

weird admin permission for application to function

Posted on 2006-04-04
Medium Priority
Last Modified: 2013-12-04

We run an application that requires local machine administrator rights to run.  In the interests of security, we are trying to identify which specific files/folders/regkeys require the admin rights for the app to work.  We are doing this by applying full control to certain objects related to the application.  This did not allow the app to work.  So we applied full control to the entire C drive and to the entire registry.  This did not allow the app to work either.  So my question is, what's the difference in reality between a user having local machine admin rights and full control rights to everything on the machine?

Your help is greatly appreciated!
Question by: cvcnetwork

Expert Comment

ID: 16378423
The operating system is divided into two parts.  The "machine" part, and the "user" part.  The user part is further divided into different parts of different privileges.  In general, you have the SYSTEM account, and you have the USER account, now, the SYSTEM (OS) account can do anything basically, it is the operating system, it has full permissions to do everything, you also cannot access or use this account.  The USER, does not, and can not interfere with the system meaning the SYSTEM (OS) is protected from damage from outside code, or that's supposed to be how it works.  The USER however can change the system.  And the varying levels of privileges dictate just how much the USER can change the way the SYSTEM works.

It is difficult to explain why the program is doing what it's doing without knowing what the program is, but there is a way to solve it.

Firstly understand the program operates on as much privileges as the user has, meaning, if the user has standard user privileges (with respect to the SYSTEM (OS), not the files or folders or registry), the application has standard user privileges, or is generally the case.  If you run the program as an admin, the program will have admin rights, think of it like allowance, the program can spend so much "money" depending on how much allowance is given.  The more privileged the USER, the greater the allowance.

Secondly, Windows has accounted for this, because many applications need to be used across accounts, and some of those accounts aren't privileged enough to enable the program to function.  Windows has created a way to bypass this.  The "Run As" context menu when right clicking on the executable or shortcut will allow you to run any app as another user.  Meaning, if your guest can't use this program, you can say "run as" and then you'll be asked which account you want to run it as, select an administrator, provide a password and the program will run as if it had administrative access.  This is the one time solution, since I've never used this feature, I do not know if it is permanent.  I believe that you will have to enter the admin name and password every time you want to run the program, but I'm sure there is a way to set the program up to always load with certain permissions.  It appears possible in Linux, but I've yet to find anything for Windows XP/2003.

So in summary, think of it like this, permissions are set with respect to the SYSTEM account, meaning the operating system, file access permissions are managed by the OS, but aren't the operating system themselves.  Admins appear to have all permissions and no problems because they operate on a "near" SYSTEM level privilege, standard users are often stopped by the OS and told, you don't have the right to do this, because that is how OS/multiuser protection is implemented.

Hope this helps.

Author Comment

ID: 16378455
Thanks, we use the 'run as' feature of Windows every now and then for once-off things.  However, we need a more permanent solution this time.  Everything you said makes sense, however it's not really the answer to the question.

Let me rephrase the question:

What does admin rights give you that full control to everything does not?  Is there any other part of the OS, aside from files, folders and reg, that can have permissions altered?

Thanks for your help.


Accepted Solution

maninblac1 earned 2000 total points
ID: 16378584
Well, actually, that's harder to describe than you think.  And unless you made Windows, quite abstract.  I'll see if I can explain better.

Now, it's not likely, but it could be possible that this is an aberrant program that simply wants to be run by someone who is labeled administrator, I don't know.

So here we go.
The Windows OS is built on a hierarchy, with SYSTEM, at the top, then administrators and on down the list.  So, whenever we are on the machine we can think of it like there are two people at the computer.  So let's look at it this way, we'll pretend that the two accounts are fighting for 1 resource, the keyboard.  SYSTEM says to the admin, I have full "control" of the keyboard at anytime I want it.  And so that is the case, the admin says, I have full "view" of the keyboard too, but I can't "use" all the keys, but most of them.  And for the standard user, we say well you can "view" the bottom row of keys, but you can only "use" the right half of them and you "control" nothing.

So how does this apply to your question?  In this example what setting full control to the standard user means something along these lines, the standard users can now "view" the whole keyboard just like an admin, and can "use" more keys just like the admin, but the user's level of control did not change, or changed so little as to have no effect.

So we can classify these as,

Control is System permissions    (account's interface with SYSTEM)
Use is Windows permissions      (group access settings dictating greater control of file permissions)
View is file permissions             (read/write/execute)

Things you can change, are your file and Windows permissions (read/write/change view copy etc.), in order to change your system permissions you must elevate the user's level to a higher user level, the SYSTEM says that you are trying to control something that is out of your level of permissions, and that to my knowledge can not be changed.  The only way they can be is by changing the USER's account type.

The easiest way to answer your final question is this, no...files, folders, and the registry and network are the extent that you the USER have been given the right to change permissions.  SYSTEM level permissions are handled internally in the Windows DLLs and by the type of account the USER is listed as.  I could be wrong, but this is Windows permissions as I understand and was taught them.
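
An added example, not part of the original thread or any poster's code: the "type of account" discussed above is visible in the logon token as a role membership and a list of privileges, both held apart from file and registry ACLs. This PowerShell script captures them for the current account so a standard-user capture can be compared with an administrator capture; `Get-TokenSummary` and `Compare-TokenSummary` are hypothetical names, and it assumes PowerShell 3.0 or later with `whoami.exe` available.

```powershell
# Added example, not from the thread. Get-TokenSummary and Compare-TokenSummary
# are hypothetical names. Assumes PowerShell 3.0+ and whoami.exe.

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # The role check an application can make before it agrees to run.
    $isAdmin = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Privileges (user rights) are held in the token, not in any ACL.
    # /nh drops the localized header row so the columns can be named here.
    $privileges = @(whoami.exe /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State)

    [pscustomobject]@{
        User            = $identity.Name
        IsAdministrator = $isAdmin
        Privileges      = $privileges
    }
}

function Compare-TokenSummary {
    param($Standard, $Admin)
    # Privileges present only in the administrator capture.
    $extra = @($Admin.Privileges | Where-Object {
        $Standard.Privileges.Name -notcontains $_.Name
    })
    [pscustomobject]@{
        StandardUser    = $Standard.User
        AdminUser       = $Admin.User
        AdminOnlyRights = $extra | Select-Object Name, Description
    }
}

# Usage: capture once per account, then compare the two files.
#   Get-TokenSummary | Export-Clixml .\standard.xml -Depth 3   # as the standard user
#   Get-TokenSummary | Export-Clixml .\admin.xml -Depth 3      # elevated, as the admin
#   Compare-TokenSummary (Import-Clixml .\standard.xml) (Import-Clixml .\admin.xml)
```

The `AdminOnlyRights` list is the starting point for least-privilege work: each entry is a right the application might depend on that no amount of "full control" on files or registry keys will grant.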

Author Comment

ID: 16378625
maninblac1, I've got it now.  That was a great explanation.  I guess I'll wait to hear from the vendor then.  I have written to them describing the problem and I'm hoping they know how to enable their app without enabling local admin rights.

Thanks again, Matt.
