Solved

How to RENAME file in C:\WinNT\System32\.... when not administrator logged in?

Posted on 2002-06-07
Last Modified: 2010-04-13
We've learned of a DLL, not critical to Windows (used by some obscure redirector for WinSock that we
know we do not require at our institution), that needs to be renamed so it cannot be used. The file sits in
a subdirectory of C:\WinNT\System32\... and is thus protected from prying non-Administrative user hands.

Unfortunately we have 700+ workstations deployed statewide and it's not practical to log into every one of
them remotely as Administrator to rename this file.  We need to have the actual user of the workstation,
who is VERY SELDOM granted administrative rights, run something that will rename that file.  Note an administrative user HAS been defined for each workstation (although there is a finite, but non-trivial, collection of name/password pairs for this user, depending on the make/model/phase of moon).

The workstations in question are Win2K, but they're not connected to an AD type hub yet.  Instead, it's an old NT-style domain.  So the suddenly discovered Run-As service was just as quickly discarded.

Are there any tools available for Win2K that could do this?  
Question by: jlw011597

18 Comments
 
Expert Comment by: Wouter Boevink (LVL 12)
I believe in the nt resource kit there is something like su.exe for running commands as super user. It's almost the same as the run-as service.
0
 

Author Comment by: jlw011597
Well, we HAVE access to a WinNT Resource Kit, just not at the moment.  While we try to find the right locksmith to get us access to it, tell me more about this SU.EXE
program...  Is it something that would run on a Win2K box without our having to put it there, such that we could run it from, say, a Netware login script as the user makes a
network connection?
0
 
Expert Comment by: Wouter Boevink (LVL 12)
http://www.swynk.com/trent/Articles/SUReadme.asp

Extract from the above page

The above privileges are no longer required when using SU. In order to support this, the user
must install a new service based component used by SU. The service component is encapsulated in
the executable suss.exe, and this is installed by issuing the following command line at a Windows NT
command prompt (cmd.exe):
suss.exe -install

I don't think this is a solution.

Are you running netware?
0
 

Author Comment by: jlw011597
Not without having somebody do an ADMINistrative login already, and if that happens
then we could delete the file ourselves during that procedure.  

Yes, running NW.  No, don't have ZENWorks.  Wish we'd taken the time years ago to
do so, it would solve oh-so-many problems.
0
 
Accepted Solution by: SysExpert (LVL 63, earned 200 total points)
I would use the elevated privileges option.
This may be able to be used as is, or you might need to create a small install package that all it does is delete the file.

I hope this helps !
--------------------------------------------------------


Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the affected users' or computers' installs.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:

 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer
0
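The policy quoted in the accepted answer is also, as the Resource Kit text itself warns, a way for any user to end up with System-level rights, so once it has served its purpose an administrator will want to find every workstation on which it is still set. The script below is an added example for that audit, not code from the thread or from Microsoft: it parses a registry export of the kind `regedit /e` writes (a constructed sample is embedded inline, labelled as such) and reports whether `AlwaysInstallElevated` is 1 on the machine side, the user side, or both. The machine-side key is the one the answer lists; the user-side key `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer` comes from Microsoft's documentation of the policy, not from this page, and per that documentation the policy only takes effect when both halves are enabled, so the script reports "effective" only when both keys hold 1.

```python
import re

# Constructed sample of a registry export (the format "regedit /e" writes),
# not taken from the thread: machine-side policy on, user-side policy off,
# plus the local GPO cache key the accepted answer lists.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
"""

# Effective policy keys: machine side as listed in the thread, user side as
# documented by Microsoft (assumption: not on this page). Compared case-insensitively.
MACHINE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer"
USER_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

# Matches the two value forms this check needs: "Name"=dword:XXXXXXXX and "Name"="text".
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for dword and string values.

    Header, comment lines and other value types (hex(...) blobs) are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, dword_hex, string_val = m.groups()
            keys[current][name] = int(dword_hex, 16) if dword_hex is not None else string_val
    return keys


def always_install_elevated_status(text):
    """Report where AlwaysInstallElevated is set to 1 in an export.

    'effective' is True only when both the machine-side and the user-side
    policy keys carry 1, the condition under which Windows Installer runs
    every install with System privileges.
    """
    keys = parse_reg_export(text)
    by_path = {path.lower(): values for path, values in keys.items()}

    def is_set(path):
        return by_path.get(path.lower(), {}).get(VALUE_NAME) == 1

    machine = is_set(MACHINE_KEY)
    user = is_set(USER_KEY)
    # Any other key holding the value (e.g. the local GPO cache the accepted
    # answer mentions) is listed so the auditor can see where it came from.
    other = sorted(
        path for path, values in keys.items()
        if values.get(VALUE_NAME) == 1
        and path.lower() not in (MACHINE_KEY.lower(), USER_KEY.lower())
    )
    return {"machine": machine, "user": user, "effective": machine and user, "other": other}


def read_reg_file(path):
    """Read a .reg file; version 5.00 exports are UTF-16 with a BOM, 4.00 exports 8-bit text."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


if __name__ == "__main__":
    import sys
    # Pass an exported .reg file (regedit /e out.reg) or fall back to the sample.
    data = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    status = always_install_elevated_status(data)
    for field in ("machine", "user", "effective"):
        print(f"{field:9}: {status[field]}")
    for path in status["other"]:
        print(f"also set : {path}")
```

Run it against an export collected from a workstation (`python check_aie.py out.reg`) or with no argument to see the sample evaluated; a machine where only one half is set is not yet exposed, but the "other" list shows the GPO cache entries that will populate the missing half at the next policy refresh.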
 

Author Comment by: jlw011597
SysExpert:

If the WinNT domain that these Win2K workstations are beholden to doesn't already
allow this policy, can it be made without needing to physically visit each Win2K box
to grant/install this?

If we have to visit every box anyway, it defeats the purpose, we could do the rename
ourselves manually.  

If it requires Win2K server for the Win2K workstations to be beholden to, that ain't gonna happen in the timeframe before we'd be visiting every workstation physically
anyway (3-4 months total).

Need something we can effect this on from the WinNT domain controller (?) or from
a Netware Login Script (which of course runs under the unprivileged user's ID).
0
 
Expert Comment by: jhance (LVL 32)
Unfortunately, anything you do presents a security risk.

You can deploy some application via the server logon script but it needs to use some form of LogonUser or otherwise gain access to administrator level privileges.  The only way to do that is to supply the username/password to the LogonUser call and that means either giving the user the admin pw or embedding it into the logon script application.  Either is risky.

The best solution would be a service that you could connect to from the server and effect changes to the system remotely.  Too bad this wasn't considered up front in the network design stage.  Perhaps now would be a good time to consider implementing such a scheme since it is likely that a similar problem may come up again.

I guess if this were my problem, I'd write an application that does what you want and logs in using LogonUser to a privileged account.
0
 

Author Comment by: jlw011597
Agreed, too bad it wasn't considered in advance.  That's what we get having the
workstation folks being Windows-centric and supported by one organization, while the file/print services being Netware and supported by a different organization.  Me, I'm
in the NW camp, and am frustrated that I've never been allowed to try to resolve their
problem using the NW tools that would do it.  They, they're frustrated by the logistics of having 21 campuses state-wide with NO knowledgeable personnel on site there, and a 3-month deployment window once a year when they can arrange the road trips necessary to get their deployments done.  They lock an image down, ship it to the hardware vendor, vendor drop-ships hardware state-wide, they drive around for 3 months and install it, then use Proxy software to fix one machine at a time for the next 9 months until they do it all again.

What is LogonUser?  A standalone program, or a system service to call from a
program written for Win2K?  I'm a programmer as well as a network admin, but I don't program in Windows environments -- OpenVMS is where I do my coding.
0
 

Author Comment

by:jlw011597
Comment Utility
Agreed, too bad it wasn't considered in advance.  That's what we get having the
workstation folks being Windows-centric and supported by one organization, while the file/print services being Netware and supported by a different organization.  Me, I'm
in the NW camp, and am frustrated that I've never been allowed to try to resolve their
problem using the NW tools that would do it.  They, they're frustrated by the logistics of having 21 campuses state-wide with NO knowledgable personnel on site there, and a 3-month deployment window once a year when they can arrange the road trips necessary to get their deployments done.  They lock an image down, ship it to the hardware vendor, vendor drop-ships hardware state-wide, they drive around for 3 months and install it, then use Proxy software to fix one machine at a time for the next 9 months until they do it all again.

What is LogonUser?  A standalone program, or a system service to call from a
program written for Win2K?  I'm a programmer as well as a network admin, but I don't program in Windows environments -- OpenVMS is where I do my coding.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
Expert Comment by: jhance (LVL 32)
There are several Windows API calls which permit a "logon" or its equivalent from an application.  LogonUser() coupled with CreateProcessAsUser() can get you a process running as a privileged user.  But you may have some issues with how things are currently setup.

What security context does the NW logon script run in?

What about remote access via administrative shares on the workstations?

How do you deploy new software?  Is that method an option?

0
 

Author Comment by: jlw011597
Security Context of the NW login is of course the context of the user logging in.  So
unless that user is Administrator (which requires us to visit or proxy one-by-one to
each workstation) the NW login script will not have sufficient rights to delete or rename
the file.

Remote Access via administrative shares on the workstation?  When I last looked at
these workstations, they had deliberately disabled administrative shares.  At least
it looked that way...   I'll ask the folks who own the boxes.

They deploy new software by visiting each workstation once a year with a CD
containing a new image, or in many cases by having the hardware vendor place
their image on the machine and having it drop shipped to the remote site.  This is
done when the machine onsite already is being aged out.  Said machine usually
goes to an underling whose own machine is passed down another level and finally
salvaged out.  Old machines being passed down are reimaged from CD while new
machines imaged at the factory are installed, both by the roving technician teams which visit each of the 21 campuses once a year.  In fact that method is somewhat
of an option, since the new images have a newer version of the NW client that does
not have this problem DLL, but that deployment takes 3-4 months, and we need to
get this DLL renamed faster than that, hence our search for ideas here.
0
 
Expert Comment by: GUEEN (LVL 16)
Have you considered unregistering the .dll prior to attempting to delete it?
REGSVR32 /U your.DLL
then rename it from a dos window?
0
 

Author Comment by: jlw011597
shekerra:

No, we haven't, and here's why:

We  need something that can be run non-interactively from, preferably, a NW login script or, perhaps, from a .BAT file that's ALREADY being run from the Startup group in
Windows.   And it's got to be able to be run from any user context.  Something that's interactive or requires an Administrator login is going to require a hands-on or, possibly, a proxy visit to each and every workstation, and that takes more time than we
can tolerate.

Your suggestion certainly doesn't sound like something that could be done by a
non-Administrator.
0
 
Expert Comment by: Asta Cu (LVL 27)
jlw is awaiting Expert feedback here.
Asta
0
 
Expert Comment by: GUEEN (LVL 16)
I'm still not clear on this particular .dll file
What is it used for and why is it there (from an old image?)
0
 

Author Comment by: jlw011597
The particular DLL is part of an obsoleted Netware Client.  It lived in C:\WINNT\SYSTEM32\NETWARE\ and, as such, was well protected from users'
meddling hands.

It's used by the Netware Client for redirecting of WINSOCK calls to an NDS server (normally
bounces right back, since the service being requested seldom exists there).  Under certain
circumstances [still waiting for an explanation of these], this DLL decides that it will NOT bounce
back to its caller, and instead sits in a tight loop pounding at all available NDS servers requesting
data which does not exist there, and won't take any of the responses (No such data here, bozo)
for veracity, just asking again.  Floods the network with irrelevant tripe in the process.

Yes, it's from an old image, but because of deployment choices made by the owners of the
boxes, upgrading that image requires physically visiting the machines with somebody knowledgeable of the procedures AND the authentications of a Win2K administrator.  State-wide.
Long and time-consuming, hence our desire to find some way to effect a non-interactive backdoor way to disable the .DLL until such time as the scheduled re-imaging could take place.
0
 
Expert Comment by: SysExpert (LVL 63)
Because of the way win2k protects "critical" Dlls, this is going to be a real problem.
You would need to rename it both in the Main directory and in the DLL cache.

In addition, yes you should be able to deploy elevated privileges remotely, as shown in my previous comment.

I hope this helps !
0
 

Author Comment by: jlw011597
I'm going to accept this answer because, simply, we haven't been able to verify it but it seems to be referenced as the final response we've received.

At this point the issue is no longer an issue so I'm trying to
close off anything I've got pending escrow points for.

Sorry we can't validate/verify this answer locally.  We'll come back to it eventually when the powers-that-be decide it's
critical enough to have to have been done yesterday, again.
0
