RE: proper way to insert program for run on startup in Vista



Hi Jim,

Thanks for your feedback.

Yes, on Vista, a normal process runs under Admin Approval Mode if you used
an Admin account to log in to the machine. That is, Vista will use a
stripped version of the token for the normal process. In this token, the
"Administrators" group is disabled, as are most of the privileges.

Since the HKLM DACL setting only gives "write" permission to the
"Administrators" group or the Local System account, the stripped process token
will get access denied when writing to this location. Only an elevated process
can write to this registry location. This is by design, as part of the Vista
security push. The best practice is to save the data/settings in the HKCU
registry, which is writable by the normal user token.

I am not sure why the "user startup folder" does not work for you. In my test,
it works well without any exception. Based on my examination of the "Startup"
folder on my machine, it grants Full Trust to my account SID. Below is the DACL
dump from the "ICacls" tool:

D:\Users\jetan>ICacls "D:\Users\jetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
D:\Users\jetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup FAREAST\jetan:(I)(F)
                                                                             FAREAST\jetan:(I)(OI)(CI)(IO)(F)
                                                                             NT AUTHORITY\SYSTEM:(I)(F)
                                                                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                                             BUILTIN\Administrators:(I)(F)
                                                                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files

Can you paste the problematic folder path to me? I would recommend you use
"ICacls" tool to dump this folder DACL and paste it here for analysis.

Additionally, "Developer Best Practices and Guidelines for Applications in
a Least Privileged Environment" is a little out-dated. Below is the most
complete Vista guide on UAC:
"Windows Vista Application Development Requirements for User Account
Control Compatibility"
http://www.microsoft.com/downloads/details.aspx?FamilyID=BA73B169-A648-49AF-BC5E-A2EEBB74C16B&displaylang=en

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
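
An added example, not part of the original post or any Microsoft tool: a small Python parser for the kind of ICacls dump requested above, listing the principals whose allow ACEs grant write access to the folder itself (inherit-only (IO) entries apply only to children). The function names and the expected-writer set are assumptions; the sample is the post's dump re-joined one ACE per line.

```python
import re

# Constructed input: the Startup-folder dump from the post, one ACE per line,
# with "NT AUTHORITY" written with its usual space.
PATH = r"D:\Users\jetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = "\n".join([
    PATH + r" FAREAST\jetan:(I)(F)",
    r"    FAREAST\jetan:(I)(OI)(CI)(IO)(F)",
    r"    NT AUTHORITY\SYSTEM:(I)(F)",
    r"    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)",
    r"    BUILTIN\Administrators:(I)(F)",
    r"    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)",
    "Successfully processed 1 files; Failed processing 0 files",
])

MARKERS = {"I", "OI", "CI", "IO", "NP", "DENY"}   # inheritance flags and deny marker
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}        # rights that include write access
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]+\))+)$")

def parse_icacls(text, path):
    """Return one dict per ACE line: principal, marker set, rights set."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # the first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                          # blank or summary line
            continue
        groups = re.findall(r"\(([^()]+)\)", m["flags"])
        markers = {g for g in groups if g in MARKERS}
        rights = {r for g in groups if g not in MARKERS for r in g.split(",")}
        aces.append({"who": m["who"], "markers": markers, "rights": rights})
    return aces

def writers_on_folder(aces):
    """Principals with an allow ACE on the folder itself that grants write."""
    return sorted({a["who"] for a in aces
                   if not a["markers"] & {"IO", "DENY"} and a["rights"] & WRITE_RIGHTS})

def unexpected_writers(aces, expected):
    """Writers outside the expected set (owner, SYSTEM, Administrators)."""
    return [w for w in writers_on_folder(aces) if w not in expected]

if __name__ == "__main__":
    print(writers_on_folder(parse_icacls(SAMPLE, PATH)))
```

An account missing from the `writers_on_folder` result cannot create a shortcut in that folder with its normal token, and an entry returned by `unexpected_writers` means some other principal can place programs that run at this user's logon.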
