Re: turn off user account control

Sam Hobbs wrote:
"Jack the Ripper" <Jack@xxxxxxxxxxx> wrote in message news:O%23e4SzBlJHA.1928@xxxxxxxxxxxxxxxxxxxxxxx
Sam Hobbs wrote:
"Jack the Ripper" <Jack@xxxxxxxxxxx> wrote in message news:ufyvTt9kJHA.1168@xxxxxxxxxxxxxxxxxxxxxxx

They are NOT false positive responses. Whatever you are trying to do requires escalated privileges to use the user-admin account's full- rights access token to perform the task or allow a program to run that needs full-admin-rights to execute, with UAC enabled.

Another possibility is that the developers might not be using the least privileges that their software needs and instead required Administrator privileges.

Then it's not Vista compliant software. And mostly, what is requiring admin rights to run is old legacy COM solutions.

http://www.developer.com/net/net/article.php/3695651

One of the requirements of Vista compliant software is that it only needs Standard user rights to execute.

Where does the article say that? What if a COM object truly does need Administrator privileges, your statement is saying that it cannot be done in a COM object. That article even says "There will still be circumstances when an application needs administrative privileges to carry out certain processes, especially if the application is written for administrator use.".

I did not say that it cannot be done with a COM object. I am saying that in order for the COM legacy solution application to execute, a COM object execution is on a given process/thread and it may need privileged escalation to execute.

Even a .NET solution may need its rights escalated if the solution is doing administrative tasks, like making registry changes as an example.

But the bottom line is to make the application run with only requiring Standard user rights or least privilege, which most software developers bluntly disregard and everything runs with full-admin-rights when 9 times out of 10 it is not required.

But that was also due to Limited account rights on XP solutions not being able to run properly, so it became full-rights execution for just about everything written on the XP platform.

For Vista and Win-7, if it calls for the application to be leveraged to use Standard user rights only on a rewrite of code, then so be it.

One thing that is happening is more and more code for the MS platform are being written in .NET, which is managed code using the CLI/CLR. And they are looking at code intent to prevent things if hostile or dubious intent is determined with in the code, before it is executed and stop the execution.

However, that can be circumvented by a COM object code being called in the solution that is not manageable by the CLI/CLR. And therefore, the push is being made to eliminate/eradicate COM off the MS O/S platform. Of course, not everyone will be going to .NET, and if it's not broke them don't fix it, legacy COM solutions.

<http://msdn.microsoft.com/en-us/library/bb530410.aspx>

<copied>

How Do I Determine If My Application Has Administrative Dependencies?

To assist developers, ISVs, and organizations in evaluating their applications, Microsoft provides the Microsoft Standard User Analyzer. The Standard User Analyzer can be used to help identity non-UAC–compliant behavior of an application. Microsoft recommends that developers run this tool to identify issues with running the application under a standard user account. These tests should be performed, even if the application already installs and runs properly under a standard user account on Windows XP. The application may perform operations, such as attempting to write to system registry locations, and make decisions based on the system's behavior, such as looking for an error response. Windows Vista may behave differently than earlier versions of the Windows operating system due to the addition of new application compatibility support. Therefore, it is recommended that all applications be tested with the new version of the Standard User Analyzer.

The Standard User Analyzer will record all administrative operations encountered by an application, including registry/file system access and elevated API calls. This data is stored in a log file and is displayed within the tool. The Standard User Analyzer identifies the following common dependencies, in addition to many others:

<copied>




.

Relevant Pages

  • RE: Upgraded to Word 2003, now I cant open files
    ... Novell NetWare Network Privileges Required to Run Word ... Description of File System Directory and File Rights ...
    (microsoft.public.word.application.errors)
  • =?windows-1252?Q?Re=3A_=93Libertarians=2C=94=2F_vs_Corporate_Power?=
    ... result is that these collectivist entities with their government- ... bestowed privileges have taken over our economy, ... the defenders of individual rights. ... distinction between Big Brother and God! ...
    (alt.gathering.rainbow)
  • Re: How to manage user access in FM7 and later
    ... > profiles and then use this groups to assign rights in FMP. ... > personal login system and a users file where a rights manager could ... > Take into account that the delegated rights manager knows nothing ... about everything you can do with homebuilt, individual privileges can be ...
    (comp.databases.filemaker)
  • What is the Anglobitch Thesis?
    ... the advance of women's 'rights' across the Anglosphere has not been ... accompanied by a corresponding reduction of their traditional privileges - ... men only with obligations and women aglow with rights plus privileges. ... Anglo-American media, ...
    (soc.men)
  • Re: Vista: How to execute standard user app by setup with admin pr
    ... that allows to drop down privileges to standard user. ... If an administrator has the right to do anything, ... The setup is executed under an account that has _no_ administrator ...
    (microsoft.public.platformsdk.security)