you successfully disabled access to the filesystem and registry the process wouldn't start.
Ideally, you'd want access to be restricted after process initialization was complete, but Windows doesn't have a mechanism to do this for arbitrary processes. The sandbox in the Chrome browser relies on the cooperation of the sandboxed process.
The documentation for the Chrome sandbox has a nice overview of the various security mechanisms available in Windows and explains how they are used in Chrome. It's a nice solution if you are trying to sandbox your own code.
I don't think you can disable access outright as many susbsystems rely on it (COM, the shell, some DLL initialisation, debugging, etc) An alternative would be to allow access, but to a limited sandbox which can be done with the integrity system. Setting it to low integrity will block most write access and is used by protected mode IE.
How can I programatically detect any changes that occur to Microsoft's Active Directory?
You could enable auditing of directory service changes, than write a script or application to query the security log for the appropriate events.
You probably need to be a bit more specific. Do you want to detect changes to one or two objects? If so, #DSO's recommendation is a good one. If you want to be able to do regular imports of all changes DirSync is probably what you need.