RE: proper way to insert program for run on startup in Vista



Hi Jim,

Thanks for your feedback.

Yes, on Vista, a normal process runs under Admin Approval Mode if you used
an Admin account to log in to the machine. That is, Vista will use a
stripped version of the token for the normal process. In this token, the
"Administrators" group is disabled, as are most of the privileges.

Since the HKLM DACL setting only gives "write" permission to the
"Administrators" group or the Local System account, the stripped process token
will get access denied while writing to this location. Only an elevated process
can write to this registry location. This is by design of the Vista security push.
The best practice is to save the data/settings in the HKCU registry, which
is writable by the normal user token.

I am not sure why the "user startup folder" does not work for you. In testing, it
works well without any exception. Based on my examination of the "Startup" folder
on my machine, it grants Full Trust to my account SID. Below is the DACL
dump with the "ICacls" tool:

D:\Users\jetan>ICacls "D:\Users\jetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
D:\Users\jetan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup FAREAST\jetan:(I)(F)
        FAREAST\jetan:(I)(OI)(CI)(IO)(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Can you paste the problematic folder path to me? I would recommend you use
the "ICacls" tool to dump this folder's DACL and paste it here for analysis.

Additionally, "Developer Best Practices and Guidelines for Applications in
a Least Privileged Environment" is a little outdated. Below is the most
complete Vista guide on UAC:
"Windows Vista Application Development Requirements for User Account
Control Compatibility"
http://www.microsoft.com/downloads/details.aspx?FamilyID=BA73B169-A648-49AF-BC5E-A2EEBB74C16B&displaylang=en

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
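As an added example (not part of Jeffrey's post), the following PowerShell script checks the points made above from inside a running process: whether the token is elevated, whether the HKLM and HKCU Run keys are writable by that token, and what the per-user Startup folder ACL grants the current user. The Run subkey path is the standard Windows autostart key; the entry name and executable path passed to Register-PerUserStartup are placeholders.

```powershell
# Added example, not from the original post. Demonstrates why a filtered
# (non-elevated) token on Vista can register a per-user startup entry under
# HKCU but is denied under HKLM, and reproduces the Startup folder ACL check.
# Assumption: Windows PowerShell on a UAC-enabled machine.

$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Test-IsElevated {
    # Under UAC the filtered token has BUILTIN\Administrators disabled, so
    # IsInRole returns $false even when the logged-on user is a local admin.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RunKeyWritable {
    param([Microsoft.Win32.RegistryKey]$Hive)
    # Opening the key with writable = $true performs the access check without
    # modifying anything; the filtered token is denied on HKLM and the call throws.
    try {
        $key = $Hive.OpenSubKey($runSubKey, $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

function Register-PerUserStartup {
    param([string]$Name, [string]$ExePath)
    # Per-user autostart belongs in HKCU, which the normal user token can write
    # without elevation. $Name and $ExePath are caller-supplied placeholders.
    Set-ItemProperty -Path "HKCU:\$runSubKey" -Name $Name -Value "`"$ExePath`""
}

function Get-StartupFolderAccess {
    # Same information as the icacls dump in the post: the per-user Startup
    # folder should grant the current user FullControl (the (F) entries).
    $folder = [Environment]::GetFolderPath('Startup')
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    (Get-Acl -Path $folder).Access |
        Where-Object { $_.IdentityReference -eq $me } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

"Elevated token:    $(Test-IsElevated)"
"HKLM Run writable: $(Test-RunKeyWritable ([Microsoft.Win32.Registry]::LocalMachine))"
"HKCU Run writable: $(Test-RunKeyWritable ([Microsoft.Win32.Registry]::CurrentUser))"
Get-StartupFolderAccess
```

From a non-elevated prompt the HKLM check reports False and the HKCU check True, which is the behaviour the post describes; a missing FullControl row from Get-StartupFolderAccess would point to the folder DACL problem Jim is asked to dump with ICacls.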
