I am currently working on a project that interacts with a COM object. In my code I call the following:
CoInitialize(NULL); //Initialize COM system
HRESULT hr = spSSCProt.CreateInstance(("SSCProt.SSCprotector"));
This should get me the object I need. If this fails, it is presumably because the COM Server does not have the COM object registered using regsvr32. All is fine and well, I have the following code to handle that:
/if its not, lets try to register it ourselves...create the command
CHAR cmdBuf[BUFSIZE];
GetCurrentDirectory(BUFSIZE,cmdBuf);
string cmd("regsvr32 -s \"");
cmd += cmdBuf;
cmd += "\\stixDlls\\SSCProt.dll\"";
//attempt to register it
system(cmd.c_str());
The problem arises if the user is not an admin. They wont be able to execute the section of code the registers the COM server. Most of my users will probably not be admins.
Any ideas on how I can register the com server if they are not an admin.
Thanks
The whole point of Windows protection is to prevent you from doing things like that. How is Windows supposed to know you're not a virus trying to install some malware?
Your only hope is to start up another program which requests administrator privileges via its manifest. At that point Windows will ask for the administrator password.
If possible, the best place to do COM registration is during the installation process, which is usually being run under admin privileges. If that's not possible, there's another standard way: most home users on Vista and Win7 do have admin privileges - it's just not enabled by default. To enable those privileges you should request elevation through the (in)famous UAC.
Related
I've coded a programm that require to be run as an admin privileges. I'm aware that I can do that through going to property/Compatibility/Run as adminstrator in Windows but how can I do that if possible to make it programmatically, so that when launched programm automatically gained Adminstrator privilege level?
Yes, with an application manifest that requests admin privileges.
http://msdn.microsoft.com/en-us/library/bb756929.aspx
(This will still ask the user whether he wants that, of course. And if your account cannot have admin privileges, the user will also have to use Run As to choose a different account.)
parts of my application suite (client + updater) needs administrator rights for correct behaviour. My client application uses QDesktopServices::storageLocation() in various places to get the correct user profile path for saving user specific data. But as soon as im using QDesktopService::storageLocation() in an elevated application the path changes to the admin user, which makes it difficult to control.
Like from "C:\Users\basic_user\AppData\Local" to "C:\Users\admin\AppData\Local".
Is there a way to deal with this with qt or is my only possibility to use the WinApi?
What is the "right way" when facing the scenario of having an elevated app but one still needs to operate in the user space.
regards,
adrian
I have a basic requirement - to run my application smoothly on Windows by creating firewall rules when prompted, that has windows firewall turned-ON.
When I log in to my system as an user with Admin privileges when I run my application the first time, the firewall comes up with a prompt, I inform it to allow my app and create a rule, nice.
However when I turn-on my PC, log in as a non-Admin user, and I run my application, the firewall shows up with a prompt as expected; however when I click on the same options as I did from the Admin user, the firewall prompt keeps popping up continuously even though I clicked on Allow /ok every time the prompt appears. The prompt only goes away when I click on "Cancel / Block" the application from running, which is obviously not what I want to do.
So here comes the million $ question, What and How should I change my application code to run smoothly by creating the firewall rule successfully the first time I click on the firewall prompt to allow my application; exactly the same way it is working when I run my application as an user with Admin privileges.
I have done my bit of searching online and have come to understand that Non-admin users cannot modify firewall rules (cannot even create them???). BTW I have tested this scenario on Windows XP, Vista 7 both x86 and x64 with same results.
If someone has encountered and / or solved similar issues please share your knowledge. If I am missing something, please make me understand what I am missing.
Thanks
I don't think what you are trying is possible in a non-admin account. What you may try is to gain admin privilege by using the windows runas feature by creating a new process, so that the user is prompted for the username and password of the Admin Account, which would give your program the required access to create firewall rules for your program.
You may also take a look into CreateProcessAsUser or LogOnUSer . Basically in order to succeed in what you are trying to do, you need a token that represents the Administrator account or an account which has admin privileges.
I'm currently using ShellExecute "open" to open a URL in the user's browser, but running into a bit of trouble in Win7 and Vista because the program runs elevated as a service.
When ShellExecute opens the browser, it seems to read the "Local Admin" profile instead of the user's. So for example, if the user at the keyboard has Firefox as his default browser, it may open IE (which is the admin's default).
I know that the "runas" verb can be used to elevate, but how do you do it the other way around? Is there a way to open a URL in the default browser on a standard user's desktop from a service?
ShellExecute will execute the program in the context of the same session and same user as the process you are running.
If you'd like to use a different session or user token you can use the CreateProcessAsUser Win32 API.
There are several ways to obtain a user token, for example you can call the Win32 API:
LogonUser if you know the username and password
WTSQueryUserToken for any given session ID.
OpenProcessToken if you have another process handle
After a while of testing, the best way to determine the default browser is the following:
NOTE: It is strange but it's true...
It has nothing to say that an application is the default application for
some file type or web protocol like 'http'. What matters to determine the default
web browser is just what is registered in the start menu entry (see reg key below).
So forget all the HKCR\http, HKCU\Software\Classes\http, HKLM\Software\Classes\http and their friends.
read from "HKEY_CURRENT_USER\Software\Clients\StartMenuInternet"
read command line from "HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\\shell\open\command"
truncate the command line after ".exe"
Of course you need to impersonate as the logged on user first.
If this solution does not work (like with w2k), use the handler for the http protocol.
To actually start the default browser from a service we use an extra process which is within the service using the logged on user-context. This process starts the above commandline (using ShellExecute on platforms >= Vista). Be sure to use same integrity level (medium) as a default user (else IE won't work because it uses DDE).
HTH.
Aaron Margosis has a seven-step native code example at http://blogs.msdn.com/aaron_margosis/archive/2009/06/06/faq-how-do-i-start-a-program-as-the-desktop-user-from-an-elevated-app.aspx. Won't help you from your service if that is what you have - I agree your service shouldn't be trying to launch an app as the logged in user, especially since there might not be one.
I am attempting to add a temporary IP address to a NIC using AddIPAddress when logged in as a non-admin user. The MSDN documentation for AddIPAddress states that ERROR_INVALID_HANDLE is returned as as error if the function is called by a non-admin user.
Given that I have preceeded the call to AddIPAddress with API calls to LogonUser() and ImpersonateLoggedOnUser(). Now my application thinks it's logged in as an Admin, but AddIPAddress still fails with ERROR_INVALID_HANDLE.
MSDN also states that..
"Note Group policies, enterprise policies, and other restrictions on the network may prevent these functions from completing successfully. Ensure that the application has the necessary network permissions before attempting to use these functions."
Is it possible to call AddIPAddress using impersonation? if so how? I'm guessing I need to change the permissions mentioned above but I am at a loss as to what to chnage in this area.
Any help would be appreciated!
Additonal: I've also drawn a blank while attempting to call out to netsh (again logged in as a normal user) using CreateProcessAsUser using a handle to an impersonated admin user to launch the process. Always returns errors indicating insufficent priviledges.
If you are using windows Vista you may need to elevate privileges.
In Vista by default UAC is enabled. This makes it so that even as an administrator you are using a limited user token unless you explicitly elevate. When you do this the user is presented with a dialog to allow or deny the request.
For more information on this see Windows Vista Application Development Requirements for User Account Control Compatibility.
You may want to try using CheckTokenMembership to verify you are properly elevated after you log on as admin. I would suspect you are getting the limited user token and thus failing requests for privileged resources.
Best of luck.