Creating Firewall rule for a process running in a Non-admin user account - c++

I have a basic requirement - to run my application smoothly on Windows by creating firewall rules when prompted, that has windows firewall turned-ON.
When I log in to my system as a user with Admin privileges and run my application the first time, the firewall comes up with a prompt, I inform it to allow my app and create a rule, nice.
However when I turn-on my PC, log in as a non-Admin user, and I run my application, the firewall shows up with a prompt as expected; however when I click on the same options as I did from the Admin user, the firewall prompt keeps popping up continuously even though I clicked on Allow /ok every time the prompt appears. The prompt only goes away when I click on "Cancel / Block" the application from running, which is obviously not what I want to do.
So here comes the million $ question: what and how should I change my application code to run smoothly by creating the firewall rule successfully the first time I click on the firewall prompt to allow my application, exactly the same way it works when I run my application as a user with Admin privileges?
I have done my bit of searching online and have come to understand that Non-admin users cannot modify firewall rules (cannot even create them???). BTW I have tested this scenario on Windows XP, Vista, 7, both x86 and x64, with the same results.
If someone has encountered and / or solved similar issues please share your knowledge. If I am missing something, please make me understand what I am missing.
Thanks

I don't think what you are trying is possible in a non-admin account. What you may try is to gain admin privilege by using the windows runas feature by creating a new process, so that the user is prompted for the username and password of the Admin Account, which would give your program the required access to create firewall rules for your program.
You may also take a look at CreateProcessAsUser or LogonUser. Basically, in order to succeed in what you are trying to do, you need a token that represents the Administrator account or an account which has admin privileges.
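An added example, not part of the original posts: one way to follow the answer's advice is to create the rule once from an elevated process (for instance at install time), so the non-admin user never sees the prompt. It uses PowerShell to drive `netsh advfirewall`, which assumes Windows Vista or later; the rule name and program path are placeholders.

```powershell
# Added example: create the inbound allow rule once, from an elevated process.
# Rule name and program path are placeholders for your own application.
param(
    [string]$RuleName    = 'MyApp-Inbound',
    [string]$ProgramPath = 'C:\Program Files\MyApp\MyApp.exe'
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Relaunch this script elevated. A standard user is asked for administrator
    # credentials; an administrator under UAC is only asked to confirm.
    $script  = $MyInvocation.MyCommand.Path
    $argLine = "-NoProfile -File `"$script`" -RuleName `"$RuleName`" -ProgramPath `"$ProgramPath`""
    try {
        Start-Process powershell.exe -Verb RunAs -ArgumentList $argLine -Wait
    } catch {
        Write-Error "Elevation was declined; no firewall rule was created."
    }
    return
}

if (-not (Test-Path -LiteralPath $ProgramPath)) {
    throw "Program not found: $ProgramPath"
}

# Idempotent: netsh exits non-zero when no rule with this name exists.
& netsh advfirewall firewall show rule "name=$RuleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Output "Rule '$RuleName' already exists; nothing to do."
    return
}

# Scope the rule to one executable and to the private/domain profiles only,
# rather than opening a port for every program on every network.
& netsh advfirewall firewall add rule "name=$RuleName" dir=in action=allow `
    "program=$ProgramPath" enable=yes "profile=private,domain"
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed with exit code $LASTEXITCODE"
}
```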

Related

How to launch application on non-logged on user's desktop from service on Windows

I am trying to create a service which does the following:
1. Logging in as a user with a specified username/password
2. Running an application on the desktop of the logged-in user of step 1
Note: before step 1, user is not logged on. (something like right after machine is rebooted)
The expected result is, the user should be able to see the UI of launched app at step 2 if user logged onto the desktop with the user account logged on at step
I found this article, but this code will launch the app on the current desktop (let's say, currently logged on as userA. Using the username/password of userB, the app will still be launched on userA's desktop, but using userB's account).
https://support.microsoft.com/en-ca/help/165194/createprocessasuser-windowstations-and-desktops
Please let me know what's the correct way to achieve my goal.
IDE: Visual Studio 2015 C++ on Windows.
Let me answer my own question.
The bottom line is:
I cannot launch a process on the desktop of a not-logged-on user by programmatically logging in.
Reason:
By calling certain functions such as LogonUser, I can log in and access resources related to the user's account.
However, the logon session is different from a Session which will be created when the user logs on from the login screen.
For security reasons, once a process is launched, we cannot move the process to another Session. So, the UI will never be able to show on the desktop after the user logs on from the login screen.
Alternative solution:
Use auto-logon
Redesign the app, and split the UI and its data. So, a process with data can run as a service, and the UI can launch later on a desktop.
A detailed explanation of how Windows Sessions, Window Stations, and Desktops work:
https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops
Thank you very much to Harry Johnston for the detailed explanation in the comment.

Prompt to restart a process for administrative privilege

I am the only user and admin of my computer. My account doesn't have a password because the computer is located in a secret room. I want to restart a process as administrator.
I don't want to change the manifest because it makes the process always run with administrative privilege.
I want administrative privilege only when I need it.
Using the functions CreateProcessWithLogon, LogonUser and the command tool runas.exe is not appropriate for me because I have no password.
What can I do? Moreover, when I run an application as administrator, it prompts but it doesn't ask for a password. Is there any way to make such a prompt?
Moreover, when I run an application as administrator, it prompts but it doesn't ask for a password. Is there any way to make such a prompt?
It would ask you for the password if you attempted to run the application as administrator from a user account with limited user rights (non-admin).
If you wish to run under admin rights only when you really need them, you should split your application into two parts: one part would run under limited rights, the other, only capable of doing the administrative actions and nothing more, would be run only when needed (so it should not "run away").

OSQA: lost access to web-site due to changing allowed IP (admin's maintenance-mode)

I am the admin of an OSQA system (which is cool and great, by the way).
I tried to learn and understand the "maintenance mode", in order to create backups. So I have entered the "maintenance mode", and there I saw the text box with the message that my users will see when the site is under maintenance mode. Plus, there was a list of IPs that will be allowed to access the site even if it is under maintenance mode.
My IP was there...
My mistake was that I changed the IP in that text box, in order to see what my users will see. Immediately, I lost access to the web site, and all I can see is the message, like the rest of my users... (at least now I know that it works - users cannot access the site, and they DO see the message...)
How can I regain access to my web site?
thanks!
Do you have access to the server where your site is hosted?
If so, you just need to enter the Django shell: python manage.py shell
Then run the following code:
from forum import settings
settings.MAINTAINANCE_MODE.set_value(None)
exit()
With that, maintenance mode will be disabled and you will be able to modify the allowed IPs.
~Mike

Create .exe in Qt with admin privilege

I've coded a program that requires being run with admin privileges. I'm aware that I can do that by going to Properties/Compatibility/Run as administrator in Windows, but how can I do that programmatically, if possible, so that when launched the program automatically gains Administrator privilege level?
Yes, with an application manifest that requests admin privileges.
http://msdn.microsoft.com/en-us/library/bb756929.aspx
(This will still ask the user whether he wants that, of course. And if your account cannot have admin privileges, the user will also have to use Run As to choose a different account.)

Running ColdFusion as a specific user

On this page, it talks about Windows NT, 2000, XP and 2003. Fortunately, I have a Windows 7 machine.
The very first line says:
In User Manager for Domains, create a local user for the ColdFusion
service to log in as.
I don't see a "User Manager for Domains", so do they mean just "Add a new user"?
If it DOES mean that, can I use my own user account as the ColdFusion user, or should I specifically create a new account just for ColdFusion?
If you are creating a domain account it has to be created ON the domain - using user manager for domains connected to your domain controllers. If that's what you need then a sys admin has to help.
If you are doing a "local" user on a windows 7 I always end up hunting around for the right view of user manager before I get it right :) Here are the steps that I use:
Search from start and open the "user accounts" cpl.
Click on "Manage User Accounts"
Click on the "advanced" tab
Click on the "advanced" button.
This takes me to the mmc-like view of users that I'm accustomed to where I can add a user, change membership, set passwords etc.
Hope this helps :)
You can use your own username or you can create one for CF to run as. Creating a user to run CF as probably more closely replicates your production environment (an assumption), so if production, for example, writes to a UNC path, the ColdFusion user must have access. You could mimic this locally.
You can use either an account local to the OS where ColdFusion is running, or a domain account if the OS is joined to a domain. In your case, you can just create a local user on your Windows 7 OS and run the ColdFusion Application Service as that user. The user account will need access to ColdFusion's installation folder, as well as read access to the webroot.
The whole idea is to run the ColdFusion service as a user with the minimum privileges necessary to handle requests and prevent access to other resources in the event of a data breach or remote code execution (e.g. someone exploits an upload form and manages to get their own CF code to run on your server; it's not pretty but can be somewhat restricted by running the CF service under a user account with restricted access).
As someone else mentioned, if CF needs access to other network resources, the user account will need to be granted access to those resources as well (either by using a domain account or having a local account with the same username and password on the remote system).
Just did this on Windows 2008 R2 with CF 10. The trick was to change the ownership of the c:\windows and c:\windows\system32 directories as outlined here.
change ownership from trustedInstaller
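An added example, not part of the original answers: the least-privilege setup described above (a dedicated local user, access to the ColdFusion installation folder, read access to the webroot) scripted in PowerShell for an elevated prompt. The account name, service name placeholder, both paths and the choice of Modify rights on the installation folder are assumptions to replace with your own values.

```powershell
# Added example: run the ColdFusion service as a dedicated low-privilege local
# account. Run from an elevated prompt. Every name and path is an assumption.
$Account     = 'svc_coldfusion'
$ServiceName = '<ColdFusion service name>'   # find it with: Get-Service *ColdFusion*
$InstallDir  = 'C:\ColdFusion10'
$WebRoot     = 'C:\inetpub\wwwroot'

# Prompt for the new account's password instead of hard-coding it.
$cred  = Get-Credential $Account
$plain = $cred.GetNetworkCredential().Password

# 1. Create the local user (it is not added to Administrators).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$user = $computer.Create('User', $Account)
$user.SetPassword($plain)
$user.SetInfo()

# 2. Grant only what the answer lists: access to the install folder and read
#    access to the webroot. Modify (M) on the install folder is an assumption.
& icacls $InstallDir /grant "${Account}:(OI)(CI)M"
& icacls $WebRoot    /grant "${Account}:(OI)(CI)RX"

# 3. Point the service at the new account (StartName and StartPassword are the
#    7th and 8th parameters of Win32_Service.Change).
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$result = $svc.Change($null, $null, $null, $null, $null, $null, ".\$Account", $plain)
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change returned $($result.ReturnValue)"
}

# 4. Before restarting the service, give the account the "Log on as a service"
#    right: grant it in Local Security Policy (secpol.msc), or set the account
#    once in the Services console, which grants the right for you.
```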