weird admin permission for application to function

Posted on 2006-04-04
Last Modified: 2013-12-04

We run an application that requires local machine administrator rights to run.  In the interests of security, we are trying to identify which specific files/folders/regkeys require the admin rights for the app to work.  We are doing this by applying full control to certain objects related to the application.  This did not allow the app to work.  So we applied full control to the entire C drive and to the entire registry.  This did not allow the app to work either.  So my question is, what's the difference in reality between a user having local machine admin rights and full control rights to everything on the machine?

Your help is greatly appreciated!
Question by: cvcnetwork
    LVL 9

    Expert Comment

    The operating system is divided into two parts: the "machine" part and the "user" part.  The user part is further divided into different parts of different privileges.  In general, you have the SYSTEM account, and you have the USER account.  Now, the SYSTEM (OS) account can do anything basically; it is the operating system, it has full permissions to do everything, and you also cannot access or use this account.  The USER does not, and cannot, interfere with the system, meaning the SYSTEM (OS) is protected from damage from outside code, or that's supposed to be how it works.  The USER however can change the system.  And the varying levels of privileges dictate just how much the USER can change the way the SYSTEM works.

    It is difficult to explain why the program is doing what it's doing without knowing what the program is, but there is a way to solve it.

    Firstly, understand the program operates on as much privilege as the user has, meaning, if the user has standard user privileges (with respect to the SYSTEM (OS), not the files or folders or registry), the application has standard user privileges, or that is generally the case.  If you run the program as an admin, the program will have admin rights.  Think of it like an allowance: the program can spend so much "money" depending on how much allowance is given.  The more privileged the USER, the greater the allowance.

    Secondly, Windows has accounted for this, because many applications need to be used across accounts, and some of those accounts aren't privileged enough to enable the program to function.  Windows has created a way to bypass this.  The "Run As" context menu when right-clicking on the executable or shortcut will allow you to run any app as another user.  Meaning, if your guest can't use this program, you can say "run as" and then you'll be asked which account you want to run it as; select an administrator, provide a password and the program will run as if it had administrative access.  This is the one-time solution; since I've never used this feature, I do not know if it is permanent.  I believe that you will have to enter the admin name and password every time you want to run the program, but I'm sure there is a way to set the program up to always load with certain permissions.  It appears possible in Linux, but I've yet to find anything for Windows XP/2003.

    So in summary, think of it like this: permissions are set with respect to the SYSTEM account, meaning the operating system; file access permissions are managed by the OS, but aren't the operating system themselves.  Admins appear to have all permissions and no problems because they operate on a "near" SYSTEM level privilege; standard users are often stopped by the OS and told, you don't have the right to do this, because that is how OS/multiuser protection is implemented.

    Hope this helps.

    Author Comment

    Thanks, we use the 'run as' feature of Windows every now and then for once-off things.  However, we need a more permanent solution this time.  Everything you said makes sense; however, it's not really the answer to the question.

    Let me rephrase the question:

    What does admin rights give you that full control to everything does not?  Is there any other part of the OS, aside from files, folders and reg, that can have permissions altered?

    Thanks for your help.

    LVL 9

    Accepted Solution

    Well, actually, that's harder to describe than you think.  And unless you made Windows, quite abstract.  I'll see if I can explain better.

    Now, it's not likely, but it could be possible that this is an aberrant program that simply wants to be run by someone who is labeled administrator, I don't know.

    So here we go.
    The Windows OS is built on a hierarchy, with SYSTEM at the top, then administrators and on down the list.  So, whenever we are on the machine we can think of it like there are two people at the computer.  So let's look at it this way: we'll pretend that the two accounts are fighting for 1 resource, the keyboard.  SYSTEM says to the admin, I have full "control" of the keyboard at any time I want it.  And so that is the case.  The admin says, I have full "view" of the keyboard too, but I can't "use" all the keys, but most of them.  And for the standard user, we say, well, you can "view" the bottom row of keys, but you can only "use" the right half of them and you "control" nothing.

    So how does this apply to your question?  In this example, what setting full control for the standard user means is something along these lines: the standard user can now "view" the whole keyboard just like an admin, and can "use" more keys just like the admin, but the user's level of control did not change, or changed so little as to have no effect.

    So we can classify these as,

    Control is System permissions    (account's interface with SYSTEM)
    Use is Windows permissions      (group access settings dictating greater control of file permissions)
    View is file permissions             (read/write/execute)

    Things you can change are your file and Windows permissions (read/write/change view copy etc.).  In order to change your system permissions you must elevate the user's level to a higher user level; the SYSTEM says that you are trying to control something that is out of your level of permissions, and that to my knowledge cannot be changed.  The only way they can be is by changing the USER's account type.

    The easiest way to answer your final question is this: no...files, folders, and the registry and network are the extent that you the USER have been given the right to change permissions.  SYSTEM level permissions are handled internally in the Windows DLLs and by the type of account the USER is listed as.  I could be wrong, but this is Windows permissions as I understand and was taught them.

    Author Comment

    maninblac1, I've got it now.  That was a great explanation.  I guess I'll wait to hear from the vendor then.  I have written to them describing the problem and I'm hoping they know how to enable their app without enabling local admin rights.

    Thanks again, Matt.
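
Added example, not part of the original thread: a PowerShell sketch that inspects the access token of the current process, which is where an "is this user an administrator" test (the "labeled administrator" case raised in the accepted solution) and privilege checks are answered, independent of any file or registry ACL. It assumes a Windows version that ships PowerShell and the built-in `whoami` tool; the short privilege list is an illustrative selection of rights the default Windows policy assigns to Administrators, not an exhaustive one.

```powershell
# Added example: what the current process token carries, regardless of ACLs.
# Run once as the standard user and once as an administrator, then compare.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# 1. Group membership: the check an application makes when it insists on
#    being run by an administrator. Granting Full Control on C:\ or on the
#    registry does not change this result. On systems with UAC, a
#    non-elevated administrator session also returns False here.
$isAdmin = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Privileges (user rights) in the token, parsed from whoami's CSV output.
#    Columns are "Privilege Name", "Description" and "State".
$privileges = whoami /priv /fo csv | ConvertFrom-Csv

# Illustrative selection of rights that default policy gives Administrators.
$adminRights = @(
    'SeDebugPrivilege',
    'SeLoadDriverPrivilege',
    'SeBackupPrivilege',
    'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege'
)

$held = $privileges |
    Where-Object { $adminRights -contains $_.'Privilege Name' }

"User:                   {0}" -f $identity.Name
"Member of Administrators: {0}" -f $isAdmin
"Administrator-type rights present in this token:"
if ($held) {
    $held | Format-Table 'Privilege Name', 'State' -AutoSize
} else {
    "  (none)"
}
```

Comparing the two outputs shows which group memberships and rights exist only in the administrator's token; those are candidates to raise with the vendor alongside the file and registry paths already tested.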
