weird admin permission for application to function


We run an application that requires local machine administrator rights to run.  In the interests of security, we are trying to identify which specific files/folders/regkeys require the admin rights for the app to work.  We are doing this by applying full control to certain objects related to the application.  This did not allow the app to work.  So we applied full control to the entire C drive and to the entire registry.  This did not allow the app to work either.  So my question is, what's the difference in reality between a user having local machine admin rights and full control rights to everything on the machine?

Your help is greatly appreciated!

The operating system is divided into two parts.  The "machine" part, and the "user" part.  The user part is further divided into different parts of different privileges.  In general, you have the SYSTEM account, and you have the USER account, now, the SYSTEM (OS) account can do anything basically, it is the operating system, it has full permissions to do everything, you also cannot access or use this account.  The USER, does not, and can not interfere with the system meaning the SYSTEM (OS) is protected from damage from outside code, or that's supposed to be how it works.  The USER however can change the system.  And the varying levels of privileges dictate just how much the USER can change the way the SYSTEM works.

It is difficult to explain why the program is doing what it's doing without knowing what the program is, but there is a way to solve it.

Firstly understand the program operates on as much privileges as the user has, meaning, if the user has standard user privileges (with respect to the SYSTEM (OS), not the files or folders or registry), the application has standard user privileges, or is generally the case.  If you run the program as an admin, the program will have admin rights, think of it like allowance, the program can spend so much "money" depending on how much allowance is given.  The more privileged the USER, the greater the allowance.

Secondly, Windows has accounted for this, because many applications need to be used across accounts, and some of those accounts aren't privileged enough to enable the program to function.  Windows has created a way to bypass this.  The "Run As" context menu when right clicking on the executable or shortcut will allow you to run any app as another user.  Meaning, if your guest can't use this program, you can say "run as" and then you'll be asked which account you want to run it as, select an administrator, provide a password and the program will run as if it had administrative access.  This is the one time solution, since I've never used this feature, I do not know if it is permanent.  I believe that you will have to enter the admin name and password every time you want to run the program, but I'm sure there is a way to set the program up to always load with certain permissions.  It appears possible in Linux, but I've yet to find anything for Windows XP/2003.

So in summary, think of it like this, permissions are set with respect to the SYSTEM account, meaning the operating system, file access permissions are managed by the OS, but aren't the operating system themselves.  Admins appear to have all permissions and no problems because they operate on a "near" SYSTEM level privilege, standard users are often stopped by the OS and told, you don't have the right to do this, because that is how OS/multiuser protection is implemented.

Hope this helps.
cvcnetwork (Author) commented:
Thanks, we use the 'run as' feature of Windows every now and then for once-off things.  However, we need a more permanent solution this time.  Everything you said makes sense, however it's not really the answer to the question.

Let me rephrase the question:

What does admin rights give you that full control to everything does not?  Is there any other part of the OS, aside from files, folders and reg, that can have permissions altered?

Thanks for your help.

Well, actually, that's harder to describe than you think.  And unless you made Windows, quite abstract.  I'll see if I can explain better.

Now, it's not likely, but it could be possible that this is an aberrant program that simply wants to be run by someone who is labeled administrator, I don't know.

So here we go.
The Windows OS is built on a hierarchy, with SYSTEM, at the top, then administrators and on down the list.  So, whenever we are on the machine we can think of it like there are two people at the computer.  So let's look at it this way, we'll pretend that the two accounts are fighting for 1 resource, the keyboard.  SYSTEM says to the admin, I have full "control" of the keyboard at anytime I want it.  And so that is the case, the admin says, I have full "view" of the keyboard too, but I can't "use" all the keys, but most of them.  And for the standard user, we say well you can "view" the bottom row of keys, but you can only "use" the right half of them and you "control" nothing.

So how does this apply to your question?  In this example what setting full control to the standard user means something along these lines, the standard users can now "view" the whole keyboard just like an admin, and can "use" more keys just like the admin, but the user's level of control did not change, or changed so little as to have no effect.

So we can classify these as,

Control is System permissions    (account's interface with SYSTEM)
Use is Windows permissions      (group access settings dictating greater control of file permissions)
View is file permissions             (read/write/execute)

Things you can change, are your file and Windows permissions (read/write/change view copy etc.), in order to change your system permissions you must elevate the user's level to a higher user level, the SYSTEM says that you are trying to control something that is out of your level of permissions, and that to my knowledge can not be changed.  The only way they can be is by changing the USER's account type.

The easiest way to answer your final question is this, no...files, folders, and the registry and network are the extent that you the USER have been given the right to change permissions.  SYSTEM level permissions are handled internally in the Windows DLLs and by the type of account the USER is listed as.  I could be wrong, but this is Windows permissions as I understand and was taught them.
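
The two points made in the answers above, that a program runs with the privileges of the account that starts it and that it may simply check whether that account is an administrator, can be observed from the process's access token. The PowerShell below is an added example, not part of the original thread; `Get-TokenSummary` is a hypothetical helper name, and the `whoami` column names assume an English-language system.

```powershell
# Added example: summarize the access token of the current process.
function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # The same membership test an application can make on its own,
    # independently of the ACLs on its files and registry keys.
    $isAdmin = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Privileges held in the token, as reported by whoami.
    # The column names below assume an English-language system.
    $privileges = & whoami.exe /priv /fo csv | ConvertFrom-Csv |
        Select-Object -Property 'Privilege Name', 'State'

    New-Object PSObject -Property @{
        User            = $identity.Name
        IsAdministrator = $isAdmin
        Privileges      = $privileges
    }
}

$summary = Get-TokenSummary
"{0}: administrator = {1}" -f $summary.User, $summary.IsAdministrator
$summary.Privileges | Format-Table -AutoSize
```

Run it once as the standard user and once through Run As with an administrator account, then compare the two outputs.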

cvcnetwork (Author) commented:
maninblac1, I've got it now.  That was a great explanation.  I guess I'll wait to hear from the vendor then.  I have written to them describing the problem and I'm hoping they know how to enable their app without enabling local admin rights.

Thanks again, Matt.